From: Aaron Conole <aconole@redhat.com>
To: Alejandro Lucero <alejandro.lucero@netronome.com>
Cc: dev <dev@dpdk.org>, Adrien Mazarguil <adrien.mazarguil@6wind.com>,
stable@dpdk.org, Thomas Monjalon <thomas@monjalon.net>
Subject: Re: [dpdk-dev] [RFC 2/2] nfp: allow for non-root user
Date: Wed, 18 Apr 2018 08:32:54 -0400 [thread overview]
Message-ID: <f7tpo2wn18p.fsf@dhcp-25.97.bos.redhat.com> (raw)
In-Reply-To: <CAD+H992fiOF3ApEd_67VM9Ld=z-n=wSUQ+RHfcna27-r7g6g1g@mail.gmail.com> (Alejandro Lucero's message of "Wed, 18 Apr 2018 11:53:20 +0100")
Alejandro Lucero <alejandro.lucero@netronome.com> writes:
> On Tue, Apr 17, 2018 at 8:19 PM, Aaron Conole <aconole@redhat.com> wrote:
>
> Alejandro Lucero <alejandro.lucero@netronome.com> writes:
>
> > I was just wondering, if device device PCI sysfs resource files or VFIO group /dev files
> require to change
> > permissions for non-root users, does it not make sense to adjust also /var/lock in the
> system?
>
> For the /dev, we use udev rules - so the correct individual vfio device
> files get assigned the correct permissions. No such mechanism exists
> for /var/lock as far as I can tell.
>
> Ex. see:
>
> https://github.com/openvswitch/ovs/blob/master/rhel/usr_lib_udev_rules.d_91-vfio.rules
>
>
> Maybe something similar exists that we could use to generate the lock
> file automatically?
>
> What about /sysfs/bus/pci/device/$PCI_DEV/resource file?
>
> Is RH forcing OVS DPDK to only work if the host has IOMMU support?
Yes.
> > On Tue, Apr 17, 2018 at 4:44 PM, Alejandro Lucero
> <alejandro.lucero@netronome.com> wrote:
> >
> > I have seen that VFIO also requires explicitly to set the right permissions for non-root
> users to VFIO
> > groups under /dev/vfio.
> >
> > I assume then that running OVS or other DPDK apps as non-root is possible,
> although requiring
> > those explicit permissions changes, and therefore this patch is necessary.
> >
> > Adding stable@ and Thomas for discussing how can this be added to stable DPDK
> versions even if
> > this is not going to be a patch for current DPDK version.
> >
> > Acked-by: Alejandro Lucero <alejandro.lucero@netronome.com>
> >
> > On Fri, Apr 13, 2018 at 4:31 PM, Alejandro Lucero
> <alejandro.lucero@netronome.com> wrote:
> >
> > On Fri, Apr 13, 2018 at 2:31 PM, Aaron Conole <aconole@redhat.com> wrote:
> >
> > Alejandro Lucero <alejandro.lucero@netronome.com> writes:
> >
> > > Again, this patch is correct, but because NFP PMD needs to access
> > > /sys/bus/pci/devices/$DEVICE_PCI_STRING/resource$RESOURCE_ID, and these files
> have
> > just
> > > read/write accesses for root, I do not know if this is really necessary.
> > >
> > > Being honest, I have not used a DPDK app with NFP PMD and not being root. Does
> it
> > work
> > > with non-root users and other PMDs with same requirements regarding sysfs
> resource
> > files?
> >
> > We do run as non-root user definitely with Intel PMDs.
> >
> > I'm not very sure about other vendors, but I think mlx pmd runs as
> > non-root user (and it was modified to move off of sysfs for that
> > reason[1]).
> >
> > It is possible to not rely on sysfs resource files if device is attached to VFIO, but I
> think that is a
> > must with UIO.
> >
> >
> > I'll continue to push for more information from the testing side to find
> > out though.
> >
> > [1]: http://dpdk.org/ml/archives/dev/2018-February/090586.html
> >
> > > On Fri, Apr 13, 2018 at 12:22 AM, Aaron Conole <aconole@redhat.com> wrote:
> > >
> > > Currently, the nfp lock files are taken from the global lock file
> > > location, which will work when the user is running as root. However,
> > > some distributions and applications (notably ovs 2.8+ on RHEL/Fedora)
> > > run as a non-root user.
> > >
> > > Signed-off-by: Aaron Conole <aconole@redhat.com>
> > > ---
> > > drivers/net/nfp/nfp_nfpu.c | 23 ++++++++++++++++++-----
> > > 1 file changed, 18 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/drivers/net/nfp/nfp_nfpu.c b/drivers/net/nfp/nfp_nfpu.c
> > > index 2ed985ff4..ae2e07220 100644
> > > --- a/drivers/net/nfp/nfp_nfpu.c
> > > +++ b/drivers/net/nfp/nfp_nfpu.c
> > > @@ -18,6 +18,22 @@
> > > #define NFP_CFG_EXP_BAR 7
> > >
> > > #define NFP_CFG_EXP_BAR_CFG_BASE 0x30000
> > > +#define NFP_LOCKFILE_PATH_FMT "%s/nfp%d"
> > > +
> > > +/* get nfp lock file path (/var/lock if root, $HOME otherwise) */
> > > +static void
> > > +nspu_get_lockfile_path(char *buffer, int bufsz, nfpu_desc_t *desc)
> > > +{
> > > + const char *dir = "/var/lock";
> > > + const char *home_dir = getenv("HOME");
> > > +
> > > + if (getuid() != 0 && home_dir != NULL)
> > > + dir = home_dir;
> > > +
> > > + /* use current prefix as file path */
> > > + snprintf(buffer, bufsz, NFP_LOCKFILE_PATH_FMT, dir,
> > > + desc->nfp);
> > > +}
> > >
> > > /* There could be other NFP userspace tools using the NSP interface.
> > > * Make sure there is no other process using it and locking the access for
> > > @@ -30,9 +46,7 @@ nspv_aquire_process_lock(nfpu_desc_t *desc)
> > > struct flock lock;
> > > char lockname[30];
> > >
> > > - memset(&lock, 0, sizeof(lock));
> > > -
> > > - snprintf(lockname, sizeof(lockname), "/var/lock/nfp%d", desc->nfp);
> > > + nspu_get_lockfile_path(lockname, sizeof(lockname), desc);
> > >
> > > /* Using S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH */
> > > desc->lock = open(lockname, O_RDWR | O_CREAT, 0666);
> > > @@ -106,7 +120,6 @@ nfpu_close(nfpu_desc_t *desc)
> > > rte_free(desc->nspu);
> > > close(desc->lock);
> > >
> > > - snprintf(lockname, sizeof(lockname), "/var/lock/nfp%d", desc->nfp);
> > > - unlink(lockname);
> > > + nspu_get_lockfile_path(lockname, sizeof(lockname), desc);
> > > return 0;
> > > }
> > > --
> > > 2.14.3
next prev parent reply other threads:[~2018-04-18 12:32 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-12 22:22 [dpdk-dev] [RFC 0/2] nfp driver fixes Aaron Conole
2018-04-12 22:22 ` [dpdk-dev] [RFC 1/2] nfp: unlink the appropriate lock file Aaron Conole
2018-04-13 7:31 ` Alejandro Lucero
2018-04-13 13:24 ` Aaron Conole
2018-04-12 22:22 ` [dpdk-dev] [RFC 2/2] nfp: allow for non-root user Aaron Conole
2018-04-13 7:37 ` Alejandro Lucero
2018-04-13 13:31 ` Aaron Conole
2018-04-13 15:31 ` Alejandro Lucero
2018-04-17 15:44 ` Alejandro Lucero
2018-04-17 15:54 ` Alejandro Lucero
2018-04-17 19:19 ` Aaron Conole
2018-04-18 10:53 ` Alejandro Lucero
2018-04-18 12:32 ` Aaron Conole [this message]
2018-04-19 6:05 ` Alejandro Lucero
2018-04-20 14:12 ` [dpdk-dev] [dpdk-stable] " Ferruh Yigit
2018-04-20 14:56 ` Aaron Conole
2018-04-17 15:54 ` [dpdk-dev] " Thomas Monjalon
2018-04-17 16:24 ` Alejandro Lucero
2018-04-17 19:06 ` Thomas Monjalon
2018-04-13 7:26 ` [dpdk-dev] [RFC 0/2] nfp driver fixes Alejandro Lucero
2018-04-13 13:23 ` Aaron Conole
2018-04-13 15:36 ` Alejandro Lucero
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f7tpo2wn18p.fsf@dhcp-25.97.bos.redhat.com \
--to=aconole@redhat.com \
--cc=adrien.mazarguil@6wind.com \
--cc=alejandro.lucero@netronome.com \
--cc=dev@dpdk.org \
--cc=stable@dpdk.org \
--cc=thomas@monjalon.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).