diff --git a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
index d32d2ec9e7..1c35e1c8f6 100644
--- a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
+++ b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
@@ -119,7 +119,8 @@ function start () {
 -vconsole:err \
 -vconsole:info \
 --pidfile=${OVS_PID} \
- --mlockall
+ --mlockall \
+ --user="{{ .Values.conf.ovs_user_name }}"
 }
 
 function stop () {
diff --git a/openvswitch/templates/daemonset.yaml b/openvswitch/templates/daemonset.yaml
index 3a66fa519a..a6c7527b5e 100644
--- a/openvswitch/templates/daemonset.yaml
+++ b/openvswitch/templates/daemonset.yaml
@@ -150,10 +150,10 @@ spec:
 - name: run
 mountPath: /run
 - name: openvswitch-vswitchd
-{{- if .Values.conf.ovs_dpdk.enabled }}
 {{/* Run the container in priviledged mode due to the need for root
-permissions when using the uio_pci_generic driver. */}}
+permissions when we specify --user to run in non-root. */}}
 {{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
+{{- if .Values.conf.ovs_dpdk.enabled }}
 {{/* Limiting CPU cores would severely affect packet throughput
 It should be handled through lcore and pmd core masks. */}}
 {{- if .Values.pod.resources.enabled }}
diff --git a/openvswitch/values.yaml b/openvswitch/values.yaml
index b350f03ed9..6cf8233734 100644
--- a/openvswitch/values.yaml
+++ b/openvswitch/values.yaml
@@ -241,4 +241,8 @@ conf:
 # vHost IOMMU feature restricts the vhost memory that a virtio device
 # access, available with DPDK v17.11
 # vhost_iommu_support: true
+ ## OVS supports run in non-root for both OVS and OVS DPDK mode, the user
+ # for OVS need to be added to container image with user id 42424.
+ # useradd -u 42424 openvswitch, groupmod -g 42424 openvswitch
+ ovs_user_name: "openvswitch:openvswitch"
 ...
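Review bot: The `--user="{{ .Values.conf.ovs_user_name }}"` argument added as the last line of the `start` command has no guard, so a deployment that leaves `conf.ovs_user_name` empty would (as far as I can tell from Helm's rendering of empty values) pass `--user=""` instead of keeping the previous root behaviour; either document the value as mandatory or wrap the flag in an `{{- if .Values.conf.ovs_user_name }}` … `{{- end }}` block together with the trailing backslash on `--mlockall`. Note that ovs-vswitchd can only switch to the requested user when it is started as root, so this flag does not remove the root requirement from the entrypoint itself, only from the long-running daemon. The value is expanded inside double quotes, so it reaches the daemon as one argument, but shell `$` and backtick expansion still apply to it; a comment above the flag such as `# user:group that ovs-vswitchd drops privileges to after startup; must exist in the image` would make the expected form explicit. The enclosing `start` function begins before this hunk.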
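Review bot: Moving `{{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}` above the re-added `{{- if .Values.conf.ovs_dpdk.enabled }}` makes the vswitchd container privileged in every deployment, whereas before it was privileged only in DPDK mode; the new comment text justifies this only with the need for root when `--user` is specified. `privileged: true` grants every capability plus host device access, which is considerably more than starting as root and dropping to another uid requires; if the uid switch is the only reason, a `capabilities.add` list covering what ovs-vswitchd actually needs (the setuid/setgid switch and network administration at least, to be confirmed against the daemon's documented requirements) would be the narrower option. If the unconditional privileged setting is deliberate, the comment should say so, e.g. `{{/* privileged is now set regardless of DPDK: the entrypoint starts ovs-vswitchd as root and passes --user so it drops to conf.ovs_user_name; narrow to capabilities once the required set is confirmed. */}}`, so the next reader does not assume it is still DPDK-specific. The existing typo `priviledged` sits on a context line and is out of scope here.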
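Review bot: `ovs_user_name: "openvswitch:openvswitch"` holds a `user:group` pair, which neither the key name nor the three comment lines above it state, and the first of those lines opens with `##` while every neighbouring comment in this stanza uses a single `#`. The comment also pins the account to uid 42424 but the suggested `groupmod -g 42424 openvswitch` only succeeds if that group already exists, which depends on the base image's `useradd` defaults; the template consuming this value gives no check that either the user or the group is present. I would replace the three comment lines with `# user:group that ovs-vswitchd drops privileges to via --user; both must exist in the container image (e.g. uid/gid 42424, created at image build time)` and keep the value quoted as it is.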
diff --git a/releasenotes/notes/openvswitch-0b37403ffc75bb63.yaml b/releasenotes/notes/openvswitch-0b37403ffc75bb63.yaml
new file mode 100644
index 0000000000..89dfd12921
--- /dev/null
+++ b/releasenotes/notes/openvswitch-0b37403ffc75bb63.yaml
@@ -0,0 +1,4 @@
+---
+openvswitch:
+ - Change Open vSwitch to run with non-root user
+...