From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by dpdk.org (Postfix) with ESMTP id B9074D018; Tue, 17 Apr 2018 21:19:24 +0200 (CEST) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4B993814DF4C; Tue, 17 Apr 2018 19:19:24 +0000 (UTC) Received: from dhcp-25.97.bos.redhat.com (unknown [10.18.25.61]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B27CA111DD0E; Tue, 17 Apr 2018 19:19:23 +0000 (UTC) From: Aaron Conole To: Alejandro Lucero Cc: dev , Adrien Mazarguil , stable@dpdk.org, Thomas Monjalon References: <20180412222208.11770-1-aconole@redhat.com> <20180412222208.11770-3-aconole@redhat.com> Date: Tue, 17 Apr 2018 15:19:23 -0400 In-Reply-To: (Alejandro Lucero's message of "Tue, 17 Apr 2018 16:54:01 +0100") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.90 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Tue, 17 Apr 2018 19:19:24 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Tue, 17 Apr 2018 19:19:24 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'aconole@redhat.com' RCPT:'' Subject: Re: [dpdk-stable] [RFC 2/2] nfp: allow for non-root user X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Apr 2018 19:19:25 -0000 Alejandro Lucero writes: > I was just wondering, if device device PCI sysfs resource files or VFIO group /dev files require to change > permissions for non-root users, does it not make sense to adjust also /var/lock in the system? For the /dev, we use udev rules - so the correct individual vfio device files get assigned the correct permissions. No such mechanism exists for /var/lock as far as I can tell. Ex. see: https://github.com/openvswitch/ovs/blob/master/rhel/usr_lib_udev_rules.d_91-vfio.rules Maybe something similar exists that we could use to generate the lock file automatically? > On Tue, Apr 17, 2018 at 4:44 PM, Alejandro Lucero wrote: > > I have seen that VFIO also requires explicitly to set the right permissions for non-root users to VFIO > groups under /dev/vfio. > > I assume then that running OVS or other DPDK apps as non-root is possible, although requiring > those explicit permissions changes, and therefore this patch is necessary. > > Adding stable@ and Thomas for discussing how can this be added to stable DPDK versions even if > this is not going to be a patch for current DPDK version. > > Acked-by: Alejandro Lucero > > On Fri, Apr 13, 2018 at 4:31 PM, Alejandro Lucero wrote: > > On Fri, Apr 13, 2018 at 2:31 PM, Aaron Conole wrote: > > Alejandro Lucero writes: > > > Again, this patch is correct, but because NFP PMD needs to access > > /sys/bus/pci/devices/$DEVICE_PCI_STRING/resource$RESOURCE_ID, and these files have > just > > read/write accesses for root, I do not know if this is really necessary. > > > > Being honest, I have not used a DPDK app with NFP PMD and not being root. Does it > work > > with non-root users and other PMDs with same requirements regarding sysfs resource > files? > > We do run as non-root user definitely with Intel PMDs. > > I'm not very sure about other vendors, but I think mlx pmd runs as > non-root user (and it was modified to move off of sysfs for that > reason[1]). > > It is possible to not rely on sysfs resource files if device is attached to VFIO, but I think that is a > must with UIO. > > > I'll continue to push for more information from the testing side to find > out though. > > [1]: http://dpdk.org/ml/archives/dev/2018-February/090586.html > > > On Fri, Apr 13, 2018 at 12:22 AM, Aaron Conole wrote: > > > > Currently, the nfp lock files are taken from the global lock file > > location, which will work when the user is running as root. However, > > some distributions and applications (notably ovs 2.8+ on RHEL/Fedora) > > run as a non-root user. > > > > Signed-off-by: Aaron Conole > > --- > > drivers/net/nfp/nfp_nfpu.c | 23 ++++++++++++++++++----- > > 1 file changed, 18 insertions(+), 5 deletions(-) > > > > diff --git a/drivers/net/nfp/nfp_nfpu.c b/drivers/net/nfp/nfp_nfpu.c > > index 2ed985ff4..ae2e07220 100644 > > --- a/drivers/net/nfp/nfp_nfpu.c > > +++ b/drivers/net/nfp/nfp_nfpu.c > > @@ -18,6 +18,22 @@ > > #define NFP_CFG_EXP_BAR 7 > > > > #define NFP_CFG_EXP_BAR_CFG_BASE 0x30000 > > +#define NFP_LOCKFILE_PATH_FMT "%s/nfp%d" > > + > > +/* get nfp lock file path (/var/lock if root, $HOME otherwise) */ > > +static void > > +nspu_get_lockfile_path(char *buffer, int bufsz, nfpu_desc_t *desc) > > +{ > > + const char *dir = "/var/lock"; > > + const char *home_dir = getenv("HOME"); > > + > > + if (getuid() != 0 && home_dir != NULL) > > + dir = home_dir; > > + > > + /* use current prefix as file path */ > > + snprintf(buffer, bufsz, NFP_LOCKFILE_PATH_FMT, dir, > > + desc->nfp); > > +} > > > > /* There could be other NFP userspace tools using the NSP interface. > > * Make sure there is no other process using it and locking the access for > > @@ -30,9 +46,7 @@ nspv_aquire_process_lock(nfpu_desc_t *desc) > > struct flock lock; > > char lockname[30]; > > > > - memset(&lock, 0, sizeof(lock)); > > - > > - snprintf(lockname, sizeof(lockname), "/var/lock/nfp%d", desc->nfp); > > + nspu_get_lockfile_path(lockname, sizeof(lockname), desc); > > > > /* Using S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH */ > > desc->lock = open(lockname, O_RDWR | O_CREAT, 0666); > > @@ -106,7 +120,6 @@ nfpu_close(nfpu_desc_t *desc) > > rte_free(desc->nspu); > > close(desc->lock); > > > > - snprintf(lockname, sizeof(lockname), "/var/lock/nfp%d", desc->nfp); > > - unlink(lockname); > > + nspu_get_lockfile_path(lockname, sizeof(lockname), desc); > > return 0; > > } > > -- > > 2.14.3