mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-22 01:51:26 +00:00
Code Issues Releases Wiki Activity
ovs/utilities/ovs-lib.in
Vladislav Odintsov 4f27d5a024 utilities: Add support to set umask in ovs-ctl. 
This patch adds new ovs-ctl options to pass umask configuration to allow
OVS daemons set requested socket permissions on group.  Previous
behaviour (if using with systemd service unit) created sockets with 0750
permissions mask (group has no write permission).

Write permission for group is reasonable in usecase, where ovs-vswitchd
or ovsdb-server runs as a non-privileged user:group (say,
openvswitch:openvswitch) and it is needed to access unix socket from
process running as another non-privileged user.  In this case
administrator has to add that user to openvswitch group and can connect
to OVS sockets from a process running under that user.

Two new ovs-ctl options --ovsdb-server-umask and --ovs-vswitchd-umask
were added to manage umask values for appropriate daemons.  This is
useful for systemd users: both ovs-vswitchd and ovsdb-server systemd
units read options from single /etc/sysconfig/openvswitch configuration
file.  So, with separate options it is possible to set umask only for
specific daemon.

OPTIONS="--ovsdb-server-umask=0002"

in /etc/openvswitch/sysconfig file will set umask to 0002 value before
starting only ovsdb-server, while

OPTIONS="--ovs-vswitchd-umask=0002"

will set umask to ovs-vswitchd daemon.

Previous behaviour (not setting umask) is left as default.

Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2023-January/401501.html
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Vladislav Odintsov <odivlad@gmail.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2023-02-20 19:58:35 +01:00

722 lines
22 KiB
Bash
Raw Blame History

# -*- sh -*-
# vi:syntax=sh
# This is a shell function library sourced by some Open vSwitch scripts.
# It is not intended to be invoked on its own.
# Copyright (C) 2009, 2010, 2011, 2012 Nicira, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## ----------------- ##
## configure options ##
## ----------------- ##
# All of these should be substituted by the Makefile at build time.
logdir=${OVS_LOGDIR-'@LOGDIR@'} # /var/log/openvswitch
rundir=${OVS_RUNDIR-'@RUNDIR@'} # /var/run/openvswitch
sysconfdir=${OVS_SYSCONFDIR-'@sysconfdir@'} # /etc
etcdir=$sysconfdir/openvswitch # /etc/openvswitch
datadir=${OVS_PKGDATADIR-'@pkgdatadir@'} # /usr/share/openvswitch
bindir=${OVS_BINDIR-'@bindir@'} # /usr/bin
sbindir=${OVS_SBINDIR-'@sbindir@'} # /usr/sbin
# /etc/openvswitch or /var/lib/openvswitch
if test X"$OVS_DBDIR" != X; then
dbdir=$OVS_DBDIR
elif test X"$OVS_SYSCONFDIR" != X; then
dbdir=$OVS_SYSCONFDIR/openvswitch
else
dbdir='@DBDIR@'
fi
ovs_ctl_log () {
echo "$@" >> "${logdir}/ovs-ctl.log"
}
ovs_ctl () {
case "$@" in
*"=strace"*)
# In case of running the daemon with strace, piping the o/p causes
# the script to block (strace probably does not close the inherited
# pipe). So, do not log the o/p to ovs-ctl.log.
"${datadir}/scripts/ovs-ctl" "$@"
;;
"status")
# In case of the command 'status', we should return the exit status
# of ovs-ctl. It is also useful to document the o/p in ovs-ctl.log.
display=`"${datadir}/scripts/ovs-ctl" "$@" 2>&1`
rc=$?
if test -w "${logdir}/ovs-ctl.log"; then
echo "${display}" | tee -a "${logdir}/ovs-ctl.log"
else
echo "${display}"
fi
return ${rc}
;;
*)
echo "`date -u`:$@" >> "${logdir}/ovs-ctl.log"
"${datadir}/scripts/ovs-ctl" "$@" 2>&1 | tee -a "${logdir}/ovs-ctl.log"
;;
esac
}
VERSION='@VERSION@'
DAEMON_CWD=/
LC_ALL=C; export LC_ALL
## ------------- ##
## LSB functions ##
## ------------- ##
# Use the system's own implementations if it has any.
if test -e /etc/init.d/functions; then
. /etc/init.d/functions
elif test -e /etc/rc.d/init.d/functions; then
. /etc/rc.d/init.d/functions
elif test -e /lib/lsb/init-functions; then
. /lib/lsb/init-functions
fi
# Implement missing functions (e.g. OpenSUSE lacks 'action').
if type log_success_msg >/dev/null 2>&1; then :; else
log_success_msg () {
printf '%s.\n' "$*"
}
fi
if type log_failure_msg >/dev/null 2>&1; then :; else
log_failure_msg () {
printf '%s ... failed!\n' "$*"
}
fi
if type log_warning_msg >/dev/null 2>&1; then :; else
log_warning_msg () {
printf '%s ... (warning).\n' "$*"
}
fi
if type action >/dev/null 2>&1; then :; else
action () {
STRING=$1
shift
"$@"
rc=$?
if test $rc = 0; then
log_success_msg "$STRING"
else
log_failure_msg "$STRING"
fi
return $rc
}
fi
## ------- ##
## Daemons ##
## ------- ##
pid_exists () {
# This is better than "kill -0" because it doesn't require permission to
# send a signal (so daemon_status in particular works as non-root).
test -n "$1" && test -d /proc/"$1"
}
pid_comm_check () {
[ "$1" = "`cat /proc/$2/comm`" ]
}
# version_geq version_a version_b
#
# Compare (dot separated) version numbers. Returns true (exit code 0) if
# version_a is greater or equal than version_b, otherwise false (exit code 1).
version_geq() {
echo $1 $2 | awk '{
n1 = split($1, a, ".");
n2 = split($2, b, ".");
n = (n1 > n2) ? n1 : n2;
for (i = 1; i <= n; i++) {
if (a[i]+0 < b[i]+0) exit 1
if (a[i]+0 > b[i]+0) exit 0
}
}'
}
install_dir () {
DIR="$1"
INSTALL_MODE="${2:-755}"
INSTALL_USER="root"
INSTALL_GROUP="root"
[ "$OVS_USER" != "" ] && INSTALL_USER="${OVS_USER%:*}"
[ "${OVS_USER##*:}" != "" ] && INSTALL_GROUP="${OVS_USER##*:}"
if test ! -d "$DIR"; then
install -d -m "$INSTALL_MODE" -o "$INSTALL_USER" -g "$INSTALL_GROUP" "$DIR"
restorecon "$DIR" >/dev/null 2>&1
fi
}
start_daemon () {
priority=$1 && shift
wrapper=$1 && shift
umask=$1 && shift
daemon=$1
strace=""
# drop core files in a sensible place
install_dir "$DAEMON_CWD"
set "$@" --no-chdir
cd "$DAEMON_CWD"
# log file
install_dir "$logdir" "750"
set "$@" --log-file="$logdir/$daemon.log"
# pidfile and monitoring
install_dir "$rundir"
set "$@" --pidfile="$rundir/$daemon.pid"
set "$@" --detach
test X"$MONITOR" = Xno || set "$@" --monitor
# wrapper
case $wrapper in
valgrind)
if (valgrind --version) > /dev/null 2>&1; then
set valgrind -q --leak-check=full --time-stamp=yes \
--log-file="$logdir/$daemon.valgrind.log.%p" "$@"
else
log_failure_msg "valgrind not installed, running $daemon without it"
fi
;;
strace)
if (strace -V) > /dev/null 2>&1; then
strace="strace -tt -T -s 256 -ff"
if (strace -DV) > /dev/null 2>&1; then
# Has the -D option.
set $strace -D -o "$logdir/$daemon.strace.log" "$@"
strace=""
fi
else
log_failure_msg "strace not installed, running $daemon without it"
fi
;;
glibc)
set env MALLOC_CHECK_=2 MALLOC_PERTURB_=165 "$@"
;;
'')
;;
*)
log_failure_msg "unknown wrapper $wrapper, running $daemon without it"
;;
esac
# priority
if test X"$priority" != X; then
set nice -n "$priority" "$@"
fi
# Set requested umask if any and turn previous value back.
if [ -n "$umask" ]; then
previuos_umask_value=$(umask)
umask "$umask"
fi
action "Starting $daemon" "$@" || return 1
# If umask was set, turn umask value to previous value.
if [ -n "$umask" ]; then
umask "$previuos_umask_value"
fi
if test X"$strace" != X; then
# Strace doesn't have the -D option so we attach after the fact.
setsid $strace -o "$logdir/$daemon.strace.log" \
-p `cat $rundir/$daemon.pid` > /dev/null 2>&1 &
fi
}
stop_daemon () {
if test -e "$rundir/$1.pid"; then
if pid=`cat "$rundir/$1.pid"`; then
if pid_exists "$pid" >/dev/null 2>&1; then :; else
rm -f $rundir/$1.$pid.ctl $rundir/$1.$pid
return 0
fi
graceful="EXIT .1 .25 .65 1"
actions="TERM .1 .25 .65 1 1 1 1 \
KILL 1 1 1 2 10 15 30 \
FAIL"
version=`ovs-appctl -T 1 -t $rundir/$1.$pid.ctl version \
| awk 'NR==1{print $NF}'`
# Use `ovs-appctl exit` only if the running daemon version
# is >= 2.5.90. This script might be used during upgrade to
# stop older versions of daemons which do not behave correctly
# with `ovs-appctl exit` (e.g. ovs-vswitchd <= 2.5.0 deletes
# internal ports).
if version_geq "$version" "2.5.90"; then
actions="$graceful $actions"
fi
actiontype=""
for action in $actions; do
if pid_exists "$pid" >/dev/null 2>&1; then :; else
# pid does not exist.
if [ -n "$actiontype" ]; then
return 0
fi
# But, does the file exist? We may have had a daemon
# segfault with `ovs-appctl exit`. Check one more time
# before deciding that the daemon is dead.
[ -e "$rundir/$1.pid" ] && sleep 2 && pid=`cat "$rundir/$1.pid"` 2>/dev/null
if pid_exists "$pid" >/dev/null 2>&1; then :; else
return 0
fi
fi
case $action in
EXIT)
action "Exiting $1 ($pid)" \
${bindir}/ovs-appctl -T 1 -t $rundir/$1.$pid.ctl exit
# The above command could have resulted in delayed
# daemon segfault. And if a monitor is running, it
# would restart the daemon giving it a new pid.
;;
TERM)
action "Killing $1 ($pid)" kill $pid
actiontype="force"
;;
KILL)
action "Killing $1 ($pid) with SIGKILL" kill -9 $pid
actiontype="force"
;;
FAIL)
log_failure_msg "Killing $1 ($pid) failed"
return 1
;;
*)
sleep $action
;;
esac
done
fi
fi
log_success_msg "$1 is not running"
}
daemon_status () {
pidfile=$rundir/$1.pid
if test -e "$pidfile"; then
if pid=`cat "$pidfile"`; then
if pid_exists "$pid"; then
echo "$1 is running with pid $pid"
return 0
else
echo "Pidfile for $1 ($pidfile) is stale"
fi
else
echo "Pidfile for $1 ($pidfile) exists but cannot be read"
fi
else
echo "$1 is not running"
fi
return 1
}
daemon_is_running () {
pidfile=$rundir/$1.pid
test -e "$pidfile" && pid=`cat "$pidfile"` && pid_exists "$pid" && pid_comm_check $1 $pid
} >/dev/null 2>&1
# Prints commands needed to move the ip address from interface $1 to interface
# $2
move_ip_address () {
if [ -z "$1" ] || [ -z "$2" ]; then
return
fi
dev="$1"
dst="$2"
# IP addresses (including IPv6).
echo "ip addr flush dev $dev 2>/dev/null" # Suppresses "Nothing to flush".
ip addr show dev $dev | while read addr; do
set -- $addr
# Check and trim family.
family=$1
shift
case $family in
inet | inet6) ;;
*) continue ;;
esac
# Trim device off the end--"ip" insists on having "dev" precede it.
addrcmd=
while test $# != 0; do
case $1 in
dynamic)
# XXX: According to 'man ip-address', "dynamic" is only
# used for ipv6 addresses. But, atleast on RHEL 7.4
# (iproute-3.10.0-87), it is being used for ipv4
# addresses assigned with dhcp.
if [ "$family" = "inet" ]; then
shift
continue
fi
# Omit kernel-maintained route.
continue 2
;;
scope)
if test "$2" = link -a "$family" != inet6; then
# Omit route derived from IP address, e.g.
# 172.16.0.0/16 derived from 172.16.12.34,
# but preserve IPv6 link-local address.
continue 2
fi
;;
"$dev"|"$dev:"*)
# Address label string
label=`echo $1 | sed "s/$dev/$dst/"`
addrcmd="$addrcmd label $label"
shift
continue
;;
esac
addrcmd="$addrcmd $1"
shift
done
if test "$1" != "$dev"; then
addrcmd="$addrcmd $1"
fi
echo ip -f $family addr add $addrcmd dev $dst
done
}
# Prints commands needed to move the ip route of interface $1 to interface $2
move_ip_routes () {
if [ -z "$1" ] || [ -z "$2" ]; then
return
fi
dev="$1"
dst="$2"
echo "ip route flush dev $dev proto boot 2>/dev/null" # Suppresses "Nothing to flush".
ip route show dev $dev | while read route; do
# "proto kernel" routes are installed by the kernel automatically.
case $route in
*" proto kernel "*) continue ;;
esac
echo "ip route add $route dev $dst"
done
}
run_as_ovsuser() {
if [ "$OVS_USER" != "" ]; then
local uid=$(id -u "${OVS_USER%:*}")
local gid=$(id -g "${OVS_USER%:*}")
local groups=$(id -G "${OVS_USER%:*}" | tr ' ' ',')
setpriv --reuid "$uid" --regid "$gid" --groups "$groups" "$@"
else
"$@"
fi
}
ovsdb_tool () {
run_as_ovsuser ovsdb-tool -vconsole:off "$@"
}
create_db () {
DB_FILE="$1"
DB_SCHEMA="$2"
action "Creating empty database $DB_FILE" ovsdb_tool create "$DB_FILE" "$DB_SCHEMA"
}
backup_db () {
# Back up the old version.
version=`ovsdb_tool db-version "$DB_FILE"`
cksum=`ovsdb_tool db-cksum "$DB_FILE" | awk '{print $1}'`
backup=$DB_FILE.backup$version-$cksum
action "Backing up database to $backup" cp "$DB_FILE" "$backup" || return 1
}
upgrade_db () {
DB_FILE="$1"
DB_SCHEMA="$2"
schemaver=`ovsdb_tool schema-version "$DB_SCHEMA"`
if test ! -e "$DB_FILE"; then
log_warning_msg "$DB_FILE does not exist"
install_dir `dirname $DB_FILE`
create_db "$DB_FILE" "$DB_SCHEMA"
elif test X"`ovsdb_tool needs-conversion "$DB_FILE" "$DB_SCHEMA"`" = Xyes; then
backup_db || return 1
# Compact database. This is important if the old schema did not enable
# garbage collection (i.e. if it did not have any tables with "isRoot":
# true) but the new schema does. In that situation the old database
# may contain a transaction that creates a record followed by a
# transaction that creates the first use of the record. Replaying that
# series of transactions against the new database schema (as "convert"
# does) would cause the record to be dropped by the first transaction,
# then the second transaction would cause a referential integrity
# failure (for a strong reference).
#
# Errors might occur on an Open vSwitch downgrade if ovsdb-tool doesn't
# understand some feature of the schema used in the OVSDB version that
# we're downgrading from, so we don't give up on error.
action "Compacting database" ovsdb_tool compact "$DB_FILE"
# Upgrade or downgrade schema.
if action "Converting database schema" ovsdb_tool convert "$DB_FILE" "$DB_SCHEMA"; then
:
else
log_warning_msg "Schema conversion failed, using empty database instead"
rm -f "$DB_FILE"
create_db "$DB_FILE" "$DB_SCHEMA"
fi
fi
}
upgrade_cluster () {
local DB_SCHEMA=$1 DB_SERVER=$2
local schema_name=$(ovsdb-tool schema-name $1) || return 1
action "Waiting for $schema_name to come up" ovsdb-client -t 30 wait "$DB_SERVER" "$schema_name" connected || return $?
local db_version=$(ovsdb-client -t 10 get-schema-version "$DB_SERVER" "$schema_name") || return $?
local target_version=$(ovsdb-tool schema-version "$DB_SCHEMA") || return $?
if ovsdb-tool compare-versions "$db_version" == "$target_version"; then
:
elif ovsdb-tool compare-versions "$db_version" ">" "$target_version"; then
log_warning_msg "Database $schema_name has newer schema version ($db_version) than our local schema ($target_version), possibly an upgrade is partially complete?"
else
action "Upgrading database $schema_name from schema version $db_version to $target_version" ovsdb-client -t 30 convert "$DB_SERVER" "$DB_SCHEMA"
fi
}
create_cluster () {
DB_FILE="$1"
DB_SCHEMA="$2"
LOCAL_ADDR="$3"
ELECTION_TIMER_MS="$4"
election_timer_arg=
if [ -n "$ELECTION_TIMER_MS" ]; then
election_timer_arg="--election-timer=$ELECTION_TIMER_MS"
fi
if test ! -e "$DB_FILE"; then
action "Creating cluster database $DB_FILE" ovsdb_tool $election_timer_arg create-cluster "$DB_FILE" "$DB_SCHEMA" "$LOCAL_ADDR"
elif ovsdb_tool db-is-standalone "$DB_FILE"; then
# Convert standalone database to clustered.
backup_db || return 1
rm -f "$DB_FILE"
action "Creating cluster database $DB_FILE from existing one" \
ovsdb_tool $election_timer_arg create-cluster "$DB_FILE" "$backup" "$LOCAL_ADDR"
fi
}
join_cluster() {
DB_FILE="$1"
SCHEMA_NAME="$2"
LOCAL_ADDR="$3"
REMOTE_ADDR="$4"
if test -e "$DB_FILE" && ovsdb_tool db-is-standalone "$DB_FILE"; then
backup_db || return 1
rm $DB_FILE
fi
if test ! -e "$DB_FILE"; then
action "Joining $DB_FILE to cluster" \
ovsdb_tool join-cluster "$DB_FILE" "$SCHEMA_NAME" "$LOCAL_ADDR" "$REMOTE_ADDR"
fi
}
ovs_vsctl () {
ovs-vsctl --no-wait "$@"
}
## ----------------- ##
## force-reload-kmod ##
## ----------------- ##
ovs_kmod_ctl () {
"$dir0/ovs-kmod-ctl" "$@"
}
internal_interfaces () {
# Outputs a list of internal interfaces:
#
# - There is an internal interface for every bridge, whether it
# has an Interface record or not and whether the Interface
# record's 'type' is properly set or not.
#
# - There is an internal interface for each Interface record whose
# 'type' is 'internal'.
#
# But ignore interfaces that don't really exist.
for d in `(ovs_vsctl --bare \
-- --columns=name find Interface type=internal \
-- list-br) | sort -u`
do
if test -e "/sys/class/net/$d"; then
printf "%s " "$d"
fi
done
}
ovs_save () {
bridges=`ovs_vsctl -- --real list-br`
if [ -n "${bridges}" ] && \
"$datadir/scripts/ovs-save" "$1" ${bridges} > "$2"; then
chmod +x "$2"
return 0
fi
[ -z "${bridges}" ] && return 0
}
save_flows_if_required () {
if test X"$DELETE_BRIDGES" != Xyes; then
action "Saving flows" ovs_save save-flows "${script_flows}"
fi
}
save_interfaces () {
"$datadir/scripts/ovs-save" save-interfaces ${ifaces} \
> "${script_interfaces}"
}
flow_restore_wait () {
if test X"${OVS_VSWITCHD:-yes}" = Xyes; then
ovs_vsctl set open_vswitch . other_config:flow-restore-wait="true"
fi
}
flow_restore_complete () {
if test X"${OVS_VSWITCHD:-yes}" = Xyes; then
ovs_vsctl --if-exists remove open_vswitch . other_config \
flow-restore-wait="true"
fi
}
restore_flows () {
[ -x "${script_flows}" ] && \
action "Restoring saved flows" "${script_flows}"
}
restore_interfaces () {
[ ! -x "${script_interfaces}" ] && return 0
action "Restoring interface configuration" "${script_interfaces}"
rc=$?
if test $rc = 0; then
level=debug
else
level=err
fi
log="logger -p daemon.$level -t ovs-save"
$log "interface restore script exited with status $rc:"
$log -f "$script_interfaces"
}
init_restore_scripts () {
script_interfaces=`mktemp`
script_flows=`mktemp`
trap 'rm -f "${script_interfaces}" "${script_flows}"' 0
}
force_reload_kmod () {
if test X"${OVS_VSWITCHD:-yes}" != Xyes; then
log_failure_msg "Reloading of kmod without ovs-vswitchd is an error"
exit 1
fi
ifaces=`internal_interfaces`
action "Detected internal interfaces: $ifaces" true
init_restore_scripts
save_flows_if_required
# Restart the database first, since a large database may take a
# while to load, and we want to minimize forwarding disruption.
stop_ovsdb
start_ovsdb || return 1
stop_forwarding
if action "Saving interface configuration" save_interfaces; then
:
else
log_warning_msg "Failed to save configuration, not replacing kernel module"
start_forwarding
add_managers
exit 1
fi
chmod +x "$script_interfaces"
for dp in `ovs-dpctl dump-dps`; do
action "Removing datapath: $dp" ovs-dpctl del-dp "$dp"
done
if test -e /sys/module/ip_gre; then
action "Forcing removal of ip_gre module" rmmod ip_gre
fi
if test -e /sys/module/gre; then
action "Forcing removal of gre module" rmmod gre
fi
ovs_kmod_ctl remove
# Start vswitchd by asking it to wait till flow restore is finished.
flow_restore_wait
start_forwarding || return 1
# Restore saved flows and inform vswitchd that we are done.
restore_flows
flow_restore_complete
add_managers
restore_interfaces
action "Finding processes on dead interfaces" timeout 5 \
"$datadir/scripts/ovs-check-dead-ifs" || true
}
## ------- ##
## restart ##
## ------- ##
restart () {
if daemon_is_running ovsdb-server && daemon_is_running ovs-vswitchd; then
init_restore_scripts
if test X"${OVS_VSWITCHD:-yes}" = Xyes; then
save_flows_if_required
fi
fi
# Restart the database first, since a large database may take a
# while to load, and we want to minimize forwarding disruption.
stop_ovsdb
start_ovsdb || return 1
stop_forwarding
# Start vswitchd by asking it to wait till flow restore is finished.
flow_restore_wait
start_forwarding || return 1
# Restore saved flows and inform vswitchd that we are done.
restore_flows
flow_restore_complete
add_managers
}
Reference in New Issue View Git Blame Copy Permalink