Bug 1830857

Summary: conf.db should be in /var/lib/openvswitch
Product: Red Hat Enterprise Linux Fast Datapath Reporter: Yedidyah Bar David <didi>
Component: openvswitch2.11Assignee: Timothy Redaelli <tredaelli>
Status: ASSIGNED --- QA Contact: Bob Fubel <bfubel>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: RHEL 8.0CC: aconole, ctrautma, dholler, jhsiao, mmichels, ralongi, tredaelli
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: https://mail.openvswitch.org/pipermail/ovs-dev/2020-September/374813.html
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yedidyah Bar David 2020-05-04 06:51:00 UTC 
Description of problem:

conf.db is by default at /etc/openvswitch.

It should be at /var/lib/openvswitch , like ovnnb_db.db and ovnsb_db.db .

This is a database file. /etc is for configuration files.

I see that /etc/openvswitch is owned by openvswitch:openvswitch (and that ovsdb-server runs as user openvswitch), whereas /var/lib/openvswitch is owned by root:root (and that at least ovn-northd runs as root). I do not know much about OVS/OVN, nor specifically about its security model etc., so not sure what must run as root etc. For doing a minimal change, just for current bug, I tested this, and it seems to work:

mkdir /var/lib/openvswitch/ovsdb
chown openvswitch:openvswitch /var/lib/openvswitch/ovsdb

Add to /usr/lib/systemd/system/ovsdb-server.service this line, after [Service]:

Environment=OVS_DBDIR=/var/lib/openvswitch/ovsdb

Now, all services manage to start and use their db files under /var/lib/openvswitch.
Comment 4 Timothy Redaelli 2020-05-13 08:59:08 UTC 
(In reply to Yedidyah Bar David from comment #0)
> Description of problem:
> 
> conf.db is by default at /etc/openvswitch.
> 
> It should be at /var/lib/openvswitch , like ovnnb_db.db and ovnsb_db.db .
> 
> This is a database file. /etc is for configuration files.
> 
> I see that /etc/openvswitch is owned by openvswitch:openvswitch (and that
> ovsdb-server runs as user openvswitch), whereas /var/lib/openvswitch is
> owned by root:root (and that at least ovn-northd runs as root). I do not
> know much about OVS/OVN, nor specifically about its security model etc., so
> not sure what must run as root etc. For doing a minimal change, just for
> current bug, I tested this, and it seems to work:

On recent ovn builds (since 2.11.1-30) also ovn runs as non-root user

> mkdir /var/lib/openvswitch/ovsdb
> chown openvswitch:openvswitch /var/lib/openvswitch/ovsdb
> 
> Add to /usr/lib/systemd/system/ovsdb-server.service this line, after
> [Service]:
> 
> Environment=OVS_DBDIR=/var/lib/openvswitch/ovsdb
> 
> Now, all services manage to start and use their db files under
> /var/lib/openvswitch.
Comment 5 Timothy Redaelli 2020-05-25 09:40:00 UTC 
I see that debian does something similar,
they symlink conf.db from /var/lib/openvswitch to /etc/openvswitch for backward compatibility:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681880
Comment 6 Timothy Redaelli 2020-09-10 13:39:36 UTC 
Patch sent upstream