[ovs-dev,2/2] dpdk docs: Drop file share in libvirt config.

When explaining on how to add vhost-user ports to a guest, using
libvirt, the following piece of configuration is used:
    <disk type='dir' device='disk'>
      <driver name='qemu' type='fat'/>
      <source dir='/usr/src/dpdk-stable-17.11.1'/>
      <target dev='vdb' bus='virtio'/>
      <readonly/>
    </disk>

This is used to facilitate sharing of a DPDK directory between the host
and the guest. However, for this to work selinux also needs to be
configured (or disabled).  Furthermore, if one is using Ubuntu, libvirtd
would need to be added to complain only in AppArmor. Instead, in [1] it
is advised to use wget to get the DPDK sources over the internet, which
avoids this differentiation. Thus, we drop this piece of configuration
here as well and keep the example configuration as simple as possible.

This has been verified on both a Fedora 27 image and a Ubuntu 16.04 LTS
image.

[1] http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest

Signed-off-by: Tiago Lam <tiago.lam@intel.com>
---

CC'ed Stephen,

I took the liberty of removing your TODO from here, as I read it to be related
to the (now removed) SELinux instruction below. If you think it should still be
there let me know and I'll gladly send a v2.

 Documentation/topics/dpdk/vhost-user.rst | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)

Tiago Lam <tiago.lam@intel.com> writes:

> When explaining on how to add vhost-user ports to a guest, using
> libvirt, the following piece of configuration is used:
>     <disk type='dir' device='disk'>
>       <driver name='qemu' type='fat'/>
>       <source dir='/usr/src/dpdk-stable-17.11.1'/>
>       <target dev='vdb' bus='virtio'/>
>       <readonly/>
>     </disk>
>
> This is used to facilitate sharing of a DPDK directory between the host
> and the guest. However, for this to work selinux also needs to be
> configured (or disabled).  Furthermore, if one is using Ubuntu, libvirtd
> would need to be added to complain only in AppArmor. Instead, in [1] it
> is advised to use wget to get the DPDK sources over the internet, which
> avoids this differentiation. Thus, we drop this piece of configuration
> here as well and keep the example configuration as simple as possible.
>
> This has been verified on both a Fedora 27 image and a Ubuntu 16.04 LTS
> image.
>
> [1] http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest
>
> Signed-off-by: Tiago Lam <tiago.lam@intel.com>
> ---
>
> CC'ed Stephen,
>
> I took the liberty of removing your TODO from here, as I read it to be related
> to the (now removed) SELinux instruction below. If you think it should still be
> there let me know and I'll gladly send a v2.

I think it should remain until the selinux issues have been addressed.

Is there a list somewhere of the AVC denials?  Maybe it makes sense to
allow them.

On Wed, 2018-04-11 at 09:54 -0400, Aaron Conole wrote:
> Tiago Lam <tiago.lam@intel.com> writes:
> 
> > When explaining on how to add vhost-user ports to a guest, using
> > libvirt, the following piece of configuration is used:
> >     <disk type='dir' device='disk'>
> >       <driver name='qemu' type='fat'/>
> >       <source dir='/usr/src/dpdk-stable-17.11.1'/>
> >       <target dev='vdb' bus='virtio'/>
> >       <readonly/>
> >     </disk>
> > 
> > This is used to facilitate sharing of a DPDK directory between the host
> > and the guest. However, for this to work selinux also needs to be
> > configured (or disabled).  Furthermore, if one is using Ubuntu, libvirtd
> > would need to be added to complain only in AppArmor. Instead, in [1] it
> > is advised to use wget to get the DPDK sources over the internet, which
> > avoids this differentiation. Thus, we drop this piece of configuration
> > here as well and keep the example configuration as simple as possible.
> > 
> > This has been verified on both a Fedora 27 image and a Ubuntu 16.04 LTS
> > image.
> > 
> > [1] http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest
> > 
> > Signed-off-by: Tiago Lam <tiago.lam@intel.com>
> > ---
> > 
> > CC'ed Stephen,
> > 
> > I took the liberty of removing your TODO from here, as I read it to be related
> > to the (now removed) SELinux instruction below. If you think it should still be
> > there let me know and I'll gladly send a v2.
> 
> I think it should remain until the selinux issues have been addressed.
> 
> Is there a list somewhere of the AVC denials?  Maybe it makes sense to
> allow them.

If I'm reading this correctly, Tiago is saying these exceptions only
happen because we're sharing an arbitrary directory with the guest to
avoid downloading the DPDK sources twice. Given that there's a valid
workaround (just fetching sources twice), simply removing that section
of the XML removes the need to disable SELinux. If so, dropping the
warning does make sense in my mind.

Stephen

Stephen Finucane <stephen@that.guru> writes:

> On Wed, 2018-04-11 at 09:54 -0400, Aaron Conole wrote:
>> Tiago Lam <tiago.lam@intel.com> writes:
>> 
>> > When explaining on how to add vhost-user ports to a guest, using
>> > libvirt, the following piece of configuration is used:
>> >     <disk type='dir' device='disk'>
>> >       <driver name='qemu' type='fat'/>
>> >       <source dir='/usr/src/dpdk-stable-17.11.1'/>
>> >       <target dev='vdb' bus='virtio'/>
>> >       <readonly/>
>> >     </disk>
>> > 
>> > This is used to facilitate sharing of a DPDK directory between the host
>> > and the guest. However, for this to work selinux also needs to be
>> > configured (or disabled).  Furthermore, if one is using Ubuntu, libvirtd
>> > would need to be added to complain only in AppArmor. Instead, in [1] it
>> > is advised to use wget to get the DPDK sources over the internet, which
>> > avoids this differentiation. Thus, we drop this piece of configuration
>> > here as well and keep the example configuration as simple as possible.
>> > 
>> > This has been verified on both a Fedora 27 image and a Ubuntu 16.04 LTS
>> > image.
>> > 
>> > [1] http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest
>> > 
>> > Signed-off-by: Tiago Lam <tiago.lam@intel.com>
>> > ---
>> > 
>> > CC'ed Stephen,
>> > 
>> > I took the liberty of removing your TODO from here, as I read it to be related
>> > to the (now removed) SELinux instruction below. If you think it should still be
>> > there let me know and I'll gladly send a v2.
>> 
>> I think it should remain until the selinux issues have been addressed.
>> 
>> Is there a list somewhere of the AVC denials?  Maybe it makes sense to
>> allow them.
>
> If I'm reading this correctly, Tiago is saying these exceptions only
> happen because we're sharing an arbitrary directory with the guest to
> avoid downloading the DPDK sources twice.

Okay, I guess I read the change in the section a bit differently.  If
you think it's okay, then I'm fine (I'm always happy to see a
'setenforce 0' disappear).

> Given that there's a valid
> workaround (just fetching sources twice), simply removing that section
> of the XML removes the need to disable SELinux. If so, dropping the
> warning does make sense in my mind.
>
> Stephen

On 11/04/2018 15:03, Stephen Finucane wrote:
> On Wed, 2018-04-11 at 09:54 -0400, Aaron Conole wrote:
>> Tiago Lam <tiago.lam@intel.com> writes:
>>
>>> When explaining on how to add vhost-user ports to a guest, using
>>> libvirt, the following piece of configuration is used:
>>>      <disk type='dir' device='disk'>
>>>        <driver name='qemu' type='fat'/>
>>>        <source dir='/usr/src/dpdk-stable-17.11.1'/>
>>>        <target dev='vdb' bus='virtio'/>
>>>        <readonly/>
>>>      </disk>
>>>
>>> This is used to facilitate sharing of a DPDK directory between the host
>>> and the guest. However, for this to work selinux also needs to be
>>> configured (or disabled).  Furthermore, if one is using Ubuntu, libvirtd
>>> would need to be added to complain only in AppArmor. Instead, in [1] it
>>> is advised to use wget to get the DPDK sources over the internet, which
>>> avoids this differentiation. Thus, we drop this piece of configuration
>>> here as well and keep the example configuration as simple as possible.
>>>
>>> This has been verified on both a Fedora 27 image and a Ubuntu 16.04 LTS
>>> image.
>>>
>>> [1] http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest
>>>
>>> Signed-off-by: Tiago Lam <tiago.lam@intel.com>
>>> ---
>>>
>>> CC'ed Stephen,
>>>
>>> I took the liberty of removing your TODO from here, as I read it to be related
>>> to the (now removed) SELinux instruction below. If you think it should still be
>>> there let me know and I'll gladly send a v2.
>>
>> I think it should remain until the selinux issues have been addressed.
>>
>> Is there a list somewhere of the AVC denials?  Maybe it makes sense to
>> allow them.
> 
> If I'm reading this correctly, Tiago is saying these exceptions only
> happen because we're sharing an arbitrary directory with the guest to
> avoid downloading the DPDK sources twice. Given that there's a valid
> workaround (just fetching sources twice), simply removing that section
> of the XML removes the need to disable SELinux. If so, dropping the
> warning does make sense in my mind.
> 
> Stephen
> 

Thanks, Stephen. Yeah, that's what I was aiming at. In order to get the 
file sharing working properly, one must fiddle around with either 
SELinux or AppArmor, and that seems to be the sole reason why 
`setenforce 0` is there. Losing the dependency on the file sharing means 
we can lose any instructions that tell the user how to fiddle with 
either of those systems.

Just a note though, in that the user won't have to download the DPDK 
sources twice, only once. Following the guide, the user first sets up 
the vhost-user ports using libvirt, and once inside the VM he should 
follow up on running `testpmd` inside the guest [1], where he will be 
instructed to download the DPDK sources. This makes this piece of the 
docs a bit more consistent, I think.

[1] 
http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest

On Thu, 2018-04-12 at 08:24 +0100, Lam, Tiago wrote:
> On 11/04/2018 15:03, Stephen Finucane wrote:
> > On Wed, 2018-04-11 at 09:54 -0400, Aaron Conole wrote:
> > > Tiago Lam <tiago.lam@intel.com> writes:
> > > 
> > > > When explaining on how to add vhost-user ports to a guest, using
> > > > libvirt, the following piece of configuration is used:
> > > >      <disk type='dir' device='disk'>
> > > >        <driver name='qemu' type='fat'/>
> > > >        <source dir='/usr/src/dpdk-stable-17.11.1'/>
> > > >        <target dev='vdb' bus='virtio'/>
> > > >        <readonly/>
> > > >      </disk>
> > > > 
> > > > This is used to facilitate sharing of a DPDK directory between the host
> > > > and the guest. However, for this to work selinux also needs to be
> > > > configured (or disabled).  Furthermore, if one is using Ubuntu, libvirtd
> > > > would need to be added to complain only in AppArmor. Instead, in [1] it
> > > > is advised to use wget to get the DPDK sources over the internet, which
> > > > avoids this differentiation. Thus, we drop this piece of configuration
> > > > here as well and keep the example configuration as simple as possible.
> > > > 
> > > > This has been verified on both a Fedora 27 image and a Ubuntu 16.04 LTS
> > > > image.
> > > > 
> > > > [1] http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest
> > > > 
> > > > Signed-off-by: Tiago Lam <tiago.lam@intel.com>
> > > > ---
> > > > 
> > > > CC'ed Stephen,
> > > > 
> > > > I took the liberty of removing your TODO from here, as I read it to be related
> > > > to the (now removed) SELinux instruction below. If you think it should still be
> > > > there let me know and I'll gladly send a v2.
> > > 
> > > I think it should remain until the selinux issues have been addressed.
> > > 
> > > Is there a list somewhere of the AVC denials?  Maybe it makes sense to
> > > allow them.
> > 
> > If I'm reading this correctly, Tiago is saying these exceptions only
> > happen because we're sharing an arbitrary directory with the guest to
> > avoid downloading the DPDK sources twice. Given that there's a valid
> > workaround (just fetching sources twice), simply removing that section
> > of the XML removes the need to disable SELinux. If so, dropping the
> > warning does make sense in my mind.
> > 
> > Stephen
> > 
> 
> Thanks, Stephen. Yeah, that's what I was aiming at. In order to get the 
> file sharing working properly, one must fiddle around with either 
> SELinux or AppArmor, and that seems to be the sole reason why 
> `setenforce 0` is there. Losing the dependency on the file sharing means 
> we can lose any instructions that tell the user how to fiddle with 
> either of those systems.
> 
> Just a note though, in that the user won't have to download the DPDK 
> sources twice, only once. Following the guide, the user first sets up 
> the vhost-user ports using libvirt, and once inside the VM he should 
> follow up on running `testpmd` inside the guest [1], where he will be 
> instructed to download the DPDK sources. This makes this piece of the 
> docs a bit more consistent, I think.
> 
> [1] 
> http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest

That all sounds fair to me.

Acked-by: Stephen Finucane <stephen@that.guru>

> On Thu, 2018-04-12 at 08:24 +0100, Lam, Tiago wrote:
> > On 11/04/2018 15:03, Stephen Finucane wrote:
> > > On Wed, 2018-04-11 at 09:54 -0400, Aaron Conole wrote:
> > > > Tiago Lam <tiago.lam@intel.com> writes:
> > > >
> > > > > When explaining on how to add vhost-user ports to a guest, using
> > > > > libvirt, the following piece of configuration is used:
> > > > >      <disk type='dir' device='disk'>
> > > > >        <driver name='qemu' type='fat'/>
> > > > >        <source dir='/usr/src/dpdk-stable-17.11.1'/>
> > > > >        <target dev='vdb' bus='virtio'/>
> > > > >        <readonly/>
> > > > >      </disk>
> > > > >
> > > > > This is used to facilitate sharing of a DPDK directory between
> > > > > the host and the guest. However, for this to work selinux also
> > > > > needs to be configured (or disabled).  Furthermore, if one is
> > > > > using Ubuntu, libvirtd would need to be added to complain only
> > > > > in AppArmor. Instead, in [1] it is advised to use wget to get
> > > > > the DPDK sources over the internet, which avoids this
> > > > > differentiation. Thus, we drop this piece of configuration here as
> well and keep the example configuration as simple as possible.
> > > > >
> > > > > This has been verified on both a Fedora 27 image and a Ubuntu
> > > > > 16.04 LTS image.
> > > > >
> > > > > [1]
> > > > > http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dp
> > > > > dk-in-the-guest
> > > > >
> > > > > Signed-off-by: Tiago Lam <tiago.lam@intel.com>
> > > > > ---
> > > > >
> > > > > CC'ed Stephen,
> > > > >
> > > > > I took the liberty of removing your TODO from here, as I read it
> > > > > to be related to the (now removed) SELinux instruction below. If
> > > > > you think it should still be there let me know and I'll gladly
> send a v2.
> > > >
> > > > I think it should remain until the selinux issues have been
> addressed.
> > > >
> > > > Is there a list somewhere of the AVC denials?  Maybe it makes
> > > > sense to allow them.
> > >
> > > If I'm reading this correctly, Tiago is saying these exceptions only
> > > happen because we're sharing an arbitrary directory with the guest
> > > to avoid downloading the DPDK sources twice. Given that there's a
> > > valid workaround (just fetching sources twice), simply removing that
> > > section of the XML removes the need to disable SELinux. If so,
> > > dropping the warning does make sense in my mind.
> > >
> > > Stephen
> > >
> >
> > Thanks, Stephen. Yeah, that's what I was aiming at. In order to get
> > the file sharing working properly, one must fiddle around with either
> > SELinux or AppArmor, and that seems to be the sole reason why
> > `setenforce 0` is there. Losing the dependency on the file sharing
> > means we can lose any instructions that tell the user how to fiddle
> > with either of those systems.
> >
> > Just a note though, in that the user won't have to download the DPDK
> > sources twice, only once. Following the guide, the user first sets up
> > the vhost-user ports using libvirt, and once inside the VM he should
> > follow up on running `testpmd` inside the guest [1], where he will be
> > instructed to download the DPDK sources. This makes this piece of the
> > docs a bit more consistent, I think.
> >
> > [1]
> > http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-
> > the-guest
> 
> That all sounds fair to me.
> 
> Acked-by: Stephen Finucane <stephen@that.guru>

Thanks all, pushed to DPDK_MERGE, I'll back port this to previous releases also.

Ian

> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev