Juan Hernandez has uploaded a new change for review.

Change subject: packaging: Allow normal users to run the service
......................................................................

packaging: Allow normal users to run the service

Currently we have a restriction in the service script to only allow root
to run it. This patch adds a new variable ENGINE_SERVICE_USER to the
/etc/sysconfig/ovirt-engine script that contains the name of the user
allowed to run the service. The default value is "root", but in
development environments it can be changed to allow the developer to run
the service.

Change-Id: I52d784cb5f84627a175e20e0fdc7b1f91076f478
Signed-off-by: Juan Hernandez <juan.hernan...@redhat.com>
---
M backend/manager/conf/engine.conf.defaults
M packaging/fedora/engine-service.py
2 files changed, 26 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/38/10538/1

diff --git a/backend/manager/conf/engine.conf.defaults b/backend/manager/conf/engine.conf.defaults
index f7c615f..661ec68 100644
--- a/backend/manager/conf/engine.conf.defaults
+++ b/backend/manager/conf/engine.conf.defaults
@@ -45,6 +45,12 @@
 ENGINE_PID=/var/run/ovirt-engine.pid
 
 #
+# The name of the user that should execute the service script, usually
+# root, but can be different in development environments:
+#
+ENGINE_SERVICE_USER=root
+
+#
 # The names of the user and group that will execute the java
 # virtual machine of the engine:
 #
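Review bot: The comment added above `ENGINE_SERVICE_USER=root` does not say what changes when the value is something other than root. Judging by the engine-service.py part of this change, `ENGINE_NOFILE` is then no longer applied, and the later switch to the engine user and group presumably only works if the service user already is that user. I would say so in the comment, for example `# Keep this set to root outside development; with any other user ENGINE_NOFILE is not applied.`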
diff --git a/packaging/fedora/engine-service.py b/packaging/fedora/engine-service.py
index b3f5d40..099457a 100644
--- a/packaging/fedora/engine-service.py
+++ b/packaging/fedora/engine-service.py
@@ -47,8 +47,10 @@
 engineConfig = None
 
 # The name of the user and group that should run the service:
+serviceUser = None
 engineUser = None
 engineGroup = None
+serviceUid = 0
 engineUid = 0
 engineGid = 0
 
@@ -149,6 +151,17 @@
     global engineConfig
     engineConfig = Config(engineConfigFiles)
 
+    # Get the numeric id of the user that is allowed to run the service
+    # script, this is usually root but in development environments it
+    # can by a normal user:
+    global serviceUser
+    global serviceUid
+    serviceUser = engineConfig.getString("ENGINE_SERVICE_USER")
+    try:
+        serviceUid = pwd.getpwnam(serviceUser).pw_uid
+    except:
+        raise Exception("The service user \"%s\" doesn't exist." % serviceUser)
+
     # Get the id of the engine user:
     global engineUser
     global engineUid
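Review bot: The bare `except:` around `pwd.getpwnam(serviceUser)` turns every failure into "The service user ... doesn't exist", including a `KeyboardInterrupt` and, if `getString` can return `None` for a missing key, a `TypeError`. `pwd.getpwnam` raises `KeyError` for an unknown name, so `except KeyError:` is sufficient and lets other errors surface with their real cause. The added comment also has a typo, "it can by a normal user" should read "it can be a normal user". The enclosing function starts and ends outside the hunk.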
@@ -225,8 +238,10 @@
 
 
 def checkIdentity():
-    if os.getuid() != 0:
-        raise Exception("This script should run with the root user.")
+    # Check that we are running with the service user as the effective
+    # identity:
+    if os.getuid() != serviceUid:
+        raise Exception("This service should run with the %s user." % serviceUser)
 
 
 def checkOwnership(name, uid=None, gid=None):
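Review bot: The new comment in `checkIdentity` says the check is made against the effective identity, but `os.getuid()` returns the real user id; the effective one comes from `os.geteuid()`. The two differ when the script is started through a setuid wrapper or a similar mechanism, and it is the effective id that decides whether later privileged calls succeed. Either change the test to `if os.geteuid() != serviceUid:` or reword the comment to say "real user id", so that code and comment agree.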
@@ -496,8 +511,9 @@
 
     # Change the resource limits while we are root as we won't be
     # able to change them once we assume the engine identity:
-    engineNofile = engineConfig.getInteger("ENGINE_NOFILE")
-    resource.setrlimit(resource.RLIMIT_NOFILE, (engineNofile, engineNofile))
+    if serviceUid == 0:
+        engineNofile = engineConfig.getInteger("ENGINE_NOFILE")
+        resource.setrlimit(resource.RLIMIT_NOFILE, (engineNofile, engineNofile))
 
     # This is the child process, first thing we do is assume the engine
     # identity:
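Review bot: With the new `if serviceUid == 0:` guard, a configured `ENGINE_NOFILE` is silently ignored whenever the service user is not root, and the comment above the guard still describes only the root case. A comment on the guard such as `# A normal user cannot raise the hard limit, so ENGINE_NOFILE is ignored in that case.` plus a log message would make the difference visible to whoever runs the service. The lines after the hunk assume the engine identity; that code is not visible here, so it should be confirmed that it is skipped or tolerated for a non-root service user, otherwise the engine may fail to start or keep running under the caller's identity without any notice. The enclosing function starts and ends outside the hunk.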


--
To view, visit http://gerrit.ovirt.org/10538

Gerrit-MessageType: newchange
Gerrit-Change-Id: I52d784cb5f84627a175e20e0fdc7b1f91076f478
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernan...@redhat.com>