From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <dev-bounces@dpdk.org> Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 081A6A0032; Fri, 24 Jun 2022 11:09:15 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id C431240A8A; Fri, 24 Jun 2022 11:09:14 +0200 (CEST) Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mails.dpdk.org (Postfix) with ESMTP id BFCEA4069D; Fri, 24 Jun 2022 11:09:12 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1656061753; x=1687597753; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=yyDPXdoCGucs6qCg1/FAcj2rzBcq2fSA2Qu40Xnk41A=; b=iKatgkebR25m5tr1uuFwQFdgXhJ37bNDTsBt2tIcLoV4HawZ0M9X5H0n MVwjcmPzQ6hkkXynFCE45lohL1Wl8qRHrgr6TG8acF0bvtVWRw8ehwOjk yHnJsH8X6IcZr/eyNziqxrZRmhk3/tbxO5WARgKjYLawLXqQRN6pcPgQz B+yVTjjfjhnsNZj2k5xzKLkxUPYmN0f3wAyGMmuBZ7PKsEmM/Ba6ZSWb8 ODhYY1ialSST0OvvfBwlQxeGi9Oq36Ta4fv4R9FzGkn+Z19WroQgRLd2W 7xQStA0TiB8jVrstM95kwNDTN8qYVCp42xUygCGmRA0Y2Omad90eHXiow w==; X-IronPort-AV: E=McAfee;i="6400,9594,10387"; a="260777042" X-IronPort-AV: E=Sophos;i="5.92,218,1650956400"; d="scan'208";a="260777042" Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jun 2022 02:09:11 -0700 X-IronPort-AV: E=Sophos;i="5.92,218,1650956400"; d="scan'208";a="593142953" Received: from bricha3-mobl.ger.corp.intel.com ([10.252.25.171]) by fmsmga007-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-SHA; 24 Jun 2022 02:09:10 -0700 Date: Fri, 24 Jun 2022 10:09:07 +0100 From: Bruce Richardson <bruce.richardson@intel.com> To: Dmitry Kozlyuk <dkozlyuk@nvidia.com> Cc: dev@dpdk.org, stable@dpdk.org, Anatoly Burakov <anatoly.burakov@intel.com> Subject: Re: [PATCH v3 3/5] doc: give specific instructions for running as non-root Message-ID: <YrV/MweYIVtNAh9i@bricha3-MOBL.ger.corp.intel.com> References: <20220617112508.3823291-1-dkozlyuk@nvidia.com> <20220624084817.63145-1-dkozlyuk@nvidia.com> <20220624084817.63145-4-dkozlyuk@nvidia.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220624084817.63145-4-dkozlyuk@nvidia.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions <dev.dpdk.org> List-Unsubscribe: <https://mails.dpdk.org/options/dev>, <mailto:dev-request@dpdk.org?subject=unsubscribe> List-Archive: <http://mails.dpdk.org/archives/dev/> List-Post: <mailto:dev@dpdk.org> List-Help: <mailto:dev-request@dpdk.org?subject=help> List-Subscribe: <https://mails.dpdk.org/listinfo/dev>, <mailto:dev-request@dpdk.org?subject=subscribe> Errors-To: dev-bounces@dpdk.org On Fri, Jun 24, 2022 at 11:48:15AM +0300, Dmitry Kozlyuk wrote: > The guide to run DPDK applications as non-root in Linux > did not provide specific instructions to configure the required access > and did not explain why each bit is needed. > The latter is important because running as non-root > is one of the ways to tighten security and grant minimal permissions. > > Cc: stable@dpdk.org > > Signed-off-by: Dmitry Kozlyuk <dkozlyuk@nvidia.com> Good improvements. One small suggestion below, otherwise: Acked-by: Bruce Richardson <bruce.richardson@intel.com> > --- > doc/guides/linux_gsg/enable_func.rst | 89 +++++++++++++------ > .../prog_guide/env_abstraction_layer.rst | 2 + > 2 files changed, 64 insertions(+), 27 deletions(-) > > diff --git a/doc/guides/linux_gsg/enable_func.rst b/doc/guides/linux_gsg/enable_func.rst > index 1df3ab0255..0b57417c94 100644 > --- a/doc/guides/linux_gsg/enable_func.rst > +++ b/doc/guides/linux_gsg/enable_func.rst > @@ -13,13 +13,63 @@ Enabling Additional Functionality > Running DPDK Applications Without Root Privileges > ------------------------------------------------- > > -In order to run DPDK as non-root, the following Linux filesystem objects' > -permissions should be adjusted to ensure that the Linux account being used to > -run the DPDK application has access to them: > +The following sections describe generic requirements and configuration > +for running DPDK applications as non-root. > +There may be additional requirements documented for some drivers. > > -* All directories which serve as hugepage mount points, for example, ``/dev/hugepages`` > +Hugepages > +~~~~~~~~~ > > -* If the HPET is to be used, ``/dev/hpet`` > +Hugepages must be reserved as root before running the application as non-root, > +for example:: > + > + sudo dpdk-hugepages.py --reserve 1G > + > +If multi-process is not required, running with ``--in-memory`` > +bypasses the need to access hugepage mount point and files within it. > +Otherwise, hugepage directory must be made accessible > +for writing to the unprivileged user. > +A good way for managing multiple applications using hugepages > +is to mount the filesystem with group permissions > +and add a supplementary group to each application or container. > + > +One option is to use the script provided by this project:: > + > + export HUGEDIR=$HOME/huge-1G > + mkdir -p $HUGEDIR > + sudo dpdk-hugepages.py --mount --directory $HUGEDIR --owner `id -u`:`id -g` > + > +In production environment, the OS can manage mount points > +(`systemd example <https://github.com/systemd/systemd/blob/main/units/dev-hugepages.mount>`_). > + > +The ``hugetlb`` filesystem has additional options to guarantee or limit > +the amount of memory that is possible to allocate using the mount point. > +Refer to the `documentation <https://www.kernel.org/doc/Documentation/vm/hugetlbpage.txt>`_. > + > +If the driver requires using physical addresses (PA), > +the executable file must be granted additional capabilities: > + > +* ``SYS_ADMIN`` to read ``/proc/self/pagemaps`` > +* ``IPC_LOCK`` to lock hugepages in memory > + > +.. code-block:: console > + > + setcap cap_ipc_lock,cap_sys_admin+ep <executable> > + > +If physical addresses are not accessible, > +the following message will appear during EAL initialization:: > + > + EAL: rte_mem_virt2phy(): cannot open /proc/self/pagemap: Permission denied > + > +It is harmless in case PA are not needed. > + > +.. note:: > + > + Using ``vfio-pci`` kernel driver, if applicable, can eliminate the need > + for physical addresses and therefore reduce the permission requirements. > + Can we move this note up a bit, to immediately after the paragraph about requiring physical addresses. It's better to inform the user immediately if a section is not relevant to them, than only telling them at the end once they have already read it. /Bruce