set ovs_user_id for openvswitch and ovn so they run in non root
also ensure hugepage mount directory can be write by QEMU user
with id 42424
Change-Id: Ib249e15240e9feb1c1029cba4b5bcc4f018fbc10
diff --git a/build/pin-images.py b/build/pin-images.py
index 30700c3..fbc8f2c 100755
--- a/build/pin-images.py
+++ b/build/pin-images.py
@@ -22,7 +22,7 @@
if token:
headers["Authorization"] = f"Bearer {token}"
else:
- r = requests.get(url, timeout=5)
+ r = requests.get(url, timeout=5, verify=False)
auth_header = r.headers.get("Www-Authenticate")
if auth_header:
realm = auth_header.split(",")[0].split("=")[1].strip('"')
@@ -30,6 +30,7 @@
r = requests.get(
realm,
timeout=5,
+ verify=False,
params={"scope": f"repository:{image_ref.path()}:pull"},
)
r.raise_for_status()
@@ -42,6 +43,7 @@
r = requests.get(
f"https://{image_ref.domain()}/v2/{image_ref.path()}/manifests/{image_ref['tag']}",
timeout=5,
+ verify=False,
headers=headers,
)
r.raise_for_status()
@@ -52,6 +54,7 @@
r = requests.get(
f"https://{image_ref.domain()}/v2/{image_ref.path()}/manifests/{image_ref['tag']}",
timeout=5,
+ verify=False,
headers=headers,
)
r.raise_for_status()
@@ -62,7 +65,10 @@
def get_pinned_image(image_src):
image_ref = reference.Reference.parse(image_src)
if image_ref.domain() != "harbor.atmosphere.dev":
- image_ref = reference.Reference.parse("harbor.atmosphere.dev/" + image_src)
+ try:
+ image_ref = reference.Reference.parse("harbor.atmosphere.dev/" + image_src)
+ except Exception:
+ LOG.warn(f"failed to parse image path {image_src}")
if (
image_ref.domain() == "registry.atmosphere.dev"
diff --git a/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl b/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
index dad613c..c1419b6 100644
--- a/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
+++ b/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
@@ -25,6 +25,7 @@
{{- if .Values.conf.ovs_dpdk.enabled }}
mkdir -p /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
+chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} {{ .Values.conf.ovs_dpdk.hugepages_mountpath }}
{{- end }}
function start () {
@@ -118,7 +119,8 @@
-vconsole:err \
-vconsole:info \
--pidfile=${OVS_PID} \
- --mlockall
+ --mlockall \
+ --user={{ .Values.conf.ovs_user_name }}
}
function stop () {
diff --git a/charts/openvswitch/templates/daemonset.yaml b/charts/openvswitch/templates/daemonset.yaml
index 3a66fa5..189b507 100644
--- a/charts/openvswitch/templates/daemonset.yaml
+++ b/charts/openvswitch/templates/daemonset.yaml
@@ -150,10 +150,10 @@
- name: run
mountPath: /run
- name: openvswitch-vswitchd
-{{- if .Values.conf.ovs_dpdk.enabled }}
{{/* Run the container in priviledged mode due to the need for root
-permissions when using the uio_pci_generic driver. */}}
+permissions when using --user to specify non root user. */}}
{{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
+{{- if .Values.conf.ovs_dpdk.enabled }}
{{/* Limiting CPU cores would severely affect packet throughput
It should be handled through lcore and pmd core masks. */}}
{{- if .Values.pod.resources.enabled }}
@@ -271,4 +271,4 @@
hostPath:
path: /sys/fs/cgroup
{{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/openvswitch/values.yaml b/charts/openvswitch/values.yaml
index 01aa93d..5555b60 100644
--- a/charts/openvswitch/values.yaml
+++ b/charts/openvswitch/values.yaml
@@ -241,4 +241,9 @@
# vHost IOMMU feature restricts the vhost memory that a virtio device
# access, available with DPDK v17.11
# vhost_iommu_support: true
+
+ ## OVS supports run in non-root for both OVS and OVS DPDK mode, you can
+ # optionally specify to use user with id 42424, ensure the user exists
+ # in the container image.
+ ovs_user_name: "openvswitch:openvswitch"
...
diff --git a/charts/patches/openvswitch/0001-add-openvswitch-user-for-OVS-to-make-it-run-non-root.patch b/charts/patches/openvswitch/0001-add-openvswitch-user-for-OVS-to-make-it-run-non-root.patch
new file mode 100644
index 0000000..327ecad
--- /dev/null
+++ b/charts/patches/openvswitch/0001-add-openvswitch-user-for-OVS-to-make-it-run-non-root.patch
@@ -0,0 +1,74 @@
+From a39ff68c922ecbc1ff9379d7bcd179d0de7d6643 Mon Sep 17 00:00:00 2001
+From: Yaguang Tang <yaguang.tang@vexxhost.com>
+Date: Sun, 19 Jan 2025 18:51:49 +0800
+Subject: [PATCH] add openvswitch user for OVS to make it run non-root
+
+Change-Id: Ib46f95221c4a978a78675c5140bbb8dfdabea3b7
+---
+ openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl | 4 +++-
+ openvswitch/templates/daemonset.yaml | 6 +++---
+ openvswitch/values.yaml | 5 +++++
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
+index dad613c3..c1419b66 100644
+--- a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
++++ b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
+@@ -25,6 +25,7 @@ OVS_PID=/run/openvswitch/ovs-vswitchd.pid
+ {{- if .Values.conf.ovs_dpdk.enabled }}
+ mkdir -p /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
+ chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
++chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} {{ .Values.conf.ovs_dpdk.hugepages_mountpath }}
+ {{- end }}
+
+ function start () {
+@@ -118,7 +119,8 @@ function start () {
+ -vconsole:err \
+ -vconsole:info \
+ --pidfile=${OVS_PID} \
+- --mlockall
++ --mlockall \
++ --user={{ .Values.conf.ovs_user_name }}
+ }
+
+ function stop () {
+diff --git a/openvswitch/templates/daemonset.yaml b/openvswitch/templates/daemonset.yaml
+index 3a66fa51..189b507a 100644
+--- a/openvswitch/templates/daemonset.yaml
++++ b/openvswitch/templates/daemonset.yaml
+@@ -150,10 +150,10 @@ spec:
+ - name: run
+ mountPath: /run
+ - name: openvswitch-vswitchd
+-{{- if .Values.conf.ovs_dpdk.enabled }}
+ {{/* Run the container in priviledged mode due to the need for root
+-permissions when using the uio_pci_generic driver. */}}
++permissions when using --user to specify non root user. */}}
+ {{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
++{{- if .Values.conf.ovs_dpdk.enabled }}
+ {{/* Limiting CPU cores would severely affect packet throughput
+ It should be handled through lcore and pmd core masks. */}}
+ {{- if .Values.pod.resources.enabled }}
+@@ -271,4 +271,4 @@ It should be handled through lcore and pmd core masks. */}}
+ hostPath:
+ path: /sys/fs/cgroup
+ {{- end }}
+-{{- end }}
+\ No newline at end of file
++{{- end }}
+diff --git a/openvswitch/values.yaml b/openvswitch/values.yaml
+index 01aa93d3..5555b60f 100644
+--- a/openvswitch/values.yaml
++++ b/openvswitch/values.yaml
+@@ -241,4 +241,9 @@ conf:
+ # vHost IOMMU feature restricts the vhost memory that a virtio device
+ # access, available with DPDK v17.11
+ # vhost_iommu_support: true
++
++ ## OVS supports run in non-root for both OVS and OVS DPDK mode, you can
++ # optionally specify to use user with id 42424, ensure the user exists
++ # in the container image.
++ ovs_user_name: "openvswitch:openvswitch"
+ ...
+--
+2.39.5 (Apple Git-154)
diff --git a/images/openvswitch/Dockerfile b/images/openvswitch/Dockerfile
index acc2c41..5299c47 100644
--- a/images/openvswitch/Dockerfile
+++ b/images/openvswitch/Dockerfile
@@ -16,4 +16,6 @@
tcpdump
dnf -y clean all
rm -rf /var/cache/dnf
+usermod -u 42424 openvswitch
+groupmod -g 42424 openvswitch
EOF
diff --git a/images/ovn/Dockerfile b/images/ovn/Dockerfile
index c8b7729..7847744 100644
--- a/images/ovn/Dockerfile
+++ b/images/ovn/Dockerfile
@@ -15,6 +15,7 @@
EOF
FROM ${REGISTRY}/openvswitch:${RELEASE}
+ENV OVS_USER_ID=42424
ARG TARGETPLATFORM
ADD --chmod=755 https://dl.k8s.io/release/v1.29.3/bin/${TARGETPLATFORM}/kubectl /usr/local/bin/kubectl
ARG OVN_SERIES=24.03
@@ -35,3 +36,9 @@
COPY --from=ovn-kubernetes --link /src/dist/images/ovndb-raft-functions.sh /root/ovndb-raft-functions.sh
COPY --from=ovn-kubernetes --link /src/dist/images/ovnkube.sh /root/ovnkube.sh
COPY --from=ovn-kubernetes --link /usr/bin/ovn-kube-util /usr/bin/ovn-kube-util
+
+RUN <<EOF bash -xe
+ usermod -u 42424 openvswitch
+ mkdir -p /var/log/ovn /var/lib/ovn /var/run/ovn
+ chown -Rv 42424:42424 /var/log/ovn /var/lib/ovn /var/run/ovn
+EOF
diff --git a/releasenotes/notes/fix-ovs-dpdk-permission-issue-fea15d01685d2e1b.yaml b/releasenotes/notes/fix-ovs-dpdk-permission-issue-fea15d01685d2e1b.yaml
new file mode 100644
index 0000000..ab4ea07
--- /dev/null
+++ b/releasenotes/notes/fix-ovs-dpdk-permission-issue-fea15d01685d2e1b.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ When use OVS with DPDK, by default both OVS and OVN run with root user, this
+ may cause issue that QEMU can't write vhost user socket file in openvswitch
+ runtime directory (``/run/openvswitch``). This has been fixed by config Open
+ vSwitch and OVN componments to run with non root user id 42424 which is same
+ with QEMU and other OpenStack services inside the container.