On 02/08/2017 16:07, Aaron Conole wrote:
Sergio Gonzalez Monroy <[email protected]> writes:

Hi Aaron,
Hi Sergio,

On 01/08/2017 23:05, Aaron Conole wrote:
After this commit, users may start a dpdk-enabled ovs setup as a
non-root user.  This is accomplished by exporting the $HOME directory,
which dpdk uses to fill in its semi-persistent RTE configuration.

This change may be a bit controversial since it modifies /dev/hugepages
as part of starting the ovs-vswitchd to set a hugetlbfs group
ownership.  This is used to enable writing to /dev/hugepages so that the
dpdk_init will successfully complete.  There is an alternate way of
accomplishing this - namely to initialize DPDK before dropping
privileges.  However, this would mean that if DPDK ever grows an uninit
/ reinit function, non-root ovs likely could never use it.

This does not change OvS+DPDK's SELinux requirements.  It still must be
disabled.

Signed-off-by: Aaron Conole <[email protected]>
---
Instead of modifying /dev/hugepages, what about creating a hugetlbfs
mount point for OvS? You could then point DPDK to use that specific
mount (--huge-dir).
With this approach, I need to also insert new information into the
ovsdb.  Additionally, if the user wants to customize it, I'm not sure
the best way of doing that.  Do you have a concrete set of steps you
think makes sense here?

I was just checking with the team here (I am not very familiar with the OvS
specifics) and the option is already in ovsdb: 'dpdk-hugepage-dir'.

Are you referring to something else?

Thanks,
Sergio

The only downside I can think of for this approach is that OvS would
be fixed to use a single size (either 2MB or 1GB, whatever the mount
point is set to).
Without specifying the mount point directory, DPDK could use both
hugepage sizes.

Could you elaborate on the OvS+DPDK's SELinux requirements?
Sure.  We need r/w permissions on vfio labeled devices, and some
additional unix socket permissions for vhost-user sockets, as well as
r/w and create bits for hugetlbfs labeled files.  I think that was it
off the top of my head.  I have an selinux policy ready to go, but I
want to get this change in first.

Quick summary of DPDK privileged/unprivileged user (assuming the
unprivileged user has permissions for hugepage allocation):
- if all devices are bound to the vfio-pci driver (thus an IOMMU-enabled
system), then DPDK can run as an unprivileged user. This is the
recommended mode if possible.
- if any device is bound to igb_uio/uio_pci_generic (likely scenario
when running in VMs), then DPDK needs a privileged user to be able
to read each hugepage physical address from /proc/self/pagemap.
Correct.  I agree with the above.

Thanks so much for looking at this!

Thanks,
Sergio


   Documentation/intro/install/dpdk.rst                |  7 +++++++
   NEWS                                                |  1 +
   rhel/README.RHEL.rst                                | 11 +++++++++++
   rhel/openvswitch-fedora.spec.in                     | 13 +++++++++++++
   rhel/usr_lib_systemd_system_ovs-vswitchd.service.in |  5 +++++
   5 files changed, 37 insertions(+)

diff --git a/Documentation/intro/install/dpdk.rst 
b/Documentation/intro/install/dpdk.rst
index a05aa1a..0585c6a 100644
--- a/Documentation/intro/install/dpdk.rst
+++ b/Documentation/intro/install/dpdk.rst
@@ -134,6 +134,13 @@ has to be configured with DPDK support (``--with-dpdk``).
     Additional information can be found in :doc:`general`.
   +.. note::
+  If you are running using the Fedora or Red Hat package, the Open vSwitch
+  daemon will run as a non-root user.  This implies that you must have a
+  working IOMMU.  Visit the `RHEL README`__ for additional information.
+
+__ https://github.com/openvswitch/ovs/blob/master/rhel/README.RHEL.rst
+
   Setup
   -----
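Review bot: "If you are running using the Fedora or Red Hat package" in the new note reads awkwardly; "If you are using the Fedora or Red Hat package" is enough. The sentence "This implies that you must have a working IOMMU" would be clearer if it gave the reason, which at the moment lives only in the mailing-list discussion: a non-root ovs-vswitchd can only drive devices bound to vfio-pci, which requires an IOMMU, because igb_uio/uio_pci_generic need root to read /proc/self/pagemap. Also, the anonymous link target points at the master branch on GitHub, so it will describe whatever README is current rather than the one shipped with this release; a :doc: reference to the in-tree document, as the line above already does for general, would keep them in sync.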
   diff --git a/NEWS b/NEWS
index facea02..095272a 100644
--- a/NEWS
+++ b/NEWS
@@ -64,6 +64,7 @@ Post-v2.7.0
        * OpenFlow 1.5 packet-out is now supported.
      - Fedora Packaging:
        * OVN services are no longer restarted automatically after upgrade.
+     * ovs-vswitchd and ovsdb-server run as non-root users by default.
      - Add --cleanup option to command 'ovs-appctl exit' (see ovs-vswitchd(8)).
      - L3 tunneling:
        * Use new tunnel port option "packet_type" to configure L2 vs. L3.
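Review bot: this NEWS line describes the pre-existing non-root default rather than what this patch changes. The unchanged %post context in the spec (sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch and chown -R openvswitch:openvswitch /etc/openvswitch) shows the daemons already ran as the openvswitch user; what is new is that DPDK-enabled builds now also run unprivileged, via the hugetlbfs group and the /dev/hugepages ownership change. Consider wording along the lines of "* ovs-vswitchd and ovsdb-server run as non-root users by default, now also when built with DPDK (requires vfio-pci and a working IOMMU)."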
diff --git a/rhel/README.RHEL.rst b/rhel/README.RHEL.rst
index 1845e8f..5f7a99a 100644
--- a/rhel/README.RHEL.rst
+++ b/rhel/README.RHEL.rst
@@ -337,6 +337,17 @@ running. All other commands where executed when Open 
vSwitch was successfully
   running.
     +Non-root User Support
+-----------------------
+Fedora and RHEL support running the Open vSwitch daemons as a non-root user.
+By default, a fresh installation will create an *openvswitch* user, along
+with any additional support groups needed (such as *hugetlbfs* for DPDK
+support).
+
+This is controlled by modifying the ``OVS_USER_ID`` option.  Setting this
+to 'root:root', or commenting the variable out will revert this behavior.
+
+
   Reporting Bugs
   --------------
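Review bot: the new section should say where OVS_USER_ID lives; it is set in /etc/sysconfig/openvswitch (the file the spec's %post edits), but the text only says "modifying the OVS_USER_ID option". It also says nothing about the DPDK constraints, even though the dpdk.rst note in this same patch sends readers here "for additional information" about the IOMMU requirement: a sentence stating that with DPDK the daemon runs as openvswitch:hugetlbfs, that devices must be bound to vfio-pci on an IOMMU-enabled host, and that the unit file changes the group ownership and mode of /dev/hugepages at start would close that gap. Minor: the heading underline is longer than the title; RST accepts that, but the neighbouring "Reporting Bugs" heading uses an underline matching the title length.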
   diff --git a/rhel/openvswitch-fedora.spec.in
b/rhel/openvswitch-fedora.spec.in
index 959aa2e..ccf6ea0 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -95,6 +95,10 @@ Requires: openssl hostname iproute module-init-tools
   Requires(post): /usr/bin/getent
   Requires(post): /usr/sbin/useradd
   Requires(post): /usr/bin/sed
+%if %{with dpdk}
+Requires(post): /usr/sbin/usermod
+Requires(post): /usr/sbin/groupadd
+%endif
   Requires(post): systemd-units
   Requires(preun): systemd-units
   Requires(postun): systemd-units
@@ -370,6 +374,15 @@ if [ $1 -eq 1 ]; then
         sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:'
/etc/sysconfig/openvswitch
   +%if %{with dpdk}
+    getent group hugetlbfs >/dev/null || \
+        groupadd hugetlbfs
+    usermod -a -G hugetlbfs openvswitch
+    sed -i \
+        
's@OVS_USER_ID="openvswitch:openvswitch"@OVS_USER_ID="openvswitch:hugetlbfs"@'\
+        /etc/sysconfig/openvswitch
+%endif
+
       # In the case of upgrade, this is not needed.
       chown -R openvswitch:openvswitch /etc/openvswitch
   fi
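Review bot: the new block runs only inside `if [ $1 -eq 1 ]` (fresh install), so on upgrade from an earlier package the hugetlbfs group is never created and the existing openvswitch user is never added to it; the unit's `ExecStartPre=/usr/bin/chown :hugetlbfs /dev/hugepages` will then fail and ovs-vswitchd will not start after the upgrade. The getent/groupadd and `usermod -a -G` pair is idempotent and should move outside the $1 test. Second, the sed matches only the literal `OVS_USER_ID="openvswitch:openvswitch"`; it relies on the shipped sysconfig file containing exactly that quoted value after the preceding uncomment and silently does nothing otherwise, leaving a daemon user that cannot write /dev/hugepages. Anchoring on the key rather than the value, e.g. `s@^OVS_USER_ID=.*@OVS_USER_ID="openvswitch:hugetlbfs"@`, would be more robust.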
diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in 
b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
index 9aff70b..bf0f058 100644
--- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
+++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
@@ -10,8 +10,13 @@ PartOf=openvswitch.service
   [Service]
   Type=forking
   Restart=on-failure
+Environment=HOME=/var/run/openvswitch
   EnvironmentFile=/etc/openvswitch/default.conf
   EnvironmentFile=-/etc/sysconfig/openvswitch
+@begin_dpdk@
+ExecStartPre=/usr/bin/chown :hugetlbfs /dev/hugepages
+ExecStartPre=/usr/bin/chmod 0775 /dev/hugepages
+@end_dpdk@
   ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
             --no-ovsdb-server --no-monitor --system-id=random \
             --ovs-user=${OVS_USER_ID} \
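Review bot: the two ExecStartPre lines hard-code /dev/hugepages and run unconditionally whenever the package is built with DPDK, so on a host where hugetlbfs is not mounted there (the discussion notes the mount point is configurable through the `dpdk-hugepage-dir` ovsdb option / DPDK's --huge-dir), or where DPDK is compiled in but not enabled at runtime, chown fails and the whole unit fails to start. Prefixing them with `-` (`ExecStartPre=-/usr/bin/chown :hugetlbfs /dev/hugepages`) or testing for the mount first would let a non-DPDK deployment of the DPDK-built package still start. Security-wise, `chmod 0775` on a system-wide mount turns membership in hugetlbfs into the ability to create and write hugepage files that every other member of that group can also touch; the commit message itself calls this controversial, and the dedicated hugetlbfs mount for OvS suggested earlier in the thread would avoid changing a shared mount. Worth a comment in the unit that these commands run as root because there is no User= and privilege is only dropped later by `ovs-ctl --ovs-user`, and that HOME=/var/run/openvswitch must be writable by ${OVS_USER_ID} for the RTE configuration the commit message mentions.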


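As an added example (not part of this thread, the patch or the Open vSwitch tree): a POSIX sh preflight that checks the three conditions the summary above and the patch rely on before ovs-vswitchd is started as a non-root DPDK user: an IOMMU is present, every PCI device handed to DPDK is bound to vfio-pci, and the hugetlbfs mount is group-owned and group-writable by the service group. The sysfs and proc locations it reads (/sys/kernel/iommu_groups, the per-device driver symlink under /sys/bus/pci/devices, /proc/mounts) are standard Linux; the PCI addresses in the usage line are placeholders, and the root-prefix argument exists only so the functions can be exercised against a constructed tree.

```shell
#!/bin/sh
# Preflight for running DPDK (here: ovs-vswitchd) as an unprivileged user.
#   1. an IOMMU is enabled (vfio-pci cannot work without one),
#   2. every PCI device given to DPDK is bound to vfio-pci (igb_uio and
#      uio_pci_generic need root to read /proc/self/pagemap),
#   3. the hugetlbfs mount is group-owned by the service group and
#      group-writable, as the patch's ExecStartPre lines arrange.
# Added example, not code from the patch or from Open vSwitch. Every path is
# taken relative to a root prefix (normally "") so the checks can be run
# against a constructed sysfs/proc tree as well as the live system.

iommu_enabled() {                      # $1 = root prefix
    d="$1/sys/kernel/iommu_groups"
    [ -d "$d" ] && [ -n "$(ls -A "$d" 2>/dev/null)" ]
}

# Driver name of a PCI device, taken from the sysfs 'driver' symlink
# (e.g. .../0000:03:00.0/driver -> ../../../../bus/pci/drivers/vfio-pci).
# Prints "unbound" when the device has no driver.
device_driver() {                      # $1 = root prefix, $2 = PCI address
    link="$1/sys/bus/pci/devices/$2/driver"
    if [ -L "$link" ]; then
        basename "$(readlink "$link")"
    else
        echo unbound
    fi
}

all_bound_to_vfio() {                  # $1 = root prefix, $2.. = PCI addresses
    root="$1"; shift
    ok=0
    for dev in "$@"; do
        drv=$(device_driver "$root" "$dev")
        if [ "$drv" != "vfio-pci" ]; then
            echo "$dev is bound to $drv; non-root DPDK needs vfio-pci" >&2
            ok=1
        fi
    done
    return $ok
}

hugetlbfs_mounted() {                  # $1 = root prefix, $2 = mount point
    awk -v d="$2" '$2 == d && $3 == "hugetlbfs" { f = 1 } END { exit !f }' \
        "$1/proc/mounts"
}

# Directory must be group-owned by $2 and have the group write bit set.
hugedir_group_writable() {             # $1 = directory, $2 = group name
    [ "$(stat -c %G "$1")" = "$2" ] || return 1
    mode=$(stat -c %a "$1")                         # e.g. 775 or 1777
    gdigit=$(printf '%s' "$mode" | sed 's/.*\(.\).$/\1/')
    [ $((gdigit & 2)) -ne 0 ]
}

# Overall verdict: returns 0 when a non-root DPDK start should succeed.
preflight() {   # $1 = root prefix, $2 = huge dir, $3 = group, $4.. = devices
    root="$1"; hugedir="$2"; group="$3"; shift 3
    rc=0
    iommu_enabled "$root" || { echo "no IOMMU groups found" >&2; rc=1; }
    all_bound_to_vfio "$root" "$@" || rc=1
    hugetlbfs_mounted "$root" "$hugedir" \
        || { echo "$hugedir is not a hugetlbfs mount" >&2; rc=1; }
    hugedir_group_writable "$root$hugedir" "$group" \
        || { echo "$hugedir is not group-writable by $group" >&2; rc=1; }
    return $rc
}

# Live usage (placeholder addresses): ./preflight.sh 0000:03:00.0 0000:03:00.1
if [ "$#" -gt 0 ]; then
    preflight "" /dev/hugepages hugetlbfs "$@" \
        && echo "ok: non-root DPDK start should succeed"
fi
```

Run it as the account that will own the service after `usermod -a -G hugetlbfs` has taken effect; a failure in the hugepage check after the unit's chown/chmod have run usually means the group in OVS_USER_ID and the group on the mount point disagree.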