Leon Goldberg <[email protected]> writes:

> On Mon, May 7, 2018 at 9:00 PM, Aaron Conole <[email protected]> wrote:
>
> Leon Goldberg <[email protected]> writes:
>
> > I stand correct, I was not using permissive mode. With permissive mode, noiommu-0 issue seems to be resolved, however:
>
> Cool. I caught other issues turning on the -DB flag... although maybe
> that was using enforcing mode as well.
>
> > type=AVC msg=audit(1525707587.009:447): avc: denied { remove_name } for pid=4497 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
> > type=AVC msg=audit(1525707587.009:447): avc: denied { unlink } for pid=4497 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
> > type=AVC msg=audit(1525707587.009:448): avc: denied { add_name } for pid=4497 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
> > type=AVC msg=audit(1525707587.009:448): avc: denied { create } for pid=4497 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
> >
> > Still occurs.
> >
> > OVS log shows:
> >
> > 2018-05-07T15:27:15.059Z|00072|dpdk|INFO|VHOST_CONFIG: vhost-user client: socket created, fd: 55
> > 2018-05-07T15:27:15.059Z|00073|netdev_dpdk|INFO|vHost User device 'dpdkvhostclient1' created in 'client' mode, using client socket '/vhostusers/vhost-user-5'
> > 2018-05-07T15:27:15.062Z|00074|dpdk|WARN|VHOST_CONFIG: failed to connect to /vhostusers/vhost-user-5: Permission denied
>
> Does that directory exist? What are the permissions? What are the
> permissions of the sock file that exist in that directory?
>
> [root@lago-network-suite-master-host-0 ~]# ll /vhostusers/
> total 0
> srwxrwxr-x. 1 qemu kvm 0 May 7 11:55 vhost-user-5

That looks like a problem. Have a look at /etc/libvirt/qemu.conf and
change the group to hugetlbfs, restart libvirtd, and see if that allows
ovs+libvirt to proceed.

More information could be available at:

https://developers.redhat.com/blog/2018/03/23/non-root-open-vswitch-rhel/

-Aaron

>
> > On Mon, May 7, 2018 at 6:21 PM, Leon Goldberg <[email protected]> wrote:
> >
> > Aha, indeed, I see:
> >
> > type=AVC msg=audit(1525649015.102:1305): avc: denied { open } for pid=12993 comm="ovs-vswitchd" path="/dev/vfio/noiommu-0" dev="devtmpfs" ino=708920 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> > type=AVC msg=audit(1525649177.311:1326): avc: denied { open } for pid=13241 comm="ovs-vswitchd" path="/dev/vfio/noiommu-0" dev="devtmpfs" ino=708920 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> >
> > and I'm using permissive mode.
> >
> > I also see:
> >
> > [root@lago-network-suite-master-host-0 ~]# cat /var/log/audit/audit.log | grep vhost-user-5
> > type=AVC msg=audit(1525636067.061:757): avc: denied { create } for pid=7533 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c423,c510 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
> > type=AVC msg=audit(1525648910.361:1276): avc: denied { add_name } for pid=12734 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c245,c301 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
> > type=AVC msg=audit(1525648910.361:1276): avc: denied { create } for pid=12734 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c245,c301 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
> > type=AVC msg=audit(1525648979.442:1290): avc: denied { remove_name } for pid=12822 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c515,c819 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
> > type=AVC msg=audit(1525648979.442:1290): avc: denied { unlink } for pid=12822 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c515,c819 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
> > type=AVC msg=audit(1525648979.442:1291): avc: denied { add_name } for pid=12822 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c515,c819 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
> > type=AVC msg=audit(1525648979.442:1291): avc: denied { create } for pid=12822 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c515,c819 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
> >
> > This is my vhostuser client.
> >
> > On Mon, May 7, 2018 at 4:39 PM, Aaron Conole <[email protected]> wrote:
> >
> > Leon Goldberg <[email protected]> writes:
> >
> > > On Fri, May 4, 2018 at 10:19 PM, Aaron Conole <[email protected]> wrote:
> > >
> > > Leon Goldberg <[email protected]> writes:
> > >
> > > > Hi list,
> > > >
> > > > I'm trying to integrate ovs-dpdk into oVirt. For testing purposes, I'm
> > > > writing a test that looks to run a VM on top of a dpdk port.
> > > >
> > > > The testing environment consists of nested virtualization:
> > > >
> > > > Physical machine -> Jenkins CI VM -> Target VM
> > > >
> > > > The test merely looks to see that the various components are properly
> > > > configured for the real world. For that purpose, I'm using NOIOMMU mode of
> > > > VFIO.
> > > >
> > > > The select virtio device fails to be attached to dpdk, and I suspect it
> > > > is due to $subject.
> > > >
> > > > Here are the CI logs[1]. I see some other red lights, but $subject seems
> > > > the brightest.
> > >
> > > Can you provide:
> > >
> > > $ ps aux | grep ovs-vswitchd
> > > $ ls -lah /dev/vfio
> > >
> > > Hey Aaron,
> > >
> > > Here it is:
> > >
> > > [root@lago-network-suite-master-host-0 ~]# ps aux | grep ovs-vswitchd
> > > openvsw+ 840 0.6 6.2 1273732 116716 ? S<Lsl 07:28 0:10 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach
> > > root 4425 0.0 0.0 112660 976 pts/0 R+ 07:55 0:00 grep --color=auto ovs-vswitchd
> > >
> > > [root@lago-network-suite-master-host-0 ~]# ls -lah /dev/vfio
> > > total 0
> > > drwxr-xr-x. 2 root root 80 May 6 07:28 .
> > > drwxr-xr-x. 19 root root 3.2K May 6 07:28 ..
> > > crw-rw----. 1 root hugetlbfs 244, 0 May 6 07:28 noiommu-0
> > > crw-rw-rw-. 1 root root 10, 196 May 6 07:28 vfio
> >
> > Okay - that looks like it should be okay.
> >
> > Can you check if there are any selinux violations in audit.log
> > (specifically from the openvswitch_t domain)? Maybe there is a missing
> > selinux policy directive.
> >
> > > Just want to see if there's a disconnect between the userid for ovs
> > > and the permissions on the vfio file. If that's the case, we may need
> > > to update the vfio rules.
> > >
> > > > Any tips will be greatly appreciated!
> > > >
> > > > Thanks,
> > > > Leon
> > > >
> > > > [1]
> > > > http://jenkins.ovirt.org/job/ovirt-system-tests_standard-check-patch/642/artifact/exported-artifacts/check-patch.network_suite_master.el7.x86_64/tests.test_dpdk/lago-network-suite-master-host-0/_var_log/openvswitch/ovs-vswitchd.log
> > > >
> > > > _______________________________________________
> > > > dev mailing list
> > > > [email protected]
> > > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
