On Mon, Aug 24, 2020 at 04:45:00PM +0100, Anatoly Burakov wrote: > The current instructions are slightly out of date when it comes to > providing information about setting up the system for using DPDK as > non-root, so update them. > > Cc: sta...@dpdk.org > > Signed-off-by: Anatoly Burakov <anatoly.bura...@intel.com> > --- > doc/guides/linux_gsg/enable_func.rst | 54 ++++++++++++++++++++-------- > 1 file changed, 39 insertions(+), 15 deletions(-) > > diff --git a/doc/guides/linux_gsg/enable_func.rst > b/doc/guides/linux_gsg/enable_func.rst > index b2bda80bb7..78b0f7c012 100644 > --- a/doc/guides/linux_gsg/enable_func.rst > +++ b/doc/guides/linux_gsg/enable_func.rst > @@ -58,22 +58,34 @@ The application can then determine what action to take, > if any, if the HPET is n > if any, and on what is available on the system at runtime. > > Running DPDK Applications Without Root Privileges > --------------------------------------------------------- > +------------------------------------------------- > > -.. note:: > +In order to run DPDK as non-root, the following Linux filesystem objects' > +permissions should be adjusted to ensure that the Linux account being used to > +run the DPDK application has access to them: > > - The instructions below will allow running DPDK as non-root with older > - Linux kernel versions. However, since version 4.0, the kernel does not > allow > - unprivileged processes to read the physical address information from > - the pagemaps file, making it impossible for those processes to use HW > - devices which require physical addresses > +* All directories which serve as hugepage mount points, for example, > ``/dev/hugepages`` > > -Although applications using the DPDK use network ports and other hardware > resources directly, > -with a number of small permission adjustments it is possible to run these > applications as a user other than "root". > -To do so, the ownership, or permissions, on the following Linux file system > objects should be adjusted to ensure that > -the Linux user account being used to run the DPDK application has access to > them: > +* If the HPET is to be used, ``/dev/hpet`` > > -* All directories which serve as hugepage mount points, for example, > ``/mnt/huge`` > +When running as non-root user, there may be some additional resource limits > +that are imposed by the system. Specifically, the following resource limits > may > +need to be adjusted in order to ensure normal DPDK operation: > + > +* RLIMIT_LOCKS (number of file locks that can be held by a process) > + > +* RLIMIT_NOFILE (number of open file descriptors that can be held open by a > process) > + > +* RLIMIT_MEMLOCK (amount of pinned pages the process is allowed to have) > + > +The above limits can usually be adjusted by editing > +``/etc/security/limits.conf`` file, and rebooting. > + > +Additionally, depending on which kernel driver is in use, the relevant > +resources also should be accessible by the user running the DPDK application. > + > +For ``igb_uio`` or ``uio_pci_generic`` kernel drivers, the following Linux > file > +system objects' permissions should be adjusted: > > * The userspace-io device files in ``/dev``, for example, ``/dev/uio0``, > ``/dev/uio1``, and so on > > @@ -82,11 +94,23 @@ the Linux user account being used to run the DPDK > application has access to them > /sys/class/uio/uio0/device/config > /sys/class/uio/uio0/device/resource* > > -* If the HPET is to be used, ``/dev/hpet`` > - > .. note:: > > - On some Linux installations, ``/dev/hugepages`` is also a hugepage > mount point created by default. > + The instructions above will allow running DPDK with ``igb_uio`` driver as > + non-root with older Linux kernel versions. However, since version 4.0, > the > + kernel does not allow unprivileged processes to read the physical address > + information from the pagemaps file, making it impossible for those > + processes to be used by non-privileged users. In such cases, using the > VFIO > + driver is recommended. > + > +For ``vfio-pci`` kernel driver, the following Linux file system objects' > +permissions should be adjusted: > + > +* The VFIO device file , ``/dev/vfio/vfio`` > + > +* The directories under ``/dev/vfio`` that correspond to IOMMU group numbers > of > + devices intended to be used by DPDK, for example, ``/dev/vfio/50`` > + > Since we'd very much prefer in all cases people to use VFIO, I think the VFIO instructions should come first. Otherwise the text itself reads fine to me.
/Bruce
