Aha, indeed, I see:

type=AVC msg=audit(1525649015.102:1305): avc:  denied  { open } for
pid=12993 comm="ovs-vswitchd" path="/dev/vfio/noiommu-0" dev="devtmpfs"
ino=708920 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1525649177.311:1326): avc:  denied  { open } for
pid=13241 comm="ovs-vswitchd" path="/dev/vfio/noiommu-0" dev="devtmpfs"
ino=708920 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file

and I'm using permissive mode.

I also see:

[root@lago-network-suite-master-host-0 ~]# cat /var/log/audit/audit.log |
grep vhost-user-5
type=AVC msg=audit(1525636067.061:757): avc:  denied  { create } for
pid=7533 comm="qemu-kvm" name="vhost-user-5"
scontext=system_u:system_r:svirt_t:s0:c423,c510
tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1525648910.361:1276): avc:  denied  { add_name } for
pid=12734 comm="qemu-kvm" name="vhost-user-5"
scontext=system_u:system_r:svirt_t:s0:c245,c301
tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1525648910.361:1276): avc:  denied  { create } for
pid=12734 comm="qemu-kvm" name="vhost-user-5"
scontext=system_u:system_r:svirt_t:s0:c245,c301
tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=AVC msg=audit(1525648979.442:1290): avc:  denied  { remove_name } for
pid=12822 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121
scontext=system_u:system_r:svirt_t:s0:c515,c819
tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1525648979.442:1290): avc:  denied  { unlink } for
pid=12822 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121
scontext=system_u:system_r:svirt_t:s0:c515,c819
tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=AVC msg=audit(1525648979.442:1291): avc:  denied  { add_name } for
pid=12822 comm="qemu-kvm" name="vhost-user-5"
scontext=system_u:system_r:svirt_t:s0:c515,c819
tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1525648979.442:1291): avc:  denied  { create } for
pid=12822 comm="qemu-kvm" name="vhost-user-5"
scontext=system_u:system_r:svirt_t:s0:c515,c819
tcontext=system_u:object_r:default_t:s0 tclass=sock_file

This is my vhostuser client.



On Mon, May 7, 2018 at 4:39 PM, Aaron Conole <[email protected]> wrote:

> Leon Goldberg <[email protected]> writes:
>
> > On Fri, May 4, 2018 at 10:19 PM, Aaron Conole <[email protected]> wrote:
> >
> >  Leon Goldberg <[email protected]> writes:
> >
> >  > Hi list,
> >  >
> >  > I'm trying to integrate ovs-dpdk into oVirt. For testing purposes, I'm
> >  > writing a test that looks to run a VM on top of a dpdk port.
> >  >
> >  > The testing environment consists of nested virtualization:
> >  >
> >  > Physical machine -> Jenkins CI VM -> Target VM
> >  >
> >  > The test merely looks to see that the various components are properly
> >  > configured for the real world. For that purpose, I'm using NOIOMMU mode of
> >  > VFIO.
> >  >
> >  > The select virtio device fails to be attached to dpdk, and I suspect it
> >  > is due to $subject.
> >  >
> >  > Here are the CI logs[1]. I see some other red lights, but $subject seems
> >  > the brightest.
> >
> >  Can you provide:
> >
> >  $ ps aux | grep ovs-vswitchd
> >  $ ls -lah /dev/vfio
> >
> > Hey Aaron,
> >
> > Here it is:
> >
> > [root@lago-network-suite-master-host-0 ~]# ps aux | grep ovs-vswitchd
> > openvsw+   840  0.6  6.2 1273732 116716 ?      S<Lsl 07:28   0:10
> ovs-vswitchd
> > unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err
> -vfile:info --mlockall --user
> > openvswitch:hugetlbfs --no-chdir --log-file=/var/log/
> openvswitch/ovs-vswitchd.log
> > --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach
> > root      4425  0.0  0.0 112660   976 pts/0    R+   07:55   0:00 grep
> --color=auto ovs-vswitchd
> >
> > [root@lago-network-suite-master-host-0 ~]# ls -lah /dev/vfio
> > total 0
> > drwxr-xr-x.  2 root root            80 May  6 07:28 .
> > drwxr-xr-x. 19 root root          3.2K May  6 07:28 ..
> > crw-rw----.  1 root hugetlbfs 244,   0 May  6 07:28 noiommu-0
> > crw-rw-rw-.  1 root root       10, 196 May  6 07:28 vfio
>
> Okay - that looks like it should be okay.
>
> Can you check if there are any selinux violations in audit.log
> (specifically from the openvswitch_t domain)?  Maybe there is a missing
> selinux policy directive.
>
> >  Just want to see if there's a disconnect between the userid for ovs
> >  and the permissions on the vfio file.  If that's the case, we may need
> >  to update the vfio rules.
> >
> >  > Any tips will be greatly appreciated!
> >  >
> >  > Thanks,
> >  > Leon
> >  >
> >  > [1]
> >  > http://jenkins.ovirt.org/job/ovirt-system-tests_standard-check-patch/642/artifact/exported-artifacts/check-patch.network_suite_master.el7.x86_64/tests.test_dpdk/lago-network-suite-master-host-0/_var_log/openvswitch/ovs-vswitchd.log
> >
> >  > _______________________________________________
> >  > dev mailing list
> >  > [email protected]
> >  > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>