On 12/14/2022 3:41 PM, Shibin Koikkara Reeny wrote:
Integrate support for the AF_XDP CNI and device plugin [1] so that the
DPDK AF_XDP PMD can work in an unprivileged container environment.
Part of the AF_XDP PMD initialization process involves loading
an eBPF program onto the given netdev. This operation requires
privileges, which prevents the PMD from being able to work in an
unprivileged container (without root access). The plugin CNI handles
the program loading. CNI open Unix Domain Socket (UDS) and waits
listening for a client to make requests over that UDS. The client(DPDK)
connects and a "handshake" occurs, then the File Descriptor which points
to the XSKMAP associated with the loaded eBPF program is handed over
to the client. The client can then proceed with creating an AF_XDP
socket and inserting the socket into the XSKMAP pointed to by the
FD received on the UDS.
A new vdev arg "use_cni" is created to indicate user wishes to run
the PMD in unprivileged mode and to receive the XSKMAP FD from the CNI.
When this flag is set, the XSK_LIBBPF_FLAGS__INHIBIT_PROG_LOAD libbpf flag
should be used when creating the socket, which tells libbpf not to load the
default libbpf program on the netdev. We tell libbpf not to do this because
the loading is handled by the CNI in this scenario.
[1]: https://github.com/intel/afxdp-plugins-for-kubernetes
Signed-off-by: Shibin Koikkara Reeny <shibin.koikkara.re...@intel.com>
---
Tested-by: Anatoly Burakov <anatoly.bura...@intel.com>
The testing setup is a bit involved, but everything seems to work once
all the pieces fall into place.
--
Thanks,
Anatoly
