[ovs-dev] [Debian-non-root v2 4/4] Debian: start daemons as ovs(non-root) user

Fri, 09 Oct 2015 17:14:25 -0700 

Changes to Debian packaging scripts to create the ovs user and group.
Fix the permissions of ovs created files and directories so that
they are accessible by users belong to the ovs group.
Start daemons as the ovs user.

Signed-off-by: Andy Zhou <az...@nicira.com>

----
This patch does not include changes to the ipsec package. Ansis has
other plans for updating it.
---
 NEWS                                       |  3 +-
 debian/automake.mk                         |  1 +
 debian/control                             |  1 +
 debian/openvswitch-common.postinst         | 45 ++++++++++++++++++++++++++++++
 debian/openvswitch-pki.postinst            |  5 ++++
 debian/openvswitch-switch.init             |  1 +
 debian/openvswitch-switch.logrotate        |  2 +-
 debian/openvswitch-switch.postinst         |  6 ++++
 debian/openvswitch-testcontroller.init     |  8 +++++-
 debian/openvswitch-testcontroller.postinst |  5 ++++
 debian/openvswitch-vtep.init               |  9 +++++-
 11 files changed, 82 insertions(+), 4 deletions(-)
 create mode 100755 debian/openvswitch-common.postinst

diff --git a/NEWS b/NEWS
index cdf2815..8f0e5b6 100644
--- a/NEWS
+++ b/NEWS
@@ -23,7 +23,8 @@ Post-v2.4.0
    - Dropped support for GRE64 tunnel.
    - Mark --syslog-target argument as deprecated.  It will be removed in
      the next OVS release.
-   - Added --user option to all daemons
+   - Added --user option to all daemons.
+   - Debain package starts daemons as the 'ovs' user.
 
 
 v2.4.0 - 20 Aug 2015
diff --git a/debian/automake.mk b/debian/automake.mk
index c29a560..3092569 100644
--- a/debian/automake.mk
+++ b/debian/automake.mk
@@ -8,6 +8,7 @@ EXTRA_DIST += \
        debian/dkms.conf.in \
        debian/dirs \
        debian/openvswitch-common.dirs \
+       debian/openvswitch-common.postinst \
        debian/openvswitch-common.docs \
        debian/openvswitch-common.install \
        debian/openvswitch-common.manpages \
diff --git a/debian/control b/debian/control
index 3eac644..7c07cb2 100644
--- a/debian/control
+++ b/debian/control
@@ -60,6 +60,7 @@ Architecture: linux-any
 Depends: openssl,
          python,
          python (>= 2.7) | python-argparse,
+         adduser,
          ${misc:Depends},
          ${shlibs:Depends}
 Suggests: ethtool
diff --git a/debian/openvswitch-common.postinst 
b/debian/openvswitch-common.postinst
new file mode 100755
index 0000000..cc42b13
--- /dev/null
+++ b/debian/openvswitch-common.postinst
@@ -0,0 +1,45 @@
+#!/bin/sh
+# postinst script for openvswitch-switch
+#
+# see: dh_installdeb(1)
+
+set -e
+
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <postinst> `abort-remove'
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+    configure)
+        LOGDIR=/var/log/openvswitch
+        # Create the ovs user and group.
+        adduser --system --group --no-create-home --quiet $OVS_USER || true
+        adduser $OVS_USER adm || true
+
+        # Fix ownership.
+        chown -R $OVS_USER:$OVS_GROUP $LOGDIR
+        ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+        ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+        ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/openvswitch-pki.postinst b/debian/openvswitch-pki.postinst
index f4705e9..b7821d4 100755
--- a/debian/openvswitch-pki.postinst
+++ b/debian/openvswitch-pki.postinst
@@ -5,6 +5,9 @@
 
 set -e
 
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
 # summary of how this script can be called:
 #        * <postinst> `configure' <most-recently-configured-version>
 #        * <old-postinst> `abort-upgrade' <new version>
@@ -31,6 +34,8 @@ case "$1" in
         if test ! -e /var/lib/openvswitch/pki; then
             ovs-pki init
         fi
+
+        chown -R $OVS_USER:$OVS_GROUP /var/lib/openvswitch
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/debian/openvswitch-switch.init b/debian/openvswitch-switch.init
index 8e156da..febf414 100755
--- a/debian/openvswitch-switch.init
+++ b/debian/openvswitch-switch.init
@@ -64,6 +64,7 @@ start () {
     if test X"$FORCE_COREFILES" != X; then
        set "$@" --force-corefiles="$FORCE_COREFILES"
     fi
+    set "$@" --no-run-as-root
     set "$@" $OVS_CTL_OPTS
     "$@" || exit $?
     if [ "$2" = "start" ] && [ "$READ_INTERFACES" != "no" ]; then
diff --git a/debian/openvswitch-switch.logrotate 
b/debian/openvswitch-switch.logrotate
index a7a71bd..e93c568 100644
--- a/debian/openvswitch-switch.logrotate
+++ b/debian/openvswitch-switch.logrotate
@@ -1,7 +1,7 @@
 /var/log/openvswitch/*.log {
     daily
     compress
-    create 640 root adm
+    create 640 ovs adm
     delaycompress
     missingok
     rotate 30
diff --git a/debian/openvswitch-switch.postinst 
b/debian/openvswitch-switch.postinst
index 2464572..0879c7c 100755
--- a/debian/openvswitch-switch.postinst
+++ b/debian/openvswitch-switch.postinst
@@ -5,6 +5,9 @@
 
 set -e
 
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
 # summary of how this script can be called:
 #        * <postinst> `configure' <most-recently-configured-version>
 #        * <old-postinst> `abort-upgrade' <new version>
@@ -33,6 +36,9 @@ case "$1" in
                 fi
             done
        fi
+
+       # fix owner and permissions for /etc/openvswitch.
+       chown -R $OVS_USER:$OVS_GROUP /etc/openvswitch
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/debian/openvswitch-testcontroller.init 
b/debian/openvswitch-testcontroller.init
index 67b7a99..d67500e 100755
--- a/debian/openvswitch-testcontroller.init
+++ b/debian/openvswitch-testcontroller.init
@@ -37,6 +37,8 @@ DAEMON=/usr/bin/ovs-testcontroller # Introduce the server's 
location here
 NAME=ovs-testcontroller         # Introduce the short server's name here
 DESC=ovs-testcontroller         # Introduce a short description here
 LOGDIR=/var/log/openvswitch    # Log directory to use
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
 
 PIDFILE=/var/run/openvswitch/$NAME.pid
 
@@ -109,7 +111,10 @@ start_server() {
     fi
 
     if [ ! -d /var/run/openvswitch ]; then
-        install -d -m 755 -o root -g root /var/run/openvswitch
+        install -d -m 770 -o $OVS_USER -g $OVS_GROUP /var/run/openvswitch
+    else
+        chown -R $OVS_USER:$OVS_GROUP /var/run/openvswitch
+        chmod 0770 -R /var/run/openvswitch
     fi
 
     SSL_OPTS=
@@ -139,6 +144,7 @@ start_server() {
         if [ -z "$DAEMONUSER" ] ; then
             start-stop-daemon --start --pidfile $PIDFILE \
                         --exec $DAEMON -- --detach --pidfile=$PIDFILE \
+                        --user $OVS_USER:$OVS_GROUP \
                         $LISTEN $DAEMON_OPTS $SSL_OPTS
             errcode=$?
         else
diff --git a/debian/openvswitch-testcontroller.postinst 
b/debian/openvswitch-testcontroller.postinst
index 7242b4a..ee7f4c7 100755
--- a/debian/openvswitch-testcontroller.postinst
+++ b/debian/openvswitch-testcontroller.postinst
@@ -5,6 +5,9 @@
 
 set -e
 
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
 # summary of how this script can be called:
 #        * <postinst> `configure' <most-recently-configured-version>
 #        * <old-postinst> `abort-upgrade' <new version>
@@ -42,6 +45,8 @@ case "$1" in
             chmod go+r cert.pem req.pem
             umask $oldumask
         fi
+
+        chown -R $OVS_USER:$OVS_GROUP /etc/openvswitch-testcontroller
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/debian/openvswitch-vtep.init b/debian/openvswitch-vtep.init
index ebf4e26..05a0a68 100644
--- a/debian/openvswitch-vtep.init
+++ b/debian/openvswitch-vtep.init
@@ -10,6 +10,8 @@
 # Description:       Initializes the Open vSwitch VTEP emulator
 ### END INIT INFO
 
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
 
 # Include defaults if available
 default=/etc/default/openvswitch-vtep
@@ -40,17 +42,22 @@ start () {
         cd /etc/openvswitch && ovs-pki req ovsclient && ovs-pki self-sign 
ovsclient
     fi
 
+    chown -R $OVS_USER:$OVS_GROUP /etc/openvswitch
+    chown -R $OVS_USER:$OVS_GROUP /var/run/openvswitch
+    chmod -R 0770 /var/run/openvswitch
+
     ovsdb-server --pidfile --detach --log-file --remote \
         punix:/var/run/openvswitch/db.sock \
         --remote=db:hardware_vtep,Global,managers \
         --private-key=/etc/openvswitch/ovsclient-privkey.pem \
         --certificate=/etc/openvswitch/ovsclient-cert.pem \
         --bootstrap-ca-cert=/etc/openvswitch/vswitchd.cacert \
+        --user $OVS_USER:$OVS_GROUP \
         /etc/openvswitch/conf.db /etc/openvswitch/vtep.db
 
     modprobe openvswitch
 
-    ovs-vswitchd --pidfile --detach --log-file \
+    ovs-vswitchd --pidfile --detach --log-file --user $OVS_USER:$OVS_GROUP \
         unix:/var/run/openvswitch/db.sock
 }
 
-- 
1.9.1

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev

Reply via email to