patches for DPDK stable branches
From: Kevin Traynor <ktraynor@redhat.com>
To: Dmitry Kozlyuk <dkozlyuk@nvidia.com>
Cc: Bruce Richardson <bruce.richardson@intel.com>,
	dpdk stable <stable@dpdk.org>
Subject: patch 'doc: add more instructions for running as non-root' has been queued to stable release 21.11.2
Date: Tue, 28 Jun 2022 16:19:32 +0100
Message-ID: <20220628151938.2278711-20-ktraynor@redhat.com>
In-Reply-To: <20220628151938.2278711-1-ktraynor@redhat.com>

Hi,

FYI, your patch has been queued to stable release 21.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 06/30/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(i.e. not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/dcc59bfed7bfdcf4183763fec368f5874176df4c

Thanks.

Kevin

---
From dcc59bfed7bfdcf4183763fec368f5874176df4c Mon Sep 17 00:00:00 2001
From: Dmitry Kozlyuk <dkozlyuk@nvidia.com>
Date: Fri, 24 Jun 2022 16:19:54 +0300
Subject: [PATCH] doc: add more instructions for running as non-root

[ upstream commit 979bb5d493fbbce77eaaf2b4a01ee98f93f76dd9 ]

The guide to run DPDK applications as non-root in Linux
did not provide specific instructions to configure the required access
and did not explain why each bit is needed.
The latter is important because running as non-root
is one of the ways to tighten security and grant minimal permissions.

Signed-off-by: Dmitry Kozlyuk <dkozlyuk@nvidia.com>
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
---
 doc/guides/linux_gsg/enable_func.rst | 90 +++++++++++++++++++---------
 1 file changed, 63 insertions(+), 27 deletions(-)

diff --git a/doc/guides/linux_gsg/enable_func.rst b/doc/guides/linux_gsg/enable_func.rst
index 25f87f6b1a..4f7a8a1522 100644
--- a/doc/guides/linux_gsg/enable_func.rst
+++ b/doc/guides/linux_gsg/enable_func.rst
@@ -67,11 +67,62 @@ Running DPDK Applications Without Root Privileges
 -------------------------------------------------
 
-In order to run DPDK as non-root, the following Linux filesystem objects'
-permissions should be adjusted to ensure that the Linux account being used to
-run the DPDK application has access to them:
+The following sections describe generic requirements and configuration
+for running DPDK applications as non-root.
+There may be additional requirements documented for some drivers.
 
-*   All directories which serve as hugepage mount points, for example, ``/dev/hugepages``
+Hugepages
+~~~~~~~~~
 
-*   If the HPET is to be used,  ``/dev/hpet``
+Hugepages must be reserved as root before running the application as non-root,
+for example::
+
+  sudo dpdk-hugepages.py --reserve 1G
+
+If multi-process is not required, running with ``--in-memory``
+bypasses the need to access hugepage mount point and files within it.
+Otherwise, hugepage directory must be made accessible
+for writing to the unprivileged user.
+A good way for managing multiple applications using hugepages
+is to mount the filesystem with group permissions
+and add a supplementary group to each application or container.
+
+One option is to use the script provided by this project::
+
+  export HUGEDIR=$HOME/huge-1G
+  mkdir -p $HUGEDIR
+  sudo dpdk-hugepages.py --mount --directory $HUGEDIR --user `id -u` --group `id -g`
+
+In production environment, the OS can manage mount points
+(`systemd example <https://github.com/systemd/systemd/blob/main/units/dev-hugepages.mount>`_).
+
+The ``hugetlb`` filesystem has additional options to guarantee or limit
+the amount of memory that is possible to allocate using the mount point.
+Refer to the `documentation <https://www.kernel.org/doc/Documentation/vm/hugetlbpage.txt>`_.
+
+.. note::
+
+   Using ``vfio-pci`` kernel driver, if applicable, can eliminate the need
+   for physical addresses and therefore eliminate the permission requirements
+   described below.
+
+If the driver requires using physical addresses (PA),
+the executable file must be granted additional capabilities:
+
+* ``SYS_ADMIN`` to read ``/proc/self/pagemaps``
+* ``IPC_LOCK`` to lock hugepages in memory
+
+.. code-block:: console
+
+   setcap cap_ipc_lock,cap_sys_admin+ep <executable>
+
+If physical addresses are not accessible,
+the following message will appear during EAL initialization::
+
+  EAL: rte_mem_virt2phy(): cannot open /proc/self/pagemap: Permission denied
+
+It is harmless in case PA are not needed.
+
+Resource Limits
+~~~~~~~~~~~~~~~
 
 When running as non-root user, there may be some additional resource limits
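
Review bot: The capability list names '/proc/self/pagemaps', but the EAL message quoted later in this same hunk reads '/proc/self/pagemap'; the bullet should use the singular name so the two agree. Because the commit message frames non-root operation as a way to grant minimal permissions, the text before the 'setcap' line should also say that SYS_ADMIN is a very broad capability and that the vfio-pci route from the note above is the preferred way to avoid granting it. Smaller points: 'setcap' is shown without 'sudo' while the other privileged commands in this hunk use it, and '$HUGEDIR' is unquoted in the 'mkdir' and 'dpdk-hugepages.py --mount' lines, which breaks if the path contains spaces.
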
@@ -88,6 +139,11 @@ The above limits can usually be adjusted by editing
 ``/etc/security/limits.conf`` file, and rebooting.
 
-Additionally, depending on which kernel driver is in use, the relevant
-resources also should be accessible by the user running the DPDK application.
+See `Hugepage Mapping <hugepage_mapping>`_
+section to learn how these limits affect EAL.
+
+Device Control
+~~~~~~~~~~~~~~
+
+If the HPET is to be used, ``/dev/hpet`` permissions must be adjusted.
 
 For ``vfio-pci`` kernel driver, the following Linux file system objects'
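
Review bot: The added 'See `Hugepage Mapping <hugepage_mapping>`_' line uses reStructuredText external-hyperlink syntax, so 'hugepage_mapping' is taken as a relative URI rather than a cross-reference to a label; a Sphinx cross-reference would be written :ref:`Hugepage Mapping <hugepage_mapping>`. In addition, the new Device Control sentence says /dev/hpet permissions 'must be adjusted' without saying how, which is the kind of gap the commit message sets out to close; an example command or the required access mode would fit here.
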
@@ -99,24 +155,4 @@ permissions should be adjusted:
   devices intended to be used by DPDK, for example, ``/dev/vfio/50``
 
-.. note::
-
-    The instructions below will allow running DPDK with ``igb_uio`` or
-    ``uio_pci_generic`` drivers as non-root with older Linux kernel versions.
-    However, since version 4.0, the kernel does not allow unprivileged processes
-    to read the physical address information from the pagemaps file, making it
-    impossible for those processes to be used by non-privileged users. In such
-    cases, using the VFIO driver is recommended.
-
-For ``igb_uio`` or ``uio_pci_generic`` kernel drivers, the following Linux file
-system objects' permissions should be adjusted:
-
-*   The userspace-io device files in  ``/dev``, for example,  ``/dev/uio0``, ``/dev/uio1``, and so on
-
-*   The userspace-io sysfs config and resource files, for example for ``uio0``::
-
-       /sys/class/uio/uio0/device/config
-       /sys/class/uio/uio0/device/resource*
-
-
 Power Management and Power Saving Functionality
 -----------------------------------------------
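
Review bot: The removed block was the only place that listed which files igb_uio and uio_pci_generic users must make accessible (/dev/uioN and the sysfs 'config' and 'resource*' files), and nothing in the added text replaces it; the new Hugepages section covers only the capabilities needed for physical addresses. If non-root use with those drivers is still meant to work once 'cap_sys_admin' is granted, keep the file list under Device Control; if it is not, say so explicitly instead of silently dropping the note that recommended VFIO.
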
-- 
2.34.3

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2022-06-28 16:18:04.511264898 +0100
+++ 0020-doc-add-more-instructions-for-running-as-non-root.patch	2022-06-28 16:18:04.045387175 +0100
@@ -1 +1 @@
-From 979bb5d493fbbce77eaaf2b4a01ee98f93f76dd9 Mon Sep 17 00:00:00 2001
+From dcc59bfed7bfdcf4183763fec368f5874176df4c Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 979bb5d493fbbce77eaaf2b4a01ee98f93f76dd9 ]
+
@@ -12,2 +13,0 @@
-Cc: stable@dpdk.org
-
@@ -17,3 +17,2 @@
- doc/guides/linux_gsg/enable_func.rst          | 90 +++++++++++++------
- .../prog_guide/env_abstraction_layer.rst      |  2 +
- 2 files changed, 65 insertions(+), 27 deletions(-)
+ doc/guides/linux_gsg/enable_func.rst | 90 +++++++++++++++++++---------
+ 1 file changed, 63 insertions(+), 27 deletions(-)
@@ -22 +21 @@
-index 1df3ab0255..b15bfb2f9f 100644
+index 25f87f6b1a..4f7a8a1522 100644
@@ -25 +24 @@
-@@ -14,11 +14,62 @@ Running DPDK Applications Without Root Privileges
+@@ -67,11 +67,62 @@ Running DPDK Applications Without Root Privileges
@@ -93 +92 @@
-@@ -35,6 +86,11 @@ The above limits can usually be adjusted by editing
+@@ -88,6 +139,11 @@ The above limits can usually be adjusted by editing
@@ -107 +106 @@
-@@ -46,24 +102,4 @@ permissions should be adjusted:
+@@ -99,24 +155,4 @@ permissions should be adjusted:
@@ -132,11 +130,0 @@
-diff --git a/doc/guides/prog_guide/env_abstraction_layer.rst b/doc/guides/prog_guide/env_abstraction_layer.rst
-index 42def41e61..67842ae272 100644
---- a/doc/guides/prog_guide/env_abstraction_layer.rst
-+++ b/doc/guides/prog_guide/env_abstraction_layer.rst
-@@ -229,4 +229,6 @@ Normally, these options do not need to be changed.
-     is enabled), and can optionally be mapped into it at startup.
- 
-+.. _hugepage_mapping:
-+
- Hugepage Mapping
- ^^^^^^^^^^^^^^^^
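
Review bot: The last hunk here drops the env_abstraction_layer.rst change that adds the '.. _hugepage_mapping:' label, yet the backported enable_func.rst still adds a sentence that links to 'hugepage_mapping'. That is a content difference from upstream, not only metadata, so it should be confirmed that the label already exists on the 21.11 branch; otherwise carry the label hunk over or drop the 'See Hugepage Mapping' sentence from the backport.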

