[ovs-dev] [PATCH 1/1] daemon-unix: Support OVS-DPDK HW offloads for non-root user
david.marchand at redhat.com
Thu Mar 11 20:44:02 UTC 2021
On Wed, Sep 16, 2020 at 10:06 PM Aaron Conole <aconole at redhat.com> wrote:
> David Marchand <david.marchand at redhat.com> writes:
> > On Tue, Sep 15, 2020 at 12:52 PM Ameer Mahagneh <ameerm at nvidia.com> wrote:
> >> For security reasons, only root or a privileged user can allocate Interconnect
> >> Context Memory (ICM). Add this capability for vendors that require ICM
> >> allocation when applying DPDK rte flows.
> >> Signed-off-by: Ameer Mahagneh <ameerm at nvidia.com>
> >> Acked-by: Eli Britstein <elibr at nvidia.com>
> >> ---
> Why is this needed? SYS_RAWIO is extremely privileged and means that
> there is no point even in dropping privs or changing UID - the process
> with these caps is allowed to alter anything, map /dev/mem and
> /dev/kmem, etc.
> Is there really no other way of doing this? This feels somewhat like a
> security regression rather than an improvement. NOTE that we cannot
> even use an LSM to protect against this - sys_rawio is able to perform
> operations that can subvert LSMs.
I had forgotten about this patch... I was expecting someone from
Nvidia to reply but I see nothing on the ml.
I do not have the full story, but I hit an issue just yesterday and
spent today figuring this out.
For me, the impact is simple: without this capability, full
hw-offloads with mlx5 devices are unavailable with ovs running as non
The logs are not helping btw, example:
rte_flow creation failed: 1 ((null)).
Failed flow: flow create 2 ingress priority 0 group 0 transfer
pattern eth src is 0c:42:a1:00:a8:7c dst is 6a:20:8f:82:52:49 type is
0x0800 / ipv4 / end actions count / port_id original 0 id 5 / end
And OVS automatically falls back to partial offloading.
Can nvidia people explain the need for this capability and if other
options have been considered?
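As an added example (not from the patch, from OVS, or from anyone in this thread): the quickest way to confirm whether a running ovs-vswitchd really carries CAP_SYS_RAWIO after dropping to its non-root user is to decode the CapEff mask the kernel reports in /proc/<pid>/status. The script below does that in POSIX sh. The capability numbers are the ones in include/uapi/linux/capability.h; the small capability table, the function names and the sample masks are my own construction for the example and make no claim about which capabilities daemon-unix actually retains.

```shell
#!/bin/sh
# Added example: decode the CapEff bitmask from /proc/<pid>/status and flag
# CAP_SYS_RAWIO. Capability numbers per include/uapi/linux/capability.h.
CAP_NET_ADMIN=12
CAP_IPC_LOCK=14
CAP_SYS_RAWIO=17
CAP_SYS_ADMIN=21
CAP_SYS_NICE=23

# has_cap HEXMASK CAPNUM -> exit 0 when bit CAPNUM is set in HEXMASK.
# HEXMASK is the raw field from /proc/<pid>/status (e.g. 0000003fffffffff).
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# list_caps HEXMASK -> prints, space separated, which of a constructed
# subset of capabilities (the ones relevant to a dataplane daemon) are set.
list_caps() {
    names=""
    for pair in \
        CAP_NET_ADMIN:12 CAP_IPC_LOCK:14 CAP_SYS_RAWIO:17 \
        CAP_SYS_ADMIN:21 CAP_SYS_NICE:23
    do
        if has_cap "$1" "${pair##*:}"; then
            names="$names ${pair%%:*}"
        fi
    done
    printf '%s\n' "${names# }"
}

# check_pid PID -> prints the decoded effective set of PID.
# Exit status: 0 = no CAP_SYS_RAWIO, 1 = CAP_SYS_RAWIO present, 2 = unreadable.
check_pid() {
    pid=$1
    mask=$(awk '/^CapEff:/ { print $2 }' "/proc/$pid/status") || return 2
    [ -n "$mask" ] || return 2
    printf 'pid %s CapEff=%s: %s\n' "$pid" "$mask" "$(list_caps "$mask")"
    if has_cap "$mask" "$CAP_SYS_RAWIO"; then
        echo "WARNING: CAP_SYS_RAWIO is in the effective set of pid $pid"
        return 1
    fi
    return 0
}

# Usage: sh capcheck.sh "$(pidof ovs-vswitchd)"
if [ $# -gt 0 ]; then
    check_pid "$1"
fi
```

Run it against the vswitchd PID (not the ovs-ctl wrapper): a mask such as 0000000000005000 decodes to only CAP_NET_ADMIN and CAP_IPC_LOCK, while anything with bit 17 set means the daemon kept CAP_SYS_RAWIO and, as Aaron notes above, the UID change buys very little at that point. CapEff is per task, so if the daemon spawns helper threads with a different set, check the thread IDs under /proc/<pid>/task as well.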