Change ovs user and fix permissions on ovs upgrade

When upgrading to latest ovs, package needs to run with ovs user,
and also the affected folders need to change their perms. Change
the config file for it, and initially do a perm change. Also
create a one-time service file that will run after reboot, to be
sure that all the remaining folders have changed their perms
properly.

Change-Id: Iab8371161ec4ccb7f9541448e51bb0f647e43798
Related-Bug: #1759982

puppet/services/openvswitch.yaml

@@ -164,6 +164,73 @@ outputs:
             shell: /sbin/nologin
             comment: "OpenvSwitch Daemons"
 
+        - name: Check for openvswitch upgrade
+          when: step|int == 2
+          register: ovs_need_upgrade
+          ignore_errors: true
+          shell: |
+            yum check-upgrade openvswitch | awk '/openvswitch/{print}'
+
+        - block:
+            - name: update openvswitch for latest version
+              yum:
+                name: openvswitch
+                state: latest
+
+            - name: Check if ovs >= 2.8
+              shell: |
+                ovs_version=$(rpm -q --queryformat '%{VERSION}' openvswitch)
+                major_version=`echo $ovs_version | cut -d. -f1`
+                minor_version=`echo $ovs_version | cut -d. -f2`
+                echo $(($major_version*10+$minor_version))
+              register: ovs_version_number
+
+            - name: Replace correct settings for openvswitch if exist
+              lineinfile:
+                  path: /etc/sysconfig/openvswitch
+                  regexp: '^\#*OVS_USER_ID='
+                  line: 'OVS_USER_ID="openvswitch:hugetlbfs"'
+              when: ovs_version_number.stdout|default('')|int>=28
+
+            - name: Add correct settings for openvswitch if not exist
+              lineinfile:
+                  path: /etc/sysconfig/openvswitch
+                  line: 'OVS_USER_ID="openvswitch:hugetlbfs"'
+                  state: present
+              when: ovs_version_number.stdout|default('')|int>=28
+
+            - name: Check if we need to change permissions in ovs
+              shell: |
+                  find /etc/openvswitch /var/log/openvswitch ! -user openvswitch ! -group hugetlbfs
+              register: ovs_need_perm_change
+              when: ovs_version_number.stdout|default('')|int>=28
+
+            - name: Copy service to change ovs permissions
+              copy:
+                  dest: /etc/systemd/system/multi-user.target.wants/fix-ovs-permissions.service
+                  content: |
+                    [Unit]
+                    Description=One time service to fix permissions in OpenvSwitch
+                    Before=openvswitch.service
+
+                    [Service]
+                    Type=oneshot
+                    User=root
+                    ExecStart=/usr/bin/bash -c "/usr/bin/chown -R openvswitch:hugetlbfs /etc/openvswitch /var/log/openvswitch || true"
+                    ExecStartPost=/usr/bin/rm /etc/systemd/system/multi-user.target.wants/fix-ovs-permissions.service
+                    TimeoutStartSec=0
+                    RemainAfterExit=no
+
+                    [Install]
+                    WantedBy=default.target
+                  mode: 0775
+              when:
+                - ovs_version_number.stdout|default('')|int>=28
+                - ovs_need_perm_change.stdout|default('')
+          when:
+            - step|int == 2
+            - ovs_need_upgrade.stdout|default('')
+
       upgrade_tasks:
         - name: Check openvswitch version.
           tags: step2