Bug 1791388

Summary: Launch ovn daemons as non-root user
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Timothy Redaelli <tredaelli>
Component: ovn2.11
Assignee: Timothy Redaelli <tredaelli>
Status: CLOSED ERRATA
QA Contact: Jianlin Shi <jishi>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: FDP 20.A
CC: ctrautma, mmichels
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovn2.11-2.11.1-30.el7fdn
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-10 10:07:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Timothy Redaelli 2020-01-15 17:22:11 UTC
Currently ovn daemons run as the root user, but this is not good from a security point of view.

Comment 2 Jianlin Shi 2020-02-04 09:30:45 UTC
run as root on ovn2.11.1-20:

[root@hp-dl380pg8-12 bz1788456]# ps aux | grep ovn-n
root     41485  0.0  0.0  59600  1152 ?        S<s  04:28   0:00 ovn-northd: monitoring pid 41486 (healthy)
root     41486  0.0  0.0  60000  2216 ?        S<   04:28   0:00 ovn-northd -vconsole:emer -vsyslog:err -vfile:info --ovnnb-db=unix:/run/openvswitch/ovnnb_db.sock --ovnsb-db=unix:/run/openvswitch/ovnsb_db.sock --no-chdir --log-file=/var/log/openvswitch/ovn-northd.log --pidfile=/run/openvswitch/ovn-northd.pid --detach --monitor

run as non-root on 2.11.1-32:

[root@hp-dl380pg8-12 bz1788456]# ps aux | grep ovn-n
openvsw+ 41705  0.0  0.0  61764  1188 ?        S<s  04:29   0:00 ovn-northd: monitoring pid 41706 (healthy)
openvsw+ 41706  0.0  0.0  62128  2348 ?        S<   04:29   0:00 ovn-northd --user openvswitch:hugetlbfs -vconsole:emer -vsyslog:err -vfile:info --ovnnb-db=unix:/run/openvswitch/ovnnb_db.sock --ovnsb-db=unix:/run/openvswitch/ovnsb_db.sock --no-chdir --log-file=/var/log/openvswitch/ovn-northd.log --pidfile=/run/openvswitch/ovn-northd.pid --detach --monitor

[root@hp-dl380pg8-12 bz1788456]# ps aux | grep ovn-con
openvsw+ 42032  0.4  0.0 283892  3848 ?        S<sl 04:30   0:00 ovn-controller unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovn-controller.log --pidfile=/var/run/openvswitch/ovn-controller.pid --detach

[root@hp-dl380pg8-12 bz1788456]# rpm -qa | grep -E "openvswitch|ovn"
ovn2.11-host-2.11.1-32.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-14.el7fdp.noarch
ovn2.11-central-2.11.1-32.el7fdp.x86_64
openvswitch2.11-2.11.0-35.el7fdp.x86_64
ovn2.11-2.11.1-32.el7fdp.x86_64
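
The verification in the comment above reads the USER column of `ps aux` by eye. The following shell script is an added example, not part of the bug report or of the OVN project: it automates that check by scanning `ps aux`-style lines for ovn-northd and ovn-controller processes and reporting any that are still owned by root. The sample lines are constructed, modelled on the output quoted above, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: flag OVN daemons that still run as root.
# Reads `ps aux`-style lines on stdin. Column 1 is USER, column 11 is the
# command name; matching on $11 instead of grepping the whole line avoids
# catching the grep process itself (and the "ovn-northd:" monitor process
# is matched by the optional trailing colon).
ovn_root_daemons() {
    awk '$1 == "root" && $11 ~ /^ovn-(northd|controller):?$/ { print $1, $2, $11 }'
}

# Exit 0 when no OVN daemon is root-owned, 1 otherwise (offenders listed).
check_ovn_users() {
    offenders=$(ovn_root_daemons)
    if [ -n "$offenders" ]; then
        printf 'FAIL: OVN daemons running as root:\n%s\n' "$offenders"
        return 1
    fi
    echo "OK: no OVN daemon runs as root"
}

# Constructed sample input, modelled on the ps output in the bug report.
# ps truncates user names longer than 8 characters to 7 plus "+", which is
# why the openvswitch user shows up as "openvsw+".
ROOT_PS='root     41485  0.0  0.0  59600  1152 ?        S<s  04:28   0:00 ovn-northd: monitoring pid 41486 (healthy)
root     41486  0.0  0.0  60000  2216 ?        S<   04:28   0:00 ovn-northd -vconsole:emer --detach --monitor
root     41500  0.0  0.0 112812   976 pts/0    S+   04:28   0:00 grep --color=auto ovn'
NONROOT_PS='openvsw+ 41705  0.0  0.0  61764  1188 ?        S<s  04:29   0:00 ovn-northd: monitoring pid 41706 (healthy)
openvsw+ 41706  0.0  0.0  62128  2348 ?        S<   04:29   0:00 ovn-northd --user openvswitch:hugetlbfs --detach --monitor
openvsw+ 42032  0.4  0.0 283892  3848 ?        S<sl 04:30   0:00 ovn-controller unix:/var/run/openvswitch/db.sock --user openvswitch:hugetlbfs --detach'

# Demo on the constructed samples; on a real host run:  ps aux | check_ovn_users
printf '%s\n' "$ROOT_PS" | check_ovn_users || true   # reports the two root-owned daemons
printf '%s\n' "$NONROOT_PS" | check_ovn_users
```

Because the `grep` process in the first sample is owned by root but its command name is `grep`, it is not reported; only the two `ovn-northd` processes are. On a live host the check is `ps aux | check_ovn_users`, and a non-zero exit status means at least one daemon did not pick up the `--user openvswitch:hugetlbfs` setting shown in the fixed build.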

Comment 4 errata-xmlrpc 2020-03-10 10:07:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0750