From: Junxiao Shi
Date: Wed, 7 Dec 2022 12:48:39 -0500
Subject: Re: [PATCH v2] net/memif: change socket listener owner uid/gid
To: Ferruh Yigit
Cc: dev@dpdk.org
In-Reply-To: <7046cb75-75e7-8be6-9efc-f37b70a1f2df@amd.com>

Hi Ferruh

> On 12/7/2022 2:41 PM, Junxiao Shi wrote:
> > This allows a DPDK application running with root privilege to create a
> > memif socket listener with non-root owner uid and gid, which can be
> > connected from client applications running without root privilege.
> >
>
> Do you have an easy way to test unprivileged memif client?

This has been tested with NDN-DPDK software.
https://github.com/usnistgov/ndn-dpdk revision 311de078aa4dc3ea28db5f8858e70a1bef7b9ccd

The systemd service is running as root and it uses DPDK with the owner-uid and owner-gid args.
The ndndpdk-godemo command is running as an unprivileged process.
Directory /run/ndn still needs to be created by root.

These commands can perform a full test:

git clone https://github.com/usnistgov/ndn-dpdk.git
cd ndn-dpdk
./docs/ndndpdk-depends.sh --dpdk-patch=26031
corepack pnpm install
make
sudo make install
sudo dpdk-hugepages.py --setup 8G
sudo ndndpdk-ctrl systemd start
jq -n {} | ndndpdk-ctrl activate-forwarder
sudo mkdir -p /run/ndn
ndndpdk-godemo pingserver --name /A
ndndpdk-godemo pingclient --name /A

You can see packets flowing through.
Run `ls -l /run/ndn` and check the uid:gid of socket files too.


>
> > Signed-off-by: Junxiao Shi <git@mail1.yoursunny.com>
>
> <...>
>
> > @@ -1827,47 +1859,58 @@ rte_pmd_memif_probe(struct rte_vdev_devic= e *vdev)
> >=C2=A0 =C2=A0 =C2=A0 =C2=A0flags |=3D ETH_MEMIF_FLAG_SOCKET_ABSTRA= CT;
> >
> >=C2=A0 =C2=A0 =C2=A0 =C2=A0kvlist =3D rte_kvargs_parse(rte_vdev_de= vice_args(vdev), valid_arguments);
> > +=C2=A0 =C2=A0 =C2=A0if (kvlist =3D=3D NULL) {
> > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0MIF_LOG(ERR, &qu= ot;Invalid kvargs key");
> > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0ret =3D -EINVAL;=
> > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0goto exit;
> > +=C2=A0 =C2=A0 =C2=A0}
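Review bot: The MIF_LOG message in the new `kvlist == NULL` branch says "Invalid kvargs key", but rte_kvargs_parse() returns NULL for any parse failure, not only an unknown key, so a wording such as "Failed to parse device arguments" would be more accurate. The `exit` label is outside this hunk; confirm that its cleanup path tolerates a NULL kvlist before relying on `goto exit` here.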
>
> Thanks Junxiao for updating this, but since it is not really related to
> this patch, can you please separate it to another patch?

These are reverted and will be submitted separately in the future.