[ovs-dev] [PATCH 2/2] dpdk docs: Drop file share in libvirt config.

Lam, Tiago tiago.lam at intel.com
Thu Apr 12 07:24:17 UTC 2018

On 11/04/2018 15:03, Stephen Finucane wrote:
> On Wed, 2018-04-11 at 09:54 -0400, Aaron Conole wrote:
>> Tiago Lam <tiago.lam at intel.com> writes:
>>> When explaining how to add vhost-user ports to a guest, using
>>> libvirt, the following piece of configuration is used:
>>>      <disk type='dir' device='disk'>
>>>        <driver name='qemu' type='fat'/>
>>>        <source dir='/usr/src/dpdk-stable-17.11.1'/>
>>>        <target dev='vdb' bus='virtio'/>
>>>        <readonly/>
>>>      </disk>
>>> This is used to facilitate sharing of a DPDK directory between the host
>>> and the guest. However, for this to work SELinux also needs to be
>>> configured (or disabled).  Furthermore, if one is using Ubuntu, libvirtd
>>> would need to be added to complain only in AppArmor. Instead, in [1] it
>>> is advised to use wget to get the DPDK sources over the internet, which
>>> avoids this differentiation. Thus, we drop this piece of configuration
>>> here as well and keep the example configuration as simple as possible.
>>> This has been verified on both a Fedora 27 image and an Ubuntu 16.04 LTS
>>> image.
>>> [1] http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest
>>> Signed-off-by: Tiago Lam <tiago.lam at intel.com>
>>> ---
>>> CC'ed Stephen,
>>> I took the liberty of removing your TODO from here, as I read it to be related
>>> to the (now removed) SELinux instruction below. If you think it should still be
>>> there let me know and I'll gladly send a v2.
>> I think it should remain until the SELinux issues have been addressed.
>> Is there a list somewhere of the AVC denials?  Maybe it makes sense to
>> allow them.
> If I'm reading this correctly, Tiago is saying these exceptions only
> happen because we're sharing an arbitrary directory with the guest to
> avoid downloading the DPDK sources twice. Given that there's a valid
> workaround (just fetching sources twice), simply removing that section
> of the XML removes the need to disable SELinux. If so, dropping the
> warning does make sense in my mind.
> Stephen

Thanks, Stephen. Yeah, that's what I was aiming at. In order to get the 
file sharing working properly, one must fiddle around with either 
SELinux or AppArmor, and that seems to be the sole reason why 
`setenforce 0` is there. Losing the dependency on the file sharing means 
we can lose any instructions that tell the user how to fiddle with 
either of those systems.

Just a note though, in that the user won't have to download the DPDK 
sources twice, only once. Following the guide, the user first sets up 
the vhost-user ports using libvirt, and once inside the VM he should 
follow up on running `testpmd` inside the guest [1], where he will be 
instructed to download the DPDK sources. This makes this piece of the 
docs a bit more consistent, I think.
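
An added example, not part of the original message or of the Open vSwitch docs: a small audit helper that lists the devices in a libvirt domain XML which expose a host directory to the guest, the kind of share that led to the `setenforce 0` instruction discussed above. It goes slightly beyond the thread by also reporting `<filesystem>` passthrough devices; the sample domain, its name and the image path are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain: one ordinary image disk plus the directory share
# quoted in the thread. The domain name and image path are made up.
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <name>demovm</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/demovm.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='dir' device='disk'>
      <driver name='qemu' type='fat'/>
      <source dir='/usr/src/dpdk-stable-17.11.1'/>
      <target dev='vdb' bus='virtio'/>
      <readonly/>
    </disk>
  </devices>
</domain>
"""

def find_host_dir_shares(domain_xml):
    """Return one dict per device that exposes a host directory to the guest."""
    root = ET.fromstring(domain_xml)
    findings = []
    # <disk type='dir'> is the form quoted in the thread; <filesystem> is the
    # other libvirt device type that passes a host directory through.
    for dev in root.iterfind("./devices/*"):
        if dev.tag == "disk" and dev.get("type") == "dir":
            kind = "disk"
        elif dev.tag == "filesystem":
            kind = "filesystem"
        else:
            continue
        source = dev.find("source")
        target = dev.find("target")
        findings.append({
            "kind": kind,
            "host_dir": source.get("dir") if source is not None else None,
            "guest_target": (target.get("dev") or target.get("dir"))
                            if target is not None else None,
            "readonly": dev.find("readonly") is not None,
        })
    return findings

if __name__ == "__main__":
    for f in find_host_dir_shares(SAMPLE_DOMAIN):
        mode = "read-only" if f["readonly"] else "read-write"
        print(f"{f['kind']}: host {f['host_dir']} -> guest {f['guest_target']} ({mode})")
```

An empty result means the domain definition carries no host directory share, so nothing in it calls for relaxing SELinux or AppArmor.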

