[ovs-dev] [PATCH 2/2] dpdk docs: Drop file share in libvirt config.

Aaron Conole aconole at redhat.com
Wed Apr 11 14:55:53 UTC 2018


Stephen Finucane <stephen at that.guru> writes:

> On Wed, 2018-04-11 at 09:54 -0400, Aaron Conole wrote:
>> Tiago Lam <tiago.lam at intel.com> writes:
>> 
>> > When explaining on how to add vhost-user ports to a guest, using
>> > libvirt, the following piece of configuration is used:
>> >     <disk type='dir' device='disk'>
>> >       <driver name='qemu' type='fat'/>
>> >       <source dir='/usr/src/dpdk-stable-17.11.1'/>
>> >       <target dev='vdb' bus='virtio'/>
>> >       <readonly/>
>> >     </disk>
>> > 
>> > This is used to facilitate sharing of a DPDK directory between the host
>> > and the guest. However, for this to work selinux also needs to be
>> > configured (or disabled).  Furthermore, if one is using Ubuntu, libvirtd
>> > would need to be added to complain only in AppArmor. Instead, in [1] it
>> > is advised to use wget to get the DPDK sources over the internet, which
>> > avoids this differentiation. Thus, we drop this piece of configuration
>> > here as well and keep the example configuration as simple as possible.
>> > 
>> > This has been verified on both a Fedora 27 image and a Ubuntu 16.04 LTS
>> > image.
>> > 
>> > [1] http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest
>> > 
>> > Signed-off-by: Tiago Lam <tiago.lam at intel.com>
>> > ---
>> > 
>> > CC'ed Stephen,
>> > 
>> > I took the liberty of removing your TODO from here, as I read it to be related
>> > to the (now removed) SELinux instruction below. If you think it should still be
>> > there let me know and I'll gladly send a v2.
>> 
>> I think it should remain until the selinux issues have been addressed.
>> 
>> Is there a list somewhere of the AVC denials?  Maybe it makes sense to
>> allow them.
>
> If I'm reading this correctly, Tiago is saying these exceptions only
> happen because we're sharing an arbitrary directory with the guest to
> avoid downloading the DPDK sources twice.

Okay, I guess I read the change in the section a bit differently.  If
you think it's okay, then I'm fine (I'm always happy to see a
'setenforce 0' disappear).

> Given that there's a valid
> workaround (just fetching sources twice), simply removing that section
> of the XML removes the need to disable SELinux. If so, dropping the
> warning does make sense in my mind.
>
> Stephen


More information about the dev mailing list