Sergio Gonzalez Monroy <[email protected]> writes:

> Hi Aaron,

Hi Sergio,

> On 01/08/2017 23:05, Aaron Conole wrote:
>> After this commit, users may start a dpdk-enabled ovs setup as a
>> non-root user. This is accomplished by exporting the $HOME directory,
>> which dpdk uses to fill in its semi-persistent RTE configuration.
>>
>> This change may be a bit controversial since it modifies /dev/hugepages
>> as part of starting the ovs-vswitchd to set a hugetlbfs group
>> ownership. This is used to enable writing to /dev/hugepages so that the
>> dpdk_init will successfully complete. There is an alternate way of
>> accomplishing this - namely to initialize DPDK before dropping
>> privileges. However, this would mean that if DPDK ever grows an uninit
>> / reinit function, non-root ovs likely could never use it.
>>
>> This does not change OvS+DPDK's SELinux requirements. It still must be
>> disabled.
>>
>> Signed-off-by: Aaron Conole <[email protected]>
>> ---
>
> Instead of modifying /dev/hugepages, what about creating a hugetlbfs
> mount point for OvS? You could then point DPDK to use that specific
> mount (--huge-dir).

With this approach, I need to also insert new information into the ovsdb.
Additionally, if the user wants to customize it, I'm not sure the best way
of doing that. Do you have a concrete set of steps you think makes sense
here?

> The only downside I can think of for this approach is that OvS would
> be fixed to use a single size (either 2MB or 1GB whatever the mount
> point is set to).
> Without specifying the mount point directory, DPDK could use both
> hugepage sizes.
>
> Could you elaborate on the OvS+DPDK's SELinux requirements?

Sure. We need r/w permissions on vfio labeled devices, and some additional
unix socket permissions for vhost-user sockets, as well as r/w and create
bits for hugetlbfs labeled files. I think that was it off the top of my
head. I have an SELinux policy ready to go, but I want to get this change
in first.

> Quick summary of DPDK privileged/unprivileged user (assuming the
> unprivileged user has permissions for hugepage allocation):
> - if all devices are bound to vfio-pci driver (thus IOMMU enabled
> system), then the DPDK can run as unprivileged user. This is the
> recommended mode if possible.
> - if any device is bound to igb_uio/uio_pci_generic (likely scenario
> when running in VMs), then the DPDK needs privileged user to be able
> to read each hugepage physical address from /proc/self/pagemap.

Correct. I agree with the above. Thanks so much for looking at this!

> Thanks,
> Sergio
>
>
>> Documentation/intro/install/dpdk.rst                |  7 +++++++
>> NEWS                                                |  1 +
>> rhel/README.RHEL.rst                                | 11 +++++++++++
>> rhel/openvswitch-fedora.spec.in                     | 13 +++++++++++++
>> rhel/usr_lib_systemd_system_ovs-vswitchd.service.in |  5 +++++
>> 5 files changed, 37 insertions(+)
>> >> diff --git a/Documentation/intro/install/dpdk.rst >> b/Documentation/intro/install/dpdk.rst >> index a05aa1a..0585c6a 100644 >> --- a/Documentation/intro/install/dpdk.rst >> +++ b/Documentation/intro/install/dpdk.rst >> @@ -134,6 +134,13 @@ has to be configured with DPDK support >> (``--with-dpdk``). >> Additional information can be found in :doc:`general`. >> +.. note:: >> + If you are running using the Fedora or Red Hat package, the Open vSwitch >> + daemon will run as a non-root user. This implies that you must have a >> + working IOMMU. Visit the `RHEL README`__ for additional information. >> + >> +__ https://github.com/openvswitch/ovs/blob/master/rhel/README.RHEL.rst >> + >> Setup >> ----- >> diff --git a/NEWS b/NEWS >> index facea02..095272a 100644 >> --- a/NEWS >> +++ b/NEWS >> @@ -64,6 +64,7 @@ Post-v2.7.0 >> * OpenFlow 1.5 packet-out is now supported. >> - Fedora Packaging: >> * OVN services are no longer restarted automatically after upgrade. >> + * ovs-vswitchd and ovsdb-server run as non-root users by default. >> - Add --cleanup option to command 'ovs-appctl exit' (see >> ovs-vswitchd(8)). >> - L3 tunneling: >> * Use new tunnel port option "packet_type" to configure L2 vs. L3. >> diff --git a/rhel/README.RHEL.rst b/rhel/README.RHEL.rst >> index 1845e8f..5f7a99a 100644 >> --- a/rhel/README.RHEL.rst >> +++ b/rhel/README.RHEL.rst >> @@ -337,6 +337,17 @@ running. All other commands where executed when Open >> vSwitch was successfully >> running. >> +Non-root User Support >> +----------------------- >> +Fedora and RHEL support running the Open vSwitch daemons as a non-root user. >> +By default, a fresh installation will create an *openvswitch* user, along >> +with any additional support groups needed (such as *hugetlbfs* for DPDK >> +support). >> + >> +This is controlled by modifying the ``OVS_USER_ID`` option. Setting this >> +to 'root:root', or commenting the variable out will revert this behavior. >> + >> + >> Reporting Bugs >> -------------- 
>> diff --git a/rhel/openvswitch-fedora.spec.in >> b/rhel/openvswitch-fedora.spec.in >> index 959aa2e..ccf6ea0 100644 >> --- a/rhel/openvswitch-fedora.spec.in >> +++ b/rhel/openvswitch-fedora.spec.in >> @@ -95,6 +95,10 @@ Requires: openssl hostname iproute module-init-tools >> Requires(post): /usr/bin/getent >> Requires(post): /usr/sbin/useradd >> Requires(post): /usr/bin/sed >> +%if %{with dpdk} >> +Requires(post): /usr/sbin/usermod >> +Requires(post): /usr/sbin/groupadd >> +%endif >> Requires(post): systemd-units >> Requires(preun): systemd-units >> Requires(postun): systemd-units >> @@ -370,6 +374,15 @@ if [ $1 -eq 1 ]; then >> sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' >> /etc/sysconfig/openvswitch >> +%if %{with dpdk} >> + getent group hugetlbfs >/dev/null || \ >> + groupadd hugetlbfs >> + usermod -a -G hugetlbfs openvswitch >> + sed -i \ >> + >> 's@OVS_USER_ID="openvswitch:openvswitch"@OVS_USER_ID="openvswitch:hugetlbfs"@'\ >> + /etc/sysconfig/openvswitch >> +%endif >> + >> # In the case of upgrade, this is not needed. >> chown -R openvswitch:openvswitch /etc/openvswitch >> fi >> diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in >> b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in >> index 9aff70b..bf0f058 100644 >> --- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in >> +++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in 
>> @@ -10,8 +10,13 @@ PartOf=openvswitch.service >> [Service] >> Type=forking >> Restart=on-failure >> +Environment=HOME=/var/run/openvswitch >> EnvironmentFile=/etc/openvswitch/default.conf >> EnvironmentFile=-/etc/sysconfig/openvswitch >> +@begin_dpdk@ >> +ExecStartPre=/usr/bin/chown :hugetlbfs /dev/hugepages >> +ExecStartPre=/usr/bin/chmod 0775 /dev/hugepages >> +@end_dpdk@ >> ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ >> --no-ovsdb-server --no-monitor --system-id=random \ >> --ovs-user=${OVS_USER_ID} \ _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
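Review bot: the note added to Documentation/intro/install/dpdk.rst states only that a working IOMMU is required, but the precondition the discussion settles on is stricter: every device handed to DPDK must be bound to vfio-pci, because with igb_uio or uio_pci_generic the daemon needs root to read /proc/self/pagemap even on a host that has an IOMMU. Suggest saying that directly, e.g. `+ working IOMMU and all DPDK devices bound to vfio-pci.`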
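Review bot: the NEWS line `+ * ovs-vswitchd and ovsdb-server run as non-root users by default.` describes the general non-root packaging behaviour, while the user-visible change in this patch is the DPDK side (hugetlbfs group, /dev/hugepages ownership and mode, HOME for the RTE config). Consider mentioning the DPDK support in the entry so it reflects what changed here.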
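Review bot: the new "Non-root User Support" section in rhel/README.RHEL.rst omits the DPDK-specific side effects introduced by the spec and unit changes: on a DPDK build the post-install script rewrites OVS_USER_ID to `openvswitch:hugetlbfs`, and ovs-vswitchd.service chowns /dev/hugepages to the hugetlbfs group and sets mode 0775 on every start, which affects every other hugetlbfs consumer on the host. Those should be documented next to the OVS_USER_ID explanation. Minor: the underline `+-----------------------` is longer than the title; the file's other headings (`Reporting Bugs`) match the title length exactly.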
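Review bot: in the %post hunk of rhel/openvswitch-fedora.spec.in the groupadd/usermod/sed block sits inside `if [ $1 -eq 1 ]; then`, so it only runs on a fresh install. A host that already has the openvswitch user from an earlier package and upgrades to a DPDK build never gets the hugetlbfs group or the `openvswitch:hugetlbfs` OVS_USER_ID, and the unit's chown/chmod then leave the daemon unable to write /dev/hugepages. The `getent group hugetlbfs` guard and `usermod -a -G` are already idempotent, so consider running that part outside the fresh-install branch. The sed also matches the exact string `OVS_USER_ID="openvswitch:openvswitch"` and silently does nothing for any other value; worth a sentence in README.RHEL.rst.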
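Review bot: `+ExecStartPre=/usr/bin/chown :hugetlbfs /dev/hugepages` and the following chmod in rhel/usr_lib_systemd_system_ovs-vswitchd.service.in assume hugetlbfs is already mounted at /dev/hugepages; if it is not, or the administrator mounts it elsewhere (or points DPDK at a dedicated mount via --huge-dir as suggested above), chown fails and the unit never starts with no hint of why. Either prefix both commands with `-` so the failure is logged rather than fatal, or check for the mount first. Note also that both commands run as root before ovs-ctl drops to ${OVS_USER_ID}, and that 0775 grants write access to every member of hugetlbfs, not only openvswitch; a dedicated mount point would keep that change off the shared /dev/hugepages.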
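As an added example, not part of this patch or of Open vSwitch: a POSIX sh pre-flight check for the two preconditions the thread settles on before ovs-vswitchd can run DPDK unprivileged, a hugetlbfs mount that is group-writable for the service's group (what the unit's chown/chmod sets up) and every DPDK device bound to vfio-pci (igb_uio/uio_pci_generic need root for /proc/self/pagemap). All paths are parameters; the mounts file, sysfs tree and PCI addresses in `build_demo_tree` are constructed for the demo, and the `hugetlbfs` group name is taken from the patch. On a real host you would pass /proc/mounts, /dev/hugepages, hugetlbfs, /sys and the PCI addresses of the ports given to DPDK.

```shell
#!/bin/sh
# Pre-flight check for running ovs-vswitchd with DPDK as an unprivileged
# user. Added example, not part of the patch or of Open vSwitch. It checks:
#   1. the hugetlbfs mount the daemon will use belongs to, and is writable
#      for, the service's group (what the unit's chown/chmod sets up);
#   2. every PCI device handed to DPDK is bound to vfio-pci, because
#      igb_uio/uio_pci_generic need root to read /proc/self/pagemap.
# Paths are parameters so the functions run against a constructed fake
# tree (build_demo_tree) or a real host (/proc/mounts, /dev/hugepages,
# hugetlbfs, /sys, plus the PCI addresses of the DPDK ports).

# classify_driver NAME -> prints ok | needs-root | unknown
classify_driver() {
    case "$1" in
        vfio-pci)                echo ok ;;
        igb_uio|uio_pci_generic) echo needs-root ;;
        *)                       echo unknown ;;
    esac
}

# hugetlbfs_mounted MOUNTS_FILE DIR -> 0 if MOUNTS_FILE lists a hugetlbfs mount at DIR
hugetlbfs_mounted() {
    awk -v d="$2" '$2 == d && $3 == "hugetlbfs" { found = 1 } END { exit !found }' "$1"
}

# dir_group_writable DIR GROUP -> 0 if DIR belongs to GROUP and has the group write bit
dir_group_writable() {
    [ -n "$(find "$1" -prune -group "$2" -perm -020 2>/dev/null)" ]
}

# check_dpdk_devices SYSFS_ROOT ADDR... -> 0 if every ADDR is bound to vfio-pci
check_dpdk_devices() {
    sysfs=$1; shift
    rc=0
    for addr in "$@"; do
        link="$sysfs/bus/pci/devices/$addr/driver"
        if [ ! -L "$link" ]; then
            echo "$addr: not bound to any driver"; rc=1; continue
        fi
        drv=$(basename "$(readlink "$link")")
        case $(classify_driver "$drv") in
            ok)         ;;
            needs-root) echo "$addr: $drv needs root for /proc/self/pagemap"; rc=1 ;;
            *)          echo "$addr: $drv is not a DPDK-usable driver"; rc=1 ;;
        esac
    done
    return $rc
}

# preflight MOUNTS_FILE HUGEDIR GROUP SYSFS_ROOT ADDR... -> 0 when unprivileged DPDK can work
preflight() {
    mounts=$1 hugedir=$2 group=$3 sysfs=$4; shift 4
    ok=0
    hugetlbfs_mounted "$mounts" "$hugedir" || { echo "no hugetlbfs mount at $hugedir"; ok=1; }
    dir_group_writable "$hugedir" "$group" || { echo "$hugedir is not group-writable by $group"; ok=1; }
    check_dpdk_devices "$sysfs" "$@"       || ok=1
    return $ok
}

# build_demo_tree -> prints a temp dir holding a constructed mounts file, a
# 0775 "hugepage" dir owned by the caller's group, and a fake sysfs where
# 0000:01:00.0 is bound to vfio-pci and 0000:01:00.1 to igb_uio (constructed).
build_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/huge" "$t/sys/bus/pci/devices/0000:01:00.0" "$t/sys/bus/pci/devices/0000:01:00.1"
    chgrp "$(id -gn)" "$t/huge" 2>/dev/null || true
    chmod 0775 "$t/huge"
    printf 'none %s hugetlbfs rw,relatime,pagesize=2M 0 0\n' "$t/huge" > "$t/mounts"
    ln -s ../../../bus/pci/drivers/vfio-pci "$t/sys/bus/pci/devices/0000:01:00.0/driver"
    ln -s ../../../bus/pci/drivers/igb_uio  "$t/sys/bus/pci/devices/0000:01:00.1/driver"
    echo "$t"
}

# Stand-alone demo against the constructed tree.
demo=$(build_demo_tree)
if preflight "$demo/mounts" "$demo/huge" "$(id -gn)" "$demo/sys" 0000:01:00.0; then
    echo "0000:01:00.0 only: unprivileged DPDK is possible"
fi
if ! preflight "$demo/mounts" "$demo/huge" "$(id -gn)" "$demo/sys" 0000:01:00.0 0000:01:00.1; then
    echo "with 0000:01:00.1 (igb_uio): root is required"
fi
rm -rf "$demo"
```

The check is deliberately split into small functions so it can run from an ExecStartPre-style hook: a non-zero exit from `preflight` before ovs-ctl drops privileges gives a clear failure message instead of a dpdk_init failure inside the daemon.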
