[Bug 1546565] Re: Ownership/Permissions of vhost_user sockets for openvswitch-dpdk make them unusable by libvirt/qemu/kvm
OpenStack Infra
1546565 at bugs.launchpad.net
Wed Jun 8 18:45:05 UTC 2016
Reviewed: https://review.openstack.org/314472
Committed: https://git.openstack.org/cgit/openstack/charm-neutron-openvswitch/commit/?id=4f6e2ca2512e298faf17b1db532625132623a628
Submitter: Jenkins
Branch: master
commit 4f6e2ca2512e298faf17b1db532625132623a628
Author: James Page <james.page at ubuntu.com>
Date: Tue May 10 10:16:06 2016 +0100
Set correct permissions for vhostuser sockets
The latest updates to DPDK in 16.04 and above introduce two new
parameters for DPDK initialization which avoid the need to run
qemu processes with vhostuser sockets as root.
Use these options to ensure that sockets are created with the
correct ownership and permissions for OpenStack/KVM.
Change-Id: I04bbd514d1bdb9b3249ed69e8d64eb66d9839944
Closes-Bug: 1546565
** Changed in: neutron-openvswitch (Juju Charms Collection)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to openvswitch in Ubuntu.
https://bugs.launchpad.net/bugs/1546565
Title:
Ownership/Permissions of vhost_user sockets for openvswitch-dpdk make
them unusable by libvirt/qemu/kvm
Status in dpdk package in Ubuntu:
Fix Released
Status in openvswitch package in Ubuntu:
New
Status in dpdk source package in Xenial:
Fix Released
Status in openvswitch source package in Xenial:
New
Status in neutron-openvswitch package in Juju Charms Collection:
Fix Committed
Bug description:
As of today the vhost_user sockets created by openvswitch have root:root file ownership.
In fact creation is actually done by code the DPDK lib, but the path is passed to it from openvswitch.
The API called to DPDK has no notion of ownership/groups.
It just "inherits" what the current running process has.
But due to LP:1546556 the process ownership/group can't be changed the usual way openvsiwtch would when using dpdk.
KVM as invoked by libvirt will run under libvirt-qemu:kvm and will
thereby be unable to access these sockets.
The current workaround is:
1. wait after start of openvswitch (only then the sockets exist)
2. chown all created vhost_iuser sockets that are to be used
e.g. sudo chown libvirt-qemu /var/run/openvswitch/vhost-user-1
3. if one wants to separate vhost_user sockets from the "rest" of openvswitch /var/run files use e.g.:
DPDK_OPTS='[...] -vhost_sock_dir /var/run/openvswitch-vhost [...]
X. this has to be redone every start/restart of oepnvswitch
Y. if permissions are changed in a way that openvswitch can no more remove them on shutdown they won't re-initialize properly on the next start
That is a severe shortcoming and not really applicable to a supported production environment.
There are discussions ongoing about providing an option to specify owner/group/permissions of vhost_user sockets which would solve the issue.
Unfortunately the patch series is blocked by a wider discussion about moving the dpdk configuration to the ovsdb (which makes sense, but stalls the acceptance of the patches providing the interface to modify permissions.
Link to the last thread about moving dpdk config to ovsdb: http://comments.gmane.org/gmane.network.openvswitch.devel/59186
Link to the last thread about making vhost_user socket user/group configurable - patch 4&5 of this: http://openvswitch.org/pipermail/dev/2015-December/063568.html
But as mentioned it was decided to get the db config discussion done first.
It is unsure if the patches once final will make it into openvswitch 2.5 - it would be great if they would.
But even if not they shouldn't appear too much after and we might be able to cherry pick them?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dpdk/+bug/1546565/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list