DPDK patches and discussions
* [dpdk-dev] Running DPDK with Docker
@ 2015-04-01 17:56 Karmarkar Suyash
  2015-04-01 18:41 ` Stephen Hemminger
  2015-04-01 23:08 ` Zhou, Danny
  0 siblings, 2 replies; 6+ messages in thread
From: Karmarkar Suyash @ 2015-04-01 17:56 UTC (permalink / raw)
  To: dev

Hi,

Given the popularity of Docker it would be nice if we could run DPDK inside a Docker container, but the challenge is the igb_uio.ko and rte_kni.ko kernel modules, which need to be compiled against the exact kernel source running on the host.  Are there ways to seamlessly run DPDK with Docker? I came across an article about running DPDK with Linux containers, but the requirement is still to insert igb_uio. Any plans to make the igb_uio and rte_kni modules default modules of the Linux source tree, or any other better approaches/suggestions? Thanks.

http://dpdk.org/ml/archives/dev/2014-October/006373.html
http://permalink.gmane.org/gmane.comp.networking.dpdk.devel/6479


Regards
Suyash Karmarkar


* Re: [dpdk-dev] Running DPDK with Docker
  2015-04-01 17:56 [dpdk-dev] Running DPDK with Docker Karmarkar Suyash
@ 2015-04-01 18:41 ` Stephen Hemminger
  2015-04-02  3:28   ` Karmarkar Suyash
  2015-04-01 23:08 ` Zhou, Danny
  1 sibling, 1 reply; 6+ messages in thread
From: Stephen Hemminger @ 2015-04-01 18:41 UTC (permalink / raw)
  To: Karmarkar Suyash; +Cc: dev

On Wed, 1 Apr 2015 17:56:56 +0000
Karmarkar Suyash <skarmarkar@sonusnet.com> wrote:

> Hi,
> 
> Given the popularity of Docker it would be nice if we could run DPDK inside a Docker container, but the challenge is the igb_uio.ko and rte_kni.ko kernel modules, which need to be compiled against the exact kernel source running on the host.  Are there ways to seamlessly run DPDK with Docker? I came across an article about running DPDK with Linux containers, but the requirement is still to insert igb_uio. Any plans to make the igb_uio and rte_kni modules default modules of the Linux source tree, or any other better approaches/suggestions? Thanks.
> 
> http://dpdk.org/ml/archives/dev/2014-October/006373.html
> http://permalink.gmane.org/gmane.comp.networking.dpdk.devel/6479

igb_uio and rte_kni are unlikely to be accepted upstream since they have
intrinsic security problems.

Can you use VFIO?


* Re: [dpdk-dev] Running DPDK with Docker
  2015-04-01 17:56 [dpdk-dev] Running DPDK with Docker Karmarkar Suyash
  2015-04-01 18:41 ` Stephen Hemminger
@ 2015-04-01 23:08 ` Zhou, Danny
  1 sibling, 0 replies; 6+ messages in thread
From: Zhou, Danny @ 2015-04-01 23:08 UTC (permalink / raw)
  To: Karmarkar Suyash, dev

DPDK 2.0 supports uio_pci_generic, an in-kernel module, so you do not need to insmod igb_uio, and the rte_kni module can hardly be
upstreamed to netdev, but it is not a must-have module to load if you do not use the KNI feature.


* Re: [dpdk-dev] Running DPDK with Docker
  2015-04-01 18:41 ` Stephen Hemminger
@ 2015-04-02  3:28   ` Karmarkar Suyash
  2015-04-02  6:36     ` Andre Richter
  0 siblings, 1 reply; 6+ messages in thread
From: Karmarkar Suyash @ 2015-04-02  3:28 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: dev

<< igb_uio and rte_kni are unlikely to be accepted upstream since they have intrinsic security problems.

Can you use VFIO?>>

Hi Stephen,

Thanks for the reply. Can you please elaborate on the security issue? Thanks.

Regards
Suyash


* Re: [dpdk-dev] Running DPDK with Docker
  2015-04-02  3:28   ` Karmarkar Suyash
@ 2015-04-02  6:36     ` Andre Richter
  2015-04-02  7:13       ` Zhou, Danny
  0 siblings, 1 reply; 6+ messages in thread
From: Andre Richter @ 2015-04-02  6:36 UTC (permalink / raw)
  To: Karmarkar Suyash, Stephen Hemminger; +Cc: dev

The UIO drivers are not secured by an IOMMU.
Therefore, you could misuse the NIC to DMA read/write into any part of
memory, e.g. reading or writing the memory of the host or of other containers.

This is a security breach if you enable a container to do this by giving it
access via UIO, because you have containers to isolate processes from each
other in the first place.

VFIO uses IOMMUs to protect against that, but you need capable hardware,
e.g. Intel VT-d support on x86.

http://en.m.wikipedia.org/wiki/IOMMU

Cheers,
Andre


* Re: [dpdk-dev] Running DPDK with Docker
  2015-04-02  6:36     ` Andre Richter
@ 2015-04-02  7:13       ` Zhou, Danny
  0 siblings, 0 replies; 6+ messages in thread
From: Zhou, Danny @ 2015-04-02  7:13 UTC (permalink / raw)
  To: Andre Richter, Karmarkar Suyash, Stephen Hemminger; +Cc: dev

A container itself is not considered a secure solution that could provide the strict resource isolation which
VT could provide. Basically, we have 4 different configurations, as below; you could pick the most appropriate one
depending on the usage scenario.

1) VT + VFIO: supposed to be the most secure solution, but unfortunately VFIO cannot run in a VM unless
either a software IOMMU (at a performance degradation cost) or the nested VT-d (unavailable on any architecture) hardware
feature is enabled.
2) VT + UIO: secure solution in both host (UIO to drive a VF on the host) and VM (UIO to drive a pass-through VF in a VM), but VT
has overhead compared to a container, which is basically native performance.
3) Container + VFIO: the container itself does not provide strict resource isolation, even if VFIO could prevent a modified PMD from DMAing
packets to arbitrary memory regions.
4) Container + UIO: least secure solution, but might fit NFV use cases in which it runs trusted L4-L7 virtualized service functions
rather than customer applications in containers.

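The host-side check behind Andre's point (a UIO-driven NIC can DMA anywhere because no IOMMU contains it; VFIO only works when the device sits in a viable IOMMU group) and behind Danny's configurations 3 and 4 (Container + VFIO versus Container + UIO), as an added shell example that is not part of this thread or of the DPDK project. It reads the sysfs layout the kernel exposes for PCI devices and IOMMU groups, refuses the UIO path when no group exists, and otherwise prints the `docker run` device flags that expose only the VFIO nodes. The `SYSFS_ROOT` variable and the script name are assumptions introduced so the functions can be exercised against a constructed sysfs tree; on a real host the default `/sys` is used.

```shell
#!/usr/bin/env bash
# Added example, not DPDK project code: decide whether a PCI NIC can be handed
# to a container through VFIO (device behind an IOMMU) or whether only UIO is
# possible (igb_uio / uio_pci_generic), in which case the container can program
# the NIC to DMA into any host memory.
#
# SYSFS_ROOT is an assumption made so the functions can be run against a
# constructed sysfs tree; on a real host leave it at the default /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# IOMMU group number of a PCI device such as 0000:03:00.0. Fails when the
# kernel exposes no iommu_group link, i.e. no IOMMU is protecting the device.
iommu_group_of() {
    local link="$SYSFS_ROOT/bus/pci/devices/$1/iommu_group"
    [ -L "$link" ] || return 1
    basename "$(readlink "$link")"
}

# Kernel driver currently bound to a PCI device, or "-" when unbound.
driver_of() {
    local link="$SYSFS_ROOT/bus/pci/devices/$1/driver"
    if [ -L "$link" ]; then basename "$(readlink "$link")"; else echo "-"; fi
}

# Every PCI device in an IOMMU group, one per line.
group_members() {
    local d
    for d in "$SYSFS_ROOT/kernel/iommu_groups/$1/devices"/*; do
        if [ -L "$d" ] || [ -e "$d" ]; then basename "$d"; fi
    done
}

# Classify how the device could reach a container. Prints one of:
#   vfio:<group>  IOMMU group present and viable: expose /dev/vfio/<group>
#   vfio-blocked  IOMMU group present, but another member is bound to a host
#                 driver, so the kernel refuses to open the group (the IOMMU
#                 cannot isolate the members of one group from each other)
#   uio-only      no IOMMU group: only UIO is possible, with no DMA containment
# Viability follows the vfio driver's rule: every member must be unbound, bound
# to vfio-pci, or bound to one of the allow-listed drivers pci-stub / pcieport.
classify_device() {
    local dev="$1" grp m
    grp="$(iommu_group_of "$dev")" || { echo "uio-only"; return 0; }
    for m in $(group_members "$grp"); do
        [ "$m" = "$dev" ] && continue
        case "$(driver_of "$m")" in
            "-"|vfio-pci|pci-stub|pcieport) ;;
            *) echo "vfio-blocked"; return 0 ;;
        esac
    done
    echo "vfio:$grp"
}

# docker run flags for the VFIO path: the container gets the VFIO container
# node and its own group node only; no /dev/uio*, no /sys bind, no --privileged.
# Hugepages are needed by DPDK but are not a security control, so they appear
# as a plain bind mount. Returns non-zero when only UIO would work.
docker_flags_for() {
    local dev="$1" kind
    kind="$(classify_device "$dev")"
    case "$kind" in
        vfio:*)
            echo "--device=/dev/vfio/vfio --device=/dev/vfio/${kind#vfio:} -v /dev/hugepages:/dev/hugepages" ;;
        vfio-blocked)
            echo "refuse: a device in the IOMMU group of $dev is still bound to a host driver; rebind it to vfio-pci first" >&2
            return 2 ;;
        *)
            echo "refuse: $dev has no IOMMU group, so UIO would let the container DMA into host memory" >&2
            return 3 ;;
    esac
}

# Usage (hypothetical script name): ./vfio_check.sh 0000:03:00.0
if [ -n "${1:-}" ]; then
    docker_flags_for "$1"
fi
```

The script only decides the exposure path; the device still has to be bound to vfio-pci before the group node can be opened, and because VFIO pins the DMA buffers against RLIMIT_MEMLOCK the container will usually also need `--ulimit memlock=-1`, which is a resource limit rather than an isolation decision. A `uio-only` result on a host without an IOMMU is exactly Danny's configuration 4: acceptable only when the workload in the container is trusted with the host's memory.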
