From: Andre Richter
Date: Thu, 02 Apr 2015 06:36:08 +0000
To: Karmarkar Suyash, Stephen Hemminger
Cc: "dev@dpdk.org"
Subject: Re: [dpdk-dev] Running DPDK with Docker

The uio drivers are not secured by an iommu. Therefore, you could misuse the NIC to DMA read/write into any part of memory, e.g. reading or writing to memory of the host or other containers. This is a security breach if you enable a container to do this by giving it access via uio, because you have them to isolate processes against each other in the first place.
VFIO uses iommus to protect against that, but you need capable hardware, e.g. Intel VT-d support on x86.

http://en.m.wikipedia.org/wiki/IOMMU

Cheers,
Andre

Karmarkar Suyash wrote on Thu, 2 Apr 2015 at 05:28:

> << igb_uio and rte_kni are unlikely to be accepted upstream since they
> have intrinsic security problems.
>
> Can you use VFIO?>>
>
> Hi Stephen,
>
> Thanks for the reply. Can you please elaborate on the security
> issue? Thanks.
>
> Regards
> Suyash
>
> -----Original Message-----
> From: Stephen Hemminger [mailto:stephen@networkplumber.org]
> Sent: Thursday, April 02, 2015 12:12 AM
> To: Karmarkar Suyash
> Cc: dev@dpdk.org
> Subject: Re: [dpdk-dev] Running DPDK with Docker
>
> On Wed, 1 Apr 2015 17:56:56 +0000
> Karmarkar Suyash wrote:
>
> > Hi,
> >
> > Given the popularity of Docker it would be nice if we can run DPDK
> > inside a Docker container but the challenge is the igb_uio.ko and
> > rte_kni.ko kernel modules which need to be compiled with the exact kernel
> > source running on the host. Are there ways to seamlessly run DPDK with
> > Docker? I came across an article about running DPDK with Linux container
> > but still the requirement is to insert igb_uio. Any plans to make the
> > igb_uio and rte_kni modules as default modules of Linux source code or any
> > other better approaches/suggestions ? Thanks.
> >
> > http://dpdk.org/ml/archives/dev/2014-October/006373.html
> > http://permalink.gmane.org/gmane.comp.networking.dpdk.devel/6479
>
> igb_uio and rte_kni are unlikely to be accepted upstream since they have
> intrinsic security problems.
>
> Can you use VFIO?
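
A host-side check for the uio/VFIO distinction drawn in this thread, as an added example that is not part of any message: it walks sysfs and reports which PCI devices are handed to userspace without IOMMU protection. It goes slightly beyond the email by also flagging VFIO's no-IOMMU mode. The names `uio_pci_generic`, `vfio-pci` and `enable_unsafe_noiommu_mode` are Linux kernel names not mentioned in the thread; the function names and verdict labels are the example's own.

```sh
#!/bin/sh
# Added example, not from the thread. Verdict labels and function names are
# this example's own choices. Usage: audit_dma_isolation /sys

# Print the name of the driver bound to a PCI device directory, or "none".
bound_driver() {
    if [ -L "$1/driver" ]; then
        basename "$(readlink "$1/driver")"
    else
        echo none
    fi
}

# classify_device SYSFS_ROOT DEVICE_DIR
# Prints: uio-no-iommu | vfio-iommu | vfio-check-noiommu | other
classify_device() {
    param=$1/module/vfio/parameters/enable_unsafe_noiommu_mode
    case $(bound_driver "$2") in
        igb_uio|uio_pci_generic)
            # UIO hands the device to userspace with no IOMMU in the DMA path.
            echo uio-no-iommu ;;
        vfio-pci)
            noiommu=N
            if [ -r "$param" ]; then read -r noiommu < "$param" || true; fi
            # Conservative: the no-IOMMU switch is host-wide, so when it is on
            # every vfio-pci device is flagged for manual review.
            if [ "$noiommu" = Y ] || [ ! -e "$2/iommu_group" ]; then
                echo vfio-check-noiommu
            else
                echo vfio-iommu
            fi ;;
        *)  echo other ;;
    esac
}

# audit_dma_isolation [SYSFS_ROOT]   (defaults to /sys)
# Prints "<address> <driver> <verdict>" for each userspace-driven device and
# returns 1 if any of them is not confirmed to sit behind an IOMMU.
audit_dma_isolation() {
    root=${1:-/sys}
    rc=0
    for dev in "$root"/bus/pci/devices/*; do
        [ -d "$dev" ] || continue
        verdict=$(classify_device "$root" "$dev")
        [ "$verdict" = other ] && continue
        echo "$(basename "$dev") $(bound_driver "$dev") $verdict"
        [ "$verdict" = vfio-iommu ] || rc=1
    done
    return "$rc"
}
```

A non-zero return from `audit_dma_isolation` on a container host means at least one device passed to userspace can DMA outside the memory its owner was given.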