[ovs-discuss] OVS+DPDK: socket permissions' problem

Aaron Conole aconole at redhat.com
Wed Mar 22 18:21:04 UTC 2017


Aynur Shakirov <ajnur.shakirov at tionix.ru> writes:

> libvirt-qemu user and kvm group exist in my system (autocreated after libvirt package in Ubuntu):
>
> root at dpdk-compute0:/opt/build# grep qemu /etc/passwd
> libvirt-qemu:x:64055:118:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
>
> root at dpdk-compute0:/opt/build# groups libvirt-qemu
> libvirt-qemu : kvm
>
> root at dpdk-compute0:/opt/build# cat /etc/group | grep kvm
> kvm:x:118:
>
> OVS 2.7.0 doesn't write messages about permissions, but without changes for socket perms: 0000
> instead of 0666. Because of this problem OStack Ocata cannot enable vhost socket to VM even with
> root:root.

The recommended method for integrating with vhost-user sockets is for
ovs to be in client mode.  Lots of attempts were made (some even by
yours truly) to get server mode to provide this functionality, but there
ended up being too many corner cases to provide it in a secure manner.

The issue you're most likely encountering with OvS 2.7 is related to
custom patches added to Ubuntu's dpdk to provide the perms= flags.  This
also was rejected by the dpdk community, though not outright.  As such,
building ovs+dpdk from upstream means you won't get clogged up with
messages about users and permissions.  You will have to add custom
behavior to set the permissions, however.

Maybe we can resurrect these efforts, but with client mode available, I
don't see a huge reason to do so.

> On 03/22/2017 03:37 AM, Darrell Ball wrote:
>
>  From: <ovs-discuss-bounces at openvswitch.org> on behalf of Aynur Shakirov
>  <ajnur.shakirov at tionix.ru>
>  Date: Tuesday, March 21, 2017 at 6:17 AM
>  To: "ovs-discuss at openvswitch.org" <ovs-discuss at openvswitch.org>
>  Subject: [ovs-discuss] OVS+DPDK: socket permissions' problem
>
>  Hello.
>
>  Meta.
>  OVS ver: 2.7.90, today master (stp tests skipped)
>  Compiler: GCC 5.3.1, default flags
>  DPDK: 16.11.1 (from Ubuntu Cloud Archive: Ocata)
>  Env: Ubuntu 16.04.1 up-to-date.
>  Kernel: 4.8.0-41-generic
>
>  Problem. 
>  When I add a vhost-interface into bridge, OVS specifies incorrect rights for the socket:
>
>  root at dpdk-compute0:/opt/build# ovs-vsctl add-port br-ex vhost-user-1 -- set
>  Interface vhost-user-1 type=dpdkvhostuser
>
>  2017-03-21T12:09:33.436Z|00115|dpdk|INFO|VHOST_CONFIG: vhost-user server: socket
>  created, fd: 46
>  2017-03-21T12:09:33.436Z|00116|dpdk|INFO|VHOST_CONFIG: bind to
>  /var/run/openvswitch/vhost-user-1
>  2017-03-21T12:09:33.436Z|00117|dpdk|INFO|EAL: Socket
>  /var/run/openvswitch/vhost-user-1 changed permissions to ����
>  2017-03-21T12:09:33.436Z|00118|dpdk|ERR|EAL: user �ƿ not found,  aborting.
>  2017-03-21T12:09:33.436Z|00119|dpdk|ERR|EAL: vhost-user socket unable to get
>  specified user/group: �ƿ
>
>  This worked better for me. I am using similar ovs and dpdk versions, but older kernel
>  and distro 3.16.0-77-generic #99~14.04.1-Ubuntu.
>
>  .
>
>  .
>
>  2017-03-21T23:09:21.662Z|00104|netdev_dpdk|INFO|Socket
>  /usr/local/var/run/openvswitch/vhost-user-1 created for vhost-user port vhost-user-1
>
>  2017-03-21T23:09:21.662Z|00105|bridge|INFO|bridge br0: added interface vhost-user-1 on port 6
>
>  .
>
>  .
>
>  darrell at xxxx-xxxx-xxxx-server125:~/ovs/ovs_master$ ll
>  /usr/local/var/run/openvswitch/vhost-user-1 
>  srwxr-xr-x 1 root root 0 Mar 21 16:30 /usr/local/var/run/openvswitch/vhost-user-1=
>
>  However, I have the libvirt-qemu user, you seem to be missing; well, at least
>  based on the EAL logs.
>
>  darrell@ xxxx-xxxx-xxxx-server125:~/ovs/ovs_master$ cat /etc/passwd | grep libvirt
>  libvirt-qemu:x:105:109:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
>
>  darrell@ xxxx-xxxx-xxxx-server125:~/ovs/ovs_master$ groups libvirt-qemu
>  libvirt-qemu : kvm
>
>  darrell@ xxxx-xxxx-xxxx-server125:~/ovs/ovs_master$ cat /etc/group | grep kvm
>  kvm:x:109:
>
>  Debug Log is here.
>
>  For past master (2 weeks ago and with -03/march=native compiler flags) OVS was trying to
>  configure the socket owner as fdb/show.
>
>  DPDK Settings:
>
>  root at dpdk-compute0:/opt/build# ovs-vsctl --no-wait get Open_vSwitch . other_config
>  {dpdk-alloc-mem="2048", dpdk-extra="--vhost-owner libvirt-qemu:kvm --vhost-perm
>  0666", dpdk-init="true", dpdk-lcore-mask="0x1", dpdk-socket-mem="1024,0"}
>
>  OVS config:
>
>  root at dpdk-compute0:/opt/build# ovs-vsctl show
>  972154fa-857e-45e8-b56b-77e5cb6eb685
>      Manager "ptcp:6640:127.0.0.1"
>          is_connected: true
>      Bridge br-int
>          Controller "tcp:127.0.0.1:6633"
>              is_connected: true
>          fail_mode: secure
>          Port int-br-ex
>              Interface int-br-ex
>                  type: patch
>                  options: {peer=phy-br-ex}
>          Port patch-tun
>              Interface patch-tun
>                  type: patch
>                  options: {peer=patch-int}
>          Port br-int
>              Interface br-int
>                  type: internal
>      Bridge br-ex
>          Controller "tcp:127.0.0.1:6633"
>              is_connected: true
>          fail_mode: secure
>          Port "vhost-user-1"
>              Interface "vhost-user-1"
>                  type: dpdkvhostuser
>          Port phy-br-ex
>              Interface phy-br-ex
>                  type: patch
>                  options: {peer=int-br-ex}
>          Port br-ex
>              Interface br-ex
>                  type: internal
>          Port "intel_1g_1"
>              Interface "intel_1g_1"
>                  type: dpdk
>                  options: {dpdk-devargs="0000:06:00.1"}
>      Bridge br-tun
>          Controller "tcp:127.0.0.1:6633"
>              is_connected: true
>          fail_mode: secure
>          Port patch-int
>              Interface patch-int
>                  type: patch
>                  options: {peer=patch-tun}
>          Port br-tun
>              Interface br-tun
>                  type: internal
>      ovs_version: "2.7.90"
>  root at dpdk-compute0:/opt/build#
>
>  Command for port add:
>
>  root at dpdk-compute0:/opt/build# ovs-vsctl add-port br-ex vhost-user-1 -- set
>  Interface vhost-user-1 type=dpdkvhostuser
>
>  Actual socket rights after vhost create:
>
>  root at dpdk-compute0:/opt/build# ll /var/run/openvswitch/vhost-user-1 
>  s--------- 1 root root 0 Mar 21 07:14 /var/run/openvswitch/vhost-user-1=
>
>  Why is this happening? And one more question: can I enable debug logs for EAL over OVS?
>
>  Thanks for help.
>
> -- 
>
> Sincerely,
>
> Aynur Shakirov, 27.
>
> TIONIX RUS.
>
> Planet Earth, Solar System, Milky Way.
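
Added example, not part of the thread and not OVS or DPDK code: one way to implement the "custom behavior to set the permissions" mentioned in the reply, as a step run after a server-mode vhost-user socket has been created. The function names, the group-only 0660 default (instead of the 0666 requested in the thread) and the constructed mode-0000 demo socket are assumptions of this example.

```python
import os
import socket
import stat


def make_demo_socket(path):
    """Constructed stand-in for a server-mode vhost-user socket left at mode 0000."""
    old = os.umask(0o777)          # bind() creates the node as 0777 & ~umask
    try:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)
        s.close()                  # the filesystem node stays after close
    finally:
        os.umask(old)


def set_vhost_socket_perms(path, gid, mode=0o660):
    """Give `gid` access to the socket at `path`; return the resulting mode bits."""
    if mode & 0o007:
        raise ValueError("refusing a world-accessible mode: %o" % mode)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    # If other users can write the directory, they can swap the entry under us.
    if parent.st_uid not in (0, os.geteuid()) or parent.st_mode & 0o022:
        raise PermissionError("socket directory is writable by other users")
    st = os.lstat(path)            # lstat: do not follow a planted symlink
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError("%s is not a unix socket" % path)
    os.chown(path, -1, gid)        # keep the owner, change only the group
    os.chmod(path, mode)
    return stat.S_IMODE(os.lstat(path).st_mode)


if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()         # 0700 directory owned by the caller
    p = os.path.join(d, "vhost-user-1")
    make_demo_socket(p)
    print("before: %04o" % stat.S_IMODE(os.lstat(p).st_mode))
    # The current gid stands in for the kvm group so this runs unprivileged.
    print("after:  %04o" % set_vhost_socket_perms(p, os.getegid()))
```

On a real host the gid would be looked up with `grp.getgrnam("kvm").gr_gid` and the call made by the service that starts ovs-vswitchd.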

