Fix logrotate user in UBI images

Logrotate will run as the user openvswitch, but we start the OVS daemon as the root user. We can disable this behavior by specifying `--without libcapng` in RPM builds. Fixes: #6046 Signed-off-by: Xu Liu <[email protected]>
antrea-io · Mar 6, 2024 · 2a2ff09 · 2a2ff09
1 parent 75205ef
commit 2a2ff09
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/build/images/ovs/Dockerfile.ubi b/build/images/ovs/Dockerfile.ubi
@@ -32,7 +32,12 @@ RUN cd /tmp/openvswitch* && \
     sed -e "s/@VERSION@/$OVS_VERSION/" rhel/openvswitch-fedora.spec.in > /tmp/ovs.spec && \
     yum-builddep -y /tmp/ovs.spec && ./boot.sh && \
     ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc && \
-    make rpm-fedora && mkdir -p /tmp/ovs-rpms && \
+    # https://github.com/openvswitch/ovs/blob/v2.17.7/rhel/openvswitch-fedora.spec.in#L26-L27
+    # Antrea will run OVS and logrotate as the root user. Disabling libcapng helps
+    # to skip configuring the user and group for OVS and logrotate.
+    # Specifying `--without libcapng` will cause OVS not linking to libcapng, and thus
+    # OVS might fail to start with the `--user` option.
+    RPMBUILD_OPT="--without libcapng" make rpm-fedora && mkdir -p /tmp/ovs-rpms && \
     mv /tmp/openvswitch-$OVS_VERSION/rpm/rpmbuild/RPMS/*/*.rpm  /tmp/ovs-rpms && \
     rm -rf /tmp/openvswitch*
 

diff --git a/test/e2e/basic_test.go b/test/e2e/basic_test.go
@@ -56,6 +56,7 @@ func TestBasic(t *testing.T) {
 	t.Run("testDeletePreviousRoundFlowsOnStartup", func(t *testing.T) { testDeletePreviousRoundFlowsOnStartup(t, data) })
 	t.Run("testGratuitousARP", func(t *testing.T) { testGratuitousARP(t, data, data.testNamespace) })
 	t.Run("testClusterIdentity", func(t *testing.T) { testClusterIdentity(t, data) })
+	t.Run("testLogRotate", func(t *testing.T) { testLogRotate(t, data) })
 }
 
 // testPodAssignIP verifies that Antrea allocates IP addresses properly to new Pods. It does this by
@@ -892,3 +893,14 @@ func testClusterIdentity(t *testing.T, data *TestData) {
 	assert.NoError(t, err, "Failed to retrieve cluster identity information within %v", timeout)
 	assert.NotEqual(t, uuid.Nil, clusterUUID)
 }
+
+func testLogRotate(t *testing.T, data *TestData) {
+	nodeName := nodeName(0)
+	podName := getAntreaPodName(t, data, nodeName)
+	cmd := []string{"logrotate", "-vf", "/etc/logrotate.d/openvswitch-switch"}
+	stdout, stderr, err := data.RunCommandFromPod(antreaNamespace, podName, ovsContainerName, cmd)
+	if err != nil {
+		t.Fatalf("Error when running logrotate command in Pod '%s': %v, stdout: %s, stderr: %s", podName, err, stdout, stderr)
+	}
+	t.Logf("Successfully ran logrotate command in Pod '%s': stdout: %s, stderr: %s", podName, stdout, stderr)
+}