set ovs_user_id for openvswitch and ovn so they run in non root
also ensure the hugepage mount directory can be written by the QEMU user
with id 42424
Change-Id: Ib249e15240e9feb1c1029cba4b5bcc4f018fbc10
diff --git a/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl b/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
index dad613c..c1419b6 100644
--- a/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
+++ b/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
@@ -25,6 +25,7 @@
{{- if .Values.conf.ovs_dpdk.enabled }}
mkdir -p /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
+chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} {{ .Values.conf.ovs_dpdk.hugepages_mountpath }}
{{- end }}
function start () {
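Review bot: The added `chown` renders with an empty target when `.Values.conf.ovs_dpdk.hugepages_mountpath` is unset, leaving a `chown` with only an owner argument that fails at container start; wrap it in `{{- if .Values.conf.ovs_dpdk.hugepages_mountpath }} … {{- end }}` or fail the render when the value is missing. It also hands the hugepage mount to `pod.user.nova.uid`, while the `--user` hunk below has vswitchd itself drop to `conf.ovs_user_name`; unless those resolve to the same uid/gid inside the image, the DPDK EAL running as the OVS user may lack write access to that directory, so this is worth confirming, or granting group write rather than a plain owner change. The `uid.uid` separator is the legacy form; `{{ .Values.pod.user.nova.uid }}:{{ .Values.pod.user.nova.uid }}` is the documented `user:group` spelling.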
@@ -118,7 +119,8 @@
-vconsole:err \
-vconsole:info \
--pidfile=${OVS_PID} \
- --mlockall
+ --mlockall \
+ --user={{ .Values.conf.ovs_user_name }}
}
function stop () {
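Review bot: `--user={{ .Values.conf.ovs_user_name }}` is emitted unconditionally, although the values.yaml comment in this same commit describes the setting as optional; an empty value renders a bare `--user=` whose handling the chart should not rely on. Guard it so an empty value keeps the previous behaviour, keeping the line continuation inside the guard so `--mlockall` is not followed by a dangling `\`: `--mlockall{{- if .Values.conf.ovs_user_name }} \` then `--user={{ .Values.conf.ovs_user_name }}{{- end }}`. Note that ovs-vswitchd's `--user` works by starting as root and switching uid/gid after setup, so the container must still start as uid 0 with setuid/setgid capability available — worth stating in a comment above the flag. The enclosing `start()` function begins before this hunk.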
diff --git a/charts/openvswitch/templates/daemonset.yaml b/charts/openvswitch/templates/daemonset.yaml
index 3a66fa5..189b507 100644
--- a/charts/openvswitch/templates/daemonset.yaml
+++ b/charts/openvswitch/templates/daemonset.yaml
@@ -150,10 +150,10 @@
- name: run
mountPath: /run
- name: openvswitch-vswitchd
-{{- if .Values.conf.ovs_dpdk.enabled }}
{{/* Run the container in priviledged mode due to the need for root
-permissions when using the uio_pci_generic driver. */}}
+permissions when using --user to specify non root user. */}}
{{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
+{{- if .Values.conf.ovs_dpdk.enabled }}
{{/* Limiting CPU cores would severely affect packet throughput
It should be handled through lcore and pmd core masks. */}}
{{- if .Values.pod.resources.enabled }}
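Review bot: Moving the `set … "privileged" true` out of the `ovs_dpdk.enabled` guard makes every vswitchd container privileged, including non-DPDK deployments that previously ran without it; privileged mode grants all capabilities plus host device access, which is far more than `--user` needs. Dropping to another uid after startup requires the process to begin as root with CAP_SETUID/CAP_SETGID on top of the network capabilities vswitchd already needed, so consider expressing that as an explicit capability list in `pod.security_context.ovs.container.vswitchd` for the non-DPDK path and keeping `privileged` tied to DPDK. The rewritten comment should name the actual requirement rather than "root permissions", e.g. `{{/* Privileged: vswitchd starts as root and drops to --user after setup; DPDK uio_pci_generic additionally needs device access. */}}`; `priviledged` in the retained line is a typo.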
@@ -271,4 +271,4 @@
hostPath:
path: /sys/fs/cgroup
{{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/openvswitch/values.yaml b/charts/openvswitch/values.yaml
index 01aa93d..5555b60 100644
--- a/charts/openvswitch/values.yaml
+++ b/charts/openvswitch/values.yaml
@@ -241,4 +241,9 @@
# vHost IOMMU feature restricts the vhost memory that a virtio device
# access, available with DPDK v17.11
# vhost_iommu_support: true
+
+ ## OVS supports run in non-root for both OVS and OVS DPDK mode, you can
+ # optionally specify to use user with id 42424, ensure the user exists
+ # in the container image.
+ ovs_user_name: "openvswitch:openvswitch"
...
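Review bot: The new comment describes the value as an optional uid-42424 user, but the key holds a `user:group` name pair that `--user` resolves inside the container image, and the template currently passes it unconditionally, so "optionally" is only true once the vswitchd script guards the flag. Document the format and the image requirement instead, e.g. `# User and group (user:group) that ovs-vswitchd drops to after startup via --user; both must exist in the container image. Leave empty to keep running as root.` The mixed `##`/`#` prefixes on consecutive lines should match the surrounding `#` comment style.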
diff --git a/charts/patches/openvswitch/0001-add-openvswitch-user-for-OVS-to-make-it-run-non-root.patch b/charts/patches/openvswitch/0001-add-openvswitch-user-for-OVS-to-make-it-run-non-root.patch
new file mode 100644
index 0000000..327ecad
--- /dev/null
+++ b/charts/patches/openvswitch/0001-add-openvswitch-user-for-OVS-to-make-it-run-non-root.patch
@@ -0,0 +1,74 @@
+From a39ff68c922ecbc1ff9379d7bcd179d0de7d6643 Mon Sep 17 00:00:00 2001
+From: Yaguang Tang <yaguang.tang@vexxhost.com>
+Date: Sun, 19 Jan 2025 18:51:49 +0800
+Subject: [PATCH] add openvswitch user for OVS to make it run non-root
+
+Change-Id: Ib46f95221c4a978a78675c5140bbb8dfdabea3b7
+---
+ openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl | 4 +++-
+ openvswitch/templates/daemonset.yaml | 6 +++---
+ openvswitch/values.yaml | 5 +++++
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
+index dad613c3..c1419b66 100644
+--- a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
++++ b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
+@@ -25,6 +25,7 @@ OVS_PID=/run/openvswitch/ovs-vswitchd.pid
+ {{- if .Values.conf.ovs_dpdk.enabled }}
+ mkdir -p /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
+ chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
++chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} {{ .Values.conf.ovs_dpdk.hugepages_mountpath }}
+ {{- end }}
+
+ function start () {
+@@ -118,7 +119,8 @@ function start () {
+ -vconsole:err \
+ -vconsole:info \
+ --pidfile=${OVS_PID} \
+- --mlockall
++ --mlockall \
++ --user={{ .Values.conf.ovs_user_name }}
+ }
+
+ function stop () {
+diff --git a/openvswitch/templates/daemonset.yaml b/openvswitch/templates/daemonset.yaml
+index 3a66fa51..189b507a 100644
+--- a/openvswitch/templates/daemonset.yaml
++++ b/openvswitch/templates/daemonset.yaml
+@@ -150,10 +150,10 @@ spec:
+ - name: run
+ mountPath: /run
+ - name: openvswitch-vswitchd
+-{{- if .Values.conf.ovs_dpdk.enabled }}
+ {{/* Run the container in priviledged mode due to the need for root
+-permissions when using the uio_pci_generic driver. */}}
++permissions when using --user to specify non root user. */}}
+ {{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
++{{- if .Values.conf.ovs_dpdk.enabled }}
+ {{/* Limiting CPU cores would severely affect packet throughput
+ It should be handled through lcore and pmd core masks. */}}
+ {{- if .Values.pod.resources.enabled }}
+@@ -271,4 +271,4 @@ It should be handled through lcore and pmd core masks. */}}
+ hostPath:
+ path: /sys/fs/cgroup
+ {{- end }}
+-{{- end }}
+\ No newline at end of file
++{{- end }}
+diff --git a/openvswitch/values.yaml b/openvswitch/values.yaml
+index 01aa93d3..5555b60f 100644
+--- a/openvswitch/values.yaml
++++ b/openvswitch/values.yaml
+@@ -241,4 +241,9 @@ conf:
+ # vHost IOMMU feature restricts the vhost memory that a virtio device
+ # access, available with DPDK v17.11
+ # vhost_iommu_support: true
++
++ ## OVS supports run in non-root for both OVS and OVS DPDK mode, you can
++ # optionally specify to use user with id 42424, ensure the user exists
++ # in the container image.
++ ovs_user_name: "openvswitch:openvswitch"
+ ...
+--
+2.39.5 (Apple Git-154)