From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 3545EA0524; Fri, 19 Mar 2021 18:21:54 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 0031514100E; Fri, 19 Mar 2021 18:21:53 +0100 (CET) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [63.128.21.124]) by mails.dpdk.org (Postfix) with ESMTP id 320A140143 for ; Fri, 19 Mar 2021 18:21:52 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1616174511; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=7Vywh4oesXl6X/oJKcD5Un7Btp0nqR+27jlabfe2XA8=; b=UazzFgQY0oEESzPp02Z7uvhfIrDrgOWAiqfIjUDeuhz1EMKyIwRxMaa2lJWc6Cf2x4urxp g1zn5QslX9HChnZXs6P6OlKbvCxo7ELuY6HdknQ4vQLav8dfiwM3GcXAzr/i+KXAtL19KZ aL3tqGKQn+CvujFyyyo/BhcvKvjPwO0= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-386-Dzuz3arUNIGS2N0pKp309g-1; Fri, 19 Mar 2021 13:21:48 -0400 X-MC-Unique: Dzuz3arUNIGS2N0pKp309g-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 0F7299CDA3; Fri, 19 Mar 2021 17:21:47 +0000 (UTC) Received: from localhost (ovpn-112-90.ams2.redhat.com [10.36.112.90]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0A6FE5C1D1; Fri, 19 Mar 2021 17:21:36 +0000 (UTC) Date: Fri, 19 Mar 2021 17:21:35 +0000 From: Stefan Hajnoczi To: Ilya Maximets Cc: Maxime Coquelin , Chenbo Xia , dev@dpdk.org, Adrian Moreno , Julia Suvorova , =?iso-8859-1?Q?Marc-Andr=E9?= Lureau , Daniel Berrange Message-ID: References: <20210317202530.4145673-1-i.maximets@ovn.org> MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=stefanha@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="E4jRqNQogdMITznK" Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.29 Subject: Re: [dpdk-dev] [RFC 0/4] SocketPair Broker support for vhost and virtio-user. X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" --E4jRqNQogdMITznK Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Mar 19, 2021 at 04:29:21PM +0100, Ilya Maximets wrote: > On 3/19/21 3:05 PM, Stefan Hajnoczi wrote: > > On Thu, Mar 18, 2021 at 08:47:12PM +0100, Ilya Maximets wrote: > >> On 3/18/21 6:52 PM, Stefan Hajnoczi wrote: > >>> On Wed, Mar 17, 2021 at 09:25:26PM +0100, Ilya Maximets wrote: > >>>> And some housekeeping usually required for applications in case the > >>>> socket server terminated abnormally and socket files left on a file > >>>> system: > >>>> "failed to bind to vhu: Address already in use; remove it and try a= gain" > >>> > >>> QEMU avoids this by unlinking before binding. The drawback is that us= ers > >>> might accidentally hijack an existing listen socket, but that can be > >>> solved with a pidfile. > >> > >> How exactly this could be solved with a pidfile? > >=20 > > A pidfile prevents two instances of the same service from running at th= e > > same time. > >=20 > > The same effect can be achieved by the container orchestrator, systemd, > > etc too because it refuses to run the same service twice. >=20 > Sure. I understand that. My point was that these could be 2 different > applications and they might not know which process to look for. >=20 > >=20 > >> And what if this is > >> a different application that tries to create a socket on a same path? > >> e.g. QEMU creates a socket (started in a server mode) and user > >> accidentally created dpdkvhostuser port in Open vSwitch instead of > >> dpdkvhostuserclient. This way rte_vhost library will try to bind > >> to an existing socket file and will fail. Subsequently port creation > >> in OVS will fail. We can't allow OVS to unlink files because this > >> way OVS users will have ability to unlink random sockets that OVS has > >> access to and we also has no idea if it's a QEMU that created a file > >> or it was a virtio-user application or someone else. > >=20 > > If rte_vhost unlinks the socket then the user will find that networking > > doesn't work. They can either hot unplug the QEMU vhost-user-net device > > or restart QEMU, depending on whether they need to keep the guest > > running or not. This is a misconfiguration that is recoverable. >=20 > True, it's recoverable, but with a high cost. Restart of a VM is rarely > desirable. And the application inside the guest might not feel itself > well after hot re-plug of a device that it actively used. I'd expect > a DPDK application that runs inside a guest on some virtio-net device > to crash after this kind of manipulations. Especially, if it uses some > older versions of DPDK. This unlink issue is probably something we think differently about. There are many ways for users to misconfigure things when working with system tools. If it's possible to catch misconfigurations that is preferrable. In this case it's just the way pathname AF_UNIX domain sockets work and IMO it's better not to have problems starting the service due to stale files than to insist on preventing misconfigurations. QEMU and DPDK do this differently and both seem to be successful, so =C2=AF\_(=E3=83=84)_/=C2=AF. > >=20 > > Regarding letting OVS unlink files, I agree that it shouldn't if this > > create a security issue. I don't know the security model of OVS. >=20 > In general privileges of a ovs-vswitchd daemon might be completely > different from privileges required to invoke control utilities or > to access the configuration database. SO, yes, we should not allow > that. That can be locked down by restricting the socket path to a file beneath /var/run/ovs/vhost-user/. > >=20 > >> There are, probably, ways to detect if there is any alive process that > >> has this socket open, but that sounds like too much for this purpose, > >> also I'm not sure if it's possible if actual user is in a different > >> container. > >> So I don't see a good reliable way to detect these conditions. This > >> falls on shoulders of a higher level management software or a user to > >> clean these socket files up before adding ports. > >=20 > > Does OVS always run in the same net namespace (pod) as the DPDK > > application? If yes, then abstract AF_UNIX sockets can be used. Abstrac= t > > AF_UNIX sockets don't have a filesystem path and the socket address > > disappears when there is no process listening anymore. >=20 > OVS is usually started right on the host in a main network namespace. > In case it's started in a pod, it will run in a separate container but > configured with a host network. Applications almost exclusively runs > in separate pods. Okay. > >>>> This patch-set aims to eliminate most of the inconveniences by > >>>> leveraging an infrastructure service provided by a SocketPair Broker= . > >>> > >>> I don't understand yet why this is useful for vhost-user, where the > >>> creation of the vhost-user device backend and its use by a VMM are > >>> closely managed by one piece of software: > >>> > >>> 1. Unlink the socket path. > >>> 2. Create, bind, and listen on the socket path. > >>> 3. Instantiate the vhost-user device backend (e.g. talk to DPDK/SPDK > >>> RPC, spawn a process, etc) and pass in the listen fd. > >>> 4. In the meantime the VMM can open the socket path and call connect(= 2). > >>> As soon as the vhost-user device backend calls accept(2) the > >>> connection will proceed (there is no need for sleeping). > >>> > >>> This approach works across containers without a broker. > >> > >> Not sure if I fully understood a question here, but anyway. > >> > >> This approach works fine if you know what application to run. > >> In case of a k8s cluster, it might be a random DPDK application > >> with virtio-user ports running inside a container and want to > >> have a network connection. Also, this application needs to run > >> virtio-user in server mode, otherwise restart of the OVS will > >> require restart of the application. So, you basically need to > >> rely on a third-party application to create a socket with a right > >> name and in a correct location that is shared with a host, so > >> OVS can find it and connect. > >> > >> In a VM world everything is much more simple, since you have > >> a libvirt and QEMU that will take care of all of these stuff > >> and which are also under full control of management software > >> and a system administrator. > >> In case of a container with a "random" DPDK application inside > >> there is no such entity that can help. Of course, some solution > >> might be implemented in docker/podman daemon to create and manage > >> outside-looking sockets for an application inside the container, > >> but that is not available today AFAIK and I'm not sure if it > >> ever will. > >=20 > > Wait, when you say there is no entity like management software or a > > system administrator, then how does OVS know to instantiate the new > > port? I guess something still needs to invoke ovs-ctl add-port? >=20 > I didn't mean that there is no any application that configures > everything. Of course, there is. I mean that there is no such > entity that abstracts all that socket machinery from the user's > application that runs inside the container. QEMU hides all the > details of the connection to vhost backend and presents the device > as a PCI device with a network interface wrapping from the guest > kernel. So, the application inside VM shouldn't care what actually > there is a socket connected to OVS that implements backend and > forward traffic somewhere. For the application it's just a usual > network interface. > But in case of a container world, application should handle all > that by creating a virtio-user device that will connect to some > socket, that has an OVS on the other side. >=20 > >=20 > > Can you describe the steps used today (without the broker) for > > instantiating a new DPDK app container and connecting it to OVS? > > Although my interest is in the vhost-user protocol I think it's > > necessary to understand the OVS requirements here and I know little > > about them. >=20 > I might describe some things wrong since I worked with k8s and CNI > plugins last time ~1.5 years ago, but the basic schema will look > something like this: >=20 > 1. user decides to start a new pod and requests k8s to do that > via cmdline tools or some API calls. >=20 > 2. k8s scheduler looks for available resources asking resource > manager plugins, finds an appropriate physical host and asks > local to that node kubelet daemon to launch a new pod there. >=20 > 3. kubelet asks local CNI plugin to allocate network resources > and annotate the pod with required mount points, devices that > needs to be passed in and environment variables. > (this is, IIRC, a gRPC connection. It might be a multus-cni > or kuryr-kubernetes or any other CNI plugin. CNI plugin is > usually deployed as a system DaemonSet, so it runs in a > separate pod. >=20 > 4. Assuming that vhost-user connection requested in server mode. > CNI plugin will: > 4.1 create a directory for a vhost-user socket. > 4.2 add this directory to pod annotations as a mount point. > 4.3 create a port in OVS by invoking 'ovs-vsctl port-add' or > by connecting to ovsdb-server by JSONRPC directly. > It will set port type as dpdkvhostuserclient and specify > socket-path as a path inside the directory it created. > (OVS will create a port and rte_vhost will enter the > re-connection loop since socket does not exist yet.) > 4.4 Set up socket file location as environment variable in > pod annotations. > 4.5 report success to kubelet. >=20 > 5. kubelet will finish all other preparations and resource > allocations and will ask docker/podman to start a container > with all mount points, devices and environment variables from > the pod annotation. >=20 > 6. docker/podman starts a container. > Need to mention here that in many cases initial process of > a container is not the actual application that will use a > vhost-user connection, but likely a shell that will invoke > the actual application. >=20 > 7. Application starts inside the container, checks the environment > variables (actually, checking of environment variables usually > happens in a shell script that invokes the application with > correct arguments) and creates a net_virtio_user port in server > mode. At this point socket file will be created. > (since we're running third-party application inside the container > we can only assume that it will do what is written here, it's > a responsibility of an application developer to do the right > thing.) >=20 > 8. OVS successfully re-connects to the newly created socket in a > shared directory and vhost-user protocol establishes the network > connectivity. >=20 > As you can wee, there are way too many entities and communication > methods involved. So, passing a pre-opened file descriptor from > CNI all the way down to application is not that easy as it is in > case of QEMU+LibVirt. File descriptor passing isn't necessary if OVS owns the listen socket and the application container is the one who connects. That's why I asked why dpdkvhostuser was deprecated in another email. The benefit of doing this would be that the application container can instantly connect to OVS without a sleep loop. I still don't get the attraction of the broker idea. The pros: + Overcomes the issue with stale UNIX domain socket files + Eliminates the re-connect sleep loop Neutral: * vhost-user UNIX domain socket directory container volume is replaced by broker UNIX domain socket bind mount * UNIX domain socket naming conflicts become broker key naming conflicts The cons: - Requires running a new service on the host with potential security issues - Requires support in third-party applications, QEMU, and DPDK/OVS - The old code must be kept for compatibility with non-broker configurations, especially since third-party applications may not support the broker. Developers and users will have to learn about both options and decide which one to use. This seems like a modest improvement for the complexity and effort involved. The same pros can be achieved by: * Adding unlink(2) to rte_vhost (or applications can add rm -f $PATH_TO_SOCKET to their docker-entrypoint.sh). The disadvantage is it doesn't catch a misconfiguration where the user launches two processes with the same socket path. * Reversing the direction of the client/server relationship to eliminate the re-connect sleep loop at startup. I'm unsure whether this is possible. That said, the broker idea doesn't affect the vhost-user protocol itself and is more of an OVS/DPDK topic. I may just not be familiar enough with OVS/DPDK to understand the benefits of the approach. Stefan --E4jRqNQogdMITznK--