From: "Xueming(Steven) Li"
To: Dmitry Kozlyuk, "stable@dpdk.org"
CC: Bruce Richardson
Subject: RE: [PATCH 20.11] doc: add more instructions for running as non-root
Date: Mon, 15 Aug 2022 08:22:42 +0000
References: <20220801121924.2631663-1-dkozlyuk@nvidia.com>
List-Id: patches for DPDK stable branches

Sorry, my bad, applied now. Thanks!

> -----Original Message-----
> From: Xueming(Steven) Li
> Sent: Tuesday, August 9, 2022 11:09 PM
> To: Dmitry Kozlyuk; stable@dpdk.org
> Cc: Bruce Richardson
> Subject: RE: [PATCH 20.11] doc: add more instructions for running as non-root
>
> > -----Original Message-----
> > From: Dmitry Kozlyuk
> > Sent: Monday, August 1, 2022 8:19 PM
> > To: stable@dpdk.org
> > Cc: Xueming(Steven) Li; Bruce Richardson
> > Subject: [PATCH 20.11] doc: add more instructions for running as non-root
> >
> > [ upstream commit 979bb5d493fbbce77eaaf2b4a01ee98f93f76dd9 ]
> >
> > The guide to run DPDK applications as non-root in Linux did not
> > provide specific instructions to configure the required access and did not explain why each bit is needed.
> > The latter is important because running as non-root is one of the ways to tighten security and grant minimal permissions.
> >
> > Signed-off-by: Dmitry Kozlyuk
> > Acked-by: Bruce Richardson
> > ---
> > Upstream commit references things missing from 21.11:
>
> Maybe this is the root cause that the patch can't merge, please retry with 20.11:
> https://github.com/steevenlee/dpdk
> Branch: 20.11
>
> > new dpdk-hugepages.py options and memory mapping documentation.
> > The script call replaced with a direct mount command.
> > Documentation reference is dropped as non-essential.
> >
> > doc/guides/linux_gsg/enable_func.rst | 85 > > +++++++++++++++++++--------- > > 1 file changed, 58 insertions(+), 27 deletions(-) > > > > diff --git a/doc/guides/linux_gsg/enable_func.rst > > b/doc/guides/linux_gsg/enable_func.rst > > index 25f87f6b1a..7538d04d97 100644 > > --- a/doc/guides/linux_gsg/enable_func.rst > > +++ b/doc/guides/linux_gsg/enable_func.rst
> > @@ -66,13 +66,62 @@ The application can then determine what action to > > take, if any, if the HPET is n Running DPDK Applications Without Root > > Privileges > > ------------------------------------------------- > > > > -In order to run DPDK as non-root, the following Linux filesystem objec= ts' > > -permissions should be adjusted to ensure that the Linux account being = used to -run the DPDK application has access to them: > > +The following sections describe generic requirements and > > +configuration for running DPDK applications as non-root. > > +There may be additional requirements documented for some drivers. > > > > -* All directories which serve as hugepage mount points, for example,= ``/dev/hugepages`` > > +Hugepages > > +~~~~~~~~~ > > > > -* If the HPET is to be used, ``/dev/hpet`` > > +Hugepages must be reserved as root before running the application as > > +non-root, for example:: > > + > > + sudo dpdk-hugepages.py --reserve 1G > > + > > +If multi-process is not required, running with ``--in-memory`` > > +bypasses the need to access hugepage mount point and files within it. > > +Otherwise, hugepage directory must be made accessible for writing to > > +the unprivileged user. > > +A good way for managing multiple applications using hugepages is to > > +mount the filesystem with group permissions and add a supplementary > > +group to each application or container. > > + > > +One option is to mount manually:: > > + > > + mount -t hugetlbfs -o pagesize=3D1G,uid=3D`id -u`,gid=3D`id -g` node= v > > + $HOME/huge-1G > > + > > +In production environment, the OS can manage mount points (`systemd > > +example `_). > > + > > +The ``hugetlb`` filesystem has additional options to guarantee or > > +limit the amount of memory that is possible to allocate using the moun= t point. > > +Refer to the `documentation `_. > > + > > +.. 
note:: > > + > > + Using ``vfio-pci`` kernel driver, if applicable, can eliminate the = need > > + for physical addresses and therefore eliminate the permission requi= rements > > + described below. > > + > > +If the driver requires using physical addresses (PA), the executable > > +file must be granted additional capabilities: > > + > > +* ``SYS_ADMIN`` to read ``/proc/self/pagemaps`` > > +* ``IPC_LOCK`` to lock hugepages in memory > > + > > +.. code-block:: console > > + > > + setcap cap_ipc_lock,cap_sys_admin+ep > > + > > +If physical addresses are not accessible, the following message will > > +appear during EAL initialization:: > > + > > + EAL: rte_mem_virt2phy(): cannot open /proc/self/pagemap: Permission > > + denied > > + > > +It is harmless in case PA are not needed. > > + > > +Resource Limits > > +~~~~~~~~~~~~~~~ > > > > When running as non-root user, there may be some additional resource > > limits that are imposed by the system. Specifically, the following res= ource limits may @@ -87,8 +136,10 @@ need to be adjusted in order > to ensure normal DPDK operation: > > The above limits can usually be adjusted by editing ``/etc/security/l= imits.conf`` file, and rebooting. > > > > -Additionally, depending on which kernel driver is in use, the > > relevant -resources also should be accessible by the user running the D= PDK application. > > +Device Control > > +~~~~~~~~~~~~~~ > > + > > +If the HPET is to be used, ``/dev/hpet`` permissions must be adjusted. > > > > For ``vfio-pci`` kernel driver, the following Linux file system object= s' > > permissions should be adjusted: 
> > @@ -98,26 +149,6 @@ permissions should be adjusted: > > * The directories under ``/dev/vfio`` that correspond to IOMMU group n= umbers of > > devices intended to be used by DPDK, for example, ``/dev/vfio/50`` > > > > -.. note:: > > - > > - The instructions below will allow running DPDK with ``igb_uio`` or > > - ``uio_pci_generic`` drivers as non-root with older Linux kernel ve= rsions. > > - However, since version 4.0, the kernel does not allow unprivileged= processes > > - to read the physical address information from the pagemaps file, m= aking it > > - impossible for those processes to be used by non-privileged users.= In such > > - cases, using the VFIO driver is recommended. > > - > > -For ``igb_uio`` or ``uio_pci_generic`` kernel drivers, the following L= inux file -system objects' permissions should be adjusted: > > - > > -* The userspace-io device files in ``/dev``, for example, ``/dev/u= io0``, ``/dev/uio1``, and so on > > - > > -* The userspace-io sysfs config and resource files, for example for = ``uio0``:: > > - > > - /sys/class/uio/uio0/device/config > > - /sys/class/uio/uio0/device/resource* > > - > > - > > Power Management and Power Saving Functionality > > ----------------------------------------------- > > > > -- > > 2.25.1
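
Review bot: In the first hunk (@@ -66,13 +66,62 @@) the capability list names ``/proc/self/pagemaps``, while the EAL message quoted a few lines later refers to /proc/self/pagemap; the procfs file is pagemap (singular), so the bullet should be corrected to match. In the same hunk the "setcap cap_ipc_lock,cap_sys_admin+ep" example carries no file operand as it appears here, so it is worth confirming that the executable placeholder is present in the applied text. Since the commit message gives minimal permissions as the motivation, a sentence noting that SYS_ADMIN is a broad capability, and that file capabilities take effect for every user able to execute the binary, would help readers weigh this option against the ``vfio-pci`` route mentioned in the note.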
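
Review bot: In the second hunk (@@ -87,8 +136,10 @@) the new Device Control sentence "If the HPET is to be used, ``/dev/hpet`` permissions must be adjusted." does not say which access the unprivileged user needs or how to grant it, which falls short of the commit message's own goal of giving specific instructions and explaining why each bit is needed. Suggest stating the required access mode and recommending a group-based grant, in line with the supplementary-group approach the Hugepages section describes, rather than leaving the adjustment open-ended.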
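
Review bot: The third hunk (@@ -98,26 +149,6 @@) removes all guidance for ``igb_uio`` and ``uio_pci_generic``, including the ``/dev/uio0`` device files and the sysfs config and resource files, so after this change Device Control covers only HPET and ``vfio-pci`` while the Hugepages section still describes drivers that require physical addresses. If non-root operation with the UIO drivers remains possible through the capabilities added earlier, the file permissions those drivers need should stay documented; if it is not supported, say so explicitly. The removed note was also the only place explaining that kernels since version 4.0 refuse unprivileged reads of the pagemap file, which is the reason SYS_ADMIN is requested, so that rationale is worth keeping next to the capability list.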