Gitiles
Code Review Sign In
review.vexxhost.dev / atmosphere / e432155571afe15c79188ecb7d947f1321b405eb / . / charts / patches / openvswitch / 0001-add-openvswitch-user-for-OVS-to-make-it-run-non-root.patch
blob: 327ecadce8e4f75a16498c980acec0ba11a704da [file] [log] [blame]
From a39ff68c922ecbc1ff9379d7bcd179d0de7d6643 Mon Sep 17 00:00:00 2001
From: Yaguang Tang <yaguang.tang@vexxhost.com>
Date: Sun, 19 Jan 2025 18:51:49 +0800
Subject: [PATCH] add openvswitch user for OVS to make it run non-root
Change-Id: Ib46f95221c4a978a78675c5140bbb8dfdabea3b7
---
openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl | 4 +++-
openvswitch/templates/daemonset.yaml | 6 +++---
openvswitch/values.yaml | 5 +++++
3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
index dad613c3..c1419b66 100644
--- a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
+++ b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
@@ -25,6 +25,7 @@ OVS_PID=/run/openvswitch/ovs-vswitchd.pid
{{- if .Values.conf.ovs_dpdk.enabled }}
mkdir -p /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
+chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} {{ .Values.conf.ovs_dpdk.hugepages_mountpath }}
{{- end }}
function start () {
@@ -118,7 +119,8 @@ function start () {
-vconsole:err \
-vconsole:info \
--pidfile=${OVS_PID} \
- --mlockall
+ --mlockall \
+ --user={{ .Values.conf.ovs_user_name }}
}
function stop () {
diff --git a/openvswitch/templates/daemonset.yaml b/openvswitch/templates/daemonset.yaml
index 3a66fa51..189b507a 100644
--- a/openvswitch/templates/daemonset.yaml
+++ b/openvswitch/templates/daemonset.yaml
@@ -150,10 +150,10 @@ spec:
- name: run
mountPath: /run
- name: openvswitch-vswitchd
-{{- if .Values.conf.ovs_dpdk.enabled }}
{{/* Run the container in priviledged mode due to the need for root
-permissions when using the uio_pci_generic driver. */}}
+permissions when using --user to specify non root user. */}}
{{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
+{{- if .Values.conf.ovs_dpdk.enabled }}
{{/* Limiting CPU cores would severely affect packet throughput
It should be handled through lcore and pmd core masks. */}}
{{- if .Values.pod.resources.enabled }}
@@ -271,4 +271,4 @@ It should be handled through lcore and pmd core masks. */}}
hostPath:
path: /sys/fs/cgroup
{{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/openvswitch/values.yaml b/openvswitch/values.yaml
index 01aa93d3..5555b60f 100644
--- a/openvswitch/values.yaml
+++ b/openvswitch/values.yaml
@@ -241,4 +241,9 @@ conf:
# vHost IOMMU feature restricts the vhost memory that a virtio device
# access, available with DPDK v17.11
# vhost_iommu_support: true
+
+ ## OVS supports run in non-root for both OVS and OVS DPDK mode, you can
+ # optionally specify to use user with id 42424, ensure the user exists
+ # in the container image.
+ ovs_user_name: "openvswitch:openvswitch"
...
--
2.39.5 (Apple Git-154)