Ownership/Permissions of vhost_user sockets for openvswitch-dpdk make them unusable by libvirt/qemu/kvm
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dpdk (Ubuntu) | Fix Released | High | Unassigned |
Xenial | Fix Released | High | Unassigned |
neutron-openvswitch (Juju Charms Collection) | Fix Released | High | James Page |
openvswitch (Ubuntu) | Won't Fix | High | Unassigned |
Xenial | Won't Fix | High | Unassigned |
Bug Description
As of today the vhost_user sockets created by openvswitch have root:root file ownership.
In fact creation is actually done by code in the DPDK lib, but the path is passed to it from openvswitch.
The API called to DPDK has no notion of ownership/groups.
It just "inherits" what the current running process has.
But due to LP:1546556 the process ownership/group can't be changed the usual way openvswitch would when using dpdk.
KVM as invoked by libvirt will run under libvirt-qemu:kvm and will thereby be unable to access these sockets.
The current workaround is:
1. wait after start of openvswitch (only then the sockets exist)
2. chown all created vhost_user sockets that are to be used
e.g. sudo chown libvirt-qemu /var/run/
3. if one wants to separate vhost_user sockets from the "rest" of openvswitch /var/run files use e.g.:
DPDK_
X. this has to be redone every start/restart of openvswitch
Y. if permissions are changed in a way that openvswitch can no longer remove them on shutdown they won't re-initialize properly on the next start
That is a severe shortcoming and not really applicable to a supported production environment.
There are discussions ongoing about providing an option to specify owner/group/
Unfortunately the patch series is blocked by a wider discussion about moving the dpdk configuration to the ovsdb (which makes sense, but stalls the acceptance of the patches providing the interface to modify permissions).
Link to the last thread about moving dpdk config to ovsdb: http://
Link to the last thread about making vhost_user socket user/group configurable - patch 4&5 of this: http://
But as mentioned it was decided to get the db config discussion done first.
It is unsure if the patches once final will make it into openvswitch 2.5 - it would be great if they would.
But even if not they shouldn't appear too much after and we might be able to cherry pick them?
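The two workaround steps from the description (wait until the sockets exist, then chown them), as an added sketch that is not code from the bug report, openvswitch or dpdk. The socket directory and socket names are supplied by the caller; `libvirt-qemu` is the user named in the report.

```python
import os
import pwd
import stat
import time


def is_socket(path):
    """True only for a real socket; lstat so a symlink is never followed."""
    try:
        return stat.S_ISSOCK(os.lstat(path).st_mode)
    except FileNotFoundError:
        return False


def wait_for_sockets(sock_dir, names, timeout=30.0, poll=0.5):
    """Step 1: the sockets exist only after openvswitch has started."""
    deadline = time.monotonic() + timeout
    while True:
        if all(is_socket(os.path.join(sock_dir, n)) for n in names):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(poll)


def chown_vhost_sockets(sock_dir, names, owner="libvirt-qemu", timeout=30.0):
    """Step 2: hand only the named sockets to `owner`.

    Group, mode and the containing directory are left untouched, so
    nothing else under the directory changes hands.
    Must be re-run after every start/restart (point X in the report).
    """
    if not wait_for_sockets(sock_dir, names, timeout):
        raise TimeoutError(f"sockets not created in {sock_dir}: {names}")
    # `owner` may be a user name or a numeric uid.
    uid = owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid
    changed = []
    for name in names:
        path = os.path.join(sock_dir, name)
        if not is_socket(path):  # vanished or replaced since the wait
            continue
        os.chown(path, uid, -1, follow_symlinks=False)  # -1 keeps the group
        changed.append(path)
    return changed
```

Naming the sockets explicitly, rather than chowning everything in the directory, keeps the other openvswitch files under root ownership.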
Changed in dpdk (Ubuntu):
status: New → Triaged
Changed in openvswitch-dpdk (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in dpdk (Ubuntu):
importance: Undecided → High
Changed in dpdk (Ubuntu Xenial):
importance: Undecided → High
Changed in openvswitch-dpdk (Ubuntu Xenial):
importance: Undecided → High
milestone: none → ubuntu-16.04.1
Changed in openvswitch-dpdk (Ubuntu):
milestone: ubuntu-16.04 → none
Changed in openvswitch-dpdk (Ubuntu):
status: Triaged → Invalid
no longer affects: openvswitch-dpdk (Ubuntu)
no longer affects: openvswitch-dpdk (Ubuntu Xenial)
Changed in neutron-openvswitch (Juju Charms Collection):
milestone: none → 16.07
status: New → In Progress
importance: Undecided → High
assignee: nobody → James Page (james-page)
Changed in openvswitch (Ubuntu Xenial):
status: New → Triaged
Changed in openvswitch (Ubuntu):
status: New → Triaged
Changed in neutron-openvswitch (Juju Charms Collection):
status: Fix Committed → Fix Released
Changed in openvswitch (Ubuntu Xenial):
importance: Undecided → High
Changed in openvswitch (Ubuntu):
importance: Undecided → High
Changed in neutron-openvswitch (Juju Charms Collection):
status: Fix Released → Fix Committed
Changed in neutron-openvswitch (Juju Charms Collection):
status: Fix Committed → Fix Released
Discussion slowed down and patch series grew - still not committed. /msg57821.html
=> https://<email address hidden>
The way the discussion went this included more and more of the change from commandline to ovsdb config for dpdk.
That makes it uncertain if it will get into branch 2.5