Re: [SPDK] Running SPDK As Non-root User

Re: [SPDK] Running SPDK As Non-root User

[Walker, Benjamin]

[-- Attachment #1: Type: text/plain, Size: 4393 bytes --]

On Fri, 2016-12-23 at 16:46 +0530, karthi wrote:
> Hi All,
>  
> I’m trying to run SPDK (NVMf target) in a non-root user mode. I’m ending up in
> rte_mempool_init always returns 0MB Available memory. But if I run the same as
> a root user, everything works fine.  Can Someone help me out on this and I
> have come across some DPDK mail thread for the same issue.
>  
> http://dpdk.org/ml/archives/users/2016-July/000709.html
>  
> Can DPDK currently run in non-root user mode?

Yes, it can, although it isn't well tested or heavily used as far as I can tell.

>  
> Is someone tried experimenting this in either DPDK or SPDK?

SPDK's scripts/setup.sh will do all of the things necessary to run your
application as an unprivileged user if your system has your IOMMU enabled in the
kernel boot parameters. The script will automatically use vfio instead of uio
and correctly set the permissions on all of the devices and hugepage files to
the user you ran the script as. Note that you do need to run the script as the
user you want to grant permission, but under 'sudo' because it needs root
permission to do the initial setup.

I'd like to dive into the details here a bit so that everyone knows where we
really stand on this. I see running as an unprivileged user a key feature for
production deployments, so it's one of those things that we really do want to
get functioning as a first class citizen in our test pool and documentation as
soon as possible.

DPDK and SPDK (and user space drivers in general) need two features from the
kernel to function.

First, they must be able to allocate memory that has a fixed virtual to physical
address mapping, which is usually called 'pinned' memory. This memory is used
for DMA operations that happen asynchronously and off of the CPU, e.g. the data
for reads and writes from the SSD or NIC. DPDK/SPDK accomplish this by
allocating the memory from hugepages, which happen to meet this requirement
today.

Second, they must be able to map the memory region described by the base address
register (BAR) in the PCI header into a virtual address accessible by the
process they are running in. DPDK/SPDK can do this using one of two Linux kernel
mechanisms - uio and vfio - where vfio is the newer of the two. Both mechanisms
present the user with a file in sysfs that can be mmap'd for this purpose.

Running SPDK as a non-root user, then, is a matter of finding ways to accomplish
the above two tasks without root. Hugepages are documented here:

https://www.kernel.org/doc/Documentation/vm/hugetlbpage.txt

The BAR is harder and it wasn't possible to map this as an unprivileged user
until the introduction of vfio. With vfio, a privileged user can simply grant
access to the resource file in sysfs to any other unprivileged user. See:

https://www.kernel.org/doc/Documentation/vfio.txt

Note that SPDK's scripts/setup.sh does all of this automatically if it detects
that your system has the IOMMU enabled. The IOMMU is a critical piece security-
wise for unprivileged execution because it will prevent your otherwise
unprivileged user from having free reign to DMA to any memory address.

The above all sounds great, except I just actually tried this and when I run the
NVMe identify example at ./examples/nvme/identify, DPDK gives me an error! After
much debugging, it turns out that in kernel 4.0 the kernel devs removed the
ability to get physical addresses for pages from /proc/self/pagemap without
elevated privileges in response to the Rowhammer exploit. Everything should work
fine on a 3.x series kernel, but I don't have access to a machine to test it out
right now.

The simplest solution would be to make your program start up with elevated
permissions and initialize DPDK. That provides the required virtual to physical
memory mappings, which should be static for hugepages. After initialization, the
privilege can be dropped back down. That's the strategy I would pursue for your
application today. We'll keep looking at this and working with the kernel
community to come up with a better long term solution.

Thanks,
Ben

>  
>  
> Regards,
>  
> Karthi | +91 9036339210
> CloudSimple Inc.
>  
> _______________________________________________
> SPDK mailing list
> SPDK(a)lists.01.org
> https://lists.01.org/mailman/listinfo/spdk

Re: [SPDK] Running SPDK As Non-root User

[Walker, Benjamin]

[-- Attachment #1: Type: text/plain, Size: 1581 bytes --]

On Tue, 2017-12-05 at 16:55 +0000, Dave Boutcher wrote:
> There was some discussion back in 2016 about running SPDK (and DPDK)
> applications as non-root users.  I finally got annoyed enough about this to
> figure it out.
> 
> You can run SPDK applications as non-root if you set the following
> capabilities:
> 
>  $ sudo setcap "cap_dac_read_search,cap_sys_admin+ep" myapplication
> 
> Note that this is a fairly big hammer...by the time you give the application
> sys_admin and dac_read_search, it is fairly powerful, but it is a smaller
> hammer than running as root :-)

Fortunately, it is totally possible to run SPDK and DPDK without granting your
user any additional permissions (except for one catch). If you just run the SPDK
scripts/setup.sh under sudo, it automatically sets up whatever user invoked the
sudo command to be able to run as an entirely unprivileged user. The only
requirement is that you have VT-d and your IOMMU enabled. You'll know you have
it right if you see scripts/setup.sh binding your devices to vfio-pci instead of
uio.

The catch is that we accidentally broke this a few months ago on some
distributions because they don't allow unprivileged users to call shm_open with
the O_CREAT flag. To make it work again, you need to grant your user permission
to write to /dev/shm. I just tried it and it works, at least on Fedora 26. We'll
try to come up with a better strategy here.

> _______________________________________________
> SPDK mailing list
> SPDK(a)lists.01.org
> https://lists.01.org/mailman/listinfo/spdk

[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 3274 bytes --]

[SPDK] Running SPDK As Non-root User

[Dave Boutcher]

[-- Attachment #1: Type: text/plain, Size: 508 bytes --]

There was some discussion back in 2016 about running SPDK (and DPDK) applications as non-root users.  I finally got annoyed enough about this to figure it out.


You can run SPDK applications as non-root if you set the following capabilities:


 $ sudo setcap "cap_dac_read_search,cap_sys_admin+ep" myapplication


Note that this is a fairly big hammer...by the time you give the application sys_admin and dac_read_search, it is fairly powerful, but it is a smaller hammer than running as root :-)

[-- Attachment #2: attachment.html --]
[-- Type: text/html, Size: 1243 bytes --]

Re: [SPDK] Running SPDK As Non-root User

[Kariuki, John K]

[-- Attachment #1: Type: text/plain, Size: 2787 bytes --]

Karthi
Using huge pages is essential for good performance because larger pages result in fewer translation lookaside buffer (TLB) entries and enable SPDK to efficiently use the TLB. Huge pages are 2MB memory pages (instead of 4K) which are reserve to hold the control and data queues used to pipe data from system memory into the NVMe device. The hugepages are pinned memory to ensure DMA operations never target swapped out memory.

From: SPDK [mailto:spdk-bounces(a)lists.01.org] On Behalf Of Andrey Kuzmin
Sent: Saturday, December 24, 2016 7:26 AM
To: Storage Performance Development Kit <spdk(a)lists.01.org>
Subject: Re: [SPDK] Running SPDK As Non-root User


On Sat, Dec 24, 2016, 07:04 Karthi M <karthi(a)cloudsimple.com<mailto:karthi(a)cloudsimple.com>> wrote:
Thanks Andrey and John for quick response.

Is it possible to run without using physical memory just by virtual memory i.e with —no-huge option while starting the DPDK.

--no-huge works with page-size memory buffers only.

Why exactly DPDK has that option in case physical memory is unavoidable requirement?

I guess to serve virtual NICs, but DPDK mail list is definitely a better place to ask. Overall, DPDK and SPDK access raw memory and (memory-mapped) hardware (registers), so elevated privileges are a natural requirement.

Regards,
Andrey


Regards,

Karthi | +91 9036339210
CloudSimple Inc

On 23-Dec-2016, at 10:20 PM, Andrey Kuzmin <andrey.v.kuzmin(a)gmail.com<mailto:andrey.v.kuzmin(a)gmail.com>> wrote:



On Fri, Dec 23, 2016, 14:16 karthi <karthi(a)cloudsimple.com<mailto:karthi(a)cloudsimple.com>> wrote:
Hi All,

I’m trying to run SPDK (NVMf target) in a non-root user mode. I’m ending up in rte_mempool_init always returns 0MB Available memory. But if I run the same as a root user, everything works fine.  Can Someone help me out on this and I have come across some DPDK mail thread for the same issue.

DPDK accesses physical memory and thus needs elevated privileges.

Regards,
Andrey

http://dpdk.org/ml/archives/users/2016-July/000709.html

Can DPDK currently run in non-root user mode?

Is someone tried experimenting this in either DPDK or SPDK?


Regards,

Karthi | +91 9036339210
CloudSimple Inc.

_______________________________________________
SPDK mailing list
SPDK(a)lists.01.org<mailto:SPDK(a)lists.01.org>
https://lists.01.org/mailman/listinfo/spdk
--

Regards,
Andrey
_______________________________________________
SPDK mailing list
SPDK(a)lists.01.org<mailto:SPDK(a)lists.01.org>
https://lists.01.org/mailman/listinfo/spdk

_______________________________________________
SPDK mailing list
SPDK(a)lists.01.org<mailto:SPDK(a)lists.01.org>
https://lists.01.org/mailman/listinfo/spdk
--

Regards,
Andrey

[-- Attachment #2: attachment.html --]
[-- Type: text/html, Size: 14588 bytes --]

Re: [SPDK] Running SPDK As Non-root User

[Andrey Kuzmin]

[-- Attachment #1: Type: text/plain, Size: 2109 bytes --]

On Sat, Dec 24, 2016, 07:04 Karthi M <karthi(a)cloudsimple.com> wrote:

> Thanks Andrey and John for quick response.
>
> Is it possible to run without using physical memory just by virtual memory
> i.e with —no-huge option while starting the DPDK.
>

--no-huge works with page-size memory buffers only.

>
> Why exactly DPDK has that option in case physical memory is unavoidable
> requirement?
>

I guess to serve virtual NICs, but DPDK mail list is definitely a better
place to ask. Overall, DPDK and SPDK access raw memory and (memory-mapped)
hardware (registers), so elevated privileges are a natural requirement.

Regards,
Andrey

>
>
> Regards,
>
> Karthi | +91 9036339210
> CloudSimple Inc
>
> On 23-Dec-2016, at 10:20 PM, Andrey Kuzmin <andrey.v.kuzmin(a)gmail.com>
> wrote:
>
>
>
> On Fri, Dec 23, 2016, 14:16 karthi <karthi(a)cloudsimple.com> wrote:
>
> Hi All,
>
>
>
> I’m trying to run SPDK (NVMf target) in a non-root user mode. I’m ending
> up in rte_mempool_init always returns 0MB Available memory. But if I run
> the same as a root user, everything works fine.  Can Someone help me out on
> this and I have come across some DPDK mail thread for the same issue.
>
>
> DPDK accesses physical memory and thus needs elevated privileges.
>
> Regards,
> Andrey
>
>
>
> http://dpdk.org/ml/archives/users/2016-July/000709.html
>
>
>
> Can DPDK currently run in non-root user mode?
>
>
>
> Is someone tried experimenting this in either DPDK or SPDK?
>
>
>
>
>
> Regards,
>
>
>
> Karthi | +91 9036339210
>
> CloudSimple Inc.
>
>
> _______________________________________________
> SPDK mailing list
> SPDK(a)lists.01.org
> https://lists.01.org/mailman/listinfo/spdk
>
> --
>
> Regards,
> Andrey
> _______________________________________________
> SPDK mailing list
> SPDK(a)lists.01.org
> https://lists.01.org/mailman/listinfo/spdk
>
>
> _______________________________________________
> SPDK mailing list
> SPDK(a)lists.01.org
> https://lists.01.org/mailman/listinfo/spdk
>
-- 

Regards,
Andrey

[-- Attachment #2: attachment.html --]
[-- Type: text/html, Size: 13010 bytes --]

Re: [SPDK] Running SPDK As Non-root User

[Karthi M]

[-- Attachment #1: Type: text/plain, Size: 1793 bytes --]

Thanks Andrey and John for quick response. 

Is it possible to run without using physical memory just by virtual memory i.e with —no-huge option while starting the DPDK. 

Why exactly DPDK has that option in case physical memory is unavoidable requirement?


Regards, 

Karthi | +91 9036339210
CloudSimple Inc 

> On 23-Dec-2016, at 10:20 PM, Andrey Kuzmin <andrey.v.kuzmin(a)gmail.com> wrote:
> 
> 
> 
> On Fri, Dec 23, 2016, 14:16 karthi <karthi(a)cloudsimple.com <mailto:karthi(a)cloudsimple.com>> wrote:
> Hi All, 
> 
>  
> 
> I’m trying to run SPDK (NVMf target) in a non-root user mode. I’m ending up in rte_mempool_init always returns 0MB Available memory. But if I run the same as a root user, everything works fine.  Can Someone help me out on this and I have come across some DPDK mail thread for the same issue.
> 
> 
> DPDK accesses physical memory and thus needs elevated privileges.
> 
> Regards,
> Andrey
> 
>  
> 
> http://dpdk.org/ml/archives/users/2016-July/000709.html <http://dpdk.org/ml/archives/users/2016-July/000709.html>
>  
> 
> Can DPDK currently run in non-root user mode? 
> 
>  
> 
> Is someone tried experimenting this in either DPDK or SPDK?
> 
>  
> 
>  
> 
> Regards,
> 
>  
> 
> Karthi | +91 9036339210
> 
> CloudSimple Inc.
> 
>  
> 
> _______________________________________________
> SPDK mailing list
> SPDK(a)lists.01.org <mailto:SPDK(a)lists.01.org>
> https://lists.01.org/mailman/listinfo/spdk <https://lists.01.org/mailman/listinfo/spdk>
> -- 
> Regards,
> Andrey
> 
> _______________________________________________
> SPDK mailing list
> SPDK(a)lists.01.org <mailto:SPDK(a)lists.01.org>
> https://lists.01.org/mailman/listinfo/spdk <https://lists.01.org/mailman/listinfo/spdk>

[-- Attachment #2: attachment.html --]
[-- Type: text/html, Size: 12429 bytes --]

Re: [SPDK] Running SPDK As Non-root User

[Andrey Kuzmin]

[-- Attachment #1: Type: text/plain, Size: 950 bytes --]

On Fri, Dec 23, 2016, 14:16 karthi <karthi(a)cloudsimple.com> wrote:

> Hi All,
>
>
>
> I’m trying to run SPDK (NVMf target) in a non-root user mode. I’m ending
> up in rte_mempool_init always returns 0MB Available memory. But if I run
> the same as a root user, everything works fine.  Can Someone help me out on
> this and I have come across some DPDK mail thread for the same issue.
>

DPDK accesses physical memory and thus needs elevated privileges.

Regards,
Andrey

>
>
> http://dpdk.org/ml/archives/users/2016-July/000709.html
>
>
>
> Can DPDK currently run in non-root user mode?
>
>
>
> Is someone tried experimenting this in either DPDK or SPDK?
>
>
>
>
>
> Regards,
>
>
>
> Karthi | +91 9036339210
>
> CloudSimple Inc.
>
>
> _______________________________________________
> SPDK mailing list
> SPDK(a)lists.01.org
> https://lists.01.org/mailman/listinfo/spdk
>
-- 

Regards,
Andrey

[-- Attachment #2: attachment.html --]
[-- Type: text/html, Size: 4481 bytes --]

Re: [SPDK] Running SPDK As Non-root User

[Kariuki, John K]

[-- Attachment #1: Type: text/plain, Size: 855 bytes --]

Hello Karthi
Right now, the SPDK NVMf target requires elevated privileges (root) to run.

From: SPDK [mailto:spdk-bounces(a)lists.01.org] On Behalf Of karthi
Sent: Friday, December 23, 2016 4:16 AM
To: Storage Performance Development Kit <spdk(a)lists.01.org>
Subject: [SPDK] Running SPDK As Non-root User

Hi All,

I’m trying to run SPDK (NVMf target) in a non-root user mode. I’m ending up in rte_mempool_init always returns 0MB Available memory. But if I run the same as a root user, everything works fine.  Can Someone help me out on this and I have come across some DPDK mail thread for the same issue.

http://dpdk.org/ml/archives/users/2016-July/000709.html

Can DPDK currently run in non-root user mode?

Is someone tried experimenting this in either DPDK or SPDK?


Regards,

Karthi | +91 9036339210
CloudSimple Inc.


[-- Attachment #2: attachment.html --]
[-- Type: text/html, Size: 4930 bytes --]

[SPDK] Running SPDK As Non-root User

[karthi]

[-- Attachment #1: Type: text/plain, Size: 584 bytes --]

Hi All, 

 

I’m trying to run SPDK (NVMf target) in a non-root user mode. I’m ending up in rte_mempool_init always returns 0MB Available memory. But if I run the same as a root user, everything works fine.  Can Someone help me out on this and I have come across some DPDK mail thread for the same issue. 

 

http://dpdk.org/ml/archives/users/2016-July/000709.html

 

Can DPDK currently run in non-root user mode? 

 

Is someone tried experimenting this in either DPDK or SPDK?

 

 

Regards,

 

Karthi | +91 9036339210

CloudSimple Inc.

 


[-- Attachment #2: attachment.html --]
[-- Type: text/html, Size: 3445 bytes --]