test suite reviews and discussions
 help / color / Atom feed
* [dts] Userspace testing
@ 2020-07-29 14:34 Owen Hilyard
       [not found] ` <c70020a2-8948-dda4-bf1f-f5c29ec151b1@intel.com>
  2020-07-31  7:43 ` David Marchand
  0 siblings, 2 replies; 4+ messages in thread
From: Owen Hilyard @ 2020-07-29 14:34 UTC (permalink / raw)
  To: dts, dev; +Cc: Lincoln Lavoie

[-- Attachment #1: Type: text/plain, Size: 647 bytes --]

Hello all,

I was wondering what everyone's thoughts on doing both userspace testing
and unprivileged testing of dpdk applications is. DTS currently runs all
commands on the tester and the dut as the root user. Please correct me if
I'm wrong, but I was under the assumption that most applications written
with dpdk would not run as root. This could present a problem since it is
possible that permissions errors could arise and we wouldn't notice it due
to the way we currently test. Given that, I was wondering what should and
should not be possible as a normal (non-root) user, and what would be the
best way to go about verifying this.

Thanks

[-- Attachment #2: Type: text/html, Size: 733 bytes --]

<div dir="ltr">Hello all,<div><br></div><div>I was wondering what everyone&#39;s thoughts on doing both userspace testing and unprivileged testing of dpdk applications is. DTS currently runs all commands on the tester and the dut as the root user. Please correct me if I&#39;m wrong, but I was under the assumption that most applications written with dpdk would not run as root. This could present a problem since it is possible that permissions errors could arise and we wouldn&#39;t notice it due to the way we currently test. Given that, I was wondering what should and should not be possible as a normal (non-root) user, and what would be the best way to go about verifying this. </div><div><br></div><div>Thanks</div></div>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dts] [dpdk-dev] Userspace testing
       [not found] ` <c70020a2-8948-dda4-bf1f-f5c29ec151b1@intel.com>
@ 2020-07-30 16:54   ` " Owen Hilyard
       [not found]     ` <bbd7d9a1-09bc-3fc8-b9f1-ab9c71e6c113@intel.com>
  0 siblings, 1 reply; 4+ messages in thread
From: Owen Hilyard @ 2020-07-30 16:54 UTC (permalink / raw)
  To: Burakov, Anatoly; +Cc: dts, dev, Lincoln Lavoie

[-- Attachment #1: Type: text/plain, Size: 1978 bytes --]

Thanks for the advice.

I was wondering about the state of the "Setup VFIO permissions" option in
the setup script. It seems to just modify the character device's
permissions and then check their memory limit. Should this option also
handle the hugepages setup?

Thanks

On Wed, Jul 29, 2020 at 11:35 AM Burakov, Anatoly <anatoly.burakov@intel.com>
wrote:

> On 29-Jul-20 3:34 PM, Owen Hilyard wrote:
> > Hello all,
> >
> > I was wondering what everyone's thoughts on doing both userspace testing
> > and unprivileged testing of dpdk applications is. DTS currently runs all
> > commands on the tester and the dut as the root user. Please correct me if
> > I'm wrong, but I was under the assumption that most applications written
> > with dpdk would not run as root. This could present a problem since it is
> > possible that permissions errors could arise and we wouldn't notice it
> due
> > to the way we currently test. Given that, I was wondering what should and
> > should not be possible as a normal (non-root) user, and what would be the
> > best way to go about verifying this.
> >
> > Thanks
> >
>
> This is useful, but not everything is supposed to work with limited
> privileges. Things that definitely *won't* work are KNI and anything
> igb_uio-related. Everything VFIO should work fine, and setting up
> correct permissions for hugepages and VFIO is one of the trickier things
> that even I don't know how to do correctly off the top of my head :D
>
> An easy stopgap way of running almost everything as an unprivileged user
> is to use in-memory mode (--in-memory EAL switch); this will cause EAL
> to reserve hugepages etc. without touching the filesystem, sacrificing
> secondary process support in the process (so e.g. EAL autotest won't
> work in --in-memory mode as it relies on secondary process support).
>
> So, i would say that it would be a valuable thing to test for, but be
> aware that not everything is expected to work.
>
> --
> Thanks,
> Anatoly
>

[-- Attachment #2: Type: text/html, Size: 2509 bytes --]

<div dir="ltr"><div dir="ltr">Thanks for the advice.<br><br>I was wondering about the state of the &quot;Setup VFIO permissions&quot; option in the setup script. It seems to just modify the character device&#39;s permissions and then check their memory limit. Should this option also handle the hugepages setup?<div><br></div><div>Thanks</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jul 29, 2020 at 11:35 AM Burakov, Anatoly &lt;<a href="mailto:anatoly.burakov@intel.com">anatoly.burakov@intel.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 29-Jul-20 3:34 PM, Owen Hilyard wrote:<br>
&gt; Hello all,<br>
&gt; <br>
&gt; I was wondering what everyone&#39;s thoughts on doing both userspace testing<br>
&gt; and unprivileged testing of dpdk applications is. DTS currently runs all<br>
&gt; commands on the tester and the dut as the root user. Please correct me if<br>
&gt; I&#39;m wrong, but I was under the assumption that most applications written<br>
&gt; with dpdk would not run as root. This could present a problem since it is<br>
&gt; possible that permissions errors could arise and we wouldn&#39;t notice it due<br>
&gt; to the way we currently test. Given that, I was wondering what should and<br>
&gt; should not be possible as a normal (non-root) user, and what would be the<br>
&gt; best way to go about verifying this.<br>
&gt; <br>
&gt; Thanks<br>
&gt; <br>
<br>
This is useful, but not everything is supposed to work with limited <br>
privileges. Things that definitely *won&#39;t* work are KNI and anything <br>
igb_uio-related. Everything VFIO should work fine, and setting up <br>
correct permissions for hugepages and VFIO is one of the trickier things <br>
that even I don&#39;t know how to do correctly off the top of my head :D<br>
<br>
An easy stopgap way of running almost everything as an unprivileged user <br>
is to use in-memory mode (--in-memory EAL switch); this will cause EAL <br>
to reserve hugepages etc. without touching the filesystem, sacrificing <br>
secondary process support in the process (so e.g. EAL autotest won&#39;t <br>
work in --in-memory mode as it relies on secondary process support).<br>
<br>
So, i would say that it would be a valuable thing to test for, but be <br>
aware that not everything is expected to work.<br>
<br>
-- <br>
Thanks,<br>
Anatoly<br>
</blockquote></div></div>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dts] [dpdk-dev] Userspace testing
  2020-07-29 14:34 [dts] Userspace testing Owen Hilyard
       [not found] ` <c70020a2-8948-dda4-bf1f-f5c29ec151b1@intel.com>
@ 2020-07-31  7:43 ` David Marchand
  1 sibling, 0 replies; 4+ messages in thread
From: David Marchand @ 2020-07-31  7:43 UTC (permalink / raw)
  To: Owen Hilyard; +Cc: dts, dev, Lincoln Lavoie, Aaron Conole

On Wed, Jul 29, 2020 at 4:35 PM Owen Hilyard <ohilyard@iol.unh.edu> wrote:
> I was wondering what everyone's thoughts on doing both userspace testing
> and unprivileged testing of dpdk applications is. DTS currently runs all
> commands on the tester and the dut as the root user. Please correct me if
> I'm wrong, but I was under the assumption that most applications written
> with dpdk would not run as root. This could present a problem since it is
> possible that permissions errors could arise and we wouldn't notice it due
> to the way we currently test. Given that, I was wondering what should and
> should not be possible as a normal (non-root) user, and what would be the
> best way to go about verifying this.

That is an interesting idea.

There are things that won't work unless you give proper permissions
(vfio, hugepages) or capabilities (like for bifurcated solutions: mlx
being the first example that comes to mind).
Additionally, some distributions apply further restrictions, like
SElinux in RHEL. But on this side, I don't think it makes sense, as
selinux rules are distrib specific.

-- 
David Marchand


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dts] [dpdk-dev] Userspace testing
       [not found]     ` <bbd7d9a1-09bc-3fc8-b9f1-ab9c71e6c113@intel.com>
@ 2020-08-03 14:31       ` Owen Hilyard
  0 siblings, 0 replies; 4+ messages in thread
From: Owen Hilyard @ 2020-08-03 14:31 UTC (permalink / raw)
  To: Burakov, Anatoly; +Cc: dts, dev, Lincoln Lavoie

[-- Attachment #1: Type: text/plain, Size: 679 bytes --]

On Fri, Jul 31, 2020 at 5:12 AM Burakov, Anatoly <anatoly.burakov@intel.com>
wrote:

> On 30-Jul-20 5:54 PM, Owen Hilyard wrote:
> > Thanks for the advice.
> >
> > I was wondering about the state of the "Setup VFIO permissions" option
> > in the setup script. It seems to just modify the character device's
> > permissions and then check their memory limit. Should this option also
> > handle the hugepages setup?
>
> I was under the (mis?)impression that the hugepage setup part of the
> script did that?
>
>
It doesn't appear to set them up so that non-root users can use them. From
what I can tell it only creates the pages, but doesn't change permissions
on them in any way.

[-- Attachment #2: Type: text/html, Size: 1090 bytes --]

<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jul 31, 2020 at 5:12 AM Burakov, Anatoly &lt;<a href="mailto:anatoly.burakov@intel.com">anatoly.burakov@intel.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 30-Jul-20 5:54 PM, Owen Hilyard wrote:<br>
&gt; Thanks for the advice.<br>
&gt; <br>
&gt; I was wondering about the state of the &quot;Setup VFIO permissions&quot; option <br>
&gt; in the setup script. It seems to just modify the character device&#39;s <br>
&gt; permissions and then check their memory limit. Should this option also <br>
&gt; handle the hugepages setup?<br>
<br>
I was under the (mis?)impression that the hugepage setup part of the <br>
script did that?<br><br></blockquote><div> </div><div>It doesn&#39;t appear to set them up so that non-root users can use them. From what I can tell it only creates the pages, but doesn&#39;t change permissions on them in any way. </div></div></div>

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-29 14:34 [dts] Userspace testing Owen Hilyard
     [not found] ` <c70020a2-8948-dda4-bf1f-f5c29ec151b1@intel.com>
2020-07-30 16:54   ` [dts] [dpdk-dev] " Owen Hilyard
     [not found]     ` <bbd7d9a1-09bc-3fc8-b9f1-ab9c71e6c113@intel.com>
2020-08-03 14:31       ` Owen Hilyard
2020-07-31  7:43 ` David Marchand

test suite reviews and discussions

Archives are clonable:
	git clone --mirror http://inbox.dpdk.org/dts/0 dts/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 dts dts/ http://inbox.dpdk.org/dts \
		dts@dpdk.org
	public-inbox-index dts


Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.dts


AGPL code for this site: git clone https://public-inbox.org/ public-inbox