[ovs-discuss] OVS+DPDK: socket permissions' problem

Aynur Shakirov ajnur.shakirov at tionix.ru
Mon Mar 27 06:44:47 UTC 2017


After building the deb packages of DPDK 16.11.1 without the fix-perm patch 
and adding the necessary AppArmor rules for vhost-user socket creation, my 
problem is solved.

Thanks to all.

On 03/22/2017 09:21 PM, Aaron Conole wrote:
> Aynur Shakirov <ajnur.shakirov at tionix.ru> writes:
>
>> libvirt-qemu user and kvm group exists in my system (autocreated after libvirt package in Ubuntu):
>>
>> root at dpdk-compute0:/opt/build# grep qemu /etc/passwd
>> libvirt-qemu:x:64055:118:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
>>
>> root at dpdk-compute0:/opt/build# groups libvirt-qemu
>> libvirt-qemu : kvm
>>
>> root at dpdk-compute0:/opt/build# cat /etc/group | grep kvm
>> kvm:x:118:
>>
>> OVS 2.7.0 doesn't write messages about permissions, but without changes for socket perms: 0000
>> instead of 0666. Because of this problem OStack Ocata cannot enable vhost socket to VM even with
>> root:root.
> The recommended method for integrating with vhost-user sockets is for
> ovs to be in client mode.  Lots of attempts were made (some even by
> yours truly) to get server mode to provide this functionality, but there
> ended up being too many corner cases to provide it in a secure manner.
>
> The issue you're most likely encountering with OvS 2.7 is related to
> custom patches added to Ubuntu's dpdk to provide the perms= flags.  This
> also was rejected by the dpdk community, though not outright.  As such,
> building ovs+dpdk from upstream means you won't get clogged up with
> messages about users and permissions.  You will have to add custom
> behavior to set the permissions, however.
>
> Maybe we can resurrect these efforts, but with client mode available, I
> don't see a huge reason to do so.
>
>> On 03/22/2017 03:37 AM, Darrell Ball wrote:
>>
>>   From: <ovs-discuss-bounces at openvswitch.org> on behalf of Aynur Shakirov
>>   <ajnur.shakirov at tionix.ru>
>>   Date: Tuesday, March 21, 2017 at 6:17 AM
>>   To: "ovs-discuss at openvswitch.org" <ovs-discuss at openvswitch.org>
>>   Subject: [ovs-discuss] OVS+DPDK: socket permissions' problem
>>
>>   Hello.
>>
>>   Meta.
>>   OVS ver: 2.7.90, today master (stp tests skipped)
>>   Compiler: GCC 5.3.1, default flags
>>   DPDK: 16.11.1 (from Ubuntu Cloud Archive: Ocata)
>>   Env: Ubuntu 16.04.1 up-to-date.
>>   Kernel: 4.8.0-41-generic
>>
>>   Problem.
>>   When I add a vhost-interface into the bridge, OVS specifies incorrect rights for the socket:
>>
>>   root at dpdk-compute0:/opt/build# ovs-vsctl add-port br-ex vhost-user-1 -- set
>>   Interface vhost-user-1 type=dpdkvhostuser
>>
>>   2017-03-21T12:09:33.436Z|00115|dpdk|INFO|VHOST_CONFIG: vhost-user server: socket
>>   created, fd: 46
>>   2017-03-21T12:09:33.436Z|00116|dpdk|INFO|VHOST_CONFIG: bind to
>>   /var/run/openvswitch/vhost-user-1
>>   2017-03-21T12:09:33.436Z|00117|dpdk|INFO|EAL: Socket
>>   /var/run/openvswitch/vhost-user-1 changed permissions to ����
>>   2017-03-21T12:09:33.436Z|00118|dpdk|ERR|EAL: user �ƿ not found,  aborting.
>>   2017-03-21T12:09:33.436Z|00119|dpdk|ERR|EAL: vhost-user socket unable to get
>>   specified user/group: �ƿ
>>
>>   This worked better for me. I am using similar ovs and dpdk versions, but older
>>   kernel and distro 3.16.0-77-generic #99~14.04.1-Ubuntu.
>>
>>   .
>>   .
>>   2017-03-21T23:09:21.662Z|00104|netdev_dpdk|INFO|Socket
>>   /usr/local/var/run/openvswitch/vhost-user-1 created for vhost-user port vhost-user-1
>>   2017-03-21T23:09:21.662Z|00105|bridge|INFO|bridge br0: added interface vhost-user-1 on port 6
>>   .
>>   .
>>
>>   darrell at xxxx-xxxx-xxxx-server125:~/ovs/ovs_master$ ll
>>   /usr/local/var/run/openvswitch/vhost-user-1
>>   srwxr-xr-x 1 root root 0 Mar 21 16:30 /usr/local/var/run/openvswitch/vhost-user-1=
>>
>>   However, I have the libvirt-qemu user, you seem to be missing; well, at least
>>   based on the EAL logs.
>>
>>   darrell@ xxxx-xxxx-xxxx-server125:~/ovs/ovs_master$ cat /etc/passwd | grep libvirt
>>   libvirt-qemu:x:105:109:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
>>
>>   darrell@ xxxx-xxxx-xxxx-server125:~/ovs/ovs_master$ groups libvirt-qemu
>>   libvirt-qemu : kvm
>>
>>   darrell@ xxxx-xxxx-xxxx-server125:~/ovs/ovs_master$ cat /etc/group | grep kvm
>>   kvm:x:109:
>>
>>   Debug Log is here.
>>
>>   For past master (2 weeks ago and with -03/march=native compiler flags) OVS was trying to
>>   configure the socket owner as fdb/show.
>>
>>   DPDK Settings:
>>
>>   root at dpdk-compute0:/opt/build# ovs-vsctl --no-wait get Open_vSwitch . other_config
>>   {dpdk-alloc-mem="2048", dpdk-extra="--vhost-owner libvirt-qemu:kvm --vhost-perm
>>   0666", dpdk-init="true", dpdk-lcore-mask="0x1", dpdk-socket-mem="1024,0"}
>>
>>   OVS config:
>>
>>   root at dpdk-compute0:/opt/build# ovs-vsctl show
>>   972154fa-857e-45e8-b56b-77e5cb6eb685
>>       Manager "ptcp:6640:127.0.0.1"
>>           is_connected: true
>>       Bridge br-int
>>           Controller "tcp:127.0.0.1:6633"
>>               is_connected: true
>>           fail_mode: secure
>>           Port int-br-ex
>>               Interface int-br-ex
>>                   type: patch
>>                   options: {peer=phy-br-ex}
>>           Port patch-tun
>>               Interface patch-tun
>>                   type: patch
>>                   options: {peer=patch-int}
>>           Port br-int
>>               Interface br-int
>>                   type: internal
>>       Bridge br-ex
>>           Controller "tcp:127.0.0.1:6633"
>>               is_connected: true
>>           fail_mode: secure
>>           Port "vhost-user-1"
>>               Interface "vhost-user-1"
>>                   type: dpdkvhostuser
>>           Port phy-br-ex
>>               Interface phy-br-ex
>>                   type: patch
>>                   options: {peer=int-br-ex}
>>           Port br-ex
>>               Interface br-ex
>>                   type: internal
>>           Port "intel_1g_1"
>>               Interface "intel_1g_1"
>>                   type: dpdk
>>                   options: {dpdk-devargs="0000:06:00.1"}
>>       Bridge br-tun
>>           Controller "tcp:127.0.0.1:6633"
>>               is_connected: true
>>           fail_mode: secure
>>           Port patch-int
>>               Interface patch-int
>>                   type: patch
>>                   options: {peer=patch-tun}
>>           Port br-tun
>>               Interface br-tun
>>                   type: internal
>>       ovs_version: "2.7.90"
>>   root at dpdk-compute0:/opt/build#
>>
>>   Command for port add:
>>
>>   root at dpdk-compute0:/opt/build# ovs-vsctl add-port br-ex vhost-user-1 -- set
>>   Interface vhost-user-1 type=dpdkvhostuser
>>
>>   Actual socket rights after vhost create:
>>
>>   root at dpdk-compute0:/opt/build# ll /var/run/openvswitch/vhost-user-1
>>   s--------- 1 root root 0 Mar 21 07:14 /var/run/openvswitch/vhost-user-1=
>>
>>   Why is this happening? And one more question: can I enable debug logs for EAL over OVS?
>>
>>   Thanks for help.
>>
>> -- 
>>
>> Sincerely,
>>
>> Aynur Shakirov, 27.
>>
>> TIONIX RUS.
>>
>> Planet Earth, Solar System, Milky Way.

-- 
Sincerely,
Aynur Shakirov, 26.
TIONIX RUS.
Planet Earth, Solar System, Milky Way.
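
Added example, not part of the thread or of OVS/DPDK code: a Python check of whether a VM user such as libvirt-qemu:kvm can connect to a vhost-user socket given its mode and owner, applied to the modes seen above (0000, 0755 root:root, the requested 0666) and to a narrower 0660 owned by libvirt-qemu:kvm. The function names and finding labels are hypothetical, the 0660 case is an assumption added for comparison, and the uid/gid numbers are the ones printed in the thread.

```python
import os
import socket
import stat
import tempfile

def evaluate(perm, owner_uid, owner_gid, uid, gids):
    """Findings for a socket with mode `perm`, as seen by the VM user (uid, gids)."""
    # On Linux, connect() to a pathname Unix socket needs write permission on
    # the socket inode; only the first matching class (user/group/other) counts.
    if uid == 0:
        writable = True                      # root bypasses the mode bits
    elif uid == owner_uid:
        writable = bool(perm & stat.S_IWUSR)
    elif owner_gid in gids:
        writable = bool(perm & stat.S_IWGRP)
    else:
        writable = bool(perm & stat.S_IWOTH)
    findings = []
    if not writable:
        findings.append("vm-user-cannot-connect")
    if perm & stat.S_IWOTH:
        findings.append("world-writable")    # any local user could connect
    return findings

def audit_socket(path, uid, gids):
    """lstat a vhost-user socket on disk and evaluate it for the VM user."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    perm = stat.S_IMODE(st.st_mode)
    return {"mode": f"{perm:04o}", "uid": st.st_uid, "gid": st.st_gid,
            "findings": evaluate(perm, st.st_uid, st.st_gid, uid, gids)}

def make_demo_socket(mode):
    """Constructed sample: bind a socket in a temp dir and chmod it."""
    path = os.path.join(tempfile.mkdtemp(), "vhost-user-1")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()                                # the path stays after close
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    qemu_uid, kvm_gids = 64055, {118}        # libvirt-qemu:kvm ids from the thread
    cases = [(0o000, 0, 0), (0o755, 0, 0), (0o666, 0, 0), (0o660, 64055, 118)]
    for perm, uid, gid in cases:
        print(f"{perm:04o} {uid}:{gid}", evaluate(perm, uid, gid, qemu_uid, kvm_gids))
    print(audit_socket(make_demo_socket(0o000), qemu_uid, kvm_gids))
```

Mode bits are only one layer: the VM user also needs search permission on each parent directory, and a MAC policy such as the AppArmor rules mentioned in the thread can still deny the connection.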


