From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by dpdk.org (Postfix) with ESMTP id 0E8322C8 for ; Fri, 7 Jul 2017 17:40:48 +0200 (CEST)
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 576D4C0587D2; Fri, 7 Jul 2017 15:40:47 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 576D4C0587D2
Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=aconole@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 576D4C0587D2
Received: from dhcp-25-97.bos.redhat.com (ovpn-121-229.rdu2.redhat.com [10.10.121.229]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 7319C70494; Fri, 7 Jul 2017 15:40:44 +0000 (UTC)
From: Aaron Conole
To: dev@openvswitch.org, dev@dpdk.org
Cc: Flavio Leitner , Ansis Atteka , Timothy Redaelli
References: <20170705175634.7957-1-aconole@redhat.com>
Date: Fri, 07 Jul 2017 11:40:43 -0400
In-Reply-To: <20170705175634.7957-1-aconole@redhat.com> (Aaron Conole's message of "Wed, 5 Jul 2017 13:56:30 -0400")
Message-ID:
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Fri, 07 Jul 2017 15:40:47 +0000 (UTC)
Subject: Re: [dpdk-dev] [ovs-dev] [PATCH v2 0/4] rhel/fedora: non-root OvS out of the box
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 07 Jul 2017 15:40:48 -0000

Aaron Conole writes:
> This series attempts to introduce the ability to start and use
> Open vSwitch 'out of the box' as a non-root user. It does this by
> modifying the service files to pass the recently introduced --ovs-user
> argument around, and by making some minor tweaks to the passwd, group,
> and filesystem information.
>
> I prefixed the packaging work with 'redhat', but if rpm or packaging
> is a preferred prefix for that work, I can respin.
>
> The more controversial changes are:
>
> * This modifies the /etc/sysconfig/ file on install.
> * The dpdk support directly modifies /dev/hugepages with a call to chmod
> * A new user 'openvswitch', and up to two new groups 'openvswitch', and
>   'hugetlbfs' are created
> * A change to soexpand.pl to allow conditional inclusion of dpdk-related
>   options

An interesting development has occurred while testing this series. It seems that as part of a rowhammer mitigation, access to /proc/self/pagemap ends up being restricted. This makes DPDK break in a catastrophic way.

One way of mitigating this is to keep the CAP_SYS_ADMIN capability when DPDK is enabled (not sure whether it would be a runtime or compile-time change). This means we end up keeping many root-user level permissions that we probably shouldn't need or want. I was thinking that when DPDK is compiled in, we would keep the CAP_SYS_ADMIN for the first iteration of DB synchronization, and then drop it after calling DPDK-init. That would prevent lazy loading, or being able to turn it on without restarting the daemon (which I don't like).

Another is to say that if DPDK is enabled at compile time, just don't drop permissions at all. That approach seems really wrong, but it's a possibility.

Not sure what else can be done from the OvS side for this.

I think it could be possible to do something where before dropping privs, we cache the pagemap and then feed it to DPDK during initialization, but that will require work from the DPDK side, and I'm not sure if it actually works with DPDK (because I haven't looked into why the pagemap is being read to begin with).

So, I'm a bit stuck on this work, and asking for some opinions.

-Aaron
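The pagemap restriction Aaron describes is the kernel's rowhammer mitigation: since Linux 4.0 a process without CAP_SYS_ADMIN cannot learn the physical frame behind a virtual page from /proc/self/pagemap (4.0 and 4.1 refused to open the file; from 4.2 it opens, but the PFN field of every entry reads as zero), and DPDK's hugepage setup depends on exactly that virt-to-phys lookup. The program below is an added example, not code from the OVS patch series or from DPDK. It parses pagemap entries the way the kernel documents them, distinguishes a page that is simply not resident from one whose PFN has been hidden (the case that silently breaks DPDK, since a zero PFN looks like a valid address), and implements the "keep CAP_SYS_ADMIN through init, then drop it" step with raw capget/capset so the effect can be seen before and after. The function names, the enum and the raw-syscall capability drop are this example's own choices; it is Linux-only and needs no libcap.

```c
/* Added example (not from the OVS/DPDK patch series): shows the
 * /proc/self/pagemap behaviour discussed in the mail. Since Linux 4.0 the
 * PFN field of a pagemap entry reads as zero for callers without
 * CAP_SYS_ADMIN (the rowhammer mitigation), which is what breaks DPDK's
 * virt-to-phys lookup. classify_pagemap_entry() separates that case from
 * an unmapped page; drop_cap_sys_admin() is the "keep it for init, then
 * drop it" step, done with raw capget/capset. Linux-only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Entry layout from Documentation/admin-guide/mm/pagemap.rst */
#define PM_PFN_MASK ((1ULL << 55) - 1)  /* bits 0-54: page frame number */
#define PM_PRESENT  (1ULL << 63)        /* bit 63: page is present in RAM */

enum pagemap_state {
    PM_NOT_PRESENT, /* page not resident: nothing to translate */
    PM_PFN_HIDDEN,  /* present, but PFN is 0: caller lacks CAP_SYS_ADMIN */
    PM_OK           /* present with a usable PFN */
};

enum pagemap_state classify_pagemap_entry(uint64_t entry)
{
    if (!(entry & PM_PRESENT))
        return PM_NOT_PRESENT;
    if ((entry & PM_PFN_MASK) == 0)
        return PM_PFN_HIDDEN;
    return PM_OK;
}

/* Physical address of the byte at va, or 0 when the PFN is unavailable.
 * Returning 0 (rather than a bogus page-0 address) is the check DPDK needs
 * so that a hidden PFN fails loudly instead of corrupting its tables. */
uint64_t pagemap_entry_to_phys(uint64_t entry, uintptr_t va, long page_size)
{
    if (classify_pagemap_entry(entry) != PM_OK)
        return 0;
    return (entry & PM_PFN_MASK) * (uint64_t)page_size + (va % (uint64_t)page_size);
}

/* Read the 8-byte pagemap entry covering va. 0 on success, -1 with errno. */
int read_pagemap_entry(const void *va, uint64_t *entry)
{
    long page_size = sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return -1;
    off_t off = (off_t)((uintptr_t)va / (uintptr_t)page_size) * (off_t)sizeof(*entry);
    ssize_t n = pread(fd, entry, sizeof(*entry), off);
    close(fd);
    return n == (ssize_t)sizeof(*entry) ? 0 : -1;
}

/* Clear CAP_SYS_ADMIN from the calling thread's effective and permitted
 * sets. Removing a capability is always allowed, so this works unprivileged. */
int drop_cap_sys_admin(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    data[CAP_TO_INDEX(CAP_SYS_ADMIN)].effective &= ~CAP_TO_MASK(CAP_SYS_ADMIN);
    data[CAP_TO_INDEX(CAP_SYS_ADMIN)].permitted &= ~CAP_TO_MASK(CAP_SYS_ADMIN);
    return (int)syscall(SYS_capset, &hdr, data);
}

static const char *state_name(enum pagemap_state s)
{
    return s == PM_OK ? "ok" : s == PM_PFN_HIDDEN ? "pfn hidden (no CAP_SYS_ADMIN)"
                                                  : "not present";
}

int main(void)
{
    long page_size = sysconf(_SC_PAGESIZE);
    char *buf = malloc((size_t)page_size);
    uint64_t entry;
    memset(buf, 1, (size_t)page_size); /* touch the page so it is resident */

    if (read_pagemap_entry(buf, &entry) == 0)
        printf("before drop: %s, phys=0x%llx\n", state_name(classify_pagemap_entry(entry)),
               (unsigned long long)pagemap_entry_to_phys(entry, (uintptr_t)buf, page_size));
    else
        perror("pagemap");

    if (drop_cap_sys_admin() < 0)
        perror("capset");

    if (read_pagemap_entry(buf, &entry) == 0)
        printf("after drop:  %s\n", state_name(classify_pagemap_entry(entry)));
    free(buf);
    return 0;
}
```

Run it as root (or with CAP_SYS_ADMIN) to see the lookup succeed before the drop and report "pfn hidden" afterwards; run it unprivileged and both reads report the hidden PFN, which is the state a non-root ovs-vswitchd is in when DPDK initialises. The ordering in main is the sequence the mail proposes: translate (or cache) what DPDK needs while the capability is still held, then drop it for the lifetime of the daemon.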