SUSE:SLE-15-SP2:Update
File 0001-utilities-Launch-ovsdb-tool-without-using-PAM.patch of Package openvswitch.7636
From 5c5c6e0054a9a80fabfa99a0e14752df327e75f4 Mon Sep 17 00:00:00 2001 
From: Timothy Redaelli <tredaelli@redhat.com>
Date: Mon, 6 Aug 2018 12:03:40 +0200
Subject: [PATCH] utilities: Launch ovsdb-tool without using PAM

When ovsdb-server is starting, it performs some DB steps such as
creating and upgrading the OvS DB. When we are running as 'non-root'
user, the 'runuser' tool is used to manage the privileges. However,
when this happens during systemd boot, we observe the following errors
in journald:

Jun 21 07:32:57 virt systemd[1]: session-c1.scope: Failed to add PIDs to scope's control group: No such process
Jun 21 07:32:57 virt systemd[1]: Failed to start Session c1 of user openvswitch.
Jun 21 07:32:57 virt systemd[1]: session-c1.scope: Unit entered failed state.

According to the analysis performed on openSUSE bugzilla[1], it seems
that ovsdb-server.service creates (via the call to runuser) a user
session and therefore call pam_systemd which in its turn tries to start
a systemd user instance: "user@474.service". However "user@474.service"
is supposed to be started after systemd-user-sessions.service which is
supposed to be started after network.target. Additionally,
ovsdb-server.service uses Before=network.target hence the deadlock.

This commit uses "setpriv" instead of "runuser" to launch "ovsdb-tool"
that doesn't use PAM and so it permits to launch "ovsdb-tool" as a user
without having the deadlock.

Since some old versions for "setpriv" (such as the one used by RHEL7)
doesn't support the username / groupname, but only the user ids / group
ids, "id" is used to get the user ID and the group IDs.

To replicate the same behaviour of "runuser", the effective group ID of
the user is used as GID (usually "openvswitch") and the remaining group
IDs are used as supplementary groups (usually "hugetlbfs", if OVS is
built with DPDK support).

[1]: https://bugzilla.suse.com/show_bug.cgi?id=1098630 Reported-by: Markos Chandras <mchandras@suse.de> Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-July/349716.html Co-authored-by: Aaron Conole <aconole@redhat.com> Signed-off-by: Timothy Redaelli <tredaelli@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Aaron Conole <aconole@redhat.com> --- utilities/ovs-lib.in | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in index 1bccea0c5..0b5f4ce50 100644 --- a/utilities/ovs-lib.in +++ b/utilities/ovs-lib.in @@ -387,7 +387,10 @@ move_ip_routes () { ovsdb_tool () { if [ "$OVS_USER" != "" ]; then - runuser --user "${OVS_USER%:*}" -- ovsdb-tool -vconsole:off "$@" + local uid=$(id -u "${OVS_USER%:*}") + local gid=$(id -g "${OVS_USER%:*}") + local groups=$(id -G "${OVS_USER%:*}" | tr ' ' ',') + setpriv --reuid "$uid" --regid "$gid" --groups "$groups" ovsdb-tool -vconsole:off "$@" else ovsdb-tool -vconsole:off "$@" fi -- 2.16.4
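Review bot: in `ovsdb_tool ()`, the three added `local uid=$(id -u ...)`, `local gid=$(id -g ...)` and `local groups=$(id -G ... | tr ' ' ',')` lines never check that the lookup succeeded. `local` returns its own status and the pipeline returns that of `tr`, so a missing or misspelled `OVS_USER` leaves empty strings that flow straight into `setpriv --reuid "$uid" --regid "$gid" --groups "$groups"`. The function then relies entirely on setpriv rejecting the empty arguments to avoid running ovsdb-tool with the caller's privileges. Suggest declaring the variables first, assigning them in separate statements, and returning an error before the setpriv call if any of them is empty. Two smaller points: `${OVS_USER%:*}` is expanded three times and could be stored once, and the group half of a `user:group` value is still discarded in favour of `id -g`, which deserves a short comment in the code since only the commit message explains it as matching runuser.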