ovs-ctl: allow passing user:group to daemons

The Open vSwitch daemons allow passing --user user[:group] to allow spawning under different user privileges. ovs-ctl now accepts --ovs-user in the same form to pass this argument on, as well as create databases and data directories with the appropriate privileges. Signed-off-by: Aaron Conole <aconole@redhat.com> Reviewed-by: Markos Chandras <mchandras@suse.de> Signed-off-by: Andy Zhou <azhou@ovn.org>
2025-09-01 14:55:18 +00:00 · 2017-02-21 17:31:05 -05:00
parent 02a9757e7e
commit 9ab5390d6d
3 changed files with 24 additions and 2 deletions
--- a/utilities/ovs-ctl.8
+++ b/utilities/ovs-ctl.8
@@ -159,6 +159,13 @@ Deletes all ports that have the other_config:transient value set to true. This
 is important on certain environments where some ports are going to be recreated
 after reboot, but other ports need to be persisted in the database.
 .
 .IP "\fB\-\-ovs\-user=user[:group]\fR"
 Ordinarily Open vSwitch daemons are started as the user invoking the ovs-ctl
 command.  Some system administrators would prefer to have the various daemons
 spawn as different users in their environments.  This option allows passing the
 \fB\-\-user\fR option to the \fBovsdb\-server\fR and \fBovs\-vswitchd\fR
 daemons, allowing them to change their privilege levels.
 .
 .PP
 The following options are less important:
 .
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -170,6 +170,8 @@ do_start_ovsdb () {
        set "$@" --private-key=db:Open_vSwitch,SSL,private_key
        set "$@" --certificate=db:Open_vSwitch,SSL,certificate
        set "$@" --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert
        [ "$OVS_USER" != "" ] && set "$@" --user "$OVS_USER"
        start_daemon "$OVSDB_SERVER_PRIORITY" "$OVSDB_SERVER_WRAPPER" "$@" \
            || return 1
@@ -239,6 +241,8 @@ do_start_forwarding () {
        if test X"$SELF_CONFINEMENT" = Xno; then
            set "$@" --no-self-confinement
        fi
        [ "$OVS_USER" != "" ] && set "$@" --user "$OVS_USER"
        start_daemon "$OVS_VSWITCHD_PRIORITY" "$OVS_VSWITCHD_WRAPPER" "$@" ||
            return 1
    fi
@@ -503,6 +507,7 @@ set_defaults () {
    MLOCKALL=yes
    SELF_CONFINEMENT=yes
    MONITOR=yes
    OVS_USER=
    OVSDB_SERVER=yes
    OVS_VSWITCHD=yes
    OVSDB_SERVER_PRIORITY=-10
@@ -570,6 +575,7 @@ Other important options for "start", "restart" and "force-reload-kmod":
  --external-id="key=value"
                     add given key-value pair to Open_vSwitch external-ids
  --delete-bridges   delete all bridges just before starting ovs-vswitchd
  --ovs-user="user[:group]"  pass the --user flag to ovs daemons
 Less important options for "start", "restart" and "force-reload-kmod":
  --daemon-cwd=DIR               set working dir for OVS daemons (default: $DAEMON_CWD)
--- a/utilities/ovs-lib.in
+++ b/utilities/ovs-lib.in
@@ -150,8 +150,13 @@ version_geq() {
 install_dir () {
    DIR="$1"
    INSTALL_USER="root"
    INSTALL_GROUP="root"
    [ "$OVS_USER" != "" ] && INSTALL_USER="${OVS_USER%:*}"
    [ "${OVS_USER##*:}" != "" ] && INSTALL_GROUP="${OVS_USER##*:}"
    if test ! -d "$DIR"; then
-        install -d -m 755 -o root -g root "$DIR"
+        install -d -m 755 -o "$INSTALL_USER" -g "$INSTALL_GROUP" "$DIR"
        restorecon "$DIR" >/dev/null 2>&1
    fi
 }
@@ -372,7 +377,11 @@ move_ip_routes () {
 }
 ovsdb_tool () {
-    ovsdb-tool -vconsole:off "$@"
+    if [ "$OVS_USER" != "" ]; then
        runuser --user "${OVS_USER%:*}" -- ovsdb-tool -vconsole:off "$@"
    else
        ovsdb-tool -vconsole:off "$@"
    fi
 }
 create_db () {