Dropping privileges in openvswitch-switch via --user is incompatible with --dpdk
Bug #1546556 reported by Christian Ehrhardt
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Neutron Open vSwitch Charm | Triaged | Wishlist | Unassigned |
dpdk (Ubuntu) | Fix Released | Wishlist | Unassigned |
openvswitch-dpdk (Ubuntu) | Fix Released | Wishlist | Unassigned |
Bug Description
Openvswitch has a nice security feature where one can drop privileges via the --user option.
Unfortunately, due to the nature of DPDK, it needs root permissions to initialize most of its resources.
Thereby --dpdk and --user are mutually exclusive.
There are upstream discussions ongoing about whether it could first initialize DPDK and then drop permissions.
But then it was identified that this would imply no adding/removing of dpdk devices at runtime.
So the discussions go on for now.
Once an upstream solution is ready we can decide if we backport or wait until we merge a newer version - therefore just wishlist for now.
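The trade-off described above, as an added C illustration (not Open vSwitch or DPDK code): a root-owned temporary file stands in for a DPDK resource, opened before a permanent privilege drop and then reopened afterwards. The file path, the uid/gid 65534 and all function names are assumptions of this example; when not started as root it returns 2 without doing anything.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_ID 65534 /* assumed unprivileged uid and gid ("nobody") */

/* Permanently drop root: supplementary groups, then gid, then uid. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: regaining uid 0 has to fail. */
    return (setuid(0) == -1 && geteuid() == uid) ? 0 : -1;
}

/* Returns 0 if both effects were observed, 2 if not started as root
 * (nothing to drop), 1 on any unexpected result. */
int demo_init_then_drop(void)
{
    char path[] = "/tmp/privdrop-demo-XXXXXX"; /* constructed stand-in */
    int early, status = -1;
    pid_t pid;
    if (geteuid() != 0)
        return 2;
    early = mkstemp(path); /* "init" phase: root-owned, mode 0600 */
    if (early < 0)
        return 1;
    pid = fork(); /* the child plays the daemon */
    if (pid == 0) {
        if (drop_privileges(DEMO_ID, DEMO_ID) != 0)
            _exit(1);
        /* A resource opened before the drop stays usable ... */
        if (write(early, "x", 1) != 1)
            _exit(1);
        /* ... but acquiring it anew at runtime is refused. */
        _exit(open(path, O_RDWR) == -1 && errno == EACCES ? 0 : 1);
    }
    if (pid > 0 && waitpid(pid, &status, 0) != pid)
        status = -1;
    close(early);
    unlink(path);
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : 1;
}
int main(void) { return demo_init_then_drop(); }
```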
Changed in dpdk (Ubuntu):
status: New → Triaged
Changed in openvswitch-dpdk (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Changed in dpdk (Ubuntu):
importance: Undecided → Wishlist
Changed in charm-neutron-openvswitch:
status: New → Triaged
importance: Undecided → Wishlist
Guys,
I'm trying to use OVS with DPDK to create a bridge between 2 x 10G NIC cards, however, it is not working, the log shows:
---
root@xenial-1:~# ovs-vswitchd log
2016-03-08T04:19:19Z|00001|ovs_numa|INFO|Discovered 24 CPU cores on NUMA node 0
2016-03-08T04:19:19Z|00002|ovs_numa|INFO|Discovered 24 CPU cores on NUMA node 1
2016-03-08T04:19:19Z|00003|ovs_numa|INFO|Discovered 2 NUMA nodes and 48 CPU cores
2016-03-08T04:19:19Z|00004|reconnect|INFO|log: connecting...
2016-03-08T04:19:19Z|00005|reconnect|INFO|log: connection attempt failed (Address family not supported by protocol)
2016-03-08T04:19:19Z|00006|reconnect|INFO|log: waiting 1 seconds before reconnect
2016-03-08T04:19:20Z|00007|reconnect|INFO|log: connecting...
2016-03-08T04:19:20Z|00008|reconnect|INFO|log: connection attempt failed (Address family not supported by protocol)
2016-03-08T04:19:20Z|00009|reconnect|INFO|log: waiting 2 seconds before reconnect
2016-03-08T04:19:22Z|00010|reconnect|INFO|log: connecting...
2016-03-08T04:19:22Z|00011|reconnect|INFO|log: connection attempt failed (Address family not supported by protocol)
2016-03-08T04:19:22Z|00012|reconnect|INFO|log: waiting 4 seconds before reconnect
2016-03-08T04:19:23Z|00013|fatal_signal|WARN|terminating with signal 2 (Interrupt)
---
After a bit of research on the Internet, I'm thinking that it might be related to this problem... Or not?