"Mooney, Sean K" <sean.k.moo...@intel.com> writes:

>> -----Original Message-----
>> From: dev [mailto:dev-boun...@openvswitch.org] On Behalf Of Aaron Conole
>> Sent: Saturday, August 20, 2016 12:48 AM
>> To: dev@openvswitch.org; Ben Pfaff <b...@ovn.org>; Daniele Di Proietto <diproiet...@vmware.com>
>> Subject: [ovs-dev] [PATCH v4 0/3] vhost-user: Add the ability to control ownership/permissions
>>
>> Currently, when using Open vSwitch with DPDK and qemu guests, the
>> recommended method for joining the guests is via the dpdkvhostuser
>> interface. This interface uses Unix Domain sockets to communicate. When
>> these sockets are created, they inherit the permissions and ownership
>> from the vswitchd process. This can lead to an undesirable state where
>> the QEMU process cannot use the socket file until manual intervention
>> is performed (via `chown` and/or `chmod` calls).
>>
>> This patchset gives the ability to set the permissions and ownership of
>> all dpdkvhostuser sockets from the database, avoiding the manual
>> intervention required to connect QEMU and OVS via DPDK.
>
> [Mooney, Sean K] Technically you don't need to do any manual intervention
> today if you start the ovs-vswitchd process with
> sudo sg <qemu group> -c "umask 200; ovs-vswitchd .."
> i.e. start it with the same group as the qemu process and allow read/write
> access to members of the same group.
> This is how we have deployed ovs with dpdk in the networking-ovs-dpdk
> devstack plug for more than 2 years.

Well, I consider that manual intervention anyway. With that approach, you
can't start using ovs-ctl and you have lots of permissions weirdness on
logfiles and non-dpdk sockets, so there are still steps that have to be
taken - even if, sure, you can wrap them in a script. OvS isn't setting the
permissions to be "usable values" for the qemu user, which is what I
consider the issue (for some definitions of usable values).

> The new parameters make this simpler though, as you no longer need to
> use the linux sg and umask commands to adjust the socket permissions of
> all files created by the vswitchd process. It's also likely more secure,
> as the permission change is limited to the vhost-user socket files.
>
>> The first patch adds chmod and chown calls to lib, with unit tests. The
>> second patch adds a hardness amplification version as described in the
>> paper "Portably Solving File TOCTTOU Races with Hardness Amplification"
>> found at
>> https://www.usenix.org/legacy/event/fast08/tech/full_papers/tsafrir/tsafrir_html/index.html,
>> while the third patch hooks those calls into the
>> netdev_dpdk_vhost_user_construct function, after the socket is created.
>>
>> Changes from v3:
>> * Replaced patch 2/3 with hardness amplification version. Retested on RHEL7
>>   and validated the travis builds.
>>
>> Changes from v2:
>> * Added a new 2nd patch to series for chmod/chown on already opened files.
>>   There exist known implementations for other systems, including FreeBSD,
>>   but only Linux is implemented. ENOTSUP is set when these calls fail on
>>   non-Linux systems.
>>
>> Aaron Conole (3):
>>   chutil: introduce a new change-utils lib
>>   chutil: Add hardness amplification versions of chmod/chown
>>   netdev-dpdk: Support user-defined socket attribs
>>
>>  INSTALL.DPDK.md      |   8 +
>>  configure.ac         |   2 +-
>>  lib/automake.mk      |   2 +
>>  lib/chutil-unix.c    | 652 +++++++++++++++++++++++++++++++++++++++++++++++++++
>>  lib/chutil.h         |  36 +++
>>  lib/daemon-unix.c    | 149 +----------
>>  lib/netdev-dpdk.c    |  37 +++
>>  tests/automake.mk    |   2 +
>>  tests/library.at     |   5 +
>>  tests/test-chutil.c  | 297 +++++++++++++++++++++++
>>  vswitchd/vswitch.xml |  23 ++
>>  11 files changed, 1068 insertions(+), 145 deletions(-)
>>  create mode 100644 lib/chutil-unix.c
>>  create mode 100644 lib/chutil.h
>>  create mode 100644 tests/test-chutil.c
>>
>> --
>> 2.5.5
>>
>> _______________________________________________
>> dev mailing list
>> dev@openvswitch.org
>> http://openvswitch.org/mailman/listinfo/dev
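The creation-time umask approach discussed above, as an added C example that is neither part of this thread nor OVS code: because bind() applies the umask when it creates the socket node, the node is never visible with the inherited permissions, so no chmod() of the path (and no TOCTTOU window on it) is needed afterwards. The function names and the socket path are assumptions; group ownership of the node still comes from the creating process, which is what the `sg` wrapper in the thread arranges.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Create and bind a Unix domain socket at 'path' (an assumed example path)
 * with the umask set so the node is born with permission bits 'mode'.
 * bind() applies the umask when it creates the node, so the socket never
 * exists with the inherited permissions and no later chmod() of the path
 * (and so no TOCTTOU window on it) is needed. Returns the fd, or -1/errno. */
int bind_unix_socket_with_mode(const char *path, mode_t mode)
{
    struct sockaddr_un addr;
    int fd, rc, saved_errno;
    if (strlen(path) >= sizeof addr.sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    /* Mask out every bit not in 'mode'; restore the old umask either way. */
    mode_t old_umask = umask(~mode & 0777);
    rc = bind(fd, (struct sockaddr *) &addr, sizeof addr);
    saved_errno = errno;
    umask(old_umask);
    if (rc < 0) {
        close(fd);
        errno = saved_errno;
        return -1;
    }
    return fd;
}

/* Permission bits of the socket node at 'path', or -1 if it is missing or
 * not a socket; lstat() so a symlink planted at the path is not followed. */
int socket_node_mode(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISSOCK(st.st_mode)) {
        return -1;
    }
    return (int) (st.st_mode & 0777);
}
```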