update openvswitch to run with non-root user

Change-Id: I27a0927fb8b01b4eb997e8e7b840adc7a9e56d26

openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl

@@ -119,7 +119,8 @@ function start () {
           -vconsole:err \
           -vconsole:info \
           --pidfile=${OVS_PID} \
-          --mlockall
+          --mlockall \
+          --user="{{ .Values.conf.ovs_user_name }}"
 }
 
 function stop () {

openvswitch/templates/daemonset.yaml

@@ -150,10 +150,10 @@ spec:
             - name: run
               mountPath: /run
         - name: openvswitch-vswitchd
-{{- if .Values.conf.ovs_dpdk.enabled }}
 {{/* Run the container in priviledged mode due to the need for root
-permissions when using the uio_pci_generic driver. */}}
+permissions when we specify --user to run in non-root. */}}
 {{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
+{{- if .Values.conf.ovs_dpdk.enabled }}
 {{/* Limiting CPU cores would severely affect packet throughput
 It should be handled through lcore and pmd core masks. */}}
 {{- if .Values.pod.resources.enabled }}

openvswitch/values.yaml

@@ -241,4 +241,8 @@ conf:
     #     vHost IOMMU feature restricts the vhost memory that a virtio device
     #     access, available with DPDK v17.11
     # vhost_iommu_support: true
+  ## OVS supports run in non-root for both OVS and OVS DPDK mode, the user
+  # for OVS need to be added to container image with user id 42424.
+  # useradd -u 42424 openvswitch, groupmod -g 42424 openvswitch
+  ovs_user_name: "openvswitch:openvswitch"
 ...

releasenotes/notes/openvswitch-0b37403ffc75bb63.yaml

@@ -0,0 +1,4 @@
+---
+openvswitch:
+  - Change Open vSwitch to run with non-root user
+...