Re: [ovs-discuss] OVS+DPDK: socket permissions' problem

2017-03-27 Thread Aynur Shakirov
After building the deb packages of DPDK 16.11.1 without the fix-perm patch 
and adding the necessary AppArmor rules for vhost-user socket creation, my 
problem is solved.


Thanks to all.

On 03/22/2017 09:21 PM, Aaron Conole wrote:

Aynur Shakirov  writes:


libvirt-qemu user and kvm group exist in my system (autocreated after libvirt 
package in Ubuntu):

root@dpdk-compute0:/opt/build# grep qemu /etc/passwd
libvirt-qemu:x:64055:118:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false

root@dpdk-compute0:/opt/build# groups libvirt-qemu
libvirt-qemu : kvm

root@dpdk-compute0:/opt/build# cat /etc/group | grep kvm
kvm:x:118:

OVS 2.7.0 doesn't write messages about permissions, but without changes for 
socket perms: 
instead 0666. Because of this problem OStack Ocata cannot enable vhost socket 
to VM even with
root:root.

The recommended method for integrating with vhost-user sockets is for
ovs to be in client mode.  Lots of attempts were made (some even by
yours truly) to get server mode to provide this functionality, but there
ended up being too many corner cases to provide it in a secure manner.

The issue you're most likely encountering with OvS 2.7 is related to
custom patches added to Ubuntu's dpdk to provide the perms= flags.  This
also was rejected by the dpdk community, though not outright.  As such,
building ovs+dpdk from upstream means you won't get clogged up with
messages about users and permissions.  You will have to add custom
behavior to set the permissions, however.

Maybe we can resurrect these efforts, but with client mode available, I
don't see a huge reason to do so.


On 03/22/2017 03:37 AM, Darrell Ball wrote:

   

   


  From:  on behalf of Aynur Shakirov
  
  Date: Tuesday, March 21, 2017 at 6:17 AM
  To: "ovs-discuss@openvswitch.org" 
  Subject: [ovs-discuss] OVS+DPDK: socket permissions' problem

   


  Hello.

  Meta.
  OVS ver: 2.7.90, today master (stp tests skipped)
  Compiler: GCC 5.3.1, default flags
  DPDK: 16.11.1 (from Ubuntu Cloud Archive: Ocata)
  Env: Ubuntu 16.04.1 up-to-date.
  Kernel: 4.8.0-41-generic

  Problem.
  When I add a vhost-interface into bridge OVS specifies incorrect rights for 
the socket:

  root@dpdk-compute0:/opt/build# ovs-vsctl add-port br-ex vhost-user-1 -- set
  Interface vhost-user-1 type=dpdkvhostuser

  2017-03-21T12:09:33.436Z|00115|dpdk|INFO|VHOST_CONFIG: vhost-user server: 
socket
  created, fd: 46
  2017-03-21T12:09:33.436Z|00116|dpdk|INFO|VHOST_CONFIG: bind to
  /var/run/openvswitch/vhost-user-1
  2017-03-21T12:09:33.436Z|00117|dpdk|INFO|EAL: Socket
  /var/run/openvswitch/vhost-user-1 changed permissions to 
  2017-03-21T12:09:33.436Z|00118|dpdk|ERR|EAL: user �ƿ not found,  aborting.
  2017-03-21T12:09:33.436Z|00119|dpdk|ERR|EAL: vhost-user socket unable to get
  specified user/group: �ƿ

   

   

   


  This worked better for me. I am using similar ovs and dpdk versions, but older
  kernel

  and distro 3.16.0-77-generic #99~14.04.1-Ubuntu.

   


  .

  .

  2017-03-21T23:09:21.662Z|00104|netdev_dpdk|INFO|Socket
  /usr/local/var/run/openvswitch/vhost-user-1 created for vhost-user port 
vhost-user-1

  2017-03-21T23:09:21.662Z|00105|bridge|INFO|bridge br0: added interface 
vhost-user-1 on port 6

  .

  .

   

   


  darrell@---server125:~/ovs/ovs_master$ ll
  /usr/local/var/run/openvswitch/vhost-user-1

  srwxr-xr-x 1 root root 0 Mar 21 16:30 
/usr/local/var/run/openvswitch/vhost-user-1=

   

   


  However, I have the libvirt-qemu user, you seem to be missing; well, at least

  based on the EAL logs.

   


  darrell@ ---server125:~/ovs/ovs_master$ cat /etc/passwd | grep 
libvirt

  libvirt-qemu:x:105:109:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false

   


  darrell@ ---server125:~/ovs/ovs_master$ groups libvirt-qemu

  libvirt-qemu : kvm

   


  darrell@ ---server125:~/ovs/ovs_master$ cat /etc/group | grep kvm

  kvm:x:109:

   

   


  Debug Log is here.

  For past master (2 weeks ago and with -03/march=native compiler flags) OVS 
was trying to
  configure the socket owner as fdb/show.

  DPDK Settings:

  root@dpdk-compute0:/opt/build# ovs-vsctl --no-wait get Open_vSwitch . 
other_config
  {dpdk-alloc-mem="2048", dpdk-extra="--vhost-owner libvirt-qemu:kvm 
--vhost-perm
  0666", dpdk-init="true", dpdk-lcore-mask="0x1", dpdk-socket-mem="1024,0"}

  OVS config:

  root@dpdk-compute0:/opt/build# ovs-vsctl show
  972154fa-857e-45e8-b56b-77e5cb6eb685
  Manager "ptcp:6640:127.0.0.1"
  is_connected: true
  Bridge br-int
  Controller "tcp:127.0.0.1:6633"
  is_connected: true
  fail_mode: secure
  Port int-br-ex
  Interface int-br-ex
  type: patch
  options: {peer=phy-br-ex}
  Port patch-tun
  Interface patch-tun
  type: patch
  

Re: [ovs-discuss] OVS+DPDK: socket permissions' problem

2017-03-22 Thread Aaron Conole
Aynur Shakirov  writes:

> libvirt-qemu user and kvm group exist in my system (autocreated after 
> libvirt package in Ubuntu):
>
> root@dpdk-compute0:/opt/build# grep qemu /etc/passwd
> libvirt-qemu:x:64055:118:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
>
> root@dpdk-compute0:/opt/build# groups libvirt-qemu
> libvirt-qemu : kvm
>
> root@dpdk-compute0:/opt/build# cat /etc/group | grep kvm
> kvm:x:118:
>
> OVS 2.7.0 doesn't write messages about permissions, but without changes for 
> socket perms: 
> instead 0666. Because of this problem OStack Ocata cannot enable vhost socket 
> to VM even with
> root:root.

The recommended method for integrating with vhost-user sockets is for
ovs to be in client mode.  Lots of attempts were made (some even by
yours truly) to get server mode to provide this functionality, but there
ended up being too many corner cases to provide it in a secure manner.

The issue you're most likely encountering with OvS 2.7 is related to
custom patches added to Ubuntu's dpdk to provide the perms= flags.  This
also was rejected by the dpdk community, though not outright.  As such,
building ovs+dpdk from upstream means you won't get clogged up with
messages about users and permissions.  You will have to add custom
behavior to set the permissions, however.

Maybe we can resurrect these efforts, but with client mode available, I
don't see a huge reason to do so.

> On 03/22/2017 03:37 AM, Darrell Ball wrote:
>
>   
>
>   
>
>  From:  on behalf of Aynur Shakirov
>  
>  Date: Tuesday, March 21, 2017 at 6:17 AM
>  To: "ovs-discuss@openvswitch.org" 
>  Subject: [ovs-discuss] OVS+DPDK: socket permissions' problem
>
>   
>
>  Hello.
>
>  Meta.
>  OVS ver: 2.7.90, today master (stp tests skipped)
>  Compiler: GCC 5.3.1, default flags
>  DPDK: 16.11.1 (from Ubuntu Cloud Archive: Ocata)
>  Env: Ubuntu 16.04.1 up-to-date.
>  Kernel: 4.8.0-41-generic
>
>  Problem. 
>  When I add a vhost-interface into bridge OVS specifies incorrect rights for 
> the socket:
>
>  root@dpdk-compute0:/opt/build# ovs-vsctl add-port br-ex vhost-user-1 -- set
>  Interface vhost-user-1 type=dpdkvhostuser
>
>  2017-03-21T12:09:33.436Z|00115|dpdk|INFO|VHOST_CONFIG: vhost-user server: 
> socket
>  created, fd: 46
>  2017-03-21T12:09:33.436Z|00116|dpdk|INFO|VHOST_CONFIG: bind to
>  /var/run/openvswitch/vhost-user-1
>  2017-03-21T12:09:33.436Z|00117|dpdk|INFO|EAL: Socket
>  /var/run/openvswitch/vhost-user-1 changed permissions to 
>  2017-03-21T12:09:33.436Z|00118|dpdk|ERR|EAL: user �ƿ not found,  aborting.
>  2017-03-21T12:09:33.436Z|00119|dpdk|ERR|EAL: vhost-user socket unable to get
>  specified user/group: �ƿ
>
>   
>
>   
>
>   
>
>  This worked better for me. I am using similar ovs and dpdk versions, but 
> older
>  kernel
>
>  and distro 3.16.0-77-generic #99~14.04.1-Ubuntu.
>
>   
>
>  .
>
>  .
>
>  2017-03-21T23:09:21.662Z|00104|netdev_dpdk|INFO|Socket
>  /usr/local/var/run/openvswitch/vhost-user-1 created for vhost-user port 
> vhost-user-1
>
>  2017-03-21T23:09:21.662Z|00105|bridge|INFO|bridge br0: added interface 
> vhost-user-1 on port 6
>
>  .
>
>  .
>
>   
>
>   
>
>  darrell@---server125:~/ovs/ovs_master$ ll
>  /usr/local/var/run/openvswitch/vhost-user-1 
>
>  srwxr-xr-x 1 root root 0 Mar 21 16:30 
> /usr/local/var/run/openvswitch/vhost-user-1=
>
>   
>
>   
>
>  However, I have the libvirt-qemu user, you seem to be missing; well, at least
>
>  based on the EAL logs.
>
>   
>
>  darrell@ ---server125:~/ovs/ovs_master$ cat /etc/passwd | grep 
> libvirt
>
>  libvirt-qemu:x:105:109:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
>
>   
>
>  darrell@ ---server125:~/ovs/ovs_master$ groups libvirt-qemu
>
>  libvirt-qemu : kvm
>
>   
>
>  darrell@ ---server125:~/ovs/ovs_master$ cat /etc/group | grep kvm
>
>  kvm:x:109:
>
>   
>
>   
>
>  Debug Log is here.
>
>  For past master (2 weeks ago and with -03/march=native compiler flags) OVS 
> was trying to
>  configure the socket owner as fdb/show.
>
>  DPDK Settings:
>
>  root@dpdk-compute0:/opt/build# ovs-vsctl --no-wait get Open_vSwitch . 
> other_config
>  {dpdk-alloc-mem="2048", dpdk-extra="--vhost-owner libvirt-qemu:kvm 
> --vhost-perm
>  0666", dpdk-init="true", dpdk-lcore-mask="0x1", dpdk-socket-mem="1024,0"}
>
>  OVS config:
>
>  root@dpdk-compute0:/opt/build# ovs-vsctl show
>  972154fa-857e-45e8-b56b-77e5cb6eb685
>  Manager "ptcp:6640:127.0.0.1"
>  is_connected: true
>  Bridge br-int
>  Controller "tcp:127.0.0.1:6633"
>  is_connected: true
>  fail_mode: secure
>  Port int-br-ex
>  Interface int-br-ex
>  type: patch
>  options: {peer=phy-br-ex}
>  Port patch-tun
>  Interface patch-tun
>  type: patch
>  options: {peer=patch-int}
>  Port br-int
>
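
An added example, not part of the thread or of OVS/DPDK: one way to audit the "custom behavior to set the permissions" mentioned above. It reads the `--vhost-owner`/`--vhost-perm` values from an `other_config` string like the one quoted in the thread and checks a socket against them. The function names and the 0660 target mode are assumptions made for this illustration.

```python
import grp, os, pwd, re, shlex, stat

# Constructed sample, modelled on the other_config value quoted in the thread.
SAMPLE_OTHER_CONFIG = ('{dpdk-alloc-mem="2048", dpdk-extra="--vhost-owner libvirt-qemu:kvm '
                       '--vhost-perm 0666", dpdk-init="true", dpdk-lcore-mask="0x1"}')

def parse_vhost_policy(other_config):
    """Extract (owner, mode) requested through dpdk-extra; None where absent."""
    m = re.search(r'dpdk-extra="([^"]*)"', other_config)
    args = shlex.split(m.group(1)) if m else []
    owner = mode = None
    for flag, value in zip(args, args[1:]):
        if flag == "--vhost-owner":
            owner = value
        elif flag == "--vhost-perm":
            mode = int(value, 8)  # the value is written in octal
    return owner, mode

def resolve_owner(owner):
    """Turn 'user:group' into (uid, gid); raises KeyError if either is unknown."""
    user, _, group = owner.partition(":")
    return pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid

def audit_socket(path, want_uid, want_gid, want_mode):
    """Return a list of findings for one vhost-user socket path."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return ["not a socket"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if (st.st_uid, st.st_gid) != (want_uid, want_gid):
        findings.append(f"owner {st.st_uid}:{st.st_gid}, expected {want_uid}:{want_gid}")
    if mode != want_mode:
        findings.append(f"mode {mode:04o}, expected {want_mode:04o}")
    if mode & 0o006:
        findings.append("socket is accessible to 'other' users")
    return findings

if __name__ == "__main__":
    owner, requested_mode = parse_vhost_policy(SAMPLE_OTHER_CONFIG)
    uid, gid = resolve_owner(owner)  # fails loudly if the user or group is missing
    # Assumed target: owner and group only (0660), not the 0666 requested above.
    for finding in audit_socket("/var/run/openvswitch/vhost-user-1", uid, gid, 0o660):
        print(finding)
```
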

Re: [ovs-discuss] OVS+DPDK: socket permissions' problem

2017-03-22 Thread Aynur Shakirov
libvirt-qemu user and kvm group exist in my system (autocreated after 
libvirt package in Ubuntu):


root@dpdk-compute0:/opt/build# grep qemu /etc/passwd
libvirt-qemu:x:64055:118:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false

root@dpdk-compute0:/opt/build# groups libvirt-qemu
libvirt-qemu : kvm

root@dpdk-compute0:/opt/build# cat /etc/group | grep kvm
kvm:x:118:

OVS 2.7.0 doesn't write messages about permissions, but without changes 
for socket perms:  instead 0666. Because of this problem OStack 
Ocata cannot enable vhost socket to VM even with root:root.



On 03/22/2017 03:37 AM, Darrell Ball wrote:


*From: * on behalf of Aynur 
Shakirov 

*Date: *Tuesday, March 21, 2017 at 6:17 AM
*To: *"ovs-discuss@openvswitch.org" 
*Subject: *[ovs-discuss] OVS+DPDK: socket permissions' problem

Hello.

Meta.
OVS ver: 2.7.90, today master (stp tests skipped)
Compiler: GCC 5.3.1, default flags
DPDK: 16.11.1 (from Ubuntu Cloud Archive: Ocata)
Env: Ubuntu 16.04.1 up-to-date.
Kernel: 4.8.0-41-generic

Problem.
When I add a vhost-interface into bridge OVS specifies incorrect 
rights for the socket:


root@dpdk-compute0:/opt/build# ovs-vsctl add-port br-ex vhost-user-1 
-- set Interface vhost-user-1 type=dpdkvhostuser


2017-03-21T12:09:33.436Z|00115|dpdk|INFO|VHOST_CONFIG: vhost-user 
server: socket created, fd: 46
2017-03-21T12:09:33.436Z|00116|dpdk|INFO|VHOST_CONFIG: bind to 
/var/run/openvswitch/vhost-user-1
2017-03-21T12:09:33.436Z|00117|dpdk|INFO|EAL: Socket 
/var/run/openvswitch/vhost-user-1 changed permissions to 

2017-03-21T12:09:33.436Z|00118|dpdk|ERR|EAL: user �ƿ not found,  aborting.
2017-03-21T12:09:33.436Z|00119|dpdk|ERR|EAL: vhost-user socket unable 
to get specified user/group: �ƿ


This worked better for me. I am using similar ovs and dpdk versions, 
but older kernel


and distro 3.16.0-77-generic #99~14.04.1-Ubuntu.

.

.

2017-03-21T23:09:21.662Z|00104|netdev_dpdk|INFO|Socket 
/usr/local/var/run/openvswitch/vhost-user-1 created for vhost-user 
port vhost-user-1


2017-03-21T23:09:21.662Z|00105|bridge|INFO|bridge br0: added interface 
vhost-user-1 on port 6


.

.

darrell@---server125:~/ovs/ovs_master$ ll 
/usr/local/var/run/openvswitch/vhost-user-1


srwxr-xr-x 1 root root 0 Mar 21 16:30 
/usr/local/var/run/openvswitch/vhost-user-1=


However, I have the libvirt-qemu user, you seem to be missing; well, 
at least


based on the EAL logs.

darrell@---server125:~/ovs/ovs_master$ cat /etc/passwd | 
grep libvirt


libvirt-qemu:x:105:109:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false

darrell@---server125:~/ovs/ovs_master$ groups libvirt-qemu

libvirt-qemu : kvm

darrell@---server125:~/ovs/ovs_master$ cat /etc/group | 
grep kvm


kvm:x:109:



Debug Log is here 
.


For past master (2 weeks ago and with -03/march=native compiler flags) 
OVS was trying to configure the socket owner as fdb/show.


DPDK Settings:

root@dpdk-compute0:/opt/build# ovs-vsctl --no-wait get Open_vSwitch . 
other_config
{dpdk-alloc-mem="2048", dpdk-extra="--vhost-owner libvirt-qemu:kvm 
--vhost-perm 0666", dpdk-init="true", dpdk-lcore-mask="0x1", 
dpdk-socket-mem="1024,0"}


OVS config:

root@dpdk-compute0:/opt/build# ovs-vsctl show
972154fa-857e-45e8-b56b-77e5cb6eb685
Manager "ptcp:6640:127.0.0.1"
is_connected: true
Bridge br-int
Controller "tcp:127.0.0.1:6633"
is_connected: true
fail_mode: secure
Port int-br-ex
Interface int-br-ex
type: patch
options: {peer=phy-br-ex}
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Port br-int
Interface br-int
type: internal
Bridge br-ex
Controller "tcp:127.0.0.1:6633"
is_connected: true
fail_mode: secure
*Port "vhost-user-1"**
Interface "vhost-user-1"
type: dpdkvhostuser*
Port phy-br-ex
Interface phy-br-ex
type: patch
options: {peer=int-br-ex}
Port br-ex
Interface br-ex
type: internal
Port "intel_1g_1"
Interface "intel_1g_1"
type: dpdk
options: {dpdk-devargs=":06:00.1"}
Bridge br-tun
Controller "tcp:127.0.0.1:6633"
is_connected: true
fail_mode: secure
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
Port br-tun
Interface br-tun
type: internal
ovs_version: "2.7.90"

Re: [ovs-discuss] OVS+DPDK: socket permissions' problem

2017-03-21 Thread Darrell Ball


From:  on behalf of Aynur Shakirov 

Date: Tuesday, March 21, 2017 at 6:17 AM
To: "ovs-discuss@openvswitch.org" 
Subject: [ovs-discuss] OVS+DPDK: socket permissions' problem


Hello.
Meta.
OVS ver: 2.7.90, today master (stp tests skipped)
Compiler: GCC 5.3.1, default flags
DPDK: 16.11.1 (from Ubuntu Cloud Archive: Ocata)
Env: Ubuntu 16.04.1 up-to-date.
Kernel: 4.8.0-41-generic

Problem.
When I add a vhost-interface into bridge OVS specifies incorrect rights for 
the socket:

root@dpdk-compute0:/opt/build# ovs-vsctl add-port br-ex vhost-user-1 -- set 
Interface vhost-user-1 type=dpdkvhostuser

2017-03-21T12:09:33.436Z|00115|dpdk|INFO|VHOST_CONFIG: vhost-user server: 
socket created, fd: 46
2017-03-21T12:09:33.436Z|00116|dpdk|INFO|VHOST_CONFIG: bind to 
/var/run/openvswitch/vhost-user-1
2017-03-21T12:09:33.436Z|00117|dpdk|INFO|EAL: Socket 
/var/run/openvswitch/vhost-user-1 changed permissions to 
2017-03-21T12:09:33.436Z|00118|dpdk|ERR|EAL: user �ƿ not found,  aborting.
2017-03-21T12:09:33.436Z|00119|dpdk|ERR|EAL: vhost-user socket unable to get 
specified user/group: �ƿ



This worked better for me. I am using similar ovs and dpdk versions, but older 
kernel
and distro 3.16.0-77-generic #99~14.04.1-Ubuntu.

.
.
2017-03-21T23:09:21.662Z|00104|netdev_dpdk|INFO|Socket 
/usr/local/var/run/openvswitch/vhost-user-1 created for vhost-user port 
vhost-user-1
2017-03-21T23:09:21.662Z|00105|bridge|INFO|bridge br0: added interface 
vhost-user-1 on port 6
.
.


darrell@---server125:~/ovs/ovs_master$ ll 
/usr/local/var/run/openvswitch/vhost-user-1
srwxr-xr-x 1 root root 0 Mar 21 16:30 
/usr/local/var/run/openvswitch/vhost-user-1=


However, I have the libvirt-qemu user, you seem to be missing; well, at least
based on the EAL logs.

darrell@ ---server125:~/ovs/ovs_master$ cat /etc/passwd | grep 
libvirt
libvirt-qemu:x:105:109:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false

darrell@ ---server125:~/ovs/ovs_master$ groups libvirt-qemu
libvirt-qemu : kvm

darrell@ ---server125:~/ovs/ovs_master$ cat /etc/group | grep kvm
kvm:x:109:




Debug Log is 
here.

For past master (2 weeks ago and with -03/march=native compiler flags) OVS was 
trying to configure the socket owner as fdb/show.

DPDK Settings:

root@dpdk-compute0:/opt/build# ovs-vsctl --no-wait get Open_vSwitch . 
other_config
{dpdk-alloc-mem="2048", dpdk-extra="--vhost-owner libvirt-qemu:kvm --vhost-perm 
0666", dpdk-init="true", dpdk-lcore-mask="0x1", dpdk-socket-mem="1024,0"}

OVS config:

root@dpdk-compute0:/opt/build# ovs-vsctl show
972154fa-857e-45e8-b56b-77e5cb6eb685
    Manager "ptcp:6640:127.0.0.1"
        is_connected: true
    Bridge br-int
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port int-br-ex
            Interface int-br-ex
                type: patch
                options: {peer=phy-br-ex}
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port br-int
            Interface br-int
                type: internal
    Bridge br-ex
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "vhost-user-1"
            Interface "vhost-user-1"
                type: dpdkvhostuser
        Port phy-br-ex
            Interface phy-br-ex
                type: patch
                options: {peer=int-br-ex}
        Port br-ex
            Interface br-ex
                type: internal
        Port "intel_1g_1"
            Interface "intel_1g_1"
                type: dpdk
                options: {dpdk-devargs=":06:00.1"}
    Bridge br-tun
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port br-tun
            Interface br-tun
                type: internal
    ovs_version: "2.7.90"
root@dpdk-compute0:/opt/build#

Command for port add:

root@dpdk-compute0:/opt/build# ovs-vsctl add-port br-ex vhost-user-1 -- set 
Interface vhost-user-1 type=dpdkvhostuser

Actual socket rights after vhost create:

root@dpdk-compute0:/opt/build# ll /var/run/openvswitch/vhost-user-1
s- 1 root root 0 Mar 21 07:14 /var/run/openvswitch/vhost-user-1=

Why is this happening? And one more question: can I enable debug logs for EAL over 
OVS?

Thanks for help.


--

Sincerely,

Aynur Shakirov, 27.

TIONIX RUS.

Planet Earth, Solar System, Milky Way.