[ovs-dev] [PATCH v4 0/3] vhost-user: Add the ability to control ownership/permissions

Mooney, Sean K sean.k.mooney at intel.com
Sat Aug 20 01:17:51 UTC 2016



> -----Original Message-----
> From: dev [mailto:dev-bounces at openvswitch.org] On Behalf Of Aaron Conole
> Sent: Saturday, August 20, 2016 12:48 AM
> To: dev at openvswitch.org; Ben Pfaff <blp at ovn.org>; Daniele Di Proietto
> <diproiettod at vmware.com>
> Subject: [ovs-dev] [PATCH v4 0/3] vhost-user: Add the ability to control
> ownership/permissions
> 
> Currently, when using Open vSwitch with DPDK and qemu guests, the
> recommended method for joining the guests is via the dpdkvhostuser interface. This
> interface uses Unix Domain sockets to communicate. When these sockets are
> created, they inherit the permissions and ownership from the vswitchd process.
> This can lead to an undesirable state where the QEMU process cannot use the
> socket file until manual intervention is performed (via `chown` and/or `chmod`
> calls).
> 
> 
> This patchset gives the ability to set the permissions and ownership of all
> dpdkvhostuser sockets from the database, avoiding the manual intervention
> required to connect QEMU and OVS via DPDK.
[Mooney, Sean K] Technically you don't need to do any manual intervention today if you
start the ovs-vswitchd process with sudo sg <qemu group> -c "umask 200; ovs-vswitchd ..",
i.e. start it with the same group as the qemu process and allow read/write access to members of the
same group.
This is how we have deployed OVS with DPDK in the networking-ovs-dpdk devstack plugin for more than 2 years.

The new parameters make this simpler though, as you no longer need to use the Linux sg and umask commands
to adjust the socket permissions of all files created by the vswitchd process. It's also likely more secure,
as the permission change is limited to the vhost-user socket files.

> 
> 
> The first patch adds chmod and chown calls to lib, with unit tests.  The second patch
> adds a hardness amplification version as described in the paper "Portably Solving
> File TOCTTOU Races with Hardness Amplification" found at
> https://www.usenix.org/legacy/event/fast08/tech/full_papers/tsafrir/tsafrir_html/index.html,
> while the third patch hooks those calls into the
> netdev_dpdk_vhost_user_construct function, after the socket is created.
> 
> 
> Changes from v3:
> * Replaced patch 2/3 with hardness amplification version.  Retested on RHEL7
>   and validated the travis builds.
> 
> Changes from v2:
> * Added a new 2nd patch to series for chmod/chown on already opened files.
>   There exist known implementations for other systems, including FreeBSD, but
>   only linux is implemented.  ENOTSUP is set when these calls fail on non-linux
>   systems.
> 
> Aaron Conole (3):
>   chutil: introduce a new change-utils lib
>   chutil: Add hardness amplification versions of chmod/chown
>   netdev-dpdk: Support user-defined socket attribs
> 
>  INSTALL.DPDK.md      |   8 +
>  configure.ac         |   2 +-
>  lib/automake.mk      |   2 +
>  lib/chutil-unix.c    | 652 +++++++++++++++++++++++++++++++++++++++++++++++++++
>  lib/chutil.h         |  36 +++
>  lib/daemon-unix.c    | 149 +-----------
>  lib/netdev-dpdk.c    |  37 +++
>  tests/automake.mk    |   2 +
>  tests/library.at     |   5 +
>  tests/test-chutil.c  | 297 +++++++++++++++++++++++
>  vswitchd/vswitch.xml |  23 ++
>  11 files changed, 1068 insertions(+), 145 deletions(-)
>  create mode 100644 lib/chutil-unix.c
>  create mode 100644 lib/chutil.h
>  create mode 100644 tests/test-chutil.c
> 
> --
> 2.5.5
> 
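Both approaches in this thread come down to the permission bits on the socket node: the sg/umask workaround sets them at bind() time, while the patchset changes them afterwards and has to guard the chmod/chown against a path being swapped between the check and the use (the TOCTTOU race the cited paper addresses). The following is an added illustration, not code from the patchset or from Open vSwitch: it binds a Unix socket under a chosen umask to show the resulting mode, then applies a chmod that repeats an lstat check/use/verify cycle K times and refuses to proceed if the path stops resolving to the same socket inode. The constant K_ROUNDS, the function names, and the exact identity check are assumptions made for the example; the real chutil code is not quoted in the message.

```python
import os
import socket
import stat
import tempfile

# Number of check/use/verify rounds. Assumed value for illustration; the
# patchset's own constant is not quoted in the message.
K_ROUNDS = 7


def create_vhost_socket(path, umask_bits):
    """Bind a Unix domain socket at `path` under the given umask and return
    the resulting permission bits. bind() creates the socket node with
    0777 & ~umask, which is the behaviour the sg/umask workaround relies on."""
    old_mask = os.umask(umask_bits)
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            sock.bind(path)
        finally:
            sock.close()
    finally:
        os.umask(old_mask)
    return stat.S_IMODE(os.lstat(path).st_mode)


def _same_socket(ref, cur):
    """True when `cur` is the same inode as `ref` and is still a socket."""
    return (ref.st_dev, ref.st_ino) == (cur.st_dev, cur.st_ino) and stat.S_ISSOCK(cur.st_mode)


def amplified_chmod(path, mode, rounds=K_ROUNDS):
    """chmod `path` only while it keeps resolving to the same socket inode.

    chmod() follows symlinks, so a path swapped between the lstat() check and
    the chmod() use could redirect the mode change to another file. Repeating
    check/use/verify `rounds` times, and requiring every lstat() to agree on
    (st_dev, st_ino) and on the node being a socket, means the race has to be
    won every single round. This models the K-race idea from the Tsafrir et
    al. paper the cover letter cites; it is an illustration, not chutil."""
    ref = os.lstat(path)  # lstat() does not follow symlinks
    if not stat.S_ISSOCK(ref.st_mode):
        raise OSError(f"{path} is not a socket")
    for _ in range(rounds):
        before = os.lstat(path)
        if not _same_socket(ref, before):
            raise OSError(f"{path} changed identity before chmod")
        os.chmod(path, mode)
        after = os.lstat(path)
        if not _same_socket(ref, after):
            raise OSError(f"{path} changed identity after chmod")
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Exercise both helpers on constructed paths in a temporary directory
    and return the observed results as a dict."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "vhost0")  # constructed sample path
        # umask 022: owner rwx, group/other r-x. A QEMU process running under
        # another uid in the same group has no write bit and cannot connect.
        results["mode_umask_022"] = create_vhost_socket(sock_path, 0o022)
        # Explicit mode change, as the new database knobs would request.
        results["mode_after_chmod"] = amplified_chmod(sock_path, 0o660)

        # A symlink pointing at the socket is rejected: lstat() reports a
        # link, not a socket, so the identity check fails before any chmod.
        link_path = os.path.join(tmp, "vhost0.link")
        os.symlink(sock_path, link_path)
        try:
            amplified_chmod(link_path, 0o666)
            results["symlink_rejected"] = False
        except OSError:
            results["symlink_rejected"] = True
        # The real socket keeps the mode set earlier.
        results["mode_unchanged"] = stat.S_IMODE(os.lstat(sock_path).st_mode)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value if isinstance(value, bool) else oct(value))
```

Run it directly to see the four results; the symlink case is the one worth noting, since a plain `os.chmod()` on that path would have followed the link and changed whatever it pointed at.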

