I should be on the discuss mailing list. Let me just state a big _YES_: I am working on this problem from multiple facets.
Ansis Atteka <aatt...@vmware.com> writes:

> Hi,
>
> In fact I think we should remove any Discretionary Access Control
> (--user) and implement proper Mandatory Access Control (SELinux and
> Apparmor) support. Unless anyone can bring up a good case to keep
> and/or extend the DAC feature in OVS.

There was a reason to implement it in the first place, yes? I don't know if NetBSD has MAC, but it is still listed as a supported platform. I know there's some kind of MAC in FreeBSD, but I don't know much else from that perspective.

> The link you posted seems to mention Apparmor as the root cause for
> the Permission Denied issue and not File Access bits - however this
> contradicts with the fact that chown helped you to get rid of the
> error.

I have a bug open to resolve this from my side, and posted patches to get by the first hurdle (http://openvswitch.org/pipermail/dev/2015-December/063565.html and http://openvswitch.org/pipermail/dev/2015-December/063567.html) - but having DPDK initialize once and then drop privileges is my ultimate goal.

> To verify this can you do:
>
> 1. ps -Af for both processes that create and connect to the socket.
>
> 2. ls -la for the socket that is getting permission denied?
>
> Thanks,
> Ansis
>
> ________________________________
> From: discuss <discuss-boun...@openvswitch.org> on behalf of Christian Ehrhardt <christian.ehrha...@canonical.com>
> Sent: Monday, January 25, 2016 10:32 PM
> To: dev@openvswitch.org; disc...@openvswitch.org
> Subject: [ovs-discuss] Somebody making --user and dpdk compatible again?
>
> Hi,
> to avoid missing other work that has already been done (and google didn't
> find me anything):
> Is there already work going on to get --user and dpdk working together?
> (see http://openvswitch.org/pipermail/dev/2015-September/060382.html)

I haven't posted anything yet for the initialization piece, but I am working on this. The problem is, DPDK wants to do things, but we may have already dropped privileges (among other issues).
> Background:
> While setting up a vhost_user based ovs-dpdk setup I'm struggling to
> get access to the vhost user sockets from qemu/kvm due to permission
> issues.
> Various mailing list posts like
> (http://openvswitch.org/pipermail/discuss/2015-August/018553.html)
> indicate to change the user running OVS, since the sockets are
> defaulting to the process user/group.
> To run OVS as a different user --user seems to be the preferred way.
> But as linked above, --user has other issues with DPDK and therefore
> is mutually exclusive for now.
>
> I was able to fix the permission issue with some chown/chmod, but I
> wonder if there would be a cleaner way to do so at some point. Maybe
> eventually the approach is totally different anyway (like only
> specifying :group for the sockets to be created). But I wondered if
> that old mail thread is still being worked on by somebody atm.

See the patches I linked earlier. This is my first step - get vhostuser configurable so that a flexible permissions system can be used (i.e. why not have a :vhost group on the system to which ovs and qemu belong). I'll be reposting them once I hear back on the dpdk initialization series.

> Christian Ehrhardt
> Software Engineer, Ubuntu Server
> Canonical Ltd
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
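The two ideas the thread circles around, a shared ":vhost" group that owns the socket and "initialize once, then drop privileges", as an added example that is not OVS, DPDK or any poster's code. It creates a vhost-user style AF_UNIX socket with mode 0660 (on Linux, connect() needs write permission on the socket inode, so a socket left at the daemon's default umask is exactly what produces the Permission denied that qemu ran into), optionally hands the socket to a group, and then drops uid/gid in the only order that cannot be undone. The path /tmp/ovs-vhost-example.sock and the gid argument are assumptions made for the demonstration.

```c
/* Added example (not OVS code): create a vhost-user style Unix socket whose
 * file mode lets a shared group connect, then drop privileges. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Create a listening AF_UNIX socket at 'path'. The socket inode gets 'mode'
 * (e.g. 0660) so the owner and the owning group can connect. If 'gid' is not
 * (gid_t)-1 the inode is handed to that group: the ":vhost" idea from the
 * thread, where ovs and qemu share one group and nobody else can reach the
 * socket. Returns the listening fd, or -1 with errno set. */
int create_vhost_socket(const char *path, gid_t gid, mode_t mode)
{
    struct sockaddr_un addr;
    mode_t old_umask;
    int fd;

    if (strlen(path) >= sizeof addr.sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) {
        return -1;
    }
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    unlink(path);                      /* stale socket from a previous run */

    /* bind() applies the umask to the socket inode; set the bits we want
     * instead of inheriting whatever the daemon was started with. */
    old_umask = umask(~mode & 0777);
    if (bind(fd, (struct sockaddr *) &addr, sizeof addr) < 0) {
        umask(old_umask);
        close(fd);
        return -1;
    }
    umask(old_umask);

    if (chmod(path, mode) < 0
        || (gid != (gid_t) -1 && chown(path, (uid_t) -1, gid) < 0)
        || listen(fd, 16) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Permission bits of the socket file at 'path', or -1 if it does not exist.
 * This is the "ls -la for the socket" check from the thread, in code. */
int socket_mode(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0) {
        return -1;
    }
    return (int) (st.st_mode & 07777);
}

/* Drop to uid/gid once privileged setup (DPDK init, socket creation) is done.
 * Supplementary groups first, then gid, then uid: after the uid is gone the
 * other two can no longer be changed. Returns 0 on success, -1 on failure.
 * A final setuid(0) probe confirms the drop is irreversible when the target
 * is not root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only a privileged process may clear the supplementary group list. */
    if (geteuid() == 0 && setgroups(0, NULL) < 0) {
        return -1;
    }
    if (setgid(gid) < 0 || setuid(uid) < 0) {
        return -1;
    }
    if (uid != 0 && setuid(0) == 0) {
        return -1;              /* could regain root: the drop did not take */
    }
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

int main(void)
{
    const char *path = "/tmp/ovs-vhost-example.sock";   /* assumed path */
    int fd = create_vhost_socket(path, (gid_t) -1, 0660);
    if (fd < 0) {
        perror("create_vhost_socket");
        return 1;
    }
    printf("%s mode %04o\n", path, socket_mode(path));
    if (drop_privileges(getuid(), getgid()) < 0) {
        perror("drop_privileges");
        return 1;
    }
    close(fd);
    unlink(path);
    return 0;
}
```

To use the :vhost group idea for real, pass getgrnam("vhost")->gr_gid as gid while still root and call drop_privileges() only after DPDK and everything else that needs root has finished initialising. This addresses only the discretionary side; an AppArmor or SELinux policy confining qemu or ovs-vswitchd still has to allow the connect.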