Merge "update openvswitch to run with non-root user"

Zuul 2025-01-28 17:06:39 +00:00 committed by Gerrit Code Review
commit 775a2d079b
4 changed files with 12 additions and 3 deletions

@ -119,7 +119,8 @@ function start () {
-vconsole:err \
-vconsole:info \
--pidfile=${OVS_PID} \
--mlockall
--mlockall \
--user="{{ .Values.conf.ovs_user_name }}"
}
function stop () {
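Review bot: The added `--user="{{ .Values.conf.ovs_user_name }}"` argument is rendered unconditionally, so an override that sets `conf.ovs_user_name` to an empty string yields `--user=""` and leaves operators no supported way to keep the previous behaviour. Wrapping the flag in `{{- if .Values.conf.ovs_user_name }}` … `{{- end }}` would omit it when no user is configured. The value is also expanded inside a double-quoted shell string, so it is worth documenting that it must be a plain `user:group` name without shell metacharacters. The body of `start` begins outside this hunk, so whether the path in `${OVS_PID}` is writable by the new user cannot be confirmed from here.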

@ -150,10 +150,10 @@ spec:
- name: run
mountPath: /run
- name: openvswitch-vswitchd
{{- if .Values.conf.ovs_dpdk.enabled }}
{{/* Run the container in priviledged mode due to the need for root
permissions when using the uio_pci_generic driver. */}}
permissions when we specify --user to run in non-root. */}}
{{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
{{- if .Values.conf.ovs_dpdk.enabled }}
{{/* Limiting CPU cores would severely affect packet throughput
It should be handled through lcore and pmd core masks. */}}
{{- if .Values.pod.resources.enabled }}
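Review bot: Moving the `set … "privileged" true` line above `{{- if .Values.conf.ovs_dpdk.enabled }}` makes the vswitchd container privileged in every deployment rather than only with DPDK, so a change meant to drop root in the daemon widens the container's access to the host. Because `set` overwrites `pod.security_context.ovs.container.vswitchd.privileged`, an operator who sets it to `false` in values is silently overridden. If the non-DPDK path only needs to change uid/gid and keep the networking capabilities OVS retains under `--user`, an explicit `capabilities.add` list in that security context would be a narrower grant; the exact set would need testing against the image. The rewritten comment should also state why privileged mode is needed for `--user`, since "root permissions when we specify --user to run in non-root" does not explain it, and "priviledged" is misspelled.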

@ -241,4 +241,8 @@ conf:
# vHost IOMMU feature restricts the vhost memory that a virtio device
# access, available with DPDK v17.11
# vhost_iommu_support: true
## OVS supports run in non-root for both OVS and OVS DPDK mode, the user
# for OVS need to be added to container image with user id 42424.
# useradd -u 42424 openvswitch, groupmod -g 42424 openvswitch
ovs_user_name: "openvswitch:openvswitch"
...
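Review bot: The comment above `ovs_user_name` names a fixed uid/gid of 42424, but the value handed to OVS is a name, so nothing in the chart ties the two together, and with this default an image that lacks the `openvswitch` user will presumably fail when ovs-vswitchd starts. The comment should state this as a requirement on the image and read as one block (it currently starts with `##` and runs two commands together), for example `# User and group ovs-vswitchd switches to via --user (OVS and OVS-DPDK).`, `# The container image must already contain this user and group (uid/gid 42424),` and `# e.g. useradd -u 42424 openvswitch; groupmod -g 42424 openvswitch`. Since this changes the default for existing deployments, the upgrade impact on custom images also belongs in the release note.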

@ -0,0 +1,4 @@
---
openvswitch:
- Change Open vSwitch to run with non-root user
...