From: Aaron Conole <aconole@redhat.com>
To: Alejandro Lucero <alejandro.lucero@netronome.com>
Cc: dev <dev@dpdk.org>, Adrien Mazarguil <adrien.mazarguil@6wind.com>,
 stable@dpdk.org, Thomas Monjalon <thomas@monjalon.net>
Date: Tue, 17 Apr 2018 15:19:23 -0400
In-Reply-To: <CAD+H992fmaux6hioFdq9+AEY6yWjpOQ5VAYLUcnkSamBEKxKoA@mail.gmail.com>
 (Alejandro Lucero's message of "Tue, 17 Apr 2018 16:54:01 +0100")
Subject: Re: [dpdk-dev] [RFC 2/2] nfp: allow for non-root user

Alejandro Lucero <alejandro.lucero@netronome.com> writes:

> I was just wondering, if device PCI sysfs resource files or VFIO group /dev files require to change
> permissions for non-root users, does it not make sense to adjust also /var/lock in the system?

For the /dev, we use udev rules - so the correct individual vfio device
files get assigned the correct permissions.  No such mechanism exists
for /var/lock as far as I can tell.

Ex. see:

https://github.com/openvswitch/ovs/blob/master/rhel/usr_lib_udev_rules.d_91-vfio.rules

Maybe something similar exists that we could use to generate the lock
file automatically?

> On Tue, Apr 17, 2018 at 4:44 PM, Alejandro Lucero <alejandro.lucero@netronome.com> wrote:
>
>  I have seen that VFIO also requires explicitly to set the right permissions for non-root users to VFIO
>  groups under /dev/vfio. 
>
>  I assume then that running OVS or other DPDK apps as non-root is possible, although requiring
>  those explicit permissions changes, and therefore this patch is necessary.
>
>  Adding stable@ and Thomas for discussing how can this be added to stable DPDK versions even if
>  this is not going to be a patch for current DPDK version.
>
>  Acked-by: Alejandro Lucero <alejandro.lucero@netronome.com>
>
>  On Fri, Apr 13, 2018 at 4:31 PM, Alejandro Lucero <alejandro.lucero@netronome.com> wrote:
>
>  On Fri, Apr 13, 2018 at 2:31 PM, Aaron Conole <aconole@redhat.com> wrote:
>
>  Alejandro Lucero <alejandro.lucero@netronome.com> writes:
>
>  > Again, this patch is correct, but because NFP PMD needs to access
>  > /sys/bus/pci/devices/$DEVICE_PCI_STRING/resource$RESOURCE_ID, and these files have just
>  > read/write accesses for root, I do not know if this is really necessary.
>  >
>  > Being honest, I have not used a DPDK app with NFP PMD and not being root. Does it work
>  > with non-root users and other PMDs with same requirements regarding sysfs resource files?
>
>  We do run as non-root user definitely with Intel PMDs.
>
>  I'm not very sure about other vendors, but I think mlx pmd runs as
>  non-root user (and it was modified to move off of sysfs for that
>  reason[1]).
>
>  It is possible to not rely on sysfs resource files if device is attached to VFIO, but I think that is a
>  must with UIO.
>
>   
>  I'll continue to push for more information from the testing side to find
>  out though.
>
>  [1]: http://dpdk.org/ml/archives/dev/2018-February/090586.html
>
>  > On Fri, Apr 13, 2018 at 12:22 AM, Aaron Conole <aconole@redhat.com> wrote:
>  >
>  >  Currently, the nfp lock files are taken from the global lock file
>  >  location, which will work when the user is running as root.  However,
>  >  some distributions and applications (notably ovs 2.8+ on RHEL/Fedora)
>  >  run as a non-root user.
>  >
>  >  Signed-off-by: Aaron Conole <aconole@redhat.com>
>  >  ---
>  >   drivers/net/nfp/nfp_nfpu.c | 23 ++++++++++++++++++-----
>  >   1 file changed, 18 insertions(+), 5 deletions(-)
>  >
>  >  diff --git a/drivers/net/nfp/nfp_nfpu.c b/drivers/net/nfp/nfp_nfpu.c
>  >  index 2ed985ff4..ae2e07220 100644
>  >  --- a/drivers/net/nfp/nfp_nfpu.c
>  >  +++ b/drivers/net/nfp/nfp_nfpu.c
>  >  @@ -18,6 +18,22 @@
>  >   #define NFP_CFG_EXP_BAR         7
>  >
>  >   #define NFP_CFG_EXP_BAR_CFG_BASE       0x30000
>  >  +#define NFP_LOCKFILE_PATH_FMT "%s/nfp%d"
>  >  +
>  >  +/* get nfp lock file path (/var/lock if root, $HOME otherwise) */
>  >  +static void
>  >  +nspu_get_lockfile_path(char *buffer, int bufsz, nfpu_desc_t *desc)
>  >  +{
>  >  +       const char *dir = "/var/lock";
>  >  +       const char *home_dir = getenv("HOME");
>  >  +
>  >  +       if (getuid() != 0 && home_dir != NULL)
>  >  +               dir = home_dir;
>  >  +
>  >  +       /* use current prefix as file path */
>  >  +       snprintf(buffer, bufsz, NFP_LOCKFILE_PATH_FMT, dir,
>  >  +                       desc->nfp);
>  >  +}
>  >
>  >   /* There could be other NFP userspace tools using the NSP interface.
>  >    * Make sure there is no other process using it and locking the access for
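Review bot: In nspu_get_lockfile_path(), picking the directory from getuid() and $HOME means a root process locks /var/lock/nfp%d while a non-root process locks $HOME/nfp%d, so the two no longer exclude each other, which is exactly what the comment right below ("Make sure there is no other process using it") says the lock is for. A single location that both root and the service user can reach (for example a directory whose ownership is set up at install time), or a configurable path, would keep the mutual exclusion. When HOME is unset for a non-root user the code falls back to /var/lock, where the open() will still fail. The snprintf() return value is also ignored: the function should return an error when the result does not fit in bufsz instead of silently truncating. The comment "use current prefix as file path" does not describe what the code does and should be reworded.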
>  >  @@ -30,9 +46,7 @@ nspv_aquire_process_lock(nfpu_desc_t *desc)
>  >          struct flock lock;
>  >          char lockname[30];
>  >
>  >  -       memset(&lock, 0, sizeof(lock));
>  >  -
>  >  -       snprintf(lockname, sizeof(lockname), "/var/lock/nfp%d", desc->nfp);
>  >  +       nspu_get_lockfile_path(lockname, sizeof(lockname), desc);
>  >
>  >          /* Using S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH */
>  >          desc->lock = open(lockname, O_RDWR | O_CREAT, 0666);
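Review bot: The removal of memset(&lock, 0, sizeof(lock)) in nspv_aquire_process_lock() looks unintended: nothing in this hunk replaces it, so any struct flock field that is not assigned later reaches fcntl() uninitialized. Please keep the memset. Separately, lockname is still declared as char lockname[30], which was sized for "/var/lock/nfp%d"; with "%s/nfp%d" it truncates once $HOME is longer than about 24 characters, and the open() below would then create or lock a different file than intended. Size the buffer with PATH_MAX and fail on truncation. The 0666 mode was chosen for a shared file under /var/lock; for a file in a user's home directory a tighter mode is worth considering.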
>  >  @@ -106,7 +120,6 @@ nfpu_close(nfpu_desc_t *desc)
>  >          rte_free(desc->nspu);
>  >          close(desc->lock);
>  >
>  >  -       snprintf(lockname, sizeof(lockname), "/var/lock/nfp%d", desc->nfp);
>  >  -       unlink(lockname);
>  >  +       nspu_get_lockfile_path(lockname, sizeof(lockname), desc);
>  >          return 0;
>  >   }
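Review bot: In nfpu_close() the unlink(lockname) is dropped but the new nspu_get_lockfile_path() call stays, so the path is built and never used, and the lock file is left behind after close. If leaving the file in place is intended (for example to avoid unlinking a file another process still holds open), say so in the commit message and remove the call together with the lockname local; otherwise restore the unlink() after computing the path.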
>  >  -- 
>  >  2.14.3