From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 650F0A04B2 for ; Mon, 24 Aug 2020 19:08:11 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 431421B53; Mon, 24 Aug 2020 19:08:11 +0200 (CEST) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by dpdk.org (Postfix) with ESMTP id F0FDEDE3; Mon, 24 Aug 2020 19:08:08 +0200 (CEST) IronPort-SDR: yDFuvvFr6CY3q7GOVi5++rrjtzArlEm0T4hpJmVvCRK8aFH3xPUfGRAjEoOlyvcsd7fVngkahf 6Wi6IANB6GQQ== X-IronPort-AV: E=McAfee;i="6000,8403,9723"; a="173989648" X-IronPort-AV: E=Sophos;i="5.76,349,1592895600"; d="scan'208";a="173989648" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Aug 2020 10:08:08 -0700 IronPort-SDR: NocwdrnXVqB6iuBAZq3CleXFOHF6wfK/S742BfP1K5xFl560dVGXSZck1rX2PiPgkAv516vH6v Nvw4j/ny3jug== X-IronPort-AV: E=Sophos;i="5.76,349,1592895600"; d="scan'208";a="443294129" Received: from bricha3-mobl.ger.corp.intel.com ([10.252.20.200]) by orsmga004-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-SHA; 24 Aug 2020 10:08:06 -0700 Date: Mon, 24 Aug 2020 18:08:03 +0100 From: Bruce Richardson To: Anatoly Burakov Cc: dev@dpdk.org, John McNamara , Marko Kovacevic , ferruh.yigit@intel.com, padraig.j.connolly@intel.com, stable@dpdk.org Message-ID: <20200824170803.GD547@bricha3-MOBL.ger.corp.intel.com> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Subject: Re: [dpdk-stable] [PATCH 1/2] doc/linux_gsg: clarify instructions on running as non-root X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" On Mon, Aug 24, 2020 at 04:45:00PM +0100, Anatoly Burakov wrote: > The current instructions are slightly out of date when it comes to > providing information about setting up the system for using DPDK as > non-root, so update them. > > Cc: stable@dpdk.org > > Signed-off-by: Anatoly Burakov > --- > doc/guides/linux_gsg/enable_func.rst | 54 ++++++++++++++++++++-------- > 1 file changed, 39 insertions(+), 15 deletions(-) > > diff --git a/doc/guides/linux_gsg/enable_func.rst b/doc/guides/linux_gsg/enable_func.rst > index b2bda80bb7..78b0f7c012 100644 > --- a/doc/guides/linux_gsg/enable_func.rst > +++ b/doc/guides/linux_gsg/enable_func.rst > @@ -58,22 +58,34 @@ The application can then determine what action to take, if any, if the HPET is n > if any, and on what is available on the system at runtime. > > Running DPDK Applications Without Root Privileges > --------------------------------------------------------- > +------------------------------------------------- > > -.. note:: > +In order to run DPDK as non-root, the following Linux filesystem objects' > +permissions should be adjusted to ensure that the Linux account being used to > +run the DPDK application has access to them: > > - The instructions below will allow running DPDK as non-root with older > - Linux kernel versions. However, since version 4.0, the kernel does not allow > - unprivileged processes to read the physical address information from > - the pagemaps file, making it impossible for those processes to use HW > - devices which require physical addresses > +* All directories which serve as hugepage mount points, for example, ``/dev/hugepages`` > > -Although applications using the DPDK use network ports and other hardware resources directly, > -with a number of small permission adjustments it is possible to run these applications as a user other than "root". > -To do so, the ownership, or permissions, on the following Linux file system objects should be adjusted to ensure that > -the Linux user account being used to run the DPDK application has access to them: > +* If the HPET is to be used, ``/dev/hpet`` > > -* All directories which serve as hugepage mount points, for example, ``/mnt/huge`` > +When running as non-root user, there may be some additional resource limits > +that are imposed by the system. Specifically, the following resource limits may > +need to be adjusted in order to ensure normal DPDK operation: > + > +* RLIMIT_LOCKS (number of file locks that can be held by a process) > + > +* RLIMIT_NOFILE (number of open file descriptors that can be held open by a process) > + > +* RLIMIT_MEMLOCK (amount of pinned pages the process is allowed to have) > + > +The above limits can usually be adjusted by editing > +``/etc/security/limits.conf`` file, and rebooting. > + > +Additionally, depending on which kernel driver is in use, the relevant > +resources also should be accessible by the user running the DPDK application. > + > +For ``igb_uio`` or ``uio_pci_generic`` kernel drivers, the following Linux file > +system objects' permissions should be adjusted: > > * The userspace-io device files in ``/dev``, for example, ``/dev/uio0``, ``/dev/uio1``, and so on > > @@ -82,11 +94,23 @@ the Linux user account being used to run the DPDK application has access to them > /sys/class/uio/uio0/device/config > /sys/class/uio/uio0/device/resource* > > -* If the HPET is to be used, ``/dev/hpet`` > - > .. note:: > > - On some Linux installations, ``/dev/hugepages`` is also a hugepage mount point created by default. > + The instructions above will allow running DPDK with ``igb_uio`` driver as > + non-root with older Linux kernel versions. However, since version 4.0, the > + kernel does not allow unprivileged processes to read the physical address > + information from the pagemaps file, making it impossible for those > + processes to be used by non-privileged users. In such cases, using the VFIO > + driver is recommended. > + > +For ``vfio-pci`` kernel driver, the following Linux file system objects' > +permissions should be adjusted: > + > +* The VFIO device file , ``/dev/vfio/vfio`` > + > +* The directories under ``/dev/vfio`` that correspond to IOMMU group numbers of > + devices intended to be used by DPDK, for example, ``/dev/vfio/50`` > + > Since we'd very much prefer in all cases people to use VFIO, I think the VFIO instructions should come first. Otherwise the text itself reads fine to me. /Bruce