I stand corrected, I was not using permissive mode. With permissive mode,
noiommu-0 issue seems to be resolved, however:
type=AVC msg=audit(1525707587.009:447): avc: denied { remove_name } for
pid=4497 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121
scontext=system_u:system_r:svirt_t:s0:c794,c950
tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1525707587.009:447): avc: denied { unlink } for
pid=4497 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121
scontext=system_u:system_r:svirt_t:s0:c794,c950
tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=AVC msg=audit(1525707587.009:448): avc: denied { add_name } for
pid=4497 comm="qemu-kvm" name="vhost-user-5"
scontext=system_u:system_r:svirt_t:s0:c794,c950
tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1525707587.009:448): avc: denied { create } for
pid=4497 comm="qemu-kvm" name="vhost-user-5"
scontext=system_u:system_r:svirt_t:s0:c794,c950
tcontext=system_u:object_r:default_t:s0 tclass=sock_file
Still occurs.
OVS log shows:
2018-05-07T15:27:15.059Z|00072|dpdk|INFO|VHOST_CONFIG: vhost-user client:
socket created, fd: 55
2018-05-07T15:27:15.059Z|00073|netdev_dpdk|INFO|vHost User device
'dpdkvhostclient1' created in 'client' mode, using client socket
'/vhostusers/vhost-user-5'
2018-05-07T15:27:15.062Z|00074|dpdk|WARN|VHOST_CONFIG: failed to connect to
/vhostusers/vhost-user-5: Permission denied
On Mon, May 7, 2018 at 6:21 PM, Leon Goldberg <[email protected]> wrote:
> Aha, indeed, I see:
>
> type=AVC msg=audit(1525649015.102:1305): avc: denied { open } for
> pid=12993 comm="ovs-vswitchd" path="/dev/vfio/noiommu-0" dev="devtmpfs"
> ino=708920 scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=AVC msg=audit(1525649177.311:1326): avc: denied { open } for
> pid=13241 comm="ovs-vswitchd" path="/dev/vfio/noiommu-0" dev="devtmpfs"
> ino=708920 scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>
> and I'm using permissive mode.
>
> I also see:
>
> [root@lago-network-suite-master-host-0 ~]# cat /var/log/audit/audit.log |
> grep vhost-user-5
> type=AVC msg=audit(1525636067.061:757): avc: denied { create } for
> pid=7533 comm="qemu-kvm" name="vhost-user-5"
> scontext=system_u:system_r:svirt_t:s0:c423,c510
> tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
> type=AVC msg=audit(1525648910.361:1276): avc: denied { add_name } for
> pid=12734 comm="qemu-kvm" name="vhost-user-5"
> scontext=system_u:system_r:svirt_t:s0:c245,c301
> tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
> type=AVC msg=audit(1525648910.361:1276): avc: denied { create } for
> pid=12734 comm="qemu-kvm" name="vhost-user-5"
> scontext=system_u:system_r:svirt_t:s0:c245,c301
> tcontext=system_u:object_r:default_t:s0 tclass=sock_file
> type=AVC msg=audit(1525648979.442:1290): avc: denied { remove_name }
> for pid=12822 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121
> scontext=system_u:system_r:svirt_t:s0:c515,c819
> tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
> type=AVC msg=audit(1525648979.442:1290): avc: denied { unlink } for
> pid=12822 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121
> scontext=system_u:system_r:svirt_t:s0:c515,c819
> tcontext=system_u:object_r:default_t:s0 tclass=sock_file
> type=AVC msg=audit(1525648979.442:1291): avc: denied { add_name } for
> pid=12822 comm="qemu-kvm" name="vhost-user-5"
> scontext=system_u:system_r:svirt_t:s0:c515,c819
> tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
> type=AVC msg=audit(1525648979.442:1291): avc: denied { create } for
> pid=12822 comm="qemu-kvm" name="vhost-user-5"
> scontext=system_u:system_r:svirt_t:s0:c515,c819
> tcontext=system_u:object_r:default_t:s0 tclass=sock_file
>
> This is my vhostuser client.
>
>
>
> On Mon, May 7, 2018 at 4:39 PM, Aaron Conole <[email protected]> wrote:
>
>> Leon Goldberg <[email protected]> writes:
>>
>> > On Fri, May 4, 2018 at 10:19 PM, Aaron Conole <[email protected]> wrote:
>> >
>> > Leon Goldberg <[email protected]> writes:
>> >
>> > > Hi list,
>> > >
>> > > I'm trying to integrate ovs-dpdk into oVirt. For testing purposes, I'm
>> > > writing a test that looks to run a VM on top of a dpdk port.
>> > >
>> > > The testing environment consists of nested virtualization:
>> > >
>> > > Physical machine -> Jenkins CI VM -> Target VM
>> > >
>> > > The test merely looks to see that the various components are properly
>> > > configured for the real world. For that purpose, I'm using NOIOMMU mode of
>> > > VFIO.
>> > >
>> > > The select virtio device fails to be attached to dpdk, and I suspect it
>> > > is due to $subject.
>> > >
>> > > Here are the CI logs[1]. I see some other red lights, but $subject seems
>> > > the brightest.
>> >
>> > Can you provide:
>> >
>> > $ ps aux | grep ovs-vswitchd
>> > $ ls -lah /dev/vfio
>> >
>> > Hey Aaron,
>> >
>> > Here it is:
>> >
>> > [root@lago-network-suite-master-host-0 ~]# ps aux | grep ovs-vswitchd
>> > openvsw+ 840 0.6 6.2 1273732 116716 ? S<Lsl 07:28 0:10 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach
>> > root 4425 0.0 0.0 112660 976 pts/0 R+ 07:55 0:00 grep --color=auto ovs-vswitchd
>> >
>> > [root@lago-network-suite-master-host-0 ~]# ls -lah /dev/vfio
>> > total 0
>> > drwxr-xr-x. 2 root root 80 May 6 07:28 .
>> > drwxr-xr-x. 19 root root 3.2K May 6 07:28 ..
>> > crw-rw----. 1 root hugetlbfs 244, 0 May 6 07:28 noiommu-0
>> > crw-rw-rw-. 1 root root 10, 196 May 6 07:28 vfio
>>
>> Okay - that looks like it should be okay.
>>
>> Can you check if there are any selinux violations in audit.log
>> (specifically from the openvswitch_t domain)? Maybe there is a missing
>> selinux policy directive.
>>
>> > Just want to see if there's a disconnect between the userid for ovs
>> > and the permissions on the vfio file. If that's the case, we may need
>> > to update the vfio rules.
>> >
>> > > Any tips will be greatly appreciated!
>> > >
>> > > Thanks,
>> > > Leon
>> > >
>> > > [1]
>> > > http://jenkins.ovirt.org/job/ovirt-system-tests_standard-check-patch/642/artifact/exported-artifacts/check-patch.network_suite_master.el7.x86_64/tests.test_dpdk/lago-network-suite-master-host-0/_var_log/openvswitch/ovs-vswitchd.log
>> > >
>> > > _______________________________________________
>> > > dev mailing list
>> > > [email protected]
>> > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>
>
>
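An added example, not part of the original thread or of any project's code: a small parser that groups AVC denials like the ones quoted above by (source domain, target type, object class) and flags targets carrying a generic fallback label. The sample lines are the thread's own records unwrapped onto single lines; the function names and the `GENERIC_TYPES` list are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# AVC records from the thread, unwrapped onto single lines as in audit.log
SAMPLE = """\
type=AVC msg=audit(1525707587.009:447): avc: denied { remove_name } for pid=4497 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1525707587.009:447): avc: denied { unlink } for pid=4497 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=AVC msg=audit(1525707587.009:448): avc: denied { add_name } for pid=4497 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1525707587.009:448): avc: denied { create } for pid=4497 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=AVC msg=audit(1525649015.102:1305): avc: denied { open } for pid=12993 comm="ovs-vswitchd" path="/dev/vfio/noiommu-0" dev="devtmpfs" ino=708920 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    # A context is user:role:type:level, so the type is the third field.
    return {"perms": m.group("perms").split(),
            "source": f["scontext"].split(":")[2],
            "target": f["tcontext"].split(":")[2],
            "tclass": f["tclass"],
            "object": f.get("path") or f.get("name")}

def summarize(log_text):
    """Merge permissions and object names per (source, target, class) triple."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            g = groups[(rec["source"], rec["target"], rec["tclass"])]
            g["perms"].update(rec["perms"])
            g["objects"].add(rec["object"])
    return dict(groups)

# Heuristic list (assumption): fallback types that suggest a labeling gap
GENERIC_TYPES = {"default_t", "tmp_t", "device_t", "unlabeled_t"}

def mislabel_suspects(summary):
    """Triples whose target type is a generic fallback label."""
    return sorted(k for k in summary if k[1] in GENERIC_TYPES)
```

On these records every triple is flagged, which points at how the socket directory and the VFIO node are labeled before any new allow rule is considered.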