Bug 1281911
Summary: | ovs-dpdk: vhost-user socket has wrong permissions | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Flavio Leitner <fleitner> |
Component: | openvswitch-dpdk | Assignee: | Aaron Conole <aconole> |
Status: | CLOSED CANTFIX | QA Contact: | Jean-Tsung Hsiao <jhsiao> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 7.3 | CC: | aconole, aloughla, atragler, jean-mickael.guerin, jkurik, kzhang, maxime.leroy, mleitner, mzhan, nyechiel, rkhan, twilson, vchundur, vincent.jardin |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-09-28 14:33:22 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1301628, 1313485 | | |
Description
Flavio Leitner
2015-11-13 19:04:17 UTC
Should adding: RuntimeDirectoryMode=0775 Group=qemu UMask=0002 to /usr/lib/systemd/system/openvswitch-nonetwork.service fix this issue?

I think a better approach is to use a separate directory for the vhost_user sockets, which would require passing the -vhost_sock_dir option to ovs-vswitchd, and updating the SELinux permissions. That way we could make a sgid directory where vhost sockets go. I will look into this and have a formal proposal (in the form of patches) soon.

There is a discussion upstream at http://openvswitch.org/pipermail/dev/2015-December/062845.html regarding when and how to apply DPDK parameters to Open vSwitch. Since my solution is based on the -vhost_sock_dir option, there's a possibility that it will need to be re-architected. That said, the packages (which haven't been fully tested) are at: https://copr.fedoraproject.org/coprs/aconole/qemu-kvm/ and https://copr.fedoraproject.org/coprs/aconole/openvswitch-dpdk/ I will be testing them later today/tomorrow to see that the idea is sound, and then the implementation may need further discussion.

Aaron: how'd the testing go?

Sorry for the late response. There are issues in the initial implementation that need to be cleaned up. I will respin and update the bug with corrected patches. The solution _should_ work, but may not be a final one that upstream accepts.

I have a working set of packages, on COPR: https://copr.fedoraproject.org/coprs/aconole/openvswitch-dpdk/ and https://copr.fedoraproject.org/coprs/aconole/qemu-kvm/

The following are the changes that I did:

On package install:

1. QEMU adds itself to the vhost group (if no such group exists, it creates one)
2. Openvswitch-DPDK adds the vhost group if it doesn't already exist

Open vSwitch DPDK package has the following changes:

ovs-ctl accepts a (not-required) option in /etc/sysconf/openvswitch called VHOST_SOCK_DIR, which should be a path in the filesystem. This variable is only used when DPDK_OPTIONS are specified.

If the path specified by VHOST_SOCK_DIR does not exist, ovs-ctl creates it during openvswitch startup, and sets mode to rwxrwsr-x with a group of vhost.

Once the path specified in VHOST_SOCK_DIR exists, openvswitch passes it and DPDK_OPTIONS has a value, ovs-ctl sets umask to 0002, launches ovs-vswitchd, and restores umask.

I will post the patches for Panu and Flavio to review, and then bring it to wider audience (because it may not be the solution upstream accepts).

The upstream solution is posted at http://openvswitch.org/pipermail/dev/2016-January/063959.html This is the first series to reorganize under the database. The second will be to set vhost-sock permissions and ownership.
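The mechanism proposed in the comments above (a setgid socket directory with mode rwxrwsr-x, plus umask 0002 around the launch of the process that binds the socket) can be checked with the following added sketch, which is not code from the bug or from the packages. It is Linux-specific; the directory name, socket names and helper functions are hypothetical, and the caller's own group stands in for the vhost group so the demo runs unprivileged.

```python
import os
import socket
import stat
import tempfile

def make_sock_dir(parent):
    """Create a socket directory with mode rwxrwsr-x (2775)."""
    path = os.path.join(parent, "vhost")       # hypothetical directory name
    os.mkdir(path)
    # The proposal uses group 'vhost'; the caller's group is used here instead.
    os.chown(path, -1, os.getegid())
    os.chmod(path, 0o2775)   # explicit chmod, since mkdir's mode is cut by umask
    return path

def bind_with_umask(sock_dir, name, umask):
    """Bind a Unix socket under the given umask; return (mode, gid)."""
    path = os.path.join(sock_dir, name)
    old = os.umask(umask)
    try:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            s.bind(path)                       # the socket file is created here
        finally:
            s.close()
    finally:
        os.umask(old)                          # restore, as ovs-ctl is said to do
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode), st.st_gid

def group_can_connect(mode):
    """connect() on a Unix socket needs write permission on the socket file."""
    return bool(mode & stat.S_IWGRP)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        d = make_sock_dir(tmp)
        dir_st = os.stat(d)
        out = {"dir_mode": stat.S_IMODE(dir_st.st_mode), "dir_gid": dir_st.st_gid}
        for label, um in (("default_0022", 0o022), ("proposed_0002", 0o002)):
            out[label] = bind_with_umask(d, label + ".sock", um)
        return out

if __name__ == "__main__":
    r = demo()
    print("directory mode:", oct(r["dir_mode"]))
    for label in ("default_0022", "proposed_0002"):
        mode, gid = r[label]
        print(label, oct(mode), "gid", gid,
              "group can connect:", group_can_connect(mode))
```

Under umask 0022 the socket comes out without group write, so a client that is only a group member cannot connect; under 0002 the group write bit is kept and the socket takes the directory's group.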