set ovs_user_id for openvswitch and ovn so they run in non root

also ensure the hugepage mount directory can be written by the QEMU user
with id 42424

Change-Id: Ib249e15240e9feb1c1029cba4b5bcc4f018fbc10
diff --git a/build/pin-images.py b/build/pin-images.py
index 30700c3..fbc8f2c 100755
--- a/build/pin-images.py
+++ b/build/pin-images.py
@@ -22,7 +22,7 @@
     if token:
         headers["Authorization"] = f"Bearer {token}"
     else:
-        r = requests.get(url, timeout=5)
+        r = requests.get(url, timeout=5, verify=False)
         auth_header = r.headers.get("Www-Authenticate")
         if auth_header:
             realm = auth_header.split(",")[0].split("=")[1].strip('"')
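Review bot: `verify=False` on line 16 disables TLS certificate verification for the registry request, so the digest this script pins is only as trustworthy as an unauthenticated channel — anyone who can intercept the connection can substitute a manifest — and the commit message does not mention this change at all. The same flag is added in the three following hunks (the realm token request and both manifest requests). If the registry uses a private CA, keep the default `verify=True` and point `REQUESTS_CA_BUNDLE` at that CA, or accept a CA-bundle path as a script option and pass it as `verify=ca_bundle`; `verify=False` also makes urllib3 emit an InsecureRequestWarning on every call. The enclosing function starts before this hunk.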
@@ -30,6 +30,7 @@
             r = requests.get(
                 realm,
                 timeout=5,
+                verify=False,
                 params={"scope": f"repository:{image_ref.path()}:pull"},
             )
             r.raise_for_status()
@@ -42,6 +43,7 @@
         r = requests.get(
             f"https://{image_ref.domain()}/v2/{image_ref.path()}/manifests/{image_ref['tag']}",
             timeout=5,
+            verify=False,
             headers=headers,
         )
         r.raise_for_status()
@@ -52,6 +54,7 @@
         r = requests.get(
             f"https://{image_ref.domain()}/v2/{image_ref.path()}/manifests/{image_ref['tag']}",
             timeout=5,
+            verify=False,
             headers=headers,
         )
         r.raise_for_status()
@@ -62,7 +65,10 @@
 def get_pinned_image(image_src):
     image_ref = reference.Reference.parse(image_src)
     if image_ref.domain() != "harbor.atmosphere.dev":
-        image_ref = reference.Reference.parse("harbor.atmosphere.dev/" + image_src)
+        try:
+            image_ref = reference.Reference.parse("harbor.atmosphere.dev/" + image_src)
+        except Exception:
+            LOG.warn(f"failed to parse image path {image_src}")
 
     if (
         image_ref.domain() == "registry.atmosphere.dev"
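Review bot: The new `except Exception` on line 51 logs and falls through, so when the prefixed parse fails `image_ref` keeps the reference parsed on line 46 — one whose domain is not harbor.atmosphere.dev — and the rest of the function continues with a registry the caller did not intend. Either re-raise after logging or return early so the caller sees the failure, and narrow the clause to whatever `reference.Reference.parse` actually raises rather than `Exception` (the hunk does not show which that is). `LOG.warn` is the deprecated alias of `LOG.warning`; prefer `LOG.warning("failed to parse image path %s", image_src)` with lazy formatting. get_pinned_image continues past the end of this hunk.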
diff --git a/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl b/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
index dad613c..c1419b6 100644
--- a/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
+++ b/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
@@ -25,6 +25,7 @@
 {{- if .Values.conf.ovs_dpdk.enabled }}
 mkdir -p /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
 chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
+chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} {{ .Values.conf.ovs_dpdk.hugepages_mountpath }}
 {{- end }}
 
 function start () {
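Review bot: The added `chown` on line 64 hands the whole hugepage mount to `.Values.pod.user.nova.uid`, while ovs-vswitchd itself is switched to `.Values.conf.ovs_user_name` in the next hunk; the two only line up because both are intended to be uid 42424, and nothing in the template enforces that, so if the values diverge vswitchd loses write access to its own hugepage backing files. Consider deriving both from one value or documenting the coupling next to `ovs_user_name`. The `user.group` form of chown is deprecated in coreutils in favour of `user:group`, which the ovn Dockerfile in this commit already uses: `chown {{ .Values.pod.user.nova.uid }}:{{ .Values.pod.user.nova.uid }} {{ .Values.conf.ovs_dpdk.hugepages_mountpath }}`. I could not see `hugepages_mountpath` being defined in values.yaml within this diff; confirm it exists so the command does not render with a missing operand. start() opens on the last line of this hunk and continues outside it.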
@@ -118,7 +119,8 @@
           -vconsole:err \
           -vconsole:info \
           --pidfile=${OVS_PID} \
-          --mlockall
+          --mlockall \
+          --user={{ .Values.conf.ovs_user_name }}
 }
 
 function stop () {
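Review bot: `--user={{ .Values.conf.ovs_user_name }}` on line 74 is emitted unconditionally, although the values.yaml comment in this commit calls the setting optional; an unset value renders as a bare `--user=`, which ovs-vswitchd will likely reject or mis-parse rather than fall back to root. Guard the flag without a whitespace-trimming dash so the line stays a harmless empty continuation when unset: `--mlockall \` followed by `{{ if .Values.conf.ovs_user_name }}--user={{ .Values.conf.ovs_user_name }}{{ end }}`. The body of start() begins before this hunk.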
diff --git a/charts/openvswitch/templates/daemonset.yaml b/charts/openvswitch/templates/daemonset.yaml
index 3a66fa5..189b507 100644
--- a/charts/openvswitch/templates/daemonset.yaml
+++ b/charts/openvswitch/templates/daemonset.yaml
@@ -150,10 +150,10 @@
             - name: run
               mountPath: /run
         - name: openvswitch-vswitchd
-{{- if .Values.conf.ovs_dpdk.enabled }}
 {{/* Run the container in priviledged mode due to the need for root
-permissions when using the uio_pci_generic driver. */}}
+permissions when using --user to specify non root user. */}}
 {{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
+{{- if .Values.conf.ovs_dpdk.enabled }}
 {{/* Limiting CPU cores would severely affect packet throughput
 It should be handled through lcore and pmd core masks. */}}
 {{- if .Values.pod.resources.enabled }}
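Review bot: Moving `{{- if .Values.conf.ovs_dpdk.enabled }}` below the `set ... "privileged" true` on lines 90–91 makes the vswitchd container privileged in every deployment, not only with DPDK, which broadens host access in a way neither the commit message nor the release note mentions. `privileged: true` grants every capability plus host device access, whereas `ovs-vswitchd --user` only needs to start with enough privilege to drop to the target user and retain the capabilities it uses (for example CAP_IPC_LOCK for `--mlockall` and CAP_NET_ADMIN), so a `capabilities.add` list may suffice for the non-DPDK case — worth verifying before making privileged unconditional. The rewritten comment on line 89 should also state the actual reason, e.g. `Run the container privileged so ovs-vswitchd can start as root and drop to --user; DPDK additionally needs host device access.`, and the `priviledged` typo on line 87 could be fixed while the comment is being touched.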
@@ -271,4 +271,4 @@
           hostPath:
             path: /sys/fs/cgroup
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/openvswitch/values.yaml b/charts/openvswitch/values.yaml
index 01aa93d..5555b60 100644
--- a/charts/openvswitch/values.yaml
+++ b/charts/openvswitch/values.yaml
@@ -241,4 +241,9 @@
     #     vHost IOMMU feature restricts the vhost memory that a virtio device
     #     access, available with DPDK v17.11
     # vhost_iommu_support: true
+
+  ## OVS supports run in non-root for both OVS and OVS DPDK mode, you can
+  # optionally specify to use user with id 42424, ensure the user exists
+  # in the container image.
+  ovs_user_name: "openvswitch:openvswitch"
 ...
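Review bot: The comment on lines 111–113 says the setting selects `user with id 42424`, but the value on line 114 is a `user:group` name pair and the numeric id is fixed by the image's `usermod`/`groupmod` calls elsewhere in this commit, so a reader tuning the chart cannot change the uid here. Reword to describe what the value is and how it is consumed, e.g. `## Run ovs-vswitchd as this user[:group] via --user instead of root (with or without DPDK). The user must exist in the image; the Atmosphere image maps it to uid/gid 42424 to match the nova/QEMU user.` The value is consumed unguarded by the `--user=` flag in the vswitchd template, so despite the word `optionally` it cannot be left empty as the template stands.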
diff --git a/charts/patches/openvswitch/0001-add-openvswitch-user-for-OVS-to-make-it-run-non-root.patch b/charts/patches/openvswitch/0001-add-openvswitch-user-for-OVS-to-make-it-run-non-root.patch
new file mode 100644
index 0000000..327ecad
--- /dev/null
+++ b/charts/patches/openvswitch/0001-add-openvswitch-user-for-OVS-to-make-it-run-non-root.patch
@@ -0,0 +1,74 @@
+From a39ff68c922ecbc1ff9379d7bcd179d0de7d6643 Mon Sep 17 00:00:00 2001
+From: Yaguang Tang <yaguang.tang@vexxhost.com>
+Date: Sun, 19 Jan 2025 18:51:49 +0800
+Subject: [PATCH] add openvswitch user for OVS to make it run non-root
+
+Change-Id: Ib46f95221c4a978a78675c5140bbb8dfdabea3b7
+---
+ openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl  | 4 +++-
+ openvswitch/templates/daemonset.yaml                    | 6 +++---
+ openvswitch/values.yaml                                 | 5 +++++
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
+index dad613c3..c1419b66 100644
+--- a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
++++ b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
+@@ -25,6 +25,7 @@ OVS_PID=/run/openvswitch/ovs-vswitchd.pid
+ {{- if .Values.conf.ovs_dpdk.enabled }}
+ mkdir -p /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
+ chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
++chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} {{ .Values.conf.ovs_dpdk.hugepages_mountpath }}
+ {{- end }}
+ 
+ function start () {
+@@ -118,7 +119,8 @@ function start () {
+           -vconsole:err \
+           -vconsole:info \
+           --pidfile=${OVS_PID} \
+-          --mlockall
++          --mlockall \
++          --user={{ .Values.conf.ovs_user_name }}
+ }
+ 
+ function stop () {
+diff --git a/openvswitch/templates/daemonset.yaml b/openvswitch/templates/daemonset.yaml
+index 3a66fa51..189b507a 100644
+--- a/openvswitch/templates/daemonset.yaml
++++ b/openvswitch/templates/daemonset.yaml
+@@ -150,10 +150,10 @@ spec:
+             - name: run
+               mountPath: /run
+         - name: openvswitch-vswitchd
+-{{- if .Values.conf.ovs_dpdk.enabled }}
+ {{/* Run the container in priviledged mode due to the need for root
+-permissions when using the uio_pci_generic driver. */}}
++permissions when using --user to specify non root user. */}}
+ {{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
++{{- if .Values.conf.ovs_dpdk.enabled }}
+ {{/* Limiting CPU cores would severely affect packet throughput
+ It should be handled through lcore and pmd core masks. */}}
+ {{- if .Values.pod.resources.enabled }}
+@@ -271,4 +271,4 @@ It should be handled through lcore and pmd core masks. */}}
+           hostPath:
+             path: /sys/fs/cgroup
+ {{- end }}
+-{{- end }}
+\ No newline at end of file
++{{- end }}
+diff --git a/openvswitch/values.yaml b/openvswitch/values.yaml
+index 01aa93d3..5555b60f 100644
+--- a/openvswitch/values.yaml
++++ b/openvswitch/values.yaml
+@@ -241,4 +241,9 @@ conf:
+     #     vHost IOMMU feature restricts the vhost memory that a virtio device
+     #     access, available with DPDK v17.11
+     # vhost_iommu_support: true
++
++  ## OVS supports run in non-root for both OVS and OVS DPDK mode, you can
++  # optionally specify to use user with id 42424, ensure the user exists
++  # in the container image.
++  ovs_user_name: "openvswitch:openvswitch"
+ ...
+--
+2.39.5 (Apple Git-154)
diff --git a/images/openvswitch/Dockerfile b/images/openvswitch/Dockerfile
index acc2c41..5299c47 100644
--- a/images/openvswitch/Dockerfile
+++ b/images/openvswitch/Dockerfile
@@ -16,4 +16,6 @@
     tcpdump
 dnf -y clean all
 rm -rf /var/cache/dnf
+usermod -u 42424 openvswitch
+groupmod -g 42424 openvswitch
 EOF
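Review bot: `usermod -u 42424 openvswitch` and `groupmod -g 42424 openvswitch` on lines 204–205 renumber the account, but `usermod -u` only re-chowns files inside the user's home directory and `groupmod -g` re-chowns nothing, so the runtime, state and log directories the package installed under the old uid/gid keep their old numeric owner and become unwritable once the daemon drops to 42424. The ovn Dockerfile in this commit handles this with an explicit `chown -R 42424:42424` over its directories; this image needs the same for the directories ovs-vswitchd and ovsdb-server write to (`/run/openvswitch`, which the release note names, is one of them). `usermod -u` also fails if uid 42424 is already taken in the base image, so a collision would surface only at this build step. `ENV OVS_USER_ID=42424` is added only to the ovn image (line 215); if the openvswitch entrypoint scripts consume that variable, it belongs here as well.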
diff --git a/images/ovn/Dockerfile b/images/ovn/Dockerfile
index c8b7729..7847744 100644
--- a/images/ovn/Dockerfile
+++ b/images/ovn/Dockerfile
@@ -15,6 +15,7 @@
 EOF
 
 FROM ${REGISTRY}/openvswitch:${RELEASE}
+ENV OVS_USER_ID=42424
 ARG TARGETPLATFORM
 ADD --chmod=755 https://dl.k8s.io/release/v1.29.3/bin/${TARGETPLATFORM}/kubectl /usr/local/bin/kubectl
 ARG OVN_SERIES=24.03
@@ -35,3 +36,9 @@
 COPY --from=ovn-kubernetes --link /src/dist/images/ovndb-raft-functions.sh /root/ovndb-raft-functions.sh
 COPY --from=ovn-kubernetes --link /src/dist/images/ovnkube.sh /root/ovnkube.sh
 COPY --from=ovn-kubernetes --link /usr/bin/ovn-kube-util /usr/bin/ovn-kube-util
+
+RUN <<EOF bash -xe
+    usermod -u 42424 openvswitch
+    mkdir -p  /var/log/ovn /var/lib/ovn /var/run/ovn
+    chown -Rv 42424:42424 /var/log/ovn /var/lib/ovn /var/run/ovn
+EOF
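Review bot: `chown -Rv 42424:42424 ... /var/run/ovn` on line 227 only affects the image layer; the openvswitch daemonset in this commit mounts a volume at `/run` (lines 83–84), and if the OVN pods do the same, the image's `/var/run/ovn` ownership is hidden at runtime and the directory must be created and chowned by the entrypoint instead. `usermod -u 42424 openvswitch` on line 225 repeats what the base image — presumably the one built from images/openvswitch/Dockerfile, line 204 — already does, so it is a no-op at best; if it is meant as a safeguard for an older base, the matching `groupmod -g 42424 openvswitch` is missing here. `-v` on a recursive chown also writes one line per file into the build log; `chown -R 42424:42424 /var/log/ovn /var/lib/ovn /var/run/ovn` is enough.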
diff --git a/releasenotes/notes/fix-ovs-dpdk-permission-issue-fea15d01685d2e1b.yaml b/releasenotes/notes/fix-ovs-dpdk-permission-issue-fea15d01685d2e1b.yaml
new file mode 100644
index 0000000..ab4ea07
--- /dev/null
+++ b/releasenotes/notes/fix-ovs-dpdk-permission-issue-fea15d01685d2e1b.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    When use OVS with DPDK, by default both OVS and OVN run with root user, this
+    may cause issue that QEMU can't write vhost user socket file in openvswitch
+    runtime directory (``/run/openvswitch``). This has been fixed by config Open
+    vSwitch and OVN componments to run with non root user id 42424 which is same
+    with QEMU and other OpenStack services inside the container.