From 5b47f00633c12b1290acad8c02b3e3f72bd2acf6 Mon Sep 17 00:00:00 2001
From: Yaguang Tang
Date: Sat, 18 Jan 2025 20:06:59 +0800
Subject: [PATCH] update openvswitch to run with non-root user

Change-Id: I27a0927fb8b01b4eb997e8e7b840adc7a9e56d26
---
 openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl | 3 ++-
 openvswitch/templates/daemonset.yaml | 4 ++--
 openvswitch/values.yaml | 4 ++++
 releasenotes/notes/openvswitch-0b37403ffc75bb63.yaml | 4 ++++
 4 files changed, 12 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/openvswitch-0b37403ffc75bb63.yaml

diff --git a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
index d32d2ec9e..1c35e1c8f 100644
--- a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
+++ b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
@@ -119,7 +119,8 @@ function start () {
 -vconsole:err \
 -vconsole:info \
 --pidfile=${OVS_PID} \
- --mlockall
+ --mlockall \
+ --user="{{ .Values.conf.ovs_user_name }}"
 }

 function stop () {
diff --git a/openvswitch/templates/daemonset.yaml b/openvswitch/templates/daemonset.yaml
index 3a66fa519..a6c7527b5 100644
--- a/openvswitch/templates/daemonset.yaml
+++ b/openvswitch/templates/daemonset.yaml
@@ -150,10 +150,10 @@ spec:
 - name: run
 mountPath: /run
 - name: openvswitch-vswitchd
-{{- if .Values.conf.ovs_dpdk.enabled }}
 {{/* Run the container in priviledged mode due to the need for root
-permissions when using the uio_pci_generic driver. */}}
+permissions when we specify --user to run in non-root. */}}
 {{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
+{{- if .Values.conf.ovs_dpdk.enabled }}
 {{/* Limiting CPU cores would severely affect packet throughput
 It should be handled through lcore and pmd core masks. */}}
 {{- if .Values.pod.resources.enabled }}
diff --git a/openvswitch/values.yaml b/openvswitch/values.yaml
index b350f03ed..6cf823373 100644
--- a/openvswitch/values.yaml
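Review bot: `--user="{{ .Values.conf.ovs_user_name }}"` is expanded verbatim, so an unset or empty value renders as `--user=` and the failure only surfaces when ovs-vswitchd starts, not when the chart is rendered; failing early with `--user="{{ required "conf.ovs_user_name must be set" .Values.conf.ovs_user_name }}"` would make the misconfiguration obvious. Once the daemon drops to that account, the pidfile at `${OVS_PID}` and the directory it lives in must be writable by the non-root uid, and nothing in this hunk adjusts ownership, so confirm the entrypoint or image does. `--mlockall` is kept on the same command line; for an unprivileged process mlockall() is bounded by RLIMIT_MEMLOCK unless CAP_IPC_LOCK is retained, so a short comment on that line noting which of the two the deployment relies on would save the next reader a debugging session. The `start` function continues outside the hunk.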
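Review bot: `privileged` is now forced to `true` for the vswitchd container unconditionally, where before it was only set under `ovs_dpdk.enabled`; a privileged container keeps the full capability set and host device access, so switching the daemon's uid inside it removes little of the exposure the non-root change is meant to reduce. Consider leaving the privileged escalation DPDK-only and, for the non-DPDK path, granting only the capabilities the daemon actually needs (at minimum `NET_ADMIN`, plus `IPC_LOCK` while `--mlockall` stays) via `pod.security_context.ovs.container.vswitchd`, with the exact list confirmed against the OVS non-root documentation. The `{{- end }}` that closes `{{- if .Values.conf.ovs_dpdk.enabled }}` is outside the hunk, so check it still pairs correctly now that the `if` has moved below the `set`. The new comment text also reads awkwardly; suggested wording: `permissions when --user is specified and the daemon drops to a non-root account. */}}`.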
+++ b/openvswitch/values.yaml
@@ -241,4 +241,8 @@ conf:
 # vHost IOMMU feature restricts the vhost memory that a virtio device
 # access, available with DPDK v17.11
 # vhost_iommu_support: true
+ ## OVS supports run in non-root for both OVS and OVS DPDK mode, the user
+ # for OVS need to be added to container image with user id 42424.
+ # useradd -u 42424 openvswitch, groupmod -g 42424 openvswitch
+ ovs_user_name: "openvswitch:openvswitch"
 ...
diff --git a/releasenotes/notes/openvswitch-0b37403ffc75bb63.yaml b/releasenotes/notes/openvswitch-0b37403ffc75bb63.yaml
new file mode 100644
index 000000000..89dfd1292
--- /dev/null
+++ b/releasenotes/notes/openvswitch-0b37403ffc75bb63.yaml
@@ -0,0 +1,4 @@
+---
+openvswitch:
+ - Change Open vSwitch to run with non-root user
+...
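Review bot: The default `"openvswitch:openvswitch"` is only valid if that user and group exist in the container image at the uid documented in the comment, and the comment is the sole record of that contract; the chart has no check, so an image built without the account fails at daemon start with no hint pointing back here. A note on the value making the dependency explicit would help, e.g. `# The user:group passed to ovs-vswitchd --user; it must exist in the image (see useradd above) or the daemon will not start.` The comment block also mixes `##` and `#` markers and reads as broken English; suggested rewrite of the three lines: `# OVS can run as a non-root user in both plain and DPDK mode. The account must exist in the container image with uid/gid 42424:` followed by `# useradd -u 42424 openvswitch; groupmod -g 42424 openvswitch`. Whether 42424 is the uid the published image actually uses is not verifiable from this diff and should be confirmed against the image build.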