From: "Burakov, Anatoly"
To: David Marchand, dev@dpdk.org
Cc: maxime.coquelin@redhat.com, sscheink@redhat.com, stable@dpdk.org
Date: Fri, 11 Sep 2020 13:46:40 +0100
Subject: Re: [dpdk-dev] [PATCH] eal/linux: fix memory allocations in containers+SELinux
References: <20200910162407.12669-1-david.marchand@redhat.com>
In-Reply-To: <20200910162407.12669-1-david.marchand@redhat.com>

On 10-Sep-20 5:24 PM, David Marchand wrote:
> This is something we encountered while working in an OpenShift
> environment with SELinux enabled.
> In this environment, a DPDK application could create/write to hugepage
> files but removing them was refused.
> This resulted in dirty files being reused when starting a new DPDK
> application and triggered random crashes / erratic behavior.
>
> Getting a SELinux setup can be a challenge, and even more if you add
> containers to the picture :-).
> So here is a reproducer for the interested testers:
>
> # cat >wrap.c <<EOF
> #define _GNU_SOURCE
> #include <dlfcn.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <stdio.h>
> #include <string.h>
> #include <sys/stat.h>
> #include <sys/types.h>
> #include <unistd.h>
>
> int unlink(const char *pathname)
> {
> 	static int (*orig)(const char *pathname) = NULL;
> 	struct stat st;
>
> 	if (orig == NULL)
> 		orig = dlsym(RTLD_NEXT, "unlink");
> 	if (strstr(pathname, "rtemap_") != NULL &&
> 			stat(pathname, &st) == 0) {
> 		fprintf(stderr, "### refused unlink for %s\n",
> 			pathname);
> 		errno = EACCES;
> 		return -1;
> 	}
> 	fprintf(stderr, "### called unlink for %s\n", pathname);
> 	return orig(pathname);
> }
>
> int unlinkat(int dirfd, const char *pathname, int flags)
> {
> 	static int (*orig)(int dirfd, const char *pathname, int flags) =
> 		NULL;
> 	struct stat st;
>
> 	if (orig == NULL)
> 		orig = dlsym(RTLD_NEXT, "unlinkat");
> 	if (strstr(pathname, "rtemap_") != NULL &&
> 			fstatat(dirfd, pathname, &st, flags) == 0) {
> 		fprintf(stderr, "### refused unlinkat for %s\n",
> 			pathname);
> 		errno = EACCES;
> 		return -1;
> 	}
> 	fprintf(stderr, "### called unlinkat for %s\n", pathname);
> 	return orig(dirfd, pathname, flags);
> }
> EOF
>
> # gcc -fPIC -shared -o libwrap.so wrap.c -ldl
> # \rm /dev/hugepages/rtemap*
>
> # # First run is fine
> # LD_PRELOAD=libwrap.so dpdk-testpmd -w 0000:01:00.0 -- -i
> [...]
> Configuring Port 0 (socket 0)
> Port 0: 24:6E:96:3C:52:D8
> Checking link statuses...
> Done
> testpmd>
>
> # # Second run we have dirty memory
> # LD_PRELOAD=libwrap.so dpdk-testpmd -w 0000:01:00.0 -- -i
> [...]
> ### refused unlinkat for rtemap_0
> [...]
> Port 0 is now not stopped
> Please stop the ports first
> Done
> testpmd>
>
> Removing hugepage files is done in multiple places and the memory
> allocation code is complex.
> This fix tries to do the minimum and avoids touching other paths.
>
> If trying to remove the hugepage file before allocating a page fails,
> the error is reported to the caller and the user will see a memory
> allocation error log.
>
> Fixes: 582bed1e1d1d ("mem: support mapping hugepages at runtime")
> Cc: stable@dpdk.org
>
> Signed-off-by: David Marchand
> ---

I believe only the primary will try to allocate new pages, but this only
covers the page-per-file scenario. There's also legacy mem option (which
would attempt to remove files prior to creating new ones - not sure if
it's refused in that case), and single file segments option (which will
mostly fallocate holes rather than delete files, but may still attempt
to delete files - by the way, how does fallocate work with SELinux?).

So, for the contents of the patch in question, it's good, but *might* be
incomplete for the above reasons. I can't test this right this moment so
I'll leave this up to you :P

-- 
Thanks,
Anatoly
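
An added illustration of the behaviour the quoted commit message describes (not code from the patch, the thread or DPDK): treating a refused removal of a stale page file as an allocation error, next to the unchecked path that hands a new run the previous run's bytes. The names `open_page_file`, `second_run` and `refused_unlink` are hypothetical, and a temporary file under `/tmp` is assumed as a stand-in for a hugetlbfs file.

```c
/* Added example, not DPDK code: a temp file stands in for a hugetlbfs page. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

typedef int (*unlink_fn)(const char *path);

/* Assumed stand-in for the SELinux denial, like the LD_PRELOAD wrapper. */
static int refused_unlink(const char *path)
{
	(void)path;
	errno = EACCES;
	return -1;
}

/* With check set, failing to remove a stale file fails the allocation. */
static int open_page_file(const char *path, unlink_fn rm, int check)
{
	if (rm(path) == -1 && errno != ENOENT && check) { /* ENOENT: no stale file */
		perror(path);
		return -1;
	}
	return open(path, O_CREAT | O_RDWR, 0600);
}

/* 1: new run sees the old run's bytes, 0: fresh file, -1: allocation refused */
static int second_run(unlink_fn rm, int check)
{
	char path[] = "/tmp/rtemap_demo.XXXXXX", byte;
	int stale, fd = mkstemp(path); /* constructed "first run" */
	if (fd < 0 || write(fd, "DIRTY", 5) != 5)
		return -1;
	close(fd);
	fd = open_page_file(path, rm, check);
	stale = fd < 0 ? -1 : (int)(read(fd, &byte, 1) == 1);
	if (fd >= 0)
		close(fd);
	unlink(path);
	return stale;
}

int main(void)
{
	printf("%d %d %d\n", second_run(refused_unlink, 0),
	       second_run(refused_unlink, 1), second_run(unlink, 1));
	return 0;
}
```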