[dpdk-dev] [RFC 2/2] nfp: allow for non-root user
Alejandro Lucero
alejandro.lucero at netronome.com
Thu Apr 19 08:05:57 CEST 2018
On Wed, Apr 18, 2018 at 1:32 PM, Aaron Conole <aconole at redhat.com> wrote:
> Alejandro Lucero <alejandro.lucero at netronome.com> writes:
>
> > On Tue, Apr 17, 2018 at 8:19 PM, Aaron Conole <aconole at redhat.com>
> wrote:
> >
> > Alejandro Lucero <alejandro.lucero at netronome.com> writes:
> >
> > > I was just wondering, if device device PCI sysfs resource files or
> VFIO group /dev files
> > require to change
> > > permissions for non-root users, does it not make sense to adjust also
> /var/lock in the
> > system?
> >
> > For the /dev, we use udev rules - so the correct individual vfio device
> > files get assigned the correct permissions. No such mechanism exists
> > for /var/lock as far as I can tell.
> >
> > Ex. see:
> >
> > https://github.com/openvswitch/ovs/blob/master/
> rhel/usr_lib_udev_rules.d_91-vfio.rules
> >
> >
> > Maybe something similar exists that we could use to generate the lock
> > file automatically?
> >
> > What about /sysfs/bus/pci/device/$PCI_DEV/resource file?
> >
> > Is RH forcing OVS DPDK to only work if the host has IOMMU support?
>
> Yes.
>
Ok then. It makes sense now to apply this patch to stable versions.
Acked-by: Alejandro Lucero <alejandro.lucero at netronome.com>
>
> > > On Tue, Apr 17, 2018 at 4:44 PM, Alejandro Lucero
> > <alejandro.lucero at netronome.com> wrote:
> > >
> > > I have seen that VFIO also requires explicitly to set the right
> permissions for non-root
> > users to VFIO
> > > groups under /dev/vfio.
> > >
> > > I assume then that running OVS or other DPDK apps as non-root is
> possible,
> > although requiring
> > > those explicit permissions changes, and therefore this patch is
> necessary.
> > >
> > > Adding stable@ and Thomas for discussing how can this be added to
> stable DPDK
> > versions even if
> > > this is not going to be a patch for current DPDK version.
> > >
> > > Acked-by: Alejandro Lucero <alejandro.lucero at netronome.com>
> > >
> > > On Fri, Apr 13, 2018 at 4:31 PM, Alejandro Lucero
> > <alejandro.lucero at netronome.com> wrote:
> > >
> > > On Fri, Apr 13, 2018 at 2:31 PM, Aaron Conole <aconole at redhat.com>
> wrote:
> > >
> > > Alejandro Lucero <alejandro.lucero at netronome.com> writes:
> > >
> > > > Again, this patch is correct, but because NFP PMD needs to access
> > > > /sys/bus/pci/devices/$DEVICE_PCI_STRING/resource$RESOURCE_ID, and
> these files
> > have
> > > just
> > > > read/write accesses for root, I do not know if this is really
> necessary.
> > > >
> > > > Being honest, I have not used a DPDK app with NFP PMD and not
> being root. Does
> > it
> > > work
> > > > with non-root users and other PMDs with same requirements
> regarding sysfs
> > resource
> > > files?
> > >
> > > We do run as non-root user definitely with Intel PMDs.
> > >
> > > I'm not very sure about other vendors, but I think mlx pmd runs as
> > > non-root user (and it was modified to move off of sysfs for that
> > > reason[1]).
> > >
> > > It is possible to not rely on sysfs resource files if device is
> attached to VFIO, but I
> > think that is a
> > > must with UIO.
> > >
> > >
> > > I'll continue to push for more information from the testing side to
> find
> > > out though.
> > >
> > > [1]: http://dpdk.org/ml/archives/dev/2018-February/090586.html
> > >
> > > > On Fri, Apr 13, 2018 at 12:22 AM, Aaron Conole <aconole at redhat.com>
> wrote:
> > > >
> > > > Currently, the nfp lock files are taken from the global lock file
> > > > location, which will work when the user is running as root.
> However,
> > > > some distributions and applications (notably ovs 2.8+ on
> RHEL/Fedora)
> > > > run as a non-root user.
> > > >
> > > > Signed-off-by: Aaron Conole <aconole at redhat.com>
> > > > ---
> > > > drivers/net/nfp/nfp_nfpu.c | 23 ++++++++++++++++++-----
> > > > 1 file changed, 18 insertions(+), 5 deletions(-)
> > > >
> > > > diff --git a/drivers/net/nfp/nfp_nfpu.c
> b/drivers/net/nfp/nfp_nfpu.c
> > > > index 2ed985ff4..ae2e07220 100644
> > > > --- a/drivers/net/nfp/nfp_nfpu.c
> > > > +++ b/drivers/net/nfp/nfp_nfpu.c
> > > > @@ -18,6 +18,22 @@
> > > > #define NFP_CFG_EXP_BAR 7
> > > >
> > > > #define NFP_CFG_EXP_BAR_CFG_BASE 0x30000
> > > > +#define NFP_LOCKFILE_PATH_FMT "%s/nfp%d"
> > > > +
> > > > +/* get nfp lock file path (/var/lock if root, $HOME otherwise) */
> > > > +static void
> > > > +nspu_get_lockfile_path(char *buffer, int bufsz, nfpu_desc_t
> *desc)
> > > > +{
> > > > + const char *dir = "/var/lock";
> > > > + const char *home_dir = getenv("HOME");
> > > > +
> > > > + if (getuid() != 0 && home_dir != NULL)
> > > > + dir = home_dir;
> > > > +
> > > > + /* use current prefix as file path */
> > > > + snprintf(buffer, bufsz, NFP_LOCKFILE_PATH_FMT, dir,
> > > > + desc->nfp);
> > > > +}
> > > >
> > > > /* There could be other NFP userspace tools using the NSP
> interface.
> > > > * Make sure there is no other process using it and locking the
> access for
> > > > @@ -30,9 +46,7 @@ nspv_aquire_process_lock(nfpu_desc_t *desc)
> > > > struct flock lock;
> > > > char lockname[30];
> > > >
> > > > - memset(&lock, 0, sizeof(lock));
> > > > -
> > > > - snprintf(lockname, sizeof(lockname), "/var/lock/nfp%d",
> desc->nfp);
> > > > + nspu_get_lockfile_path(lockname, sizeof(lockname), desc);
> > > >
> > > > /* Using S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH
> | S_IWOTH */
> > > > desc->lock = open(lockname, O_RDWR | O_CREAT, 0666);
> > > > @@ -106,7 +120,6 @@ nfpu_close(nfpu_desc_t *desc)
> > > > rte_free(desc->nspu);
> > > > close(desc->lock);
> > > >
> > > > - snprintf(lockname, sizeof(lockname), "/var/lock/nfp%d",
> desc->nfp);
> > > > - unlink(lockname);
> > > > + nspu_get_lockfile_path(lockname, sizeof(lockname), desc);
> > > > return 0;
> > > > }
> > > > --
> > > > 2.14.3
>
More information about the dev
mailing list