[ovs-dev] [ovs-discuss] Somebody making --user and dpdk compatible again?

Aaron Conole aconole at redhat.com
Tue Jan 26 19:06:22 UTC 2016


I should be on the discuss mailing list. Let me just state a big _YES_ I
am working on this problem from multiple facets.

Ansis Atteka <aatteka at vmware.com> writes:
> Hi,
>
>
> In fact I think we should remove any Discretionary Access Control
> (--user) and implement proper Mandatory Access Control (SELinux and
> Apparmor) support. Unless anyone can bring up a good case to keep
> and/or extend DAC feature in OVS.

There was a reason to implement it in the first place, yes? I don't know
if NetBSD has MAC, but it is still listed as a supported platform. I
know there's some kind of MAC in FreeBSD, but I don't know much else
from that perspective.

> The link you posted seems to mention Apparmor as the root cause for
> Permission Denied issue and not File Access bits - however this
> contradicts with the fact that chown helped you to get rid of the
> error.

I have a bug open to resolve this from my side, and posted patches to
get by the first hurdle
(http://openvswitch.org/pipermail/dev/2015-December/063565.html and
http://openvswitch.org/pipermail/dev/2015-December/063567.html) - but
having DPDK initialize once and then drop privileges is my ultimate goal.

> To verify this can you do:
>
> 1. ps -Af for both processes that create and connect to the socket.
>
> 2. ls -la for the socket that is getting permission denied?
>
>
> Thanks,
>
> Ansis
>
> ________________________________
> From: discuss <discuss-bounces at openvswitch.org> on behalf of Christian
> Ehrhardt <christian.ehrhardt at canonical.com>
> Sent: Monday, January 25, 2016 10:32 PM
> To: dev at openvswitch.org; discuss at openvswitch.org
> Subject: [ovs-discuss] Somebody making --user and dpdk compatible again?
>
> Hi,
> to avoid missing work that has already been done (and Google didn't
> find me anything).
> Is there already work going on to get --user and dpdk working together?
> (see http://openvswitch.org/pipermail/dev/2015-September/060382.html)

I haven't posted anything yet for the initialization piece, but I am
working on this. The problem is, DPDK wants to do things, but we may
have already dropped privileges (among other issues).

> Background:
> While setting up a vhost_user based ovs-dpdk setup I'm struggling to
> get access to the vhost user sockets from qemu/kvm due to permission
> issues.
> Various mailing list posts like
> (http://openvswitch.org/pipermail/discuss/2015-August/018553.html)
> suggest changing the user running OVS, since the sockets are
> defaulting to process user/group.
> To run OVS as different user --user seems to be the preferred way.
> But as linked above, --user has other issues with DPDK and therefore
> is mutually exclusive for now.
>
> I was able to fix the permission issue with some chown/chmod, but I
> wonder if there would be a cleaner way to do so at some point. Maybe
> eventually the approach is totally different anyway (like only
> specifying :group for the sockets to be created). But I wondered if
> that old mail thread is still worked on by somebody atm.

See the patches I linked earlier. This is my first step - get vhostuser
configurable so that a flexible permissions system can be used (i.e.: why
not have a :vhost group on the system to which ovs and qemu belong).

I'll be reposting them once I hear back on the dpdk initialization series.

> Christian Ehrhardt
> Software Engineer, Ubuntu Server
> Canonical Ltd
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
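The diagnostic Ansis asks for (ps -Af for both processes, ls -la on the socket) and the shared-group setup Aaron sketches can be worked through on a scratch socket. The script below is an added example, not code from this thread or from Open vSwitch, and it is written in Python rather than against ovs-vswitchd or QEMU. It emulates only the DAC checks that connect(2) makes on an AF_UNIX path (search permission on every directory, write permission on the socket inode); the "qemu" uid, the "vhost" group (the caller's own primary gid is used as a stand-in, since creating a group needs root) and the temporary socket directory are all constructed for the demo. If this check reports no DAC failure for the real uid/gid pair and QEMU still gets Permission denied, the remaining suspect is MAC policy (AppArmor/SELinux), which this code does not model.

```python
import os
import shutil
import socket
import stat
import tempfile


def _effective_bits(st, uid, gids):
    """Return the rwx bits (0-7) that apply to uid/gids for inode st."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def unix_socket_dac_check(path, uid, gids, top="/"):
    """Emulate the DAC checks connect(2) makes on an AF_UNIX socket path.

    Every directory from `top` down to the socket's parent needs search (x)
    permission and the socket inode itself needs write (w) permission.
    Returns a list of human-readable failures; [] means DAC would allow it.
    Assumptions: uid 0 is treated as holding CAP_DAC_OVERRIDE, and MAC policy
    (AppArmor/SELinux) is not modelled at all.
    """
    path = os.path.abspath(path)
    top = os.path.abspath(top)
    failures = []
    if uid == 0:
        return failures

    # Walk the directory chain from the socket's parent up to `top`.
    chain = []
    d = os.path.dirname(path)
    while True:
        chain.append(d)
        if d == top or os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    for d in reversed(chain):
        st = os.stat(d)
        if not _effective_bits(st, uid, gids) & 1:
            failures.append("%s: %s uid=%d gid=%d denies search (x) to uid %d"
                            % (d, stat.filemode(st.st_mode), st.st_uid,
                               st.st_gid, uid))

    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        failures.append("%s: not a socket (%s)"
                        % (path, stat.filemode(st.st_mode)))
    elif not _effective_bits(st, uid, gids) & 2:
        failures.append("%s: %s uid=%d gid=%d denies write (w) to uid %d"
                        % (path, stat.filemode(st.st_mode), st.st_uid,
                           st.st_gid, uid))
    return failures


def demo():
    """Reproduce the thread's failure and the shared-group fix on a scratch
    socket.  The qemu uid and the vhost group are constructed stand-ins."""
    d = tempfile.mkdtemp(prefix="ovs-vhost-")   # mkdtemp creates it 0700
    path = os.path.join(d, "vhost-user0")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)                           # socket mode is 0777 & ~umask
        shared_gid = os.getgid()                 # stand-in for a 'vhost' group
        qemu_uid = os.getuid() + 1               # hypothetical other user
        other_gid = shared_gid + 1               # a group "qemu" is not in

        # As created: the 0700 directory alone already denies another uid.
        before = unix_socket_dac_check(path, qemu_uid, [shared_gid], top=d)

        # The fix: directory and socket owned by the shared group, group
        # rw/x only, nothing for "other" (no world-writable socket).
        os.chown(d, -1, shared_gid)
        os.chmod(d, 0o750)
        os.chown(path, -1, shared_gid)
        os.chmod(path, 0o770)
        after_member = unix_socket_dac_check(path, qemu_uid, [shared_gid], top=d)
        after_nonmember = unix_socket_dac_check(path, qemu_uid, [other_gid], top=d)
        return {"before": before,
                "after_member": after_member,
                "after_nonmember": after_nonmember}
    finally:
        srv.close()
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for name, failures in demo().items():
        print(name, "->", failures or "OK")
```

For a real diagnosis, take uid and supplementary gids from the `ps -Af` / `id` output of the QEMU process and call unix_socket_dac_check with the default top="/" so parent directories such as /var/run/openvswitch are checked too; the demo restricts the walk to its own scratch directory only so that it does not depend on where the system's temporary directory lives.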
