rhel: run ovn with the same user as ovs

Both ovn and ovs share the same log and run directories which are owned
by the user running ovs so it makes sense that ovn runs under that user
too to diminish security concerns and possible problems with log rotation.

Signed-off-by: Jaime Caamaño Ruiz <jcaamano@suse.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>

rhel/usr_lib_systemd_system_ovn-controller-vtep.service

@@ -39,8 +39,10 @@ Restart=on-failure
 Environment=OVN_DB=unix:%t/openvswitch/ovnsb_db.sock
 Environment=VTEP_DB=unix:%t/openvswitch/db.sock
 EnvironmentFile=-/etc/sysconfig/ovn-controller-vtep
+EnvironmentFile=/run/openvswitch.useropts
 ExecStart=/usr/share/openvswitch/scripts/ovn-ctl \
           --db-sb-sock=${OVN_DB} --db-sock=${VTEP_DB} \
+          --ovn-user=${OVS_USER_ID} \
           start_controller_vtep
 ExecStop=/usr/share/openvswitch/scripts/ovn-ctl stop_controller_vtep
 

rhel/usr_lib_systemd_system_ovn-controller.service

@@ -24,7 +24,9 @@ Type=forking
 PIDFile=/var/run/openvswitch/ovn-controller.pid
 Restart=on-failure
 EnvironmentFile=-/etc/sysconfig/ovn-controller
+EnvironmentFile=/run/openvswitch.useropts
 ExecStart=/usr/share/openvswitch/scripts/ovn-ctl --no-monitor \
+          --ovn-user=${OVS_USER_ID} \
           start_controller $OVN_CONTROLLER_OPTS
 ExecStop=/usr/share/openvswitch/scripts/ovn-ctl stop_controller
 

rhel/usr_lib_systemd_system_ovn-northd.service

@@ -24,7 +24,11 @@ Type=oneshot
 RemainAfterExit=yes
 Environment=OVS_RUNDIR=%t/openvswitch OVS_DBDIR=/var/lib/openvswitch
 EnvironmentFile=-/etc/sysconfig/ovn-northd
-ExecStart=/usr/share/openvswitch/scripts/ovn-ctl start_northd $OVN_NORTHD_OPTS
+EnvironmentFile=/run/openvswitch.useropts
+ExecStartPre=/usr/bin/chown -R ${OVS_USER_ID} ${OVS_DBDIR}
+ExecStart=/usr/share/openvswitch/scripts/ovn-ctl \
+          --ovs-user=${OVS_USER_ID} --ovn-user=${OVS_USER_ID} \
+          start_northd $OVN_NORTHD_OPTS
 ExecStop=/usr/share/openvswitch/scripts/ovn-ctl stop_northd
 
 [Install]

rhel/usr_lib_systemd_system_ovs-vswitchd.service.in

@@ -22,11 +22,11 @@ ExecStartPre=-/usr/bin/chmod 0775 /dev/hugepages
 @end_dpdk@
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovsdb-server --no-monitor --system-id=random \
-          ${OVSUSER} \
+          ${OVS_USER_OPT} \
           start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server \
           --no-monitor --system-id=random \
-          ${OVSUSER} \
+          ${OVS_USER_OPT} \
           restart $OPTIONS
 TimeoutSec=300

rhel/usr_lib_systemd_system_ovsdb-server.service

@@ -12,15 +12,16 @@ Restart=on-failure
 EnvironmentFile=/etc/openvswitch/default.conf
 EnvironmentFile=-/etc/sysconfig/openvswitch
 ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch
-ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch.useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch.useropts; fi'
-EnvironmentFile=-/run/openvswitch.useropts
+ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch.useropts; /usr/bin/echo "OVS_USER_ID=${OVS_USER_ID}" > /run/openvswitch.useropts'
+ExecStartPre=/bin/sh -c 'if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVS_USER_OPT=--ovs-user=${OVS_USER_ID}" >> /run/openvswitch.useropts; fi'
+EnvironmentFile=/run/openvswitch.useropts
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovs-vswitchd --no-monitor --system-id=random \
-          ${OVSUSER} \
+          ${OVS_USER_OPT} \
           start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \
-           ${OVSUSER} \
+           ${OVS_USER_OPT} \
            --no-monitor restart $OPTIONS
 RuntimeDirectory=openvswitch
 RuntimeDirectoryMode=0755