Re: [ovs-dev] [PATCH v4 5/5] redhat: allow dpdk to also run as non-root user

2017-08-06 Thread Aaron Conole
Russell Bryant  writes:

> On Fri, Aug 4, 2017 at 1:00 PM, Aaron Conole  wrote:
>> After this commit, users may start a dpdk-enabled ovs setup as a
>> non-root user.  This is accomplished by exporting the $HOME directory,
>> which dpdk uses to fill in its semi-persistent RTE configuration.
>>
>> This change may be a bit controversial since it modifies /dev/hugepages
>> as part of starting the ovs-vswitchd to set a hugetlbfs group
>> ownership.  This is used to enable writing to /dev/hugepages so that the
>> dpdk_init will successfully complete.  There is an alternate way of
>> accomplishing this - namely to initialize DPDK before dropping
>> privileges.  However, this would mean that if DPDK ever grows an uninit
>> / reinit function, non-root ovs likely could never use it.
>
> Indeed ... the modifications to /dev/hugepages don't look ideal ...
>
> If this was truly limited to when DPDK was in use, I'd feel better
> about it.  We want to build a single package for OVS, right?  The
> package will have DPDK enabled, even for normal uses that won't use
> DPDK.  That means these modifications take place even for non-DPDK
> use.  I'd feel more comfortable if it could be restricted to only when
> DPDK was actually in use.  Maybe some of this logic could be moved
> into ovs-ctl so that the check could be at runtime?

I couldn't find a way of doing that check.  It is possible to
dynamically enable dpdk (since commit ec2b070143c2 "dpdk: Late
initialization"), which means we would need something constantly polling
for the status change -OR- we would need to have a way of changing gid
in response to the database change.  The second might be possible but
would require some changes in ovs-vswitchd.

>>
>> This does not change OvS+DPDK's SELinux requirements.  It still must be
>> disabled.
>>
>> Signed-off-by: Aaron Conole 
>> ---
>>  Documentation/intro/install/dpdk.rst                |  7 +++
>>  NEWS                                                |  1 +
>>  rhel/README.RHEL.rst                                | 11 +++
>>  rhel/openvswitch-fedora.spec.in                     | 13 +
>>  rhel/usr_lib_systemd_system_ovs-vswitchd.service.in |  5 +
>>  5 files changed, 37 insertions(+)
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


Re: [ovs-dev] [PATCH v4 5/5] redhat: allow dpdk to also run as non-root user

2017-08-04 Thread Russell Bryant
On Fri, Aug 4, 2017 at 1:00 PM, Aaron Conole  wrote:
> After this commit, users may start a dpdk-enabled ovs setup as a
> non-root user.  This is accomplished by exporting the $HOME directory,
> which dpdk uses to fill in its semi-persistent RTE configuration.
>
> This change may be a bit controversial since it modifies /dev/hugepages
> as part of starting the ovs-vswitchd to set a hugetlbfs group
> ownership.  This is used to enable writing to /dev/hugepages so that the
> dpdk_init will successfully complete.  There is an alternate way of
> accomplishing this - namely to initialize DPDK before dropping
> privileges.  However, this would mean that if DPDK ever grows an uninit
> / reinit function, non-root ovs likely could never use it.

Indeed ... the modifications to /dev/hugepages don't look ideal ...

If this was truly limited to when DPDK was in use, I'd feel better
about it.  We want to build a single package for OVS, right?  The
package will have DPDK enabled, even for normal uses that won't use
DPDK.  That means these modifications take place even for non-DPDK
use.  I'd feel more comfortable if it could be restricted to only when
DPDK was actually in use.  Maybe some of this logic could be moved
into ovs-ctl so that the check could be at runtime?

>
> This does not change OvS+DPDK's SELinux requirements.  It still must be
> disabled.
>
> Signed-off-by: Aaron Conole 
> ---
>  Documentation/intro/install/dpdk.rst                |  7 +++
>  NEWS                                                |  1 +
>  rhel/README.RHEL.rst                                | 11 +++
>  rhel/openvswitch-fedora.spec.in                     | 13 +
>  rhel/usr_lib_systemd_system_ovs-vswitchd.service.in |  5 +
>  5 files changed, 37 insertions(+)