From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 137DEA057F for ; Tue, 28 Jun 2022 17:20:16 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 0EC7842B71; Tue, 28 Jun 2022 17:20:16 +0200 (CEST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mails.dpdk.org (Postfix) with ESMTP id AED9740042 for ; Tue, 28 Jun 2022 17:20:14 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1656429614; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=X0W/8TL/GtDBKjf4evV9ED5Y/MszPfgMqOre1HS1w9g=; b=ai1JZNLQw7Mt1zBvVfbQV//iGOW/zAI6Zo/icY6AebLBN+g0PiQGcx2e+k+Zzwo73wBite CUKSCwlxDmF+p0nFog9uuThJAeqIB4yIikeIAg+PP2GeqtNdOYMNrs+LMVGbHB18l+kFIf /mWJrnJacmhCj/yw7sXGaRyswqq7FLQ= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-331-FKiO0z3UO0G38ECQ225DEw-1; Tue, 28 Jun 2022 11:20:12 -0400 X-MC-Unique: FKiO0z3UO0G38ECQ225DEw-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id C9F2181D9E8; Tue, 28 Jun 2022 15:20:10 +0000 (UTC) Received: from rh.redhat.com (unknown [10.39.194.217]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1FCDD1415108; Tue, 28 Jun 2022 15:20:09 +0000 (UTC) From: Kevin Traynor To: Dmitry Kozlyuk Cc: Bruce Richardson , dpdk stable Subject: patch 'doc: add more instructions for running as non-root' has been queued to stable release 21.11.2 Date: Tue, 28 Jun 2022 16:19:32 +0100 Message-Id: <20220628151938.2278711-20-ktraynor@redhat.com> In-Reply-To: <20220628151938.2278711-1-ktraynor@redhat.com> References: <20220628151938.2278711-1-ktraynor@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.85 on 10.11.54.7 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=ktraynor@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII"; x-default=true X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Hi, FYI, your patch has been queued to stable release 21.11.2 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 06/30/22. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://github.com/kevintraynor/dpdk-stable This queued commit can be viewed at: https://github.com/kevintraynor/dpdk-stable/commit/dcc59bfed7bfdcf4183763fec368f5874176df4c Thanks. Kevin --- >From dcc59bfed7bfdcf4183763fec368f5874176df4c Mon Sep 17 00:00:00 2001 From: Dmitry Kozlyuk Date: Fri, 24 Jun 2022 16:19:54 +0300 Subject: [PATCH] doc: add more instructions for running as non-root [ upstream commit 979bb5d493fbbce77eaaf2b4a01ee98f93f76dd9 ] The guide to run DPDK applications as non-root in Linux did not provide specific instructions to configure the required access and did not explain why each bit is needed. The latter is important because running as non-root is one of the ways to tighten security and grant minimal permissions. Signed-off-by: Dmitry Kozlyuk Acked-by: Bruce Richardson --- doc/guides/linux_gsg/enable_func.rst | 90 +++++++++++++++++++--------- 1 file changed, 63 insertions(+), 27 deletions(-) diff --git a/doc/guides/linux_gsg/enable_func.rst b/doc/guides/linux_gsg/enable_func.rst index 25f87f6b1a..4f7a8a1522 100644 --- a/doc/guides/linux_gsg/enable_func.rst +++ b/doc/guides/linux_gsg/enable_func.rst @@ -67,11 +67,62 @@ Running DPDK Applications Without Root Privileges ------------------------------------------------- -In order to run DPDK as non-root, the following Linux filesystem objects' -permissions should be adjusted to ensure that the Linux account being used to -run the DPDK application has access to them: +The following sections describe generic requirements and configuration +for running DPDK applications as non-root. +There may be additional requirements documented for some drivers. -* All directories which serve as hugepage mount points, for example, ``/dev/hugepages`` +Hugepages +~~~~~~~~~ -* If the HPET is to be used, ``/dev/hpet`` +Hugepages must be reserved as root before running the application as non-root, +for example:: + + sudo dpdk-hugepages.py --reserve 1G + +If multi-process is not required, running with ``--in-memory`` +bypasses the need to access hugepage mount point and files within it. +Otherwise, hugepage directory must be made accessible +for writing to the unprivileged user. +A good way for managing multiple applications using hugepages +is to mount the filesystem with group permissions +and add a supplementary group to each application or container. + +One option is to use the script provided by this project:: + + export HUGEDIR=$HOME/huge-1G + mkdir -p $HUGEDIR + sudo dpdk-hugepages.py --mount --directory $HUGEDIR --user `id -u` --group `id -g` + +In production environment, the OS can manage mount points +(`systemd example `_). + +The ``hugetlb`` filesystem has additional options to guarantee or limit +the amount of memory that is possible to allocate using the mount point. +Refer to the `documentation `_. + +.. note:: + + Using ``vfio-pci`` kernel driver, if applicable, can eliminate the need + for physical addresses and therefore eliminate the permission requirements + described below. + +If the driver requires using physical addresses (PA), +the executable file must be granted additional capabilities: + +* ``SYS_ADMIN`` to read ``/proc/self/pagemaps`` +* ``IPC_LOCK`` to lock hugepages in memory + +.. code-block:: console + + setcap cap_ipc_lock,cap_sys_admin+ep + +If physical addresses are not accessible, +the following message will appear during EAL initialization:: + + EAL: rte_mem_virt2phy(): cannot open /proc/self/pagemap: Permission denied + +It is harmless in case PA are not needed. + +Resource Limits +~~~~~~~~~~~~~~~ When running as non-root user, there may be some additional resource limits @@ -88,6 +139,11 @@ The above limits can usually be adjusted by editing ``/etc/security/limits.conf`` file, and rebooting. -Additionally, depending on which kernel driver is in use, the relevant -resources also should be accessible by the user running the DPDK application. +See `Hugepage Mapping `_ +section to learn how these limits affect EAL. + +Device Control +~~~~~~~~~~~~~~ + +If the HPET is to be used, ``/dev/hpet`` permissions must be adjusted. For ``vfio-pci`` kernel driver, the following Linux file system objects' @@ -99,24 +155,4 @@ permissions should be adjusted: devices intended to be used by DPDK, for example, ``/dev/vfio/50`` -.. note:: - - The instructions below will allow running DPDK with ``igb_uio`` or - ``uio_pci_generic`` drivers as non-root with older Linux kernel versions. - However, since version 4.0, the kernel does not allow unprivileged processes - to read the physical address information from the pagemaps file, making it - impossible for those processes to be used by non-privileged users. In such - cases, using the VFIO driver is recommended. - -For ``igb_uio`` or ``uio_pci_generic`` kernel drivers, the following Linux file -system objects' permissions should be adjusted: - -* The userspace-io device files in ``/dev``, for example, ``/dev/uio0``, ``/dev/uio1``, and so on - -* The userspace-io sysfs config and resource files, for example for ``uio0``:: - - /sys/class/uio/uio0/device/config - /sys/class/uio/uio0/device/resource* - - Power Management and Power Saving Functionality ----------------------------------------------- -- 2.34.3 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2022-06-28 16:18:04.511264898 +0100 +++ 0020-doc-add-more-instructions-for-running-as-non-root.patch 2022-06-28 16:18:04.045387175 +0100 @@ -1 +1 @@ -From 979bb5d493fbbce77eaaf2b4a01ee98f93f76dd9 Mon Sep 17 00:00:00 2001 +From dcc59bfed7bfdcf4183763fec368f5874176df4c Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 979bb5d493fbbce77eaaf2b4a01ee98f93f76dd9 ] + @@ -12,2 +13,0 @@ -Cc: stable@dpdk.org - @@ -17,3 +17,2 @@ - doc/guides/linux_gsg/enable_func.rst | 90 +++++++++++++------ - .../prog_guide/env_abstraction_layer.rst | 2 + - 2 files changed, 65 insertions(+), 27 deletions(-) + doc/guides/linux_gsg/enable_func.rst | 90 +++++++++++++++++++--------- + 1 file changed, 63 insertions(+), 27 deletions(-) @@ -22 +21 @@ -index 1df3ab0255..b15bfb2f9f 100644 +index 25f87f6b1a..4f7a8a1522 100644 @@ -25 +24 @@ -@@ -14,11 +14,62 @@ Running DPDK Applications Without Root Privileges +@@ -67,11 +67,62 @@ Running DPDK Applications Without Root Privileges @@ -93 +92 @@ -@@ -35,6 +86,11 @@ The above limits can usually be adjusted by editing +@@ -88,6 +139,11 @@ The above limits can usually be adjusted by editing @@ -107 +106 @@ -@@ -46,24 +102,4 @@ permissions should be adjusted: +@@ -99,24 +155,4 @@ permissions should be adjusted: @@ -132,11 +130,0 @@ -diff --git a/doc/guides/prog_guide/env_abstraction_layer.rst b/doc/guides/prog_guide/env_abstraction_layer.rst -index 42def41e61..67842ae272 100644 ---- a/doc/guides/prog_guide/env_abstraction_layer.rst -+++ b/doc/guides/prog_guide/env_abstraction_layer.rst -@@ -229,4 +229,6 @@ Normally, these options do not need to be changed. - is enabled), and can optionally be mapped into it at startup. - -+.. _hugepage_mapping: -+ - Hugepage Mapping - ^^^^^^^^^^^^^^^^