Re: [ovs-discuss] OVS+DPDK: socket permissions' problem

Sun, 26 Mar 2017 23:45:51 -0700

After building the deb-packages of DPDK 16.11.1 without fix-perm patch and adds necessary apparmor rules for vhost-user socket creation my problem is solved. 

Thanks to all.

On 03/22/2017 09:21 PM, Aaron Conole wrote:

Aynur Shakirov <ajnur.shaki...@tionix.ru> writes:


libvirt-qemu user and kvm group exists in my system (autocreated after libvirt 
package in Ubuntu):

root@dpdk-compute0:/opt/build# grep qemu /etc/passwd
libvirt-qemu:x:64055:118:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false

root@dpdk-compute0:/opt/build# groups libvirt-qemu
libvirt-qemu : kvm

root@dpdk-compute0:/opt/build# cat /etc/group | grep kvm
kvm:x:118:

OVS 2.7.0 doesn't write messages about permissions, but without changes for 
socket perms: 0000
instead 0666. Because of this problem OStack Ocata cannot enable vhost socket 
to VM even with
root:root.

The recommended method for integrating with vhost-user sockets is for
ovs to be in client mode.  Lots of attempts were made (some even by
yours truly) to get server mode to provide this functionality, but there
ended up being too many corner cases to provide it in a secure manner.

The issue you're most likely encountering with OvS 2.7 is related to
custom patches added to Ubuntu's dpdk to provide the perms= flags.  This
also was rejected by the dpdk community, though not outright.  As such,
building ovs+dpdk from upstream means you won't get clogged up with
messages about users and permissions.  You will have to add custom
behavior to set the permissions, however.

Maybe we can resurrect these efforts, but with client mode available, I
don't see a huge reason to do so.


On 03/22/2017 03:37 AM, Darrell Ball wrote:


  From: <ovs-discuss-boun...@openvswitch.org> on behalf of Aynur Shakirov
  <ajnur.shaki...@tionix.ru>
  Date: Tuesday, March 21, 2017 at 6:17 AM
  To: "ovs-discuss@openvswitch.org" <ovs-discuss@openvswitch.org>
  Subject: [ovs-discuss] OVS+DPDK: socket permissions' problem


  Hello.

  Meta.
  OVS ver: 2.7.90, today master (stp tests skipped)
  Compiler: GCC 5.3.1, default flags
  DPDK: 16.11.1 (from Ubuntu Cloud Archive: Ocata)
  Env: Ubuntu 16.04.1 up-to-date.
  Kernel: 4.8.0-41-generic

  Problem.
  When I adds a vhost-interface into bridge OVS specifies incorrect rights for 
the socket:

  root@dpdk-compute0:/opt/build# ovs-vsctl add-port br-ex vhost-user-1 -- set
  Interface vhost-user-1 type=dpdkvhostuser

  2017-03-21T12:09:33.436Z|00115|dpdk|INFO|VHOST_CONFIG: vhost-user server: 
socket
  created, fd: 46
  2017-03-21T12:09:33.436Z|00116|dpdk|INFO|VHOST_CONFIG: bind to
  /var/run/openvswitch/vhost-user-1
  2017-03-21T12:09:33.436Z|00117|dpdk|INFO|EAL: Socket
  /var/run/openvswitch/vhost-user-1 changed permissions to ����
  2017-03-21T12:09:33.436Z|00118|dpdk|ERR|EAL: user �ƿ not found,  aborting.
  2017-03-21T12:09:33.436Z|00119|dpdk|ERR|EAL: vhost-user socket unable to get
  specified user/group: �ƿ


  This worked better for me. I am using similar ovs and dpdk versions, but older
  kernel

  and distro 3.16.0-77-generic #99~14.04.1-Ubuntu.


  .

  .

  2017-03-21T23:09:21.662Z|00104|netdev_dpdk|INFO|Socket
  /usr/local/var/run/openvswitch/vhost-user-1 created for vhost-user port 
vhost-user-1

  2017-03-21T23:09:21.662Z|00105|bridge|INFO|bridge br0: added interface 
vhost-user-1 on port 6

  .

  .


  darrell@xxxx-xxxx-xxxx-server125:~/ovs/ovs_master$ ll
  /usr/local/var/run/openvswitch/vhost-user-1

  srwxr-xr-x 1 root root 0 Mar 21 16:30 
/usr/local/var/run/openvswitch/vhost-user-1=


  However, I have the libvirt-qemu user, you seem to be missing; well, at least

  based on the EAL logs.


  darrell@ xxxx-xxxx-xxxx-server125:~/ovs/ovs_master$ cat /etc/passwd | grep 
libvirt

  libvirt-qemu:x:105:109:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false


  darrell@ xxxx-xxxx-xxxx-server125:~/ovs/ovs_master$ groups libvirt-qemu

  libvirt-qemu : kvm


  darrell@ xxxx-xxxx-xxxx-server125:~/ovs/ovs_master$ cat /etc/group | grep kvm

  kvm:x:109:


  Debug Log is here.

  For past master (2 weeks ago and with -03/march=native compiler flags) OVS 
was trying to
  configure the socket owner as fdb/show.

  DPDK Settings:

  root@dpdk-compute0:/opt/build# ovs-vsctl --no-wait get Open_vSwitch . 
other_config
  {dpdk-alloc-mem="2048", dpdk-extra="--vhost-owner libvirt-qemu:kvm 
--vhost-perm
  0666", dpdk-init="true", dpdk-lcore-mask="0x1", dpdk-socket-mem="1024,0"}

  OVS config:

  root@dpdk-compute0:/opt/build# ovs-vsctl show
  972154fa-857e-45e8-b56b-77e5cb6eb685
      Manager "ptcp:6640:127.0.0.1"
          is_connected: true
      Bridge br-int
          Controller "tcp:127.0.0.1:6633"
              is_connected: true
          fail_mode: secure
          Port int-br-ex
              Interface int-br-ex
                  type: patch
                  options: {peer=phy-br-ex}
          Port patch-tun
              Interface patch-tun
                  type: patch
                  options: {peer=patch-int}
          Port br-int
              Interface br-int
                  type: internal
      Bridge br-ex
          Controller "tcp:127.0.0.1:6633"
              is_connected: true
          fail_mode: secure
          Port "vhost-user-1"
              Interface "vhost-user-1"
                  type: dpdkvhostuser
          Port phy-br-ex
              Interface phy-br-ex
                  type: patch
                  options: {peer=int-br-ex}
          Port br-ex
              Interface br-ex
                  type: internal
          Port "intel_1g_1"
              Interface "intel_1g_1"
                  type: dpdk
                  options: {dpdk-devargs="0000:06:00.1"}
      Bridge br-tun
          Controller "tcp:127.0.0.1:6633"
              is_connected: true
          fail_mode: secure
          Port patch-int
              Interface patch-int
                  type: patch
                  options: {peer=patch-tun}
          Port br-tun
              Interface br-tun
                  type: internal
      ovs_version: "2.7.90"
  root@dpdk-compute0:/opt/build#

  Command for port add:

  root@dpdk-compute0:/opt/build# ovs-vsctl add-port br-ex vhost-user-1 -- set
  Interface vhost-user-1 type=dpdkvhostuser

  Actual socket rights after vhost create:

  root@dpdk-compute0:/opt/build# ll /var/run/openvswitch/vhost-user-1
  s--------- 1 root root 0 Mar 21 07:14 /var/run/openvswitch/vhost-user-1=

  Why this happening? And one more question: can enable a debug logs for EAL 
over OVS?

  Thanks for help.

--

Sincerely,

Aynur Shakirov, 27.

TIONIX RUS.

Planet Earth, Solar System, Milky Way.


--
Sincerely,
Aynur Shakirov, 26.
TIONIX RUS.
Planet Earth, Solar System, Milky Way.

_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss

Reply via email to