Leon Goldberg <[email protected]> writes:

> I stand corrected, I was not using permissive mode. With permissive mode,
> noiommu-0 issue seems to be resolved, however:

Cool.  I caught other issues turning on the -DB flag... although maybe
that was using enforcing mode as well.

> type=AVC msg=audit(1525707587.009:447): avc:  denied  { remove_name } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
> type=AVC msg=audit(1525707587.009:447): avc:  denied  { unlink } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
> type=AVC msg=audit(1525707587.009:448): avc:  denied  { add_name } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
> type=AVC msg=audit(1525707587.009:448): avc:  denied  { create } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
>
> Still occurs.
>
> OVS log shows:
>
> 2018-05-07T15:27:15.059Z|00072|dpdk|INFO|VHOST_CONFIG: vhost-user client: socket created, fd: 55
> 2018-05-07T15:27:15.059Z|00073|netdev_dpdk|INFO|vHost User device 'dpdkvhostclient1' created in 'client' mode, using client socket '/vhostusers/vhost-user-5'
> 2018-05-07T15:27:15.062Z|00074|dpdk|WARN|VHOST_CONFIG: failed to connect to /vhostusers/vhost-user-5: Permission denied

Does that directory exist?  What are the permissions?  What are the
permissions of the sock file that exists in that directory?

> On Mon, May 7, 2018 at 6:21 PM, Leon Goldberg <[email protected]> wrote:
>
>  Aha, indeed, I see:
>
>  type=AVC msg=audit(1525649015.102:1305): avc:  denied  { open } for  pid=12993 comm="ovs-vswitchd" path="/dev/vfio/noiommu-0" dev="devtmpfs" ino=708920 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>  type=AVC msg=audit(1525649177.311:1326): avc:  denied  { open } for  pid=13241 comm="ovs-vswitchd" path="/dev/vfio/noiommu-0" dev="devtmpfs" ino=708920 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>
>  and I'm using permissive mode.
>
>  I also see:
>
>  [root@lago-network-suite-master-host-0 ~]# cat /var/log/audit/audit.log | grep vhost-user-5
>  type=AVC msg=audit(1525636067.061:757): avc:  denied  { create } for  pid=7533 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c423,c510 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
>  type=AVC msg=audit(1525648910.361:1276): avc:  denied  { add_name } for  pid=12734 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c245,c301 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
>  type=AVC msg=audit(1525648910.361:1276): avc:  denied  { create } for  pid=12734 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c245,c301 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
>  type=AVC msg=audit(1525648979.442:1290): avc:  denied  { remove_name } for  pid=12822 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c515,c819 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
>  type=AVC msg=audit(1525648979.442:1290): avc:  denied  { unlink } for  pid=12822 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c515,c819 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
>  type=AVC msg=audit(1525648979.442:1291): avc:  denied  { add_name } for  pid=12822 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c515,c819 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
>  type=AVC msg=audit(1525648979.442:1291): avc:  denied  { create } for  pid=12822 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c515,c819 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
>
>  This is my vhostuser client.
>
>  On Mon, May 7, 2018 at 4:39 PM, Aaron Conole <[email protected]> wrote:
>
>  Leon Goldberg <[email protected]> writes:
>
>  > On Fri, May 4, 2018 at 10:19 PM, Aaron Conole <[email protected]> wrote:
>  >
>  >  Leon Goldberg <[email protected]> writes:
>  >
>  >  > Hi list,
>  >  >
>  >  > I'm trying to integrate ovs-dpdk into oVirt. For testing purposes, I'm
>  >  > writing a test that looks to run a VM on top of a dpdk port.
>  >  >
>  >  > The testing environment consists of nested virtualization:
>  >  >
>  >  > Physical machine -> Jenkins CI VM -> Target VM
>  >  >
>  >  > The test merely looks to see that the various components are properly
>  >  > configured for the real world. For that purpose, I'm using NOIOMMU mode
>  >  > of VFIO.
>  >  >
>  >  > The select virtio device fails to be attached to dpdk, and I suspect
>  >  > it is due to $subject.
>  >  >
>  >  > Here are the CI logs[1]. I see some other red lights, but $subject seems
>  >  > the brightest.
>  >
>  >  Can you provide:
>  >
>  >  $ ps aux | grep ovs-vswitchd
>  >  $ ls -lah /dev/vfio
>  >
>  > Hey Aaron,
>  >
>  > Here it is:
>  >
>  > [root@lago-network-suite-master-host-0 ~]# ps aux | grep ovs-vswitchd
>  > openvsw+   840  0.6  6.2 1273732 116716 ?      S<Lsl 07:28   0:10 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach
>  > root      4425  0.0  0.0 112660   976 pts/0    R+   07:55   0:00 grep --color=auto ovs-vswitchd
>  >
>  > [root@lago-network-suite-master-host-0 ~]# ls -lah /dev/vfio
>  > total 0
>  > drwxr-xr-x.  2 root root            80 May  6 07:28 .
>  > drwxr-xr-x. 19 root root          3.2K May  6 07:28 ..
>  > crw-rw----.  1 root hugetlbfs 244,   0 May  6 07:28 noiommu-0
>  > crw-rw-rw-.  1 root root       10, 196 May  6 07:28 vfio 
>
>  Okay - that looks like it should be okay.
>
>  Can you check if there are any selinux violations in audit.log
>  (specifically from the openvswitch_t domain)?  Maybe there is a missing
>  selinux policy directive.
>
>  >  Just want to see if there's a disconnect between the userid for ovs
>  >  and the permissions on the vfio file.  If that's the case, we may need
>  >  to update the vfio rules.
>  >
>  >  > Any tips will be greatly appreciated!
>  >  >
>  >  > Thanks,
>  >  > Leon
>  >  >
>  >  > [1]
>  >  > http://jenkins.ovirt.org/job/ovirt-system-tests_standard-check-patch/642/artifact/exported-artifacts/check-patch.network_suite_master.el7.x86_64/tests.test_dpdk/lago-network-suite-master-host-0/_var_log/openvswitch/ovs-vswitchd.log
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
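
An added triage example, not part of the thread and not code from OVS or oVirt: it groups the AVC denials quoted above by process, source domain, target type and object class, and marks targets that carry a generic label. The sample lines are copied from the thread and joined onto single lines; treating `default_t`, `tmp_t`, `device_t` and `unlabeled_t` as a hint to check the file's labeling before writing allow rules is a heuristic assumed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: five denials copied from the thread, one record per line.
SAMPLE = """\
type=AVC msg=audit(1525707587.009:447): avc:  denied  { remove_name } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1525707587.009:447): avc:  denied  { unlink } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=AVC msg=audit(1525707587.009:448): avc:  denied  { add_name } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1525707587.009:448): avc:  denied  { create } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=AVC msg=audit(1525649015.102:1305): avc:  denied  { open } for  pid=12993 comm="ovs-vswitchd" path="/dev/vfio/noiommu-0" dev="devtmpfs" ino=708920 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

# Heuristic assumed for this example: a generic target type usually means the
# path has no specific file context, so labeling is the first thing to check.
GENERIC_TYPES = {"default_t", "tmp_t", "device_t", "unlabeled_t"}

def se_type(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (comm, source type, target type, class) to the set of denied perms."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (m["comm"], se_type(m["s"]), se_type(m["t"]), m["cls"])
        groups[key].update(m["perms"].split())
    return dict(groups)

def generic_targets(groups):
    """Return the (target type, class) pairs whose target type is generic."""
    return sorted({(t, cls) for (_, _, t, cls) in groups if t in GENERIC_TYPES})

if __name__ == "__main__":
    for (comm, s, t, cls), perms in sorted(summarize(SAMPLE).items()):
        note = "  <- generic label, check file context" if t in GENERIC_TYPES else ""
        print(f"{comm}: {s} -> {t}:{cls} {{ {' '.join(sorted(perms))} }}{note}")
```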
