set ovs_user_id for openvswitch and ovn so they run in non root

Also ensure the hugepage mount directory is writable by the QEMU user
with id 42424.

Change-Id: Ib249e15240e9feb1c1029cba4b5bcc4f018fbc10
diff --git a/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl b/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
index dad613c..c1419b6 100644
--- a/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
+++ b/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
@@ -25,6 +25,7 @@
 {{- if .Values.conf.ovs_dpdk.enabled }}
 mkdir -p /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
 chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
+chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} {{ .Values.conf.ovs_dpdk.hugepages_mountpath }}
 {{- end }}
 
 function start () {
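Review bot: The added `chown` on `hugepages_mountpath` ties ownership to `pod.user.nova.uid`, while the next hunk in this file drops ovs-vswitchd to whatever `conf.ovs_user_name` resolves to. If those are not the same account, vswitchd may no longer be able to create its own hugepage files once it has dropped root. The path is also unquoted and unchecked, so an empty or unset `hugepages_mountpath` renders a `chown` with no target. Consider `chown {{ .Values.pod.user.nova.uid }}:{{ .Values.pod.user.nova.uid }} "{{ required "hugepages_mountpath must be set" .Values.conf.ovs_dpdk.hugepages_mountpath }}"`, with a comment naming the processes expected to write there. Handing the whole mount to the QEMU uid gives every process under that uid write access to it, which is worth confirming as intended.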
@@ -118,7 +119,8 @@
           -vconsole:err \
           -vconsole:info \
           --pidfile=${OVS_PID} \
-          --mlockall
+          --mlockall \
+          --user={{ .Values.conf.ovs_user_name }}
 }
 
 function stop () {
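Review bot: `--user={{ .Values.conf.ovs_user_name }}` is emitted unconditionally, although values.yaml describes the setting as optional. A deployment that overrides `ovs_user_name` to an empty string to stay on root would render a bare `--user=`, which presumably stops ovs-vswitchd from starting. Wrapping the flag in `{{- if .Values.conf.ovs_user_name }}` … `{{- end }}` (with the line continuation moved accordingly) and quoting it as `--user="{{ .Values.conf.ovs_user_name }}"` keeps root mode available and avoids word splitting. The body of `start` begins outside this hunk, so whether anything after startup still needs root cannot be checked from here.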
diff --git a/charts/openvswitch/templates/daemonset.yaml b/charts/openvswitch/templates/daemonset.yaml
index 3a66fa5..189b507 100644
--- a/charts/openvswitch/templates/daemonset.yaml
+++ b/charts/openvswitch/templates/daemonset.yaml
@@ -150,10 +150,10 @@
             - name: run
               mountPath: /run
         - name: openvswitch-vswitchd
-{{- if .Values.conf.ovs_dpdk.enabled }}
 {{/* Run the container in priviledged mode due to the need for root
-permissions when using the uio_pci_generic driver. */}}
+permissions when using --user to specify non root user. */}}
 {{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
+{{- if .Values.conf.ovs_dpdk.enabled }}
 {{/* Limiting CPU cores would severely affect packet throughput
 It should be handled through lcore and pmd core masks. */}}
 {{- if .Values.pod.resources.enabled }}
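Review bot: Moving the `set ... "privileged" true` line above the `ovs_dpdk.enabled` check makes the vswitchd container privileged in every deployment, including non-DPDK ones that were not forced into privileged mode before. That widens the container's access to the host in order to run the daemon as non-root inside it, which largely trades one exposure for a bigger one. Switching user should need far less than full privilege, presumably the setuid/setgid capabilities on top of whatever the non-DPDK container already has, though that needs confirming against the chart's security-context defaults. Consider keeping `privileged` tied to DPDK and adding only the needed capabilities, or at least gating it with `{{- if or .Values.conf.ovs_dpdk.enabled .Values.conf.ovs_user_name }}`. The template comment should then state the reason for each case.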
@@ -271,4 +271,4 @@
           hostPath:
             path: /sys/fs/cgroup
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/openvswitch/values.yaml b/charts/openvswitch/values.yaml
index 01aa93d..5555b60 100644
--- a/charts/openvswitch/values.yaml
+++ b/charts/openvswitch/values.yaml
@@ -241,4 +241,9 @@
     #     vHost IOMMU feature restricts the vhost memory that a virtio device
     #     access, available with DPDK v17.11
     # vhost_iommu_support: true
+
+  ## OVS supports run in non-root for both OVS and OVS DPDK mode, you can
+  # optionally specify to use user with id 42424, ensure the user exists
+  # in the container image.
+  ovs_user_name: "openvswitch:openvswitch"
 ...
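Review bot: The new comment talks about a user id (42424) but the value is a name pair, `openvswitch:openvswitch`, and nothing says the string is handed to `ovs-vswitchd --user`. It also calls the setting optional while a default is shipped, so existing deployments switch to the non-root account on upgrade and depend on the image containing it. Suggested wording: `# user[:group] passed to ovs-vswitchd --user; the account must exist in the container image.`, plus a line stating whether uid 42424 is expected to map to this account.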