[ovs-dev] [PATCH v3 6/6] redhat: allow dpdk to also run as non-root user
Sergio Gonzalez Monroy
sergio.gonzalez.monroy at intel.com
Wed Aug 2 14:02:42 UTC 2017
Hi Aaron,
On 01/08/2017 23:05, Aaron Conole wrote:
> After this commit, users may start a dpdk-enabled ovs setup as a
> non-root user. This is accomplished by exporting the $HOME directory,
> which dpdk uses to fill in its semi-persistent RTE configuration.
>
> This change may be a bit controversial since it modifies /dev/hugepages
> as part of starting the ovs-vswitchd to set a hugetlbfs group
> ownership. This is used to enable writing to /dev/hugepages so that the
> dpdk_init will successfully complete. There is an alternate way of
> accomplishing this - namely to initialize DPDK before dropping
> privileges. However, this would mean that if DPDK ever grows an uninit
> / reinit function, non-root ovs likely could never use it.
>
> This does not change OvS+DPDK's SELinux requirements. It still must be
> disabled.
>
> Signed-off-by: Aaron Conole <aconole at redhat.com>
> ---
Instead of modifying /dev/hugepages, what about creating a hugetlbfs
mount point for OvS? You could then point DPDK to use that specific
mount (--huge-dir).
The only downside I can think of for this approach is that OvS would be
fixed to use a single size (either 2MB or 1GB whatever the mount point
is set to).
Without specifying the mount point directory, DPDK could use both
hugepage sizes.
Could you elaborate on the OvS+DPDK's SELinux requirements?
Quick summary of DPDK privileged/unprivileged user (assuming the
unprivileged user has permissions for hugepage allocation):
- if all devices are bound to vfio-pci driver (thus IOMMU enabled
system), then the DPDK can run as unprivileged user. This is the
recommended mode if possible.
- if any device is bound to igb_uio/uio_pci_generic (likely scenario
when running in VMs), then the DPDK needs privileged user to be able to
read each hugepage physical address from /proc/self/pagemap.
Thanks,
Sergio
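As an added illustration of the last point in the reply (not code from this thread, from DPDK or from Open vSwitch): the script below reads /proc/self/pagemap the way a uio-backed DPDK must for every hugepage in order to learn its physical address. The entry layout follows the kernel's pagemap documentation; on modern kernels a caller without CAP_SYS_ADMIN sees the PFN field as zero, so the lookup returns None, which is the privilege requirement the reply describes. Probing an ordinary anonymous page instead of a hugepage, and the default page size, are assumptions made so the script runs without any hugetlbfs setup; the sample pagemap entries used for checking are constructed.

```python
"""Resolve a virtual address to a physical one via /proc/self/pagemap.

Added example (not from the ovs-dev thread, DPDK or Open vSwitch).
A DPDK process using igb_uio/uio_pci_generic does this for each hugepage;
without CAP_SYS_ADMIN the kernel reports PFN 0, so the lookup cannot work.
Entry layout: Documentation/admin-guide/mm/pagemap.rst.
"""
import ctypes
import mmap
import os

PAGEMAP_ENTRY_SIZE = 8
PFN_MASK = (1 << 55) - 1        # bits 0-54: page frame number (0 when hidden)
BIT_SOFT_DIRTY = 1 << 55
BIT_EXCLUSIVE = 1 << 56         # page is exclusively mapped
BIT_SWAPPED = 1 << 62
BIT_PRESENT = 1 << 63


def make_pagemap_entry(pfn, present=True, swapped=False):
    """Build a raw 8-byte entry; only used to construct sample input."""
    val = (pfn & PFN_MASK)
    val |= BIT_PRESENT if present else 0
    val |= BIT_SWAPPED if swapped else 0
    return val.to_bytes(PAGEMAP_ENTRY_SIZE, "little")


def decode_pagemap_entry(raw):
    """Decode one little-endian 64-bit pagemap entry into its fields."""
    if len(raw) != PAGEMAP_ENTRY_SIZE:
        raise ValueError("pagemap entry must be exactly 8 bytes")
    val = int.from_bytes(raw, "little")
    return {
        "present": bool(val & BIT_PRESENT),
        "swapped": bool(val & BIT_SWAPPED),
        "exclusive": bool(val & BIT_EXCLUSIVE),
        "soft_dirty": bool(val & BIT_SOFT_DIRTY),
        "pfn": val & PFN_MASK,
    }


def virt_to_phys(entry, vaddr, page_size):
    """Physical address of vaddr, or None when the page is absent, swapped,
    or the kernel hid the PFN (it reads as 0 for unprivileged callers)."""
    if not entry["present"] or entry["swapped"] or entry["pfn"] == 0:
        return None
    return entry["pfn"] * page_size + (vaddr % page_size)


def lookup_phys(vaddr, page_size=None):
    """Read the live pagemap entry for vaddr.
    Returns (entry, phys); (None, None) if /proc/self/pagemap is unreadable."""
    page_size = page_size or mmap.PAGESIZE
    try:
        fd = os.open("/proc/self/pagemap", os.O_RDONLY)
    except OSError:
        return None, None
    try:
        offset = (vaddr // page_size) * PAGEMAP_ENTRY_SIZE
        raw = os.pread(fd, PAGEMAP_ENTRY_SIZE, offset)
    except OSError:
        return None, None
    finally:
        os.close(fd)
    if len(raw) != PAGEMAP_ENTRY_SIZE:
        return None, None
    entry = decode_pagemap_entry(raw)
    return entry, virt_to_phys(entry, vaddr, page_size)


def probe_anonymous_page():
    """Map one page, fault it in and resolve it the way a uio-backed DPDK
    resolves each hugepage. A normal page is used (assumption) so this runs
    without any hugetlbfs mount or hugepage reservation."""
    buf = mmap.mmap(-1, mmap.PAGESIZE)          # anonymous, writable mapping
    buf.write(b"\x01")                           # touch it so it is present
    vaddr = ctypes.addressof(ctypes.c_char.from_buffer(buf))
    entry, phys = lookup_phys(vaddr)
    return {"vaddr": vaddr, "entry": entry, "phys": phys,
            "euid_root": os.geteuid() == 0}


if __name__ == "__main__":
    r = probe_anonymous_page()
    present = r["entry"]["present"] if r["entry"] else None
    pfn = r["entry"]["pfn"] if r["entry"] else None
    print(f"vaddr=0x{r['vaddr']:x} present={present} pfn={pfn} "
          f"phys={r['phys']} euid_root={r['euid_root']}")
```

Run it twice, once as an ordinary user and once as root: the page is present in both cases, but only the privileged run reports a non-zero PFN and therefore a physical address. With vfio-pci the IOMMU translates IOVAs for the device, so this lookup is not needed at all, which is why that is the mode that lets the daemon drop root.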
> Documentation/intro/install/dpdk.rst | 7 +++++++
> NEWS | 1 +
> rhel/README.RHEL.rst | 11 +++++++++++
> rhel/openvswitch-fedora.spec.in | 13 +++++++++++++
> rhel/usr_lib_systemd_system_ovs-vswitchd.service.in | 5 +++++
> 5 files changed, 37 insertions(+)
>
> diff --git a/Documentation/intro/install/dpdk.rst b/Documentation/intro/install/dpdk.rst
> index a05aa1a..0585c6a 100644
> --- a/Documentation/intro/install/dpdk.rst
> +++ b/Documentation/intro/install/dpdk.rst
> @@ -134,6 +134,13 @@ has to be configured with DPDK support (``--with-dpdk``).
>
> Additional information can be found in :doc:`general`.
>
> +.. note::
> + If you are running using the Fedora or Red Hat package, the Open vSwitch
> + daemon will run as a non-root user. This implies that you must have a
> + working IOMMU. Visit the `RHEL README`__ for additional information.
> +
> +__ https://github.com/openvswitch/ovs/blob/master/rhel/README.RHEL.rst
> +
> Setup
> -----
>
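Review bot: the new note in dpdk.rst says a working IOMMU is required but not why, and it omits the SELinux requirement stated in the commit message. Suggest spelling out that the packaged daemon runs unprivileged, so NICs must be bound to vfio-pci (the uio drivers need root to read physical addresses from /proc/self/pagemap), that SELinux must be disabled for OvS+DPDK, and how to revert, e.g. "Set OVS_USER_ID to root:root in /etc/sysconfig/openvswitch to run as root again."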
> diff --git a/NEWS b/NEWS
> index facea02..095272a 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -64,6 +64,7 @@ Post-v2.7.0
> * OpenFlow 1.5 packet-out is now supported.
> - Fedora Packaging:
> * OVN services are no longer restarted automatically after upgrade.
> + * ovs-vswitchd and ovsdb-server run as non-root users by default.
> - Add --cleanup option to command 'ovs-appctl exit' (see ovs-vswitchd(8)).
> - L3 tunneling:
> * Use new tunnel port option "packet_type" to configure L2 vs. L3.
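Review bot: the NEWS line covers the non-root daemons but not the DPDK-specific behaviour this patch introduces, namely that a hugetlbfs group is created, the openvswitch user is added to it, and /dev/hugepages is chgrp'd and made group-writable on every ovs-vswitchd start. Since that modifies a system directory the package does not own, give it its own bullet under Fedora Packaging, e.g. "* With DPDK enabled, /dev/hugepages is group-owned by hugetlbfs with mode 0775."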
> diff --git a/rhel/README.RHEL.rst b/rhel/README.RHEL.rst
> index 1845e8f..5f7a99a 100644
> --- a/rhel/README.RHEL.rst
> +++ b/rhel/README.RHEL.rst
> @@ -337,6 +337,17 @@ running. All other commands where executed when Open vSwitch was successfully
> running.
>
>
> +Non-root User Support
> +-----------------------
> +Fedora and RHEL support running the Open vSwitch daemons as a non-root user.
> +By default, a fresh installation will create an *openvswitch* user, along
> +with any additional support groups needed (such as *hugetlbfs* for DPDK
> +support).
> +
> +This is controlled by modifying the ``OVS_USER_ID`` option. Setting this
> +to 'root:root', or commenting the variable out will revert this behavior.
> +
> +
> Reporting Bugs
> --------------
>
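Review bot: the Non-root User Support section says that setting OVS_USER_ID to root:root or commenting it out reverts the behaviour, but the chown/chmod of /dev/hugepages in the unit file runs regardless of OVS_USER_ID, so the group ownership and 0775 mode on /dev/hugepages are not reverted. Document that side effect here, and state that for DPDK the user in OVS_USER_ID must be a member of the hugetlbfs group (the spec only arranges this on a fresh install), otherwise dpdk_init cannot write its files there.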
> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
> index 959aa2e..ccf6ea0 100644
> --- a/rhel/openvswitch-fedora.spec.in
> +++ b/rhel/openvswitch-fedora.spec.in
> @@ -95,6 +95,10 @@ Requires: openssl hostname iproute module-init-tools
> Requires(post): /usr/bin/getent
> Requires(post): /usr/sbin/useradd
> Requires(post): /usr/bin/sed
> +%if %{with dpdk}
> +Requires(post): /usr/sbin/usermod
> +Requires(post): /usr/sbin/groupadd
> +%endif
> Requires(post): systemd-units
> Requires(preun): systemd-units
> Requires(postun): systemd-units
> @@ -370,6 +374,15 @@ if [ $1 -eq 1 ]; then
>
> sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch
>
> +%if %{with dpdk}
> + getent group hugetlbfs >/dev/null || \
> + groupadd hugetlbfs
> + usermod -a -G hugetlbfs openvswitch
> + sed -i \
> + 's at OVS_USER_ID="openvswitch:openvswitch"@OVS_USER_ID="openvswitch:hugetlbfs"@'\
> + /etc/sysconfig/openvswitch
> +%endif
> +
> # In the case of upgrade, this is not needed.
> chown -R openvswitch:openvswitch /etc/openvswitch
> fi
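Review bot: the hugetlbfs group creation and `usermod -a -G hugetlbfs openvswitch` sit inside the `$1 -eq 1` branch, so a host upgrading from an earlier package never gets the group, while the unit's `chown :hugetlbfs /dev/hugepages` runs on every start and fails without it. Run the getent/groupadd/usermod lines on upgrade as well, and create a system group (`groupadd -r hugetlbfs`) rather than a regular one. The final sed also only matches the literal `OVS_USER_ID="openvswitch:openvswitch"`; if the value left by the uncommenting sed above differs, the daemon starts with the openvswitch group and has no write access to /dev/hugepages, so it is worth matching on the key alone rather than the full key=value string.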
> diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
> index 9aff70b..bf0f058 100644
> --- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
> +++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
> @@ -10,8 +10,13 @@ PartOf=openvswitch.service
> [Service]
> Type=forking
> Restart=on-failure
> +Environment=HOME=/var/run/openvswitch
> EnvironmentFile=/etc/openvswitch/default.conf
> EnvironmentFile=-/etc/sysconfig/openvswitch
> + at begin_dpdk@
> +ExecStartPre=/usr/bin/chown :hugetlbfs /dev/hugepages
> +ExecStartPre=/usr/bin/chmod 0775 /dev/hugepages
> + at end_dpdk@
> ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
> --no-ovsdb-server --no-monitor --system-id=random \
> --ovs-user=${OVS_USER_ID} \
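Review bot: the two ExecStartPre lines change the shared /dev/hugepages unconditionally, even when OVS_USER_ID has been set back to root:root, make every member of hugetlbfs able to allocate from the system-wide hugepage pool, and fail the unit if the hugetlbfs group does not exist (see the upgrade case in the spec). A dedicated hugetlbfs mount for OvS, as suggested in the reply, avoids re-owning the shared directory; if the chown/chmod are kept, gate them on the DPDK user actually being non-root and consider `ExecStartPre=-/usr/bin/chown :hugetlbfs /dev/hugepages` so a missing group does not block startup. The `Environment=HOME=/var/run/openvswitch` line is placed before the EnvironmentFile= lines, so a HOME in /etc/sysconfig/openvswitch overrides it; that is probably intended but deserves a comment in the unit.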