To: Bruce Richardson
Cc: dev@dpdk.org, John McNamara, Marko Kovacevic, ferruh.yigit@intel.com, padraig.j.connolly@intel.com, stable@dpdk.org
From: "Burakov, Anatoly"
Message-ID: <539dc73e-b582-feca-cf72-374f974a3ee8@intel.com>
Date: Tue, 25 Aug 2020 10:29:39 +0100
Subject: Re: [dpdk-dev] [PATCH 1/2] doc/linux_gsg: clarify instructions on running as non-root

On 24-Aug-20 6:08 PM, Bruce Richardson wrote: > On Mon, Aug 24, 2020 at 04:45:00PM +0100, Anatoly Burakov wrote: >> The current instructions are slightly out of date when it comes to >> providing information about setting up the system for using DPDK as >> non-root, so update them. >> >> Cc: stable@dpdk.org >> >> Signed-off-by: Anatoly Burakov >> --- >> doc/guides/linux_gsg/enable_func.rst | 54 ++++++++++++++++++++-------- >> 1 file changed, 39 insertions(+), 15 deletions(-) >> >> diff --git a/doc/guides/linux_gsg/enable_func.rst b/doc/guides/linux_gsg/enable_func.rst >> index b2bda80bb7..78b0f7c012 100644 >> --- a/doc/guides/linux_gsg/enable_func.rst >> +++ b/doc/guides/linux_gsg/enable_func.rst 
>> @@ -58,22 +58,34 @@ The application can then determine what action to take, if any, if the HPET is n >> if any, and on what is available on the system at runtime. >> >> Running DPDK Applications Without Root Privileges >> --------------------------------------------------------- >> +------------------------------------------------- >> >> -.. note:: >> +In order to run DPDK as non-root, the following Linux filesystem objects' >> +permissions should be adjusted to ensure that the Linux account being used to >> +run the DPDK application has access to them: >> >> - The instructions below will allow running DPDK as non-root with older >> - Linux kernel versions. However, since version 4.0, the kernel does not allow >> - unprivileged processes to read the physical address information from >> - the pagemaps file, making it impossible for those processes to use HW >> - devices which require physical addresses >> +* All directories which serve as hugepage mount points, for example, ``/dev/hugepages`` >> >> -Although applications using the DPDK use network ports and other hardware resources directly, >> -with a number of small permission adjustments it is possible to run these applications as a user other than "root". >> -To do so, the ownership, or permissions, on the following Linux file system objects should be adjusted to ensure that >> -the Linux user account being used to run the DPDK application has access to them: >> +* If the HPET is to be used, ``/dev/hpet`` >> >> -* All directories which serve as hugepage mount points, for example, ``/mnt/huge`` >> +When running as non-root user, there may be some additional resource limits >> +that are imposed by the system. 
Specifically, the following resource limits may >> +need to be adjusted in order to ensure normal DPDK operation: >> + >> +* RLIMIT_LOCKS (number of file locks that can be held by a process) >> + >> +* RLIMIT_NOFILE (number of open file descriptors that can be held open by a process) >> + >> +* RLIMIT_MEMLOCK (amount of pinned pages the process is allowed to have) >> + >> +The above limits can usually be adjusted by editing >> +``/etc/security/limits.conf`` file, and rebooting. >> + >> +Additionally, depending on which kernel driver is in use, the relevant >> +resources also should be accessible by the user running the DPDK application. >> + >> +For ``igb_uio`` or ``uio_pci_generic`` kernel drivers, the following Linux file >> +system objects' permissions should be adjusted: >> >> * The userspace-io device files in ``/dev``, for example, ``/dev/uio0``, ``/dev/uio1``, and so on 
>> >> @@ -82,11 +94,23 @@ the Linux user account being used to run the DPDK application has access to them >> /sys/class/uio/uio0/device/config >> /sys/class/uio/uio0/device/resource* >> >> -* If the HPET is to be used, ``/dev/hpet`` >> - >> .. note:: >> >> - On some Linux installations, ``/dev/hugepages`` is also a hugepage mount point created by default. >> + The instructions above will allow running DPDK with ``igb_uio`` driver as >> + non-root with older Linux kernel versions. However, since version 4.0, the >> + kernel does not allow unprivileged processes to read the physical address >> + information from the pagemaps file, making it impossible for those >> + processes to be used by non-privileged users. In such cases, using the VFIO >> + driver is recommended. >> + >> +For ``vfio-pci`` kernel driver, the following Linux file system objects' >> +permissions should be adjusted: >> + >> +* The VFIO device file , ``/dev/vfio/vfio`` >> + >> +* The directories under ``/dev/vfio`` that correspond to IOMMU group numbers of >> + devices intended to be used by DPDK, for example, ``/dev/vfio/50`` >> + >> > Since we'd very much prefer in all cases people to use VFIO, I think the > VFIO instructions should come first. > Otherwise the text itself reads fine to me. OK, will fix in v2. > > /Bruce > -- Thanks, Anatoly
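
Review bot: In the first hunk (@@ -58,22 +58,34 @@), the added sentence "The above limits can usually be adjusted by editing ``/etc/security/limits.conf`` file, and rebooting" asks for more than is needed: limits from that file are applied by pam_limits when a session is opened, so logging the account out and back in is enough. Suggest "by editing the ``/etc/security/limits.conf`` file and logging in again". In the same hunk, RLIMIT_MEMLOCK is described as "amount of pinned pages", but the limit is expressed in bytes of locked memory, so "amount of pinned memory" would be more accurate. The opening paragraph also says the permissions "should be adjusted" without saying how; a sentence recommending group ownership for a dedicated account, rather than world-writable modes, would keep the hugepage mount points from being opened to every local user.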
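
Review bot: In the second hunk (@@ -82,11 +94,23 @@), the reworded note ends "making it impossible for those processes to be used by non-privileged users", which no longer says what the removed text said and does not parse: the restriction is on what the processes can do, not on who can use them. Suggest restoring the original object, "making it impossible for those processes to use HW devices which require physical addresses". The note also names only ``igb_uio``, although the list it closes is introduced for "``igb_uio`` or ``uio_pci_generic``"; it should say whether the pagemap restriction applies to both. Minor: there is a stray space before the comma in "The VFIO device file , ``/dev/vfio/vfio``".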