path: root/rhel/openvswitch-fedora.spec.in
Commit message | Author | Age | Files | Lines
* rhel: if rpms were built without libcapng then let processes to run as root | Ansis Atteka | 2019-04-16 | 1 | -0/+8
  Otherwise, Open vSwitch will fail to start with the following error "libcap-ng is not configured at compile time" when it attempts to downgrade to Open vSwitch user.

  Also, if packages were built in a way where processes are supposed to be running only as root, then there is no point in creating "openvswitch" user in the first place.

  Signed-off-by: Ansis Atteka <aatteka@ovn.org>
  Acked-by: Ben Pfaff <blp@ovn.org>
* rhel: Include all header files in the Fedora's devel package | Ansis Atteka | 2019-04-02 | 1 | -0/+14
  While the header files added by this patch into Fedora's devel rpm package can be considered private, the other devel packages for RHEL/CentOS and Debian/Ubuntu distros include them. So this patch simply makes the Fedora devel package consistent with the other devel packages.

  Signed-off-by: Ansis Atteka <aatteka@ovn.org>
* rhel: Fix sphinx BuildRequires on Fedora Rawhide | Timothy Redaelli | 2019-03-22 | 1 | -1/+1
  On Fedora Rawhide only python3-sphinx is available, but currently python2-sphinx is used.

  This commit changes the BuildRequires for sphinx to use /usr/bin/sphinx-build directly instead of python2-sphinx in order to make it work on current Fedora Rawhide too.

  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* rhel: Fix tests on mock and koji | Timothy Redaelli | 2019-02-28 | 1 | -0/+2
  Currently many tests fail on mock/koji since /etc/resolv.conf is not present. The unexpected warning causes them to abort.

  After this patch an empty resolv.conf is created and used before issuing "make check".

  Acked-by: Flavio Leitner <fbl@sysclose.org>
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* rhel: Split OpenvSwitch and OVN packages | Numan Siddique | 2019-01-16 | 1 | -185/+11
  Up until now, OVN rpms were generated as sub packages of OpenvSwitch. This patch now splits it and makes OVN rpms independent. A new spec file - ovn-fedora.spec.in is added for this. The openvswitch-fedora.spec.in has been modified to create only OpenvSwitch packages.

  Since we are not splitting the OVN code, the spec files run the same build procedure. Only the required binaries/files are copied into the rpms.

  The new package names will be ovn, ovn-common, ovn-central, ovn-host, ovn-vtep and ovn-docker.

  Acked-by: Flavio Leitner <fbl@sysclose.org>
  Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
  Acked-by: Timothy Redaelli <tredaelli@redhat.com>
  Tested-By: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* rhel: Add ovs-actions manpage to rhel and Fedora spec files | Timothy Redaelli | 2019-01-15 | 1 | -0/+1
  Fixes: be51cd417343 ("ovs-actions: New document describing OVS actions in detail.")
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* rhel: Don't ship static libraries | Timothy Redaelli | 2018-12-10 | 1 | -4/+3
  Since commit bc4fd439586f ("rhel: Ship ovs shared libraries, fedora") openvswitch-devel RPM package includes both static and shared library. This is against the Fedora Packaging Guidelines [1].

  This commit prevents the static libraries and libtool archives from being shipped.

  [1] https://fedoraproject.org/wiki/Packaging:Guidelines#Packaging_Static_Libraries

  Acked-by: Flavio Leitner <fbl@sysclose.org>
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* ipsec: Install ovs-monitor-ipsec in script directory | Timothy Redaelli | 2018-11-12 | 1 | -4/+0
  In commit d5cc46e3d185 ("ipsec: Use @PYTHON@ directly instead of "/usr/bin/env python"") ovs-monitor-ipsec is installed in bin directory, but it's supposed to be installed in script directory.

  This commit also removes the manual copy of "ovs-monitor-ipsec" in spec file since it's installed directly in "make install".

  Fixes: d5cc46e3d185 ("ipsec: Use @PYTHON@ directly instead of "/usr/bin/env python"")
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* rhel: Rename the IPsec package as openvswitch-ipsec | Timothy Redaelli | 2018-11-12 | 1 | -3/+3
  Currently the split package for ipsec is named openvswitch-openvswitch-ipsec, but it should be named openvswitch-ipsec.

  This commit changes the spec file in order to have the IPsec package as openvswitch-ipsec instead of openvswitch-openvswitch-ipsec.

  CC: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
  Fixes: bdddc715358e ("debian and rhel: Create IPsec package.")
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* debian and rhel: Create IPsec package. | Qiuyu Xiao | 2018-11-09 | 1 | -1/+18
  Added rules and files to create debian and rpm ovs-ipsec packages.

  Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
  Signed-off-by: Ansis Atteka <aatteka@ovn.org>
  Co-authored-by: Ansis Atteka <aatteka@ovn.org>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* rhel: hugetlbfs group should be added as a system group. | Aaron Conole | 2018-11-09 | 1 | -1/+1
  Reported-by: Edgar Hoch <edgar.hoch@ims.uni-stuttgart.de>
  Signed-off-by: Aaron Conole <aconole@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* rhel: Ship ovs shared libraries, fedora | Martin Xu | 2018-09-17 | 1 | -0/+3
  This patch extends 4886d4d2495b (debian, rhel: Ship ovs shared libraries and header files) to fedora, by packaging the shared libraries in openvswitch and openvswitch-devel RPM.

  These files are always packaged in the RPMs built with rhel6 spec file.

  VMware-BZ: #2036847
  CC: Flavio Leitner <fbl@redhat.com>
  Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
  Acked-by: Flavio Leitner <fbl@redhat.com>
* rhel: Install the network scripts in a new subpackage | Timothy Redaelli | 2018-08-10 | 1 | -0/+20
  Starting from Fedora 29, the legacy network scripts are installed in the "network-scripts" package and so the network scripts ("ifup-ovs", "ifdown-ovs") should be installed only when the "network-scripts" package is installed.

  This commit introduces (on Fedora 29+) a new subpackage (network-scripts-openvswitch). This subpackage is installed, by default, only if the "network-scripts" package is installed too (reverse weak dependency).

  Reported-by: Lubomir Rintel <lkundrak@v3.sk>
  Reported-at: https://src.fedoraproject.org/rpms/openvswitch/pull-request/4
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
  Acked-by: Flavio Leitner <fbl@sysclose.org>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* rhel: Use correct user in the logrotate configuration file | Markos Chandras | 2018-08-08 | 1 | -1/+3
  The /var/log/openvswitch directory is owned by the openvswitch user but logrotate could be running as root or as another user. As a result of which, rpmlint prints the following warning when building the spec file on SUSE Linux Enterprise:

    openvswitch.x86_64: W: suse-logrotate-user-writable-log-dir /var/log/openvswitch openvswitch:openvswitch 0750
    The log directory is writable by unprivileged users. Please fix the permissions so only root can write there or add the 'su' option to your logrotate config

  In order to fix that, we should run the logrotate script as the same user which runs the various Open vSwitch daemons. If this is a new installation, then this user is the 'openvswitch' one, but if we are upgrading from an older release, then the user is normally 'root'. As such, we set the initial user to 'root' and we fix this up in the %post scriptlet.

  Cc: Aaron Conole <aconole@redhat.com>
  Cc: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Markos Chandras <mchandras@suse.de>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
  Acked-by: Timothy Redaelli <tredaelli@redhat.com>
* rhel: Add gcc and gcc-c++ to BuildRequires | Timothy Redaelli | 2018-08-06 | 1 | -0/+1
  Starting from Fedora 29, gcc and gcc-c++ won't be installed by default in buildroot and so it's necessary to specify them explicitly in the spec file.

  https://fedoraproject.org/wiki/Changes/Remove_GCC_from_BuildRoot

  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* DNS: Add basic support for asynchronous DNS resolving | Yifeng Sun | 2018-07-06 | 1 | -1/+2
  This patch is a simple implementation for the proposal discussed in https://mail.openvswitch.org/pipermail/ovs-dev/2017-August/337038.html and https://mail.openvswitch.org/pipermail/ovs-dev/2017-October/340013.html.

  It enables ovs-vswitchd and other utilities to use DNS names when specifying OpenFlow and OVSDB remotes.

  Below are some of the features and limitations of this patch:
  - Resolving is asynchronous in daemon context, avoiding blocking main loop;
  - Resolving is synchronous in general utility context;
  - Both IPv4 and IPv6 are supported;
  - The resolving API is thread-safe;
  - Depends on the unbound library;
  - When multiple ip addresses are returned, only the first one is used;
  - /etc/nsswitch.conf isn't respected as unbound library doesn't look at it;
  - For async-resolving, caller needs to retry later; there is no callback.

  Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* ovs-sim: Don't install manpage at all (except from ovs-sim itself). | Ben Pfaff | 2018-06-18 | 1 | -1/+0
  ovs-sim is a funny utility since it only works from a build tree, not from an installed OVS. That means that we shouldn't install its manpage when we run "make install". But we do want to install the manpage when we're inside ovs-sim itself, so that the user can invoke "man ovs-sim" from its nested shell. This commit makes this happen.

  Suggested-by: Roi Dayan <roid@mellanox.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
  Acked-by: Roi Dayan <roid@mellanox.com>
* rhel: selinux-policy to invoke proper label macros | Aaron Conole | 2018-06-17 | 1 | -2/+8
  The rpm doesn't invoke all of the required selinux helpers to enact labeling or relabeling on all versions of Fedora/RHEL. According to:

    https://fedoraproject.org/wiki/SELinux/IndependentPolicy

  This commit switches to use the selinux rpm macros which will ensure that all of the labels defined in the .fc.in file are applied properly.

  Acked-by: Ansis Atteka <aatteka@ovn.org>
  Acked-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Aaron Conole <aconole@redhat.com>
* ovs-kmod-ctl: introduce a kernel module load script | Aaron Conole | 2018-06-17 | 1 | -0/+2
  Currently, Open vSwitch on linux embeds the logic of loading and unloading kernel modules into the ovs-ctl and ovs-lib script files. This works, but it means that there is no way to leverage extended filesystem attributes to grant fine grain permissions relating to module loading.

  The split out utility 'ovs-kmod-ctl' will be used in an upcoming commit for RHEL-based distributions to have a separate transition domain that will allow module loading to be given to a separate selinux domain from the openvswitch_t domain.

  Acked-by: Ansis Atteka <aatteka@ovn.org>
  Acked-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Aaron Conole <aconole@redhat.com>
* rhel: Add python-netifaces as a dependency for openvswitch-test | Timothy Redaelli | 2018-06-14 | 1 | -1/+1
  Currently python-netifaces is needed for ovs-tcpdump that is installed by openvswitch-test package.

  This commit adds {python,python2}-netifaces as a dependency for the openvswitch-test package.

  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
  Acked-by: Aaron Conole <aconole@redhat.com>
* treewide: Convert leading tabs to spaces. | Ben Pfaff | 2018-06-11 | 1 | -16/+16
  It's always been OVS coding style to use spaces rather than tabs for indentation, but some tabs have snuck in over time. This commit converts them to spaces.

  Signed-off-by: Ben Pfaff <blp@ovn.org>
  Acked-by: Justin Pettit <jpettit@ovn.org>
* rhel: remove ovs-sim man page from temporary directory | Lorenzo Bianconi | 2018-06-05 | 1 | -0/+1
  Fix following compilation error running 'make rpm-fedora'

    error: Installed (but unpackaged) file(s) found:
       /usr/share/man/man1/ovs-sim.1.gz

    RPM build errors:
        Installed (but unpackaged) file(s) found:
        /usr/share/man/man1/ovs-sim.1.gz
    make: *** [Makefile:7049: rpm-fedora] Error 1

  Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
  Acked-by: Roi Dayan <roid@mellanox.com>
* rhel: Use openvswitch user/group for the log directory | Timothy Redaelli | 2018-05-23 | 1 | -1/+1
  Commit 94cd8383e297 ("rhel: fix log directory permissions") restored the old 755 permission on /var/log/openvswitch and this can result in the exposure of sensitive information.

  Since commit f624bf23b62a ("rhel: user/group openvswitch does not exist") moved the user/group creations in %pre phase it's now possible to change /var/log/openvswitch user/group to openvswitch:openvswitch and remove the r/x bits for other again without having the "permission denied" error when the logs are rotated.

  CC: Aaron Conole <aconole@redhat.com>
  Fixes: 94cd8383e297 ("rhel: fix log directory permissions")
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Acked-by: Aaron Conole <aconole@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
  Reviewed-by: Markos Chandras <mchandras@suse.de>
* rhel: openvswitch-fedora.spec.in: Specify PYTHON and PYTHON3 | Timothy Redaelli | 2018-05-10 | 1 | -1/+7
  Currently python2 and python3 binaries are searched by following the PATHs, but, on Fedora, the python2 package does not provide /bin/python2 and so if the PATH contains /bin before /usr/bin (for example by using the ansible poc) then the resulting RPM file will require /bin/python2 instead of /usr/bin/python2 and this breaks some tools (for example createrepo).

  This patch specifies the full path of python2 interpreter and, if python3-openvswitch package is built, the full path of python3 interpreter.

  Reported-by: Ansis Atteka <ansisatteka@gmail.com>
  Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-May/346796.html
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Acked-by: Ansis Atteka <aatteka@ovn.org>
* rhel: openvswitch-fedora.spec.in: Drop explicit usermod/groupadd deps | Markos Chandras | 2018-05-09 | 1 | -4/+0
  These dependencies have been moved from the %post to the %pre scriptlet in f624bf23b62a ("rhel: user/group openvswitch does not exist") and are already provided by the shadow-utils package so we can simply drop them.

  Cc: Alan Pevec <alan.pevec@redhat.com>
  Cc: Aaron Conole <aconole@redhat.com>
  Signed-off-by: Markos Chandras <mchandras@suse.de>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
  Acked-by: Aaron Conole <aconole@redhat.com>
* rhel: user/group openvswitch does not exist | Alan Pevec | 2018-05-01 | 1 | -8/+13
  Default ownership[1] for config files is failing on an empty system:

    Running scriptlet: openvswitch-2.9.0-3.fc28.x86_64
    warning: user openvswitch does not exist - using root
    warning: group openvswitch does not exist - using root
    ...

  Required user/group need to be created in %pre as documented in Fedora guideline[2]

  [1] https://github.com/openvswitch/ovs/commit/951d79e638ecdb3b1dcd19df1adb2ff91fe61af8
  [2] https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Dynamic_allocation

  Submitted-at: https://github.com/openvswitch/ovs/pull/223
  Signed-off-by: Alan Pevec <alan.pevec@redhat.com>
  Co-authored-by: Aaron Conole <aconole@redhat.com>
  Signed-off-by: Aaron Conole <aconole@redhat.com>
  Acked-by: Markos Chandras <mchandras@suse.de>
  Signed-off-by: Russell Bryant <russell@ovn.org>
* rpm: depend on /bin/sed instead of /usr/bin/sed for compatibility | Isaac Freeman | 2018-04-19 | 1 | -1/+1
  The sed package in RHEL/CentOS 7 only provides /bin/sed and not /usr/bin/sed, but later versions (including Fedora) provide both.

  Signed-off-by: Isaac Freeman <memotype@gmail.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* Edit Open vSwitch license info so that GitHub recognizes it. | Andrea Kao | 2018-04-16 | 1 | -3/+1
  GitHub uses a library called Licensee to identify a project's license type. It shows this information in the status bar and via the API if it can unambiguously identify the license.

  This commit creates a LICENSE file that stores the full text of the Apache license. It also removes the COPYING file and transfers its contents to a new "License" section in the README.

  Collectively, these changes allow Licensee to successfully identify the license type of Open vSwitch's codebase as Apache.

  Submitted-at: https://github.com/openvswitch/ovs/pull/224
  Signed-off-by: Andrea Kao <eirinikos@gmail.com>
  [blp@ovn.org removed references to COPYING and updated Makefile.am]
  Signed-off-by: Ben Pfaff <blp@ovn.org>
  Acked-by: Aaron Conole <aconole@redhat.com>
* ovsdb-server: Add support for a built-in _Server database. | Ben Pfaff | 2018-03-24 | 1 | -0/+1
  The _Server database is valuable primarily because it provides database clients a way to find out the details of changes to databases, schemas, etc. in a granular, natural way. Until now, the only way that the server could notify clients about these kinds of changes was to close the session; when the client reconnects, it is expected to reassess the server's state. One way to provide this kind of granular information would be to add specific JSON-RPC requests to obtain notifications for different kinds of changes, but since ovsdb-server already provides granular and flexible notification support for databases, using a database for the purpose is convenient and avoids duplicating functionality.

  Initially this database only reports databases' names and schemas, but when clustering support is added in a later commit it will also report important aspects of clustering and cluster status. Thus, this database also reduces the need to add JSON-RPC calls to retrieve information about new features.

  Signed-off-by: Ben Pfaff <blp@ovn.org>
* selinux: add a new target to build the policy | Aaron Conole | 2018-02-23 | 1 | -3/+1
  The selinux policy currently builds manually, as a process that either the user or distribution maintainer undertakes. That process consists of:

  1. Convert the intermediary files into their file form through 'make' statements at the top level.
  2. Change to the selinux directory and issue the selinux "make -f" directive.

  This commit introduces a new target 'selinux-policy' which builds the openvswitch-custom policy files.

  Signed-off-by: Aaron Conole <aconole@redhat.com>
  Acked-by: Ansis Atteka <aatteka@ovn.org>
* rhel: Add the new ovsdb manpages to %files list | Timothy Redaelli | 2017-12-15 | 1 | -0/+3
  Currently, "make rpm-fedora" doesn't work correctly since the new ovsdb manpages (ovsdb.5, ovsdb.7 and ovsdb-server.7) were added.

  This patch adds the new ovsdb manpages in the %files list in the spec file.

  CC: Ben Pfaff <blp@ovn.org>
  Fixes: 12b84d50e032 ("ovsdb: Improve documentation.")
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* redhat: Create /etc/openvswitch/* with openvswitch as user/group | Timothy Redaelli | 2017-11-29 | 1 | -3/+4
  Without this commit it is not possible to upgrade an openvswitch release that includes the commit ac416a3ab2d2 (for example 2.8.0) with another release that includes the commit ac416a3ab2d2 (for example master or 2.8.1), because rpm changes the user/group of /etc/openvswitch to root/root, but ovsdb-server starts with the user openvswitch and so it doesn't have permissions to write in /etc/openvswitch/conf.db.

  This patch tells rpm to use the openvswitch user and group for /etc/openvswitch and /etc/openvswitch/default.conf.

  Reported-by: Mark Michelson <mmichels@redhat.com>
  CC: aaron conole <aconole@redhat.com>
  Fixes: ac416a3ab2d2 ("redhat: dynamically allocate and reference ovs user")
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
  Acked-by: Aaron Conole <aconole@redhat.com>
  Tested-by: Mark Michelson <mmichels@redhat.com>
* tests: Convert dpdkstrip utility from Perl to Python. | Ben Pfaff | 2017-11-26 | 1 | -1/+1
  Perl is unfashionable and Python is more widely available and understood, so this commit converts one of the OVS uses of Perl into Python.

  Signed-off-by: Ben Pfaff <blp@ovn.org>
  Acked-by: Aaron Conole <aconole@redhat.com>
* rhel: Add support for "systemctl reload openvswitch" | Timothy Redaelli | 2017-11-08 | 1 | -0/+5
  The reload procedure will trigger a script that saves the flows and tlv maps (using ovs-save) then it restarts ovsdb-server, it stops ovs-vswitchd, it sets other_config:flow-restore-wait=true (to wait till flow restore is finished), it starts ovs-vswitchd, it restores the backed-up flows/tlv maps and it removes other_config:flow-restore-wait=true (logic mostly ripped from ovs-ctl).

  It uses systemctl with --job-mode=ignore-dependencies to restart ovsdb-server and stop and start ovs-vswitchd in order to avoid systemd restarting the other components due to dependencies (as explained in rhel/README.RHEL.rst).

  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
  Acked-by: Flavio Leitner <fbl@sysclose.org>
* rhel: Use python2-sphinx as BuildRequires on Fedora | Timothy Redaelli | 2017-10-30 | 1 | -1/+1
  python-* package names are deprecated on Fedora (https://fedoraproject.org/wiki/Packaging:Naming#Python2_binary_package_naming) so use python2-sphinx, when available, instead.

  CC: Lance Richardson <lrichard@redhat.com>
  Fixes: cd6121410b52 ("rhel: add python-sphinx as a build dependency")
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* rhel: Add systemd support to delete transient ports only on boot | Timothy Redaelli | 2017-10-27 | 1 | -1/+2
  Using the dependencies feature of systemd, ovs-delete-transient-ports.service is only started once and so transient ports are deleted only the first time after boot.

  Acked-by: Aaron Conole <aconole@redhat.com>
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* rhel: fix log directory permissions | Aaron Conole | 2017-10-18 | 1 | -1/+1
  When the logrotate script runs, and Open vSwitch is running as a non-root user, the /var/log/openvswitch directory doesn't have other rx bits set. This means the reopen attempt will fail with "permission denied", even though the default logrotate configuration creates a new log file with the appropriate attributes.

  This change sets the r/x bits for other on /var/log/openvswitch

  Signed-off-by: Aaron Conole <aconole@redhat.com>
  Tested-by: Jean Hsiao <jhsiao@redhat.com>
  Acked-by: Flavio Leitner <fbl@sysclose.org>
  Acked-by: Markos Chandras <mchandras@suse.de>
  Acked-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Russell Bryant <russell@ovn.org>
* rhel: make the selinux policy intermediate | Aaron Conole | 2017-08-31 | 1 | -0/+1
  This will be used by an upcoming commit to have @begin_ and @end_ dpdk blocks to keep dpdk specific policy decisions only active when dpdk is used.

  Acked-by: Flavio Leitner <fbl@sysclose.org>
  Acked-by: Ansis Atteka <aatteka@ovn.org>
  Signed-off-by: Aaron Conole <aconole@redhat.com>
  Tested-by: Jean Hsiao <jhsiao@redhat.com>
* redhat: add vfio udev rules | aaron conole | 2017-08-10 | 1 | -0/+8
  This commit builds on the non-root ovs work and adds a udev rule which will automatically set the group permissions of vfio devices.

  Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root user")
  Signed-off-by: Aaron Conole <aconole@redhat.com>
  Signed-off-by: Russell Bryant <russell@ovn.org>
* redhat: allow dpdk to also run as non-root user | aaron conole | 2017-08-08 | 1 | -0/+13
  After this commit, users may start a dpdk-enabled ovs setup as a non-root user. This is accomplished by exporting the $HOME directory, which dpdk uses to fill in its semi-persistent RTE configuration.

  This change may be a bit controversial since it modifies /dev/hugepages as part of starting the ovs-vswitchd to set a hugetlbfs group ownership. This is used to enable writing to /dev/hugepages so that the dpdk_init will successfully complete. There is an alternate way of accomplishing this - namely to initialize DPDK before dropping privileges. However, this would mean that if DPDK ever grows an uninit / reinit function, non-root ovs likely could never use it.

  This does not change OvS+DPDK's SELinux requirements. It still must be disabled.

  Signed-off-by: Aaron Conole <aconole@redhat.com>
  Signed-off-by: Russell Bryant <russell@ovn.org>
* redhat: dynamic service file for vswitchd | aaron conole | 2017-08-08 | 1 | -0/+9
  This commit changes the service file from static configuration to an autogenerated file, produced during the build. This will be relevant in a future commit.

  Signed-off-by: Aaron Conole <aconole@redhat.com>
  Signed-off-by: Russell Bryant <russell@ovn.org>
* redhat: dynamically allocate and reference ovs user | aaron conole | 2017-08-08 | 1 | -0/+13
  After this commit, the fedora RPM will create the openvswitch user, from the non-static pool, for use as an Open vSwitch daemon user. This only happens on install - not upgrade. This will be the default user:group combination for the openvswitch daemons.

  To do this in a way that doesn't impact existing installations, the /etc/openvswitch directory will be created during the installation, rather than being provided as part of the rpm.

  Acked-by: Markos Chandras <mchandras@suse.de>
  Signed-off-by: Aaron Conole <aconole@redhat.com>
  Signed-off-by: Russell Bryant <russell@ovn.org>
* redhat: allow arbitrary user:group | aaron conole | 2017-08-08 | 1 | -0/+4
  Under rpm based distributions, the only user:group that the rhel daemons run as is 'root:root'. This is fine as a default, but as part of a security procedure, users may want to run as an alternate uid/gid.

  This commit adds an OVS_USER_ID environment variable for systemd, which defaults to root:root, but can be overridden by changing the /etc/sysconfig/openvswitch environment file.

  Acked-by: Markos Chandras <mchandras@suse.de>
  Signed-off-by: Aaron Conole <aconole@redhat.com>
  Signed-off-by: Russell Bryant <russell@ovn.org>
* Update relevant artifacts to add support for DPDK 17.05.1. | Michal Weglicki | 2017-08-02 | 1 | -1/+1
  Upgrading to DPDK 17.05.1 stable release adds new significant features relevant to OVS, including, but not limited to:
  - tun/tap PMD,
  - VFIO hotplug support,
  - Generic flow API.

  Following changes are applied:
  - netdev-dpdk: Changes required by DPDK API modifications.
  - doc: Because of DPDK API changes, backward compatibility with previous DPDK releases will be broken, thus all relevant documentation entries are updated.
  - .travis: DPDK version change from 16.11.1 to 17.05.1.
  - rhel/openvswitch-fedora.spec.in: DPDK version change from 16.11 to 17.05.1

  Signed-off-by: Michal Weglicki <michalx.weglicki@intel.com>
  Acked-by: Kevin Traynor <ktraynor@redhat.com>
  Acked-by: Mark Kavanagh <mark.b.kavanagh@intel.com>
  Tested-by: Ian Stokes <ian.stokes@intel.com>
  Acked-by: Aaron Conole <aconole@redhat.com>
  Signed-off-by: Darrell Ball <dlu998@gmail.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* rhel: Fix creation of symlink for ocf script | Timothy Redaelli | 2017-07-20 | 1 | -10/+5
  The policy is to use %files to track installed files. If %files is not used the resulting file is not owned by any package.

  Before this commit:

    # rpm -qf /usr/lib/ocf/resource.d/ovn/ovndb-servers
    file /usr/lib/ocf/resource.d/ovn/ovndb-servers is not owned by any package

  After this commit:

    # rpm -qf /usr/lib/ocf/resource.d/ovn/ovndb-servers
    openvswitch-ovn-common-2.7.90-1.fc26.x86_64

  Fixes: a4245b7869c8 ("ovn: Add ovn db servers ocf script in fedora packager")
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Acked-by: Aaron Conole <aconole@redhat.com>
  Acked-by: Numan Siddique <nusiddiq@redhat.com>
  Signed-off-by: Russell Bryant <russell@ovn.org>
* make logs not readable by other | Timothy Redaelli | 2017-07-10 | 1 | -1/+1
  The Open vSwitch log directory and files are currently set world readable. However, since only Open vSwitch users and processes need to access this directory and these files there is no need to allow the world to access them, since it can result in the exposure of sensitive information.

  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* redhat: make the rpm aware of the lock file | Aaron Conole | 2017-06-13 | 1 | -0/+2
  Currently, the db lockfile will cause the openvswitch directory to linger after uninstall because the rpm database isn't aware that it should be treated as part of the system. This commit informs the rpmdb properly as a 'ghost' so that when the package is uninstalled, it will be removed automatically. This means that if no extra files exist in /etc/openvswitch, the whole directory will be removed from /etc/.

  Acked-by: Flavio Leitner <fbl@sysclose.org>
  Reviewed-by: Markos Chandras <mchandra@suse.de>
  Signed-off-by: Aaron Conole <aconole@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
* rhel: install firewalld ovn files with chmod 644 instead of 755 | Timothy Redaelli | 2017-05-31 | 1 | -2/+2
  Fixes: 55f36be59122 ("rhel: Firewall service files for OVN.")
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Ben Pfaff <blp@ovn.org>
  Acked-by: Miguel Angel Ajo <majopela@redhat.com>
* fedora: do not restart ovn svcs automatically on pkg upgrade | Lance Richardson | 2017-05-02 | 1 | -18/+6
  Similar to commit 5771f4765734 ("fedora: do not restart the service on a pkg upgrade"), this change eliminates the automatic restart of OVN services after upgrade.

  Note that the post-uninstall scriptlet affected by this change is executed from the previously installed package when upgrading, so existing installations need to go through two package upgrades before this change will take effect.

  Signed-off-by: Lance Richardson <lrichard@redhat.com>
  Signed-off-by: Russell Bryant <rbryant@redhat.com>
* rhel: fix the fedora spec | Aaron Conole | 2017-05-02 | 1 | -0/+2
  When commit d0c961a99f57 ("lib/automake.mk: don't install runtime directories") landed, it broke RPM based builds since the requisite directories were no longer available. This commit adds those directories back when making RPMs so that the package manager can see them.

  Fixes: d0c961a99f57 ("lib/automake.mk: don't install runtime directories")
  Reported-by: Lance Richardson <lrichard@redhat.com>
  Tested-by: Lance Richardson <lrichard@redhat.com>
  Signed-off-by: Aaron Conole <aconole@redhat.com>
  Signed-off-by: Russell Bryant <rbryant@redhat.com>