From c124717a76bde72dc132d8644fc0459e55bea93c Mon Sep 17 00:00:00 2001
From: Yaguang Tang <yaguang.tang@vexxhost.com>
Date: Fri, 25 Oct 2024 15:26:52 +0800
Subject: [PATCH] add user and group to ovn container image to rebuild for dpdk
 file access

update ovn-controler script to chown ovs bridge socket files so that
libvirt pod can read

fix #1982
---
 .../ovn/templates/bin/_ovn-controller-init.sh.tpl   |  3 +++
 ...ovs-bridge-socket-file-ownship-to-non-root.patch | 13 +++++++++++++
 images/ovn/Dockerfile                               |  8 ++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 charts/patches/ovn/0003-update-ovs-bridge-socket-file-ownship-to-non-root.patch

diff --git a/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl b/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl
index 1d303c8d9..f7f5384b3 100644
--- a/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl
+++ b/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl
@@ -175,5 +175,8 @@ do
   then
     ovs-vsctl --may-exist add-port $bridge $iface
     migrate_ip_from_nic $iface $bridge
+  # update bridge socket file to non root owner 42424
+  chown 42424:42424 /var/run/openvswitch/*.mgmt
+  chown 42424:42424 /var/run/openvswitch/*.snoop
   fi
 done
diff --git a/charts/patches/ovn/0003-update-ovs-bridge-socket-file-ownship-to-non-root.patch b/charts/patches/ovn/0003-update-ovs-bridge-socket-file-ownship-to-non-root.patch
new file mode 100644
index 000000000..1983326fb
--- /dev/null
+++ b/charts/patches/ovn/0003-update-ovs-bridge-socket-file-ownship-to-non-root.patch
@@ -0,0 +1,13 @@
+diff --git a/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl b/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl
+index b1960212..8da8416f 100644
+--- a/ovn/templates/bin/_ovn-controller-init.sh.tpl
++++ b/ovn/templates/bin/_ovn-controller-init.sh.tpl
+@@ -169,5 +169,8 @@ do
+   then
+     ovs-vsctl --may-exist add-port $bridge $iface
+     migrate_ip_from_nic $iface $bridge
++  # update bridge socket file to non root owner 42424
++  chown 42424:42424 /var/run/openvswitch/*.mgmt
++  chown 42424:42424 /var/run/openvswitch/*.snoop
+   fi
+ done
diff --git a/images/ovn/Dockerfile b/images/ovn/Dockerfile
index de7a8e817..34e0a18c2 100644
--- a/images/ovn/Dockerfile
+++ b/images/ovn/Dockerfile
@@ -34,3 +34,11 @@ EOF
 COPY --from=ovn-kubernetes --link /src/dist/images/ovndb-raft-functions.sh /root/ovndb-raft-functions.sh
 COPY --from=ovn-kubernetes --link /src/dist/images/ovnkube.sh /root/ovnkube.sh
 COPY --from=ovn-kubernetes --link /usr/bin/ovn-kube-util /usr/bin/ovn-kube-util
+
+ARG PROJECT=ovn
+ENV OVS_USER_ID=42424
+RUN \
+    groupadd -g 42424 ${PROJECT} && \
+    useradd -u 42424 -g 42424 -M -d /var/lib/${PROJECT} -s /sbin/nologin -c "${PROJECT} User" ${PROJECT} && \
+    mkdir -p /etc/${PROJECT} /var/log/${PROJECT} /var/lib/${PROJECT} /var/run/${PROJECT} && \
+    chown -Rv ${PROJECT}:${PROJECT} /etc/${PROJECT} /var/log/${PROJECT} /var/lib/${PROJECT} /var/run/${PROJECT}