Setting the --file-prefix argument to be unique to each user seems to be working well for my use-case. Thanks for the suggestion!

________________________________
From: Stephen Hemminger <step...@networkplumber.org>
Sent: Thursday, January 2, 2025 4:26 PM
To: Dmitry Kozlyuk <dmitry.kozl...@gmail.com>
Cc: Alex K <aikli...@hotmail.com>; users@dpdk.org <users@dpdk.org>; Burakov, Anatoly <anatoly.bura...@intel.com>
Subject: Re: Multiple Users Running DPDK Apps

On Thu, 2 Jan 2025 23:48:13 +0300
Dmitry Kozlyuk <dmitry.kozl...@gmail.com> wrote:

> 2025-01-02 19:44 (UTC+0000), Alex K:
> > Should multiple users be able to take turns running DPDK apps on the same
> > system without using sudo?
> >
> > Hugepages setup is required for multi-process support. The
> > usertools/dpdk-hugepages.py script accepts user id and group id arguments
> > when mounting hugepages directory. And I was hoping that files created in
> > this directory would be created such that they would be accessible by the
> > users in this same group. However, I'm seeing that those created hugepages
> > files get the 0600 permissions (read/write by the user only) and group
> > ownership is not set to the group specified in the dpdk-hugepages.py
> > script. So another user attempting to run DPDK apps gets a Permission
> > denied error attempting to access hugepages files.
> > Is this a bug or by design?
> > Should each user have a separate hugepages directory setup somehow?
> >
> > I'm using vfio-pci kernel module with IOMMU, DPDK 23.11.1 LTS on RHEL 9.
> > Seeing same behavior with 24.11.1 LTS. Tried to follow the instructions at:
> > https://doc.dpdk.org/guides-23.11/linux_gsg/enable_func.html#running-dpdk-applications-without-root-privileges
> >
> > Would like to understand if what I'm attempting is supported and if there's
> > anything I'm missing.
> > Thank you.
>
> Hi Alex,
>
> If you want to run independent applications as different users,
> you can use a common directory but specify different --file-prefix
> for each application (group of processes sharing hugepages).
>
> If you want to run different processes of one multi-process DPDK app as
> different users, they must use the common directory,
> so the current behavior with 0600 permissions is a blocker.
> They are set intentionally:
> http://git.dpdk.org/dpdk/commit/?id=da5d107207910fc318862579e7b588481c72c668
> Ownership is not controlled, so default open(2) semantics apply,
> but there's still no way past the disabled group-writable bit.
> If this is the case, I wonder why this is needed?
> There isn't real privilege separation if processes share hugepages,
> which particularly means that both processes have access to HW and DMA.

DPDK really wants to run on isolated CPUs with multiple users, you may also run out of available CPUs.
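
The per-user --file-prefix arrangement discussed in this thread can be checked on a shared hugepage directory with a short audit. The script below is an added example, not part of the original messages or of DPDK. It assumes hugepage backing files are named `<file-prefix>map_<N>`; the function names and the sample files are constructed for illustration.

```python
import os
import re
import stat
import tempfile
from collections import defaultdict

# Assumption: DPDK names hugepage backing files "<file-prefix>map_<N>"
# (the default prefix "rte" gives "rtemap_0").
HUGEFILE_RE = re.compile(r"^(?P<prefix>.+)map_(?P<idx>\d+)$")

def audit_hugepage_dir(path):
    """Group hugepage files by prefix; record owner uids and non-0600 files."""
    report = defaultdict(lambda: {"owners": set(), "loose": []})
    for entry in os.scandir(path):
        m = HUGEFILE_RE.match(entry.name)
        if not m or not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        info = report[m.group("prefix")]
        info["owners"].add(st.st_uid)
        # Any group/other bit means the file is reachable beyond its owner.
        if stat.S_IMODE(st.st_mode) & 0o077:
            info["loose"].append(entry.name)
    return dict(report)

def findings(report):
    """Turn the audit report into sorted, human-readable findings."""
    out = []
    for prefix, info in sorted(report.items()):
        if len(info["owners"]) > 1:
            out.append(f"{prefix}: shared by uids {sorted(info['owners'])}")
        for name in sorted(info["loose"]):
            out.append(f"{prefix}: {name} is accessible beyond its owner")
    return out

def demo():
    # Constructed sample: two prefixes in one common directory, one file
    # with group access, plus an unrelated file that must be ignored.
    sample = [("alicemap_0", 0o600), ("alicemap_1", 0o600),
              ("bobmap_0", 0o660), ("notes.txt", 0o644)]
    with tempfile.TemporaryDirectory() as d:
        for name, mode in sample:
            p = os.path.join(d, name)
            open(p, "w").close()
            os.chmod(p, mode)
        return findings(audit_hugepage_dir(d))

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Point `audit_hugepage_dir` at the mounted hugepage directory to run it against a real system; a prefix reported with more than one owner uid means two users are sharing one prefix.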