1559374 – ovs package update complains openvswitch user not exist

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1559374 - ovs package update complains openvswitch user not exist

Summary: ovs package update complains openvswitch user not exist

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	openvswitch
Sub Component:
Version:	7.4
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Aaron Conole
QA Contact:	Rick Alongi
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-03-22 12:24 UTC by zenghui.shi
Modified:	2018-06-21 13:37 UTC (History)
CC List:	15 users (show)
Fixed In Version:	openvswitch-2.9.0-27.el7fdn
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-06-21 13:36:35 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	553926	None	MERGED	Add condition to ovs run during upgrade.	2020-11-17 15:19:25 UTC
OpenStack gerrit	557164	None	MERGED	Ensure openvswitch user exist before package update	2020-11-17 15:19:46 UTC
OpenStack gerrit	558471	None	MERGED	Change ovs user and fix permissions on ovs upgrade	2020-11-17 15:19:24 UTC
Red Hat Product Errata	RHBA-2018:1962	None	None	None	2018-06-21 13:37:49 UTC

Description zenghui.shi 2018-03-22 12:24:35 UTC

Description of problem:

When updating openvswitch package from 2.7 to 2.8, yum update complains openvswitch user not exist, and fail to execute cmd 'chown -R openvswitch:openvswitch /etc/openvswitch' in package scriptlet.
This means an openvswitch user shall be created first by administrator in order to update ovs package correctly.

This is also causing problem for layer products like tripleo/director to handle ovs package update, as it has to create special cases in order to update the package.

[root@nfvsdn-17 ~]# rpm -q --scripts openvswitch
postinstall scriptlet (using /bin/sh):
if [ $1 -eq 1 ]; then
    getent passwd openvswitch >/dev/null || \
        useradd -r -d / -s /sbin/nologin -c "Open vSwitch Daemons" openvswitch

    sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch

    getent group hugetlbfs >/dev/null || \
        groupadd hugetlbfs
    usermod -a -G hugetlbfs openvswitch
    sed -i \
        's@OVS_USER_ID="openvswitch:openvswitch"@OVS_USER_ID="openvswitch:hugetlbfs"@'\
        /etc/sysconfig/openvswitch
fi
# Package %files sets /etc/openvswitch to root:root in installation and upgrade so
# we always need to reset ownership
chown -R openvswitch:openvswitch /etc/openvswitch

    
if [ $1 -eq 1 ] ; then 
        # Initial installation 
        systemctl preset openvswitch.service >/dev/null 2>&1 || : 
fi
preuninstall scriptlet (using /bin/sh):
    
if [ $1 -eq 0 ] ; then 
        # Package removal, not upgrade 
        systemctl --no-reload disable openvswitch.service > /dev/null 2>&1 || : 
        systemctl stop openvswitch.service > /dev/null 2>&1 || : 
fi
postuninstall scriptlet (using /bin/sh):
    
systemctl daemon-reload >/dev/null 2>&1 || : 
if [ $1 -ge 1 ] ; then 
        # Package upgrade, not uninstall 
        systemctl try-restart openvswitch.service >/dev/null 2>&1 || : 
fi


[root@nfvsdn-17 ~]# rpm -qa | grep openvswitch
openvswitch-2.8.2-1.el7.x86_64

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
the user creation be handled both in package update and fresh installation.

Additional info:

Comment 2 Yolanda Robla 2018-03-22 12:50:26 UTC

It will also need to modify the /etc/sysconfig/

Comment 3 Yolanda Robla 2018-03-22 12:51:07 UTC

Ideally, it will also need to modify the /etc/sysconfig/openvswitch file, the same it is doing for the postinstall tasks

Comment 4 Yolanda Robla 2018-03-26 08:03:27 UTC

If the change is implemented on upgrade, it will need to avoid the restart openvswitch services as part of it. As it will cut network connection,  that's not acceptable. So the change needed there is to create user/group, change config file, and then let users restart the services by themselves.

Comment 5 Saravanan KR 2018-03-26 10:57:41 UTC

(In reply to Yolanda Robla from comment #3)
> Ideally, it will also need to modify the /etc/sysconfig/openvswitch file,
> the same it is doing for the postinstall tasks

I believe no, package update should not enforce the user migration. It should be left to the user, in our case tripleo should update it. But user and group could be created even during the package update.

Comment 6 Aaron Conole 2018-03-26 13:01:12 UTC

Agreed with Saravan, here.

The update should *not* force migrate the user.  Even assuming we can 100% be certain the end user hasn't implemented their own type of user, we can't be 100% certain we won't break something about their setup (either directories being used, or alternative configurations).

Open vSwitch package upgrade should not be restarting the daemons anyway.  Do you see that happening with 2.7+?  It may have happened with 2.6, although I think we fixed it by that point.

Comment 8 zenghui.shi 2018-03-27 02:14:07 UTC

(In reply to Saravanan KR from comment #5)
> (In reply to Yolanda Robla from comment #3)
> > Ideally, it will also need to modify the /etc/sysconfig/openvswitch file,
> > the same it is doing for the postinstall tasks
> 
> I believe no, package update should not enforce the user migration. It
> should be left to the user, in our case tripleo should update it. But user
> and group could be created even during the package update.


'openvswitch' user is required when updating ovs package to 2.8, otherwise it will complain 'openvswitch' user not exist. with that, I think we need 'openvswitch' user be created during package update, just like it's created with fresh installation.

IIUC, openvswitch and qemu user share the same group 'hugetlbfs' in ovs 2.8 onwards; then who will be responsible to create 'hugetlbfs' group? I believe either ovs nor qemu shall do that during their package update, instead, tripleo should do the creation of 'hugetlbfs' group before updating both packages.

as for user migration, when do we expect the user can be migrated ?
with the workaround in tripleo, it has been ensured that openvswitch service will not be restarted during package update (if there is a postuninstall script to try restart ovs service), then we will still be running old ovs version and old config after package update, but do we allow operator to restart ovs service after package update ? if yes, which user and group will ovs use after service restart ? if not, do we expect a reboot right after tripleo minor update (along with ovs package update) to make new ovs config be available?

maybe the right place to insert new ovs config is before minor update reboot and after ovs package update, and only allow reboot to make all new config available.

Comment 9 Yolanda Robla 2018-03-27 12:06:25 UTC

Re Saravanan and Aaron. If we don't force the user to change user/group in /etc/sysconfig/openvswitch, why should then create those users? From your comments, i understand it may be optional and users could run in their own way. Then, what's the point of creating user/group if we don't enforce the config file? I still see it as "do everything" or "do nothing", in terms of the ovs package changes.

Comment 10 zenghui.shi 2018-04-02 08:00:11 UTC

setting needinfo per comment #9

Comment 11 Saravanan KR 2018-04-02 11:34:21 UTC

Generally when a package is installed, all the related users and groups should be created with the installation, which implies that when openvswitch package is present in node, user 'openvswitch' and group 'hugetlbfs' should exist. But it is upto the user to run it with the default recommended user or not. IMO, user group creation should not be linked with how the user is intend to use it.

Comment 14 Alan Pevec 2018-04-27 11:17:53 UTC

related upstream PR https://github.com/openvswitch/ovs/pull/223
posted by Aaron to ovs-dev [PATCH v3] rhel: user/group openvswitch does not exist

Comment 15 Aaron Conole 2018-05-04 13:36:54 UTC

Merged to fdn tree as of build 2.9.0-27

Comment 18 Aaron Conole 2018-06-14 19:21:14 UTC

You can check for the warning messages about missing user when doing a dnf installation on a clean system.  Clean means, you'll need to remove the openvswitch user/group and the hugetlbfs group.

Comment 19 Rick Alongi 2018-06-18 15:01:31 UTC

Verified using openvswitch-2.9.0-47.el7fdp.x86_64.rpm.  Details below:

[root@netqe11 ~]# cat bz1559374.sh 
#!/bin/bash

starting_ovs_rpm="http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.7.3/3.git20180112.el7fdp/x86_64/openvswitch-2.7.3-3.git20180112.el7fdp.x86_64.rpm"
target_ovs_version=$1

cleanup_ovs()
{
	for bridge in $(ovs-vsctl list-br); do ovs-vsctl del-br $bridge; done
	systemctl stop openvswitch
	yum -y remove openvswitch
	rm -Rf /etc/openvswitch
	rm -Rf /var/log/openvswitch
	rm -f /etc/sysconfig/openvswitch
	if [[ $(cut -d: -f1 /etc/group | grep hugetlbfs) ]]; then groupdel hugetlbfs; fi
	if [[ $(cut -d: -f1 /etc/group | grep openvswitch) ]]; then userdel openvswitch; fi
}

cleanup_ovs
yum -y install $starting_ovs_rpm
systemctl start openvswitch
yum -y update $target_ovs_version


## Reproduce problem when updating from openvswitch 2.7.3.3 FDP to openvswitch 2.9.0.19 FDP (warning messages assert):

[root@netqe11 ~]# ./bz1559374.sh http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.9.0/19.el7fdp/x86_64/openvswitch-2.9.0-19.el7fdp.x86_64.rpm
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package openvswitch.x86_64 0:2.9.0-47.el7fdp will be erased
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================
 Package              Arch            Version                    Repository          Size
==========================================================================================
Removing:
 openvswitch          x86_64          2.9.0-47.el7fdp            installed           22 M

Transaction Summary
==========================================================================================
Remove  1 Package

Installed size: 22 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : openvswitch-2.9.0-47.el7fdp.x86_64                                     1/1 
  Verifying  : openvswitch-2.9.0-47.el7fdp.x86_64                                     1/1 

Removed:
  openvswitch.x86_64 0:2.9.0-47.el7fdp                                                    

Complete!
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
openvswitch-2.7.3-3.git20180112.el7fdp.x86_64.rpm                  | 4.3 MB  00:00:00     
Examining /var/tmp/yum-root-qlj7Yg/openvswitch-2.7.3-3.git20180112.el7fdp.x86_64.rpm: openvswitch-2.7.3-3.git20180112.el7fdp.x86_64
Marking /var/tmp/yum-root-qlj7Yg/openvswitch-2.7.3-3.git20180112.el7fdp.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package openvswitch.x86_64 0:2.7.3-3.git20180112.el7fdp will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================
 Package
   Arch   Version                    Repository                                      Size
==========================================================================================
Installing:
 openvswitch
   x86_64 2.7.3-3.git20180112.el7fdp /openvswitch-2.7.3-3.git20180112.el7fdp.x86_64  18 M

Transaction Summary
==========================================================================================
Install  1 Package

Total size: 18 M
Installed size: 18 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : openvswitch-2.7.3-3.git20180112.el7fdp.x86_64                          1/1 
  Verifying  : openvswitch-2.7.3-3.git20180112.el7fdp.x86_64                          1/1 

Installed:
  openvswitch.x86_64 0:2.7.3-3.git20180112.el7fdp                                         

Complete!
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
openvswitch-2.9.0-19.el7fdp.x86_64.rpm                             | 6.3 MB  00:00:00     
Examining /var/tmp/yum-root-qlj7Yg/openvswitch-2.9.0-19.el7fdp.x86_64.rpm: openvswitch-2.9.0-19.el7fdp.x86_64
Marking /var/tmp/yum-root-qlj7Yg/openvswitch-2.9.0-19.el7fdp.x86_64.rpm as an update to openvswitch-2.7.3-3.git20180112.el7fdp.x86_64
Resolving Dependencies
--> Running transaction check
---> Package openvswitch.x86_64 0:2.7.3-3.git20180112.el7fdp will be updated
---> Package openvswitch.x86_64 0:2.9.0-19.el7fdp will be an update
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================
 Package        Arch      Version            Repository                              Size
==========================================================================================
Updating:
 openvswitch    x86_64    2.9.0-19.el7fdp    /openvswitch-2.9.0-19.el7fdp.x86_64     21 M

Transaction Summary
==========================================================================================
Upgrade  1 Package

Total size: 21 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : openvswitch-2.9.0-19.el7fdp.x86_64                                     1/2 
warning: user openvswitch does not exist - using root
warning: group openvswitch does not exist - using root
warning: user openvswitch does not exist - using root
warning: group openvswitch does not exist - using root
chown: invalid user: ‘openvswitch:openvswitch’
  Cleanup    : openvswitch-2.7.3-3.git20180112.el7fdp.x86_64                          2/2 
  Verifying  : openvswitch-2.9.0-19.el7fdp.x86_64                                     1/2 
  Verifying  : openvswitch-2.7.3-3.git20180112.el7fdp.x86_64                          2/2 

Updated:
  openvswitch.x86_64 0:2.9.0-19.el7fdp                                                    

Complete!

#########################################################################

Verify fix when updating from openvswitch 2.7.3.3 FDP to openvswitch 2.9.0.47 FDP (no warning messages assert):

[root@netqe11 ~]# ./bz1559374.sh http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.9.0/47.el7fdp/x86_64/openvswitch-2.9.0-47.el7fdp.x86_64.rpm
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package openvswitch.x86_64 0:2.9.0-19.el7fdp will be erased
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================
 Package              Arch            Version                    Repository          Size
==========================================================================================
Removing:
 openvswitch          x86_64          2.9.0-19.el7fdp            installed           21 M

Transaction Summary
==========================================================================================
Remove  1 Package

Installed size: 21 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : openvswitch-2.9.0-19.el7fdp.x86_64                                     1/1 
  Verifying  : openvswitch-2.9.0-19.el7fdp.x86_64                                     1/1 

Removed:
  openvswitch.x86_64 0:2.9.0-19.el7fdp                                                    

Complete!
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
openvswitch-2.7.3-3.git20180112.el7fdp.x86_64.rpm                  | 4.3 MB  00:00:00     
Examining /var/tmp/yum-root-qlj7Yg/openvswitch-2.7.3-3.git20180112.el7fdp.x86_64.rpm: openvswitch-2.7.3-3.git20180112.el7fdp.x86_64
Marking /var/tmp/yum-root-qlj7Yg/openvswitch-2.7.3-3.git20180112.el7fdp.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package openvswitch.x86_64 0:2.7.3-3.git20180112.el7fdp will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================
 Package
   Arch   Version                    Repository                                      Size
==========================================================================================
Installing:
 openvswitch
   x86_64 2.7.3-3.git20180112.el7fdp /openvswitch-2.7.3-3.git20180112.el7fdp.x86_64  18 M

Transaction Summary
==========================================================================================
Install  1 Package

Total size: 18 M
Installed size: 18 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : openvswitch-2.7.3-3.git20180112.el7fdp.x86_64                          1/1 
  Verifying  : openvswitch-2.7.3-3.git20180112.el7fdp.x86_64                          1/1 

Installed:
  openvswitch.x86_64 0:2.7.3-3.git20180112.el7fdp                                         

Complete!
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
openvswitch-2.9.0-47.el7fdp.x86_64.rpm                             | 6.4 MB  00:00:00     
Examining /var/tmp/yum-root-qlj7Yg/openvswitch-2.9.0-47.el7fdp.x86_64.rpm: openvswitch-2.9.0-47.el7fdp.x86_64
Marking /var/tmp/yum-root-qlj7Yg/openvswitch-2.9.0-47.el7fdp.x86_64.rpm as an update to openvswitch-2.7.3-3.git20180112.el7fdp.x86_64
Resolving Dependencies
--> Running transaction check
---> Package openvswitch.x86_64 0:2.7.3-3.git20180112.el7fdp will be updated
---> Package openvswitch.x86_64 0:2.9.0-47.el7fdp will be an update
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================
 Package        Arch      Version            Repository                              Size
==========================================================================================
Updating:
 openvswitch    x86_64    2.9.0-47.el7fdp    /openvswitch-2.9.0-47.el7fdp.x86_64     22 M

Transaction Summary
==========================================================================================
Upgrade  1 Package

Total size: 22 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : openvswitch-2.9.0-47.el7fdp.x86_64                                     1/2 
  Cleanup    : openvswitch-2.7.3-3.git20180112.el7fdp.x86_64                          2/2 
  Verifying  : openvswitch-2.9.0-47.el7fdp.x86_64                                     1/2 
  Verifying  : openvswitch-2.7.3-3.git20180112.el7fdp.x86_64                          2/2 

Updated:
  openvswitch.x86_64 0:2.9.0-47.el7fdp                                                    

Complete!

Comment 21 errata-xmlrpc 2018-06-21 13:36:35 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1962

Note You need to log in before you can comment on or make changes to this bug.