From: Xueming Li
To: Dmitry Kozlyuk
CC: Bruce Richardson, "dpdk stable"
Subject: patch 'doc: add more instructions for running as non-root' has been queued to stable release 20.11.6
Date: Wed, 20 Jul 2022 11:21:11 +0300
Message-ID: <20220720082132.3954126-42-xuemingl@nvidia.com>
In-Reply-To: <20220720082132.3954126-1-xuemingl@nvidia.com>
List-Id: patches for DPDK stable branches

Hi,

FYI, your patch has been queued to stable release 20.11.6

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/22/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/steevenlee/dpdk

This queued commit can be viewed at:
https://github.com/steevenlee/dpdk/commit/d4418de9d62b5bdea88f084bb431b18a93567013

Thanks.

Xueming Li

---
>From d4418de9d62b5bdea88f084bb431b18a93567013 Mon Sep 17 00:00:00 2001
From: Dmitry Kozlyuk
Date: Fri, 24 Jun 2022 16:19:54 +0300
Subject: [PATCH] doc: add more instructions for running as non-root
Cc: Xueming Li

[ upstream commit 979bb5d493fbbce77eaaf2b4a01ee98f93f76dd9 ]

The guide to run DPDK applications as non-root in Linux
did not provide specific instructions to configure the required access
and did not explain why each bit is needed.
The latter is important because running as non-root
is one of the ways to tighten security and grant minimal permissions.

Signed-off-by: Dmitry Kozlyuk
Acked-by: Bruce Richardson
--- doc/guides/linux_gsg/enable_func.rst | 90 +++++++++++++++++++--------- 1 file changed, 63 insertions(+), 27 deletions(-) diff --git a/doc/guides/linux_gsg/enable_func.rst b/doc/guides/linux_gsg/enable_func.rst index 25f87f6b1a..4f7a8a1522 100644 --- a/doc/guides/linux_gsg/enable_func.rst +++ b/doc/guides/linux_gsg/enable_func.rst 
@@ -66,13 +66,64 @@ The application can then determine what action to take, if any, if the HPET is n Running DPDK Applications Without Root Privileges ------------------------------------------------- -In order to run DPDK as non-root, the following Linux filesystem objects' -permissions should be adjusted to ensure that the Linux account being used to -run the DPDK application has access to them: +The following sections describe generic requirements and configuration +for running DPDK applications as non-root. +There may be additional requirements documented for some drivers. -* All directories which serve as hugepage mount points, for example, ``/dev/hugepages`` +Hugepages +~~~~~~~~~ -* If the HPET is to be used, ``/dev/hpet`` +Hugepages must be reserved as root before running the application as non-root, +for example:: + + sudo dpdk-hugepages.py --reserve 1G + +If multi-process is not required, running with ``--in-memory`` +bypasses the need to access hugepage mount point and files within it. +Otherwise, hugepage directory must be made accessible +for writing to the unprivileged user. +A good way for managing multiple applications using hugepages +is to mount the filesystem with group permissions +and add a supplementary group to each application or container. + +One option is to use the script provided by this project:: + + export HUGEDIR=$HOME/huge-1G + mkdir -p $HUGEDIR + sudo dpdk-hugepages.py --mount --directory $HUGEDIR --user `id -u` --group `id -g` + +In production environment, the OS can manage mount points +(`systemd example `_). + +The ``hugetlb`` filesystem has additional options to guarantee or limit +the amount of memory that is possible to allocate using the mount point. +Refer to the `documentation `_. + +.. note:: + + Using ``vfio-pci`` kernel driver, if applicable, can eliminate the need + for physical addresses and therefore eliminate the permission requirements + described below. 
+ +If the driver requires using physical addresses (PA), +the executable file must be granted additional capabilities: + +* ``SYS_ADMIN`` to read ``/proc/self/pagemaps`` +* ``IPC_LOCK`` to lock hugepages in memory + +.. code-block:: console + + setcap cap_ipc_lock,cap_sys_admin+ep + +If physical addresses are not accessible, +the following message will appear during EAL initialization:: + + EAL: rte_mem_virt2phy(): cannot open /proc/self/pagemap: Permission denied + +It is harmless in case PA are not needed. + +Resource Limits +~~~~~~~~~~~~~~~ When running as non-root user, there may be some additional resource limits that are imposed by the system. Specifically, the following resource limits may @@ -87,8 +138,13 @@ need to be adjusted in order to ensure normal DPDK operation: The above limits can usually be adjusted by editing ``/etc/security/limits.conf`` file, and rebooting. -Additionally, depending on which kernel driver is in use, the relevant -resources also should be accessible by the user running the DPDK application. +See `Hugepage Mapping `_ +section to learn how these limits affect EAL. + +Device Control +~~~~~~~~~~~~~~ + +If the HPET is to be used, ``/dev/hpet`` permissions must be adjusted. For ``vfio-pci`` kernel driver, the following Linux file system objects' permissions should be adjusted: 
@@ -98,26 +154,6 @@ permissions should be adjusted: * The directories under ``/dev/vfio`` that correspond to IOMMU group numbers of devices intended to be used by DPDK, for example, ``/dev/vfio/50`` -.. note:: - - The instructions below will allow running DPDK with ``igb_uio`` or - ``uio_pci_generic`` drivers as non-root with older Linux kernel versions. - However, since version 4.0, the kernel does not allow unprivileged processes - to read the physical address information from the pagemaps file, making it - impossible for those processes to be used by non-privileged users. In such - cases, using the VFIO driver is recommended. - -For ``igb_uio`` or ``uio_pci_generic`` kernel drivers, the following Linux file -system objects' permissions should be adjusted: - -* The userspace-io device files in ``/dev``, for example, ``/dev/uio0``, ``/dev/uio1``, and so on - -* The userspace-io sysfs config and resource files, for example for ``uio0``:: - - /sys/class/uio/uio0/device/config - /sys/class/uio/uio0/device/resource* - - Power Management and Power Saving Functionality ----------------------------------------------- -- 2.35.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2022-07-20 15:01:00.712980901 +0800 +++ 0042-doc-add-more-instructions-for-running-as-non-root.patch 2022-07-20 15:00:58.751000431 +0800 @@ -1 +1 @@ -From 979bb5d493fbbce77eaaf2b4a01ee98f93f76dd9 Mon Sep 17 00:00:00 2001 +From d4418de9d62b5bdea88f084bb431b18a93567013 Mon Sep 17 00:00:00 2001 @@ -4,0 +5,3 @@ +Cc: Xueming Li + +[ upstream commit 979bb5d493fbbce77eaaf2b4a01ee98f93f76dd9 ] @@ -12,2 +14,0 @@ -Cc: stable@dpdk.org - @@ -17,3 +18,2 @@ - doc/guides/linux_gsg/enable_func.rst | 90 +++++++++++++------ - .../prog_guide/env_abstraction_layer.rst | 2 + - 2 files changed, 65 insertions(+), 27 deletions(-) + doc/guides/linux_gsg/enable_func.rst | 90 +++++++++++++++++++--------- + 1 file changed, 63 insertions(+), 27 deletions(-) 
@@ -22 +22 @@ -index 1df3ab0255..b15bfb2f9f 100644 +index 25f87f6b1a..4f7a8a1522 100644 @@ -25 +25 @@ -@@ -13,13 +13,64 @@ Enabling Additional Functionality +@@ -66,13 +66,64 @@ The application can then determine what action to take, if any, if the HPET is n @@ -95 +95 @@ -@@ -34,8 +85,13 @@ need to be adjusted in order to ensure normal DPDK operation: +@@ -87,8 +138,13 @@ need to be adjusted in order to ensure normal DPDK operation: @@ -111 +111 @@ -@@ -45,26 +101,6 @@ permissions should be adjusted: +@@ -98,26 +154,6 @@ permissions should be adjusted: @@ -137,13 +136,0 @@ - -diff --git a/doc/guides/prog_guide/env_abstraction_layer.rst b/doc/guides/prog_guide/env_abstraction_layer.rst -index 42def41e61..67842ae272 100644 ---- a/doc/guides/prog_guide/env_abstraction_layer.rst -+++ b/doc/guides/prog_guide/env_abstraction_layer.rst -@@ -228,6 +228,8 @@ Normally, these options do not need to be changed. - can later be mapped into that preallocated VA space (if dynamic memory mode - is enabled), and can optionally be mapped into it at startup. - -+.. _hugepage_mapping: -+ - Hugepage Mapping - ^^^^^^^^^^^^^^^^
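Review bot: In the first hunk (@@ -66,13 +66,64 @@), the capability list names ``/proc/self/pagemaps`` while the EAL message quoted a few lines further down reads `/proc/self/pagemap`; the bullet should use the same file name as the message. The `setcap cap_ipc_lock,cap_sys_admin+ep` step would also benefit from one sentence saying that file capabilities set with `+ep` are gained by any user who can execute the file, so the executable's owner, group and mode should be limited to the intended account. `SYS_ADMIN` is a broad capability, and the commit message gives minimal permissions as the goal of this guide.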
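Review bot: The "See `Hugepage Mapping`" link added in the second hunk (@@ -87,8 +138,13 @@) needs its target checked on this branch, because the diff against upstream shows the `env_abstraction_layer.rst` change that adds `.. _hugepage_mapping:` was dropped from the backport. Please confirm the link resolves when the 20.11 documentation is built, or carry the label over as well. In the same hunk, "``/dev/hpet`` permissions must be adjusted" does not say which access the unprivileged user needs; naming it would match the level of detail the Hugepages section now has.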
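Review bot: The third hunk (@@ -98,26 +154,6 @@) deletes the whole ``igb_uio`` / ``uio_pci_generic`` subsection, so the guide no longer lists the objects a non-root user needs for those drivers (`/dev/uioN` and the sysfs `config` and `resource*` files), and the removed note about kernels since 4.0 restricting pagemap reads has no direct replacement apart from the capabilities paragraph. Suggest keeping a short UIO entry under "Device Control" that names those files and points to the physical-address capability requirements, or stating explicitly that non-root operation is only documented for ``vfio-pci``.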