From: "Xueming(Steven) Li"
To: Dmitry Kozlyuk, "stable@dpdk.org"
CC: Bruce Richardson
Subject: RE: [PATCH 20.11] doc: add more instructions for running as non-root
Date: Tue, 9 Aug 2022 15:09:00 +0000
References: <20220801121924.2631663-1-dkozlyuk@nvidia.com>
In-Reply-To: <20220801121924.2631663-1-dkozlyuk@nvidia.com>

> -----Original Message-----
> From: Dmitry Kozlyuk
> Sent: Monday, August 1, 2022 8:19 PM
> To: stable@dpdk.org
> Cc: Xueming(Steven) Li; Bruce Richardson
> Subject: [PATCH 20.11] doc: add more instructions for running as non-root
>
> [ upstream commit 979bb5d493fbbce77eaaf2b4a01ee98f93f76dd9 ]
>
> The guide to run DPDK applications as non-root in Linux did not provide specific instructions to configure the required access and did not
> explain why each bit is needed.
> The latter is important because running as non-root is one of the ways to tighten security and grant minimal permissions.
>
> Signed-off-by: Dmitry Kozlyuk
> Acked-by: Bruce Richardson
> ---
> Upstream commit references things missing from 21.11:

Maybe this is the root cause that the patch can't merge, please retry with 20.11:
https://github.com/steevenlee/dpdk
Branch: 20.11

> new dpdk-hugepages.py options and memory mapping documentation.
> The script call replaced with a direct mount command.
> Documentation reference is dropped as non-essential.
>
> doc/guides/linux_gsg/enable_func.rst | 85 +++++++++++++++++++---------
> 1 file changed, 58 insertions(+), 27 deletions(-)
>
> diff --git a/doc/guides/linux_gsg/enable_func.rst b/doc/guides/linux_gsg/= enable_func.rst > index 25f87f6b1a..7538d04d97 100644 > --- a/doc/guides/linux_gsg/enable_func.rst > +++ b/doc/guides/linux_gsg/enable_func.rst 
> @@ -66,13 +66,62 @@ The application can then determine what action to tak= e, if any, if the HPET is n Running DPDK Applications Without > Root Privileges > ------------------------------------------------- >=20 > -In order to run DPDK as non-root, the following Linux filesystem objects= ' > -permissions should be adjusted to ensure that the Linux account being us= ed to -run the DPDK application has access to them: > +The following sections describe generic requirements and configuration > +for running DPDK applications as non-root. > +There may be additional requirements documented for some drivers. >=20 > -* All directories which serve as hugepage mount points, for example, `= `/dev/hugepages`` > +Hugepages > +~~~~~~~~~ >=20 > -* If the HPET is to be used, ``/dev/hpet`` > +Hugepages must be reserved as root before running the application as > +non-root, for example:: > + > + sudo dpdk-hugepages.py --reserve 1G > + > +If multi-process is not required, running with ``--in-memory`` bypasses > +the need to access hugepage mount point and files within it. > +Otherwise, hugepage directory must be made accessible for writing to > +the unprivileged user. > +A good way for managing multiple applications using hugepages is to > +mount the filesystem with group permissions and add a supplementary > +group to each application or container. > + > +One option is to mount manually:: > + > + mount -t hugetlbfs -o pagesize=3D1G,uid=3D`id -u`,gid=3D`id -g` nodev > + $HOME/huge-1G > + > +In production environment, the OS can manage mount points (`systemd > +example `_). > + > +The ``hugetlb`` filesystem has additional options to guarantee or limit > +the amount of memory that is possible to allocate using the mount point. > +Refer to the `documentation `_. > + > +.. note:: > + > + Using ``vfio-pci`` kernel driver, if applicable, can eliminate the ne= ed > + for physical addresses and therefore eliminate the permission require= ments > + described below. 
> + > +If the driver requires using physical addresses (PA), the executable > +file must be granted additional capabilities: > + > +* ``SYS_ADMIN`` to read ``/proc/self/pagemaps`` > +* ``IPC_LOCK`` to lock hugepages in memory > + > +.. code-block:: console > + > + setcap cap_ipc_lock,cap_sys_admin+ep > + > +If physical addresses are not accessible, the following message will > +appear during EAL initialization:: > + > + EAL: rte_mem_virt2phy(): cannot open /proc/self/pagemap: Permission > + denied > + > +It is harmless in case PA are not needed. > + > +Resource Limits > +~~~~~~~~~~~~~~~ >=20 > When running as non-root user, there may be some additional resource lim= its that are imposed by the system. Specifically, the following > resource limits may @@ -87,8 +136,10 @@ need to be adjusted in order to e= nsure normal DPDK operation: > The above limits can usually be adjusted by editing ``/etc/security/lim= its.conf`` file, and rebooting. >=20 > -Additionally, depending on which kernel driver is in use, the relevant -= resources also should be accessible by the user running the DPDK > application. > +Device Control > +~~~~~~~~~~~~~~ > + > +If the HPET is to be used, ``/dev/hpet`` permissions must be adjusted. >=20 > For ``vfio-pci`` kernel driver, the following Linux file system objects' > permissions should be adjusted: 
> @@ -98,26 +149,6 @@ permissions should be adjusted: > * The directories under ``/dev/vfio`` that correspond to IOMMU group num= bers of > devices intended to be used by DPDK, for example, ``/dev/vfio/50`` >=20 > -.. note:: > - > - The instructions below will allow running DPDK with ``igb_uio`` or > - ``uio_pci_generic`` drivers as non-root with older Linux kernel vers= ions. > - However, since version 4.0, the kernel does not allow unprivileged p= rocesses > - to read the physical address information from the pagemaps file, mak= ing it > - impossible for those processes to be used by non-privileged users. I= n such > - cases, using the VFIO driver is recommended. > - > -For ``igb_uio`` or ``uio_pci_generic`` kernel drivers, the following Lin= ux file -system objects' permissions should be adjusted: > - > -* The userspace-io device files in ``/dev``, for example, ``/dev/uio= 0``, ``/dev/uio1``, and so on > - > -* The userspace-io sysfs config and resource files, for example for ``= uio0``:: > - > - /sys/class/uio/uio0/device/config > - /sys/class/uio/uio0/device/resource* > - > - > Power Management and Power Saving Functionality > ----------------------------------------------- >=20 > -- > 2.25.1
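
Review bot: In the first hunk (@@ -66,13 +66,62 @@) the capability list names ``/proc/self/pagemaps`` while the EAL message quoted a few lines later reads "cannot open /proc/self/pagemap"; the file is /proc/self/pagemap, so the bullet should drop the trailing "s". The same hunk sets cap_sys_admin with +ep on the executable file, which hands that capability to every user allowed to execute it. Since the commit message frames the change as granting minimal permissions, the text should also say to restrict execute permission on that binary to the intended user or group.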
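
Review bot: In the second hunk (@@ -87,8 +136,10 @@) the new "Device Control" sentence says only that ``/dev/hpet`` permissions "must be adjusted", without naming the access the application needs or who should receive it. The commit message gives specific instructions and the reason for each bit as the purpose of the change, so this line should state the required access and suggest granting it through a dedicated group rather than to all users, matching the group-based approach the Hugepages section recommends.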
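
Review bot: The third hunk (@@ -98,26 +149,6 @@) deletes all ``igb_uio`` / ``uio_pci_generic`` guidance, including the note that since kernel 4.0 unprivileged processes cannot read physical addresses from the pagemap file and that VFIO is recommended in that case. The added text covers the capabilities needed for physical addresses but no longer mentions the ``/dev/uioN`` device files or the sysfs config and resource files, so users of those drivers lose the list of objects to open up. Either keep a short pointer tying these drivers to the physical-address capabilities and the device files they need, or state explicitly that non-root operation is documented only for ``vfio-pci``.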