Re: [ovs-dev] [PATCH RFC 3/3] manager: Allow change to punix socket file group ownership.

Wed, 26 Aug 2015 15:57:06 -0700 

Well, if so, that makes life easy ;-)

On Wed, Aug 26, 2015 at 03:07:34PM -0700, Andy Zhou wrote:
> Can we assume ovsdb-server will be launched by the process that has
> the right owner and group?
> 
> On Wed, Aug 26, 2015 at 2:19 PM, Ben Pfaff <b...@nicira.com> wrote:
> > I guess the question is from what users and groups should ovsdb-server
> > accept connections.  If it's only supposed to accept connections from
> > root or a specified group, then it needs to have the correct privileges
> > to at least create a root-owned socket or a socket with that group.
> >
> > On Fri, Aug 21, 2015 at 11:05:57PM -0700, Alex Wang wrote:
> >> If we want to make ovsdb-server non-root, this change may not be need,~
> >>
> >> On Fri, Aug 21, 2015 at 11:10 PM, Alex Wang <al...@nicira.com> wrote:
> >>
> >> > This commit adds a new key-value pair, 'punix_file_group=<user group>',
> >> > to the 'other_config' column in the 'Manager' table.  This new config
> >> > allows user to change the punix socket file's group ownership, so that
> >> > non-root process can also connect to ovsdb-server.
> >> >
> >> > Signed-off-by: Alex Wang <al...@nicira.com>
> >> > ---
> >> >  ovsdb/jsonrpc-server.c |    6 ++++++
> >> >  ovsdb/jsonrpc-server.h |    1 +
> >> >  ovsdb/ovsdb-server.c   |    2 ++
> >> >  vswitchd/vswitch.xml   |   16 ++++++++++++++++
> >> >  4 files changed, 25 insertions(+)
> >> >
> >> > diff --git a/ovsdb/jsonrpc-server.c b/ovsdb/jsonrpc-server.c
> >> > index fffcb73..387a7a0 100644
> >> > --- a/ovsdb/jsonrpc-server.c
> >> > +++ b/ovsdb/jsonrpc-server.c
> >> > @@ -32,6 +32,7 @@
> >> >  #include "row.h"
> >> >  #include "server.h"
> >> >  #include "simap.h"
> >> > +#include "socket-util.h"
> >> >  #include "stream.h"
> >> >  #include "table.h"
> >> >  #include "timeval.h"
> >> > @@ -227,6 +228,11 @@ ovsdb_jsonrpc_server_set_remotes(struct
> >> > ovsdb_jsonrpc_server *svr,
> >> >          }
> >> >
> >> >          ovsdb_jsonrpc_session_set_all_options(remote, options);
> >> > +
> >> > +        if (!strncmp(node->name, "punix:", 6)) {
> >> > +            unix_socket_set_file_group(node->name + 6,
> >> > +                                       options->punix_file_group);
> >> > +        }
> >> >      }
> >> >  }
> >> >
> >> > diff --git a/ovsdb/jsonrpc-server.h b/ovsdb/jsonrpc-server.h
> >> > index fce8b7b..36a15f3 100644
> >> > --- a/ovsdb/jsonrpc-server.h
> >> > +++ b/ovsdb/jsonrpc-server.h
> >> > @@ -35,6 +35,7 @@ struct ovsdb_jsonrpc_options {
> >> >      int max_backoff;            /* Maximum reconnection backoff, in 
> >> > msec.
> >> > */
> >> >      int probe_interval;         /* Max idle time before probing, in 
> >> > msec.
> >> > */
> >> >      int dscp;                   /* Dscp value for manager connections */
> >> > +    const char *punix_file_group; /* For setting the punix file's group.
> >> > */
> >> >  };
> >> >  struct ovsdb_jsonrpc_options *
> >> >  ovsdb_jsonrpc_default_options(const char *target);
> >> > diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c
> >> > index cd13b0d..8dca006 100644
> >> > --- a/ovsdb/ovsdb-server.c
> >> > +++ b/ovsdb/ovsdb-server.c
> >> > @@ -770,6 +770,8 @@ add_manager_options(struct shash *remotes, const
> >> > struct ovsdb_row *row)
> >> >              options->dscp = dscp;
> >> >          }
> >> >      }
> >> > +    options->punix_file_group = read_map_string_column(row,
> >> > "other_config",
> >> > +
> >> >  "punix_file_group");
> >> >  }
> >> >
> >> >  static void
> >> > diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
> >> > index 6f6e0ed..ae7abfb 100644
> >> > --- a/vswitchd/vswitch.xml
> >> > +++ b/vswitchd/vswitch.xml
> >> > @@ -4286,6 +4286,22 @@
> >> >          default value of 48 is chosen.  Valid DSCP values must be in the
> >> > range
> >> >          0 to 63.
> >> >        </column>
> >> > +
> >> > +      <column name="other_config" key="punix_file_group"
> >> > +                type='{"type": "string"}'>
> >> > +        <p>
> >> > +          When connection method in <ref column="target"/> is
> >> > +          <code>punix</code>, this config specifies the user group to
> >> > which
> >> > +          the group ownership for 'punix' (unix domain socket) file
> >> > created
> >> > +          by ovsdb will be applied.  Also, the file's access permission
> >> > will be
> >> > +          changed to '0770'.
> >> > +        </p>
> >> > +        <p>
> >> > +          By default, the 'punix' file is associated with the 'root'
> >> > +          group and have access permission '0700'.  If this config is
> >> > +          not specified or specified as 'root', the default is restored.
> >> > +        </p>
> >> > +      </column>
> >> >      </group>
> >> >
> >> >      <group title="Common Columns">
> >> > --
> >> > 1.7.9.5
> >> >
> >> >
> > _______________________________________________
> > dev mailing list
> > dev@openvswitch.org
> > http://openvswitch.org/mailman/listinfo/dev
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev

Reply via email to