The FDP team is no longer accepting new bugs in Bugzilla. Please report your issues under FDP project in Jira. Thanks.
Bug 1791388 - Launch ovn daemons as non-root user
Summary: Launch ovn daemons as non-root user
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: ovn2.11
Version: FDP 20.A
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: Timothy Redaelli
QA Contact: Jianlin Shi
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-01-15 17:22 UTC by Timothy Redaelli
Modified: 2020-03-10 10:08 UTC (History)
2 users (show)

Fixed In Version: ovn2.11-2.11.1-30.el7fdn
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-10 10:07:57 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0750 0 None None None 2020-03-10 10:08:30 UTC

Internal Links: 1806276 1809458 1825740

Description Timothy Redaelli 2020-01-15 17:22:11 UTC 
Currently ovn daemons runs as root user, but this is not good for security point of view
Comment 2 Jianlin Shi 2020-02-04 09:30:45 UTC 
run as root on ovn2.11.1-20:

[root@hp-dl380pg8-12 bz1788456]# ps aux | grep ovn-n                                                  
root     41485  0.0  0.0  59600  1152 ?        S<s  04:28   0:00 ovn-northd: monitoring pid 41486 (healthy)
root     41486  0.0  0.0  60000  2216 ?        S<   04:28   0:00 ovn-northd -vconsole:emer -vsyslog:err -vfile:info --ovnnb-db=unix:/run/openvswitch/ovnnb_db.sock --ovnsb-db=unix:/run/openvswitch/ovnsb_db.sock --no-chdir --log-file=/var/log/openvswitch/ovn-northd.log --pidfile=/run/openvswitch/ovn-northd.pid --detach --monitor

run as non-root on 2.11.1-32:

[root@hp-dl380pg8-12 bz1788456]# ps aux | grep ovn-n
openvsw+ 41705  0.0  0.0  61764  1188 ?        S<s  04:29   0:00 ovn-northd: monitoring pid 41706 (healthy)
openvsw+ 41706  0.0  0.0  62128  2348 ?        S<   04:29   0:00 ovn-northd --user openvswitch:hugetlbfs -vconsole:emer -vsyslog:err -vfile:info --ovnnb-db=unix:/run/openvswitch/ovnnb_db.sock --ovnsb-db=unix:/run/openvswitch/ovnsb_db.sock --no-chdir --log-file=/var/log/openvswitch/ovn-northd.log --pidfile=/run/openvswitch/ovn-northd.pid --detach --monitor

[root@hp-dl380pg8-12 bz1788456]# ps aux | grep ovn-con
openvsw+ 42032  0.4  0.0 283892  3848 ?        S<sl 04:30   0:00 ovn-controller unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovn-controller.log --pidfile=/var/run/openvswitch/ovn-controller.pid --detach

[root@hp-dl380pg8-12 bz1788456]# rpm -qa | grep -E "openvswitch|ovn"
ovn2.11-host-2.11.1-32.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-14.el7fdp.noarch
ovn2.11-central-2.11.1-32.el7fdp.x86_64
openvswitch2.11-2.11.0-35.el7fdp.x86_64
ovn2.11-2.11.1-32.el7fdp.x86_64
Comment 4 errata-xmlrpc 2020-03-10 10:07:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0750
Note You need to log in before you can comment on or make changes to this bug.