On 11/04/2018 15:03, Stephen Finucane wrote:
On Wed, 2018-04-11 at 09:54 -0400, Aaron Conole wrote:
Tiago Lam <tiago....@intel.com> writes:

When explaining how to add vhost-user ports to a guest, using
libvirt, the following piece of configuration is used:
     <disk type='dir' device='disk'>
       <driver name='qemu' type='fat'/>
       <source dir='/usr/src/dpdk-stable-17.11.1'/>
       <target dev='vdb' bus='virtio'/>
       <readonly/>
     </disk>

This is used to facilitate sharing of a DPDK directory between the host
and the guest. However, for this to work SELinux also needs to be
configured (or disabled).  Furthermore, if one is using Ubuntu, libvirtd
would need to be added to complain only in AppArmor. Instead, in [1] it
is advised to use wget to get the DPDK sources over the internet, which
avoids this differentiation. Thus, we drop this piece of configuration
here as well and keep the example configuration as simple as possible.

This has been verified on both a Fedora 27 image and an Ubuntu 16.04 LTS
image.

[1] http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest

Signed-off-by: Tiago Lam <tiago....@intel.com>
---

CC'ed Stephen,

I took the liberty of removing your TODO from here, as I read it to be related
to the (now removed) SELinux instruction below. If you think it should still be
there let me know and I'll gladly send a v2.

I think it should remain until the SELinux issues have been addressed.

Is there a list somewhere of the AVC denials?  Maybe it makes sense to
allow them.

If I'm reading this correctly, Tiago is saying these exceptions only
happen because we're sharing an arbitrary directory with the guest to
avoid downloading the DPDK sources twice. Given that there's a valid
workaround (just fetching sources twice), simply removing that section
of the XML removes the need to disable SELinux. If so, dropping the
warning does make sense in my mind.

Stephen


Thanks, Stephen. Yeah, that's what I was aiming at. In order to get the file sharing working properly, one must fiddle around with either SELinux or AppArmor, and that seems to be the sole reason why `setenforce 0` is there. Losing the dependency on the file sharing means we can lose any instructions that tell the user how to fiddle with either of those systems.

Just a note though, in that the user won't have to download the DPDK sources twice, only once. Following the guide, the user first sets up the vhost-user ports using libvirt, and once inside the VM he should follow up on running `testpmd` inside the guest [1], where he will be instructed to download the DPDK sources. This makes this piece of the docs a bit more consistent, I think.

[1] http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
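
The thread ties the `setenforce 0` instruction to a single element of the guest definition, the directory-backed disk. As an added example (not part of the thread or of the OVS documentation), the sketch below finds such host-directory shares in a libvirt domain XML and drops them, as the patch does for the documented example. The function names are hypothetical, and the sample domain is constructed: only the `type='dir'` disk comes from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the directory-backed disk quoted in the thread, plus a
# hypothetical image-backed disk and vhost-user interface for contrast.
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/demo.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='dir' device='disk'>
      <driver name='qemu' type='fat'/>
      <source dir='/usr/src/dpdk-stable-17.11.1'/>
      <target dev='vdb' bus='virtio'/>
      <readonly/>
    </disk>
    <interface type='vhostuser'>
      <source type='unix' path='/tmp/dpdkvhostclient0' mode='server'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
"""

def find_dir_backed_disks(domain_xml):
    """Return one record per <disk type='dir'>: a host directory exposed to
    the guest, which is what SELinux/AppArmor policy has to permit."""
    findings = []
    for disk in ET.fromstring(domain_xml).iter("disk"):
        if disk.get("type") == "dir":
            source, target = disk.find("source"), disk.find("target")
            findings.append({
                "host_dir": source.get("dir") if source is not None else None,
                "guest_dev": target.get("dev") if target is not None else None,
                "readonly": disk.find("readonly") is not None,
            })
    return findings

def drop_dir_backed_disks(domain_xml):
    """Return the domain XML with every directory-backed disk removed."""
    root = ET.fromstring(domain_xml)
    for parent in list(root.iter()):  # snapshot, since the tree is edited below
        for disk in [d for d in parent.findall("disk") if d.get("type") == "dir"]:
            parent.remove(disk)
    return ET.tostring(root, encoding="unicode")
```
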
