"Mooney, Sean K" <sean.k.moo...@intel.com> writes:

>> -----Original Message-----
>> From: dev [mailto:dev-boun...@openvswitch.org] On Behalf Of Aaron Conole
>> Sent: Saturday, August 20, 2016 12:48 AM
>> To: dev@openvswitch.org; Ben Pfaff <b...@ovn.org>; Daniele Di Proietto
>> <diproiet...@vmware.com>
>> Subject: [ovs-dev] [PATCH v4 0/3] vhost-user: Add the ability to control
>> ownership/permissions
>> 
>> Currently, when using Open vSwitch with DPDK and qemu guests, the
>> recommended method for joining the guests is via the dpdkvhostuser
>> interface. This interface uses Unix Domain sockets to communicate. When
>> these sockets are created, they inherit the permissions and ownership from
>> the vswitchd process. This can lead to an undesirable state where the QEMU
>> process cannot use the socket file until manual intervention is performed
>> (via `chown` and/or `chmod` calls).
>> 
>> 
>> This patchset gives the ability to set the permissions and ownership of all
>> dpdkvhostuser sockets from the database, avoiding the manual intervention
>> required to connect QEMU and OVS via DPDK.
> [Mooney, Sean K] technically you don't need to do any manual
> intervention today if you start the ovs-vswitchd process with
> sudo sg <qemu group> -c "umask 200; ovs-vswitchd .."
> i.e. start it with the same group as the qemu process and allow read/write
> access to members of the same group.
> This is how we have deployed ovs with dpdk in the networking-ovs-dpdk
> devstack plugin for more than 2 years.

Well, I consider that manual intervention anyway.  With that approach,
you can't start using ovs-ctl and you have lots of permissions weirdness
on logfiles and non-dpdk sockets, so there are still steps that have to be
taken - even if, sure, you can wrap them in a script.  OvS isn't setting
the permissions to "usable values" for the qemu user, which is what I
consider the issue (for some definitions of usable values).

> The new parameters make this simpler though, as you no longer need to
> use the linux sg and umask commands to adjust the socket permissions of
> all files created by the vswitchd process. It's also likely more secure,
> as the permission change is limited to the vhost-user socket files.
>
>> 
>> 
>> The first patch adds chmod and chown calls to lib, with unit tests.  The
>> second patch adds a hardness amplification version as described in the
>> paper "Portably Solving File TOCTTOU Races with Hardness Amplification",
>> found at
>> https://www.usenix.org/legacy/event/fast08/tech/full_papers/tsafrir/tsafrir_html/index.html,
>> while the third patch hooks those calls into the
>> netdev_dpdk_vhost_user_construct function, after the socket is created.
>> 
>> 
>> Changes from v3:
>> * Replaced patch 2/3 with hardness amplification version.  Retested on RHEL7
>>   and validated the travis builds.
>> 
>> Changes from v2:
>> * Added a new 2nd patch to series for chmod/chown on already opened files.
>>   There exist known implementations for other systems, including FreeBSD, but
>>   only linux is implemented.  ENOTSUP is set when these calls fail on
>>   non-linux systems.
>> 
>> Aaron Conole (3):
>>   chutil: introduce a new change-utils lib
>>   chutil: Add hardness amplification versions of chmod/chown
>>   netdev-dpdk: Support user-defined socket attribs
>> 
>>  INSTALL.DPDK.md      |   8 +
>>  configure.ac         |   2 +-
>>  lib/automake.mk      |   2 +
>>  lib/chutil-unix.c    | 652 +++++++++++++++++++++++++++++++++++++++++++++++++++
>>  lib/chutil.h         |  36 +++
>>  lib/daemon-unix.c    | 149 +-----------
>>  lib/netdev-dpdk.c    |  37 +++
>>  tests/automake.mk    |   2 +
>>  tests/library.at     |   5 +
>>  tests/test-chutil.c  | 297 +++++++++++++++++++++++
>>  vswitchd/vswitch.xml |  23 ++
>>  11 files changed, 1068 insertions(+), 145 deletions(-)
>>  create mode 100644 lib/chutil-unix.c
>>  create mode 100644 lib/chutil.h
>>  create mode 100644 tests/test-chutil.c
>> 
>> --
>> 2.5.5
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
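As an added illustration of the K-race idea the cover letter borrows from the Tsafrir paper (my own sketch, not the chutil code in this series), here is a chmod that refuses symlinks and re-verifies the target's dev/inode pair after each of K rounds, so a substitution of the socket path between check and act has to win every round to go unnoticed. The demo helper assumes a writable /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check/act rounds; an attacker must win the lstat/chmod race in every one. */
#define KRACE_ROUNDS 7

static bool same_file(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* chmod 'path' without following symlinks, re-checking after every chmod()
 * that the object at 'path' is still the one first seen (same dev/inode).
 * Returns 0 or an errno value; EACCES means the file identity changed
 * underneath us, i.e. the K-race detected a substitution. */
int hardened_chmod(const char *path, mode_t mode)
{
    struct stat first, now;

    if (lstat(path, &first) < 0) return errno;
    if (S_ISLNK(first.st_mode)) return ELOOP;     /* refuse planted symlinks */
    for (int round = 0; round < KRACE_ROUNDS; round++) {
        if (chmod(path, mode) < 0) return errno;
        if (lstat(path, &now) < 0) return errno;
        if (S_ISLNK(now.st_mode) || !same_file(&first, &now)) return EACCES;
    }
    return 0;
}

/* Demo helper (constructed): create a temp file, harden-chmod it and return
 * the permission bits it ends up with, or -1 on any failure. */
int demo_chmod_tempfile(mode_t mode)
{
    char path[] = "/tmp/chutil-demo-XXXXXX";   /* assumes a writable /tmp */
    struct stat st;
    int fd = mkstemp(path), result = -1;

    if (fd < 0) return -1;
    close(fd);
    if (hardened_chmod(path, mode) == 0 && stat(path, &st) == 0) {
        result = st.st_mode & 07777;
    }
    unlink(path);
    return result;
}
```

The real fix for an already-open socket would use the fd-based calls (fchmod/fchown) where the platform supports them; the path-based K-race above is the portable fallback the paper describes.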