From: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
To: Alex K <aiklimov@hotmail.com>
Cc: "users@dpdk.org" <users@dpdk.org>,
"Burakov, Anatoly" <anatoly.burakov@intel.com>
Subject: Re: Multiple Users Running DPDK Apps
Date: Thu, 2 Jan 2025 23:48:13 +0300 [thread overview]
Message-ID: <20250102234813.32d75421@sovereign> (raw)
In-Reply-To: <CH3PR06MB9411938DBBE26829798A26E3DD142@CH3PR06MB9411.namprd06.prod.outlook.com>
2025-01-02 19:44 (UTC+0000), Alex K:
> Should multiple users be able to take turns running DPDK apps on the same system without using sudo?
>
> Hugepages setup is required for multi-process support. The usertools/dpdk-hugepages.py script accepts user id and group id arguments when mounting hugepages directory. And I was hoping that files created in this directory would be created such that they would be accessible by the users in this same group. However, I'm seeing that those created hugepages files get the 0600 permissions (read/write by the user only) and group ownership is not set to the group specified in the dpdk-hugepages.py script. So another user attempting to run DPDK apps gets a Permission denied error attempting to access hugepages files.
> Is this a bug or by design?
> Should each user have a separate hugepages directory setup somehow?
>
> I'm using vfio-pci kernel module with IOMMU, DPDK 23.11.1 LTS on RHEL 9. Seeing same behavior with 24.11.1 LTS. Tried to follow the instructions at: https://doc.dpdk.org/guides-23.11/linux_gsg/enable_func.html#running-dpdk-applications-without-root-privileges
>
> Would like to understand if what I'm attempting is supported and if there's anything I'm missing.
> Thank you.
Hi Alex,
If you want to run independent applications as different users,
you can use a common directory but specify different --file-prefix
for each application (group of processes sharing hugepages).
If you want to run different processes of one multi-process DPDK app as
different users, they must use the common directory,
so the current behavior with 0600 permissions is a blocker.
They are set intentionally:
http://git.dpdk.org/dpdk/commit/?id=da5d107207910fc318862579e7b588481c72c668
Ownership is not controlled, so default open(2) semantics apply,
but there's still no way past the disabled group-writable bit.
If this is the case, I wonder why this is needed?
There isn't real privilege separation if processes share hugepages,
which particularly means that both processes have access to HW and DMA.
next prev parent reply other threads:[~2025-01-02 20:48 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-02 19:44 Alex K
2025-01-02 20:48 ` Dmitry Kozlyuk [this message]
2025-01-02 21:26 ` Stephen Hemminger
2025-01-03 19:03 ` Alex K
-- strict thread matches above, loose matches on Subject: below --
2024-12-20 15:25 Alex K
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250102234813.32d75421@sovereign \
--to=dmitry.kozliuk@gmail.com \
--cc=aiklimov@hotmail.com \
--cc=anatoly.burakov@intel.com \
--cc=users@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).