Re: [ovs-dev] [RFC] dpdk: Allow retaining cap_sys_rawio privileges

Thu, 23 Feb 2023 13:33:51 -0800 

> -----Original Message-----
> From: Robin Jarry <rja...@redhat.com <mailto:rja...@redhat.com>>
> Date: Thursday 23 February 2023 at 22:14
> To: Aaron Conole <acon...@redhat.com <mailto:acon...@redhat.com>>
> Cc: "d...@openvswitch.org <mailto:d...@openvswitch.org>" 
> <d...@openvswitch.org <mailto:d...@openvswitch.org>>, Eli Britstein 
> <el...@nvidia.com <mailto:el...@nvidia.com>>, Gaetan Rivet 
> <gaet...@nvidia.com <mailto:gaet...@nvidia.com>>, Ilya Maximets 
> <i.maxim...@ovn.org <mailto:i.      maxim...@ovn.org>>, Maxime Coquelin 
> <maxime.coque...@redhat.com <mailto:maxime.coque...@redhat.com>>, Jason 
> Gunthorpe <j...@nvidia.com <mailto:j...@nvidia.com>>, Majd Dibbiny 
> <m...@nvidia.com <mailto:m...@nvidia.com>>, David Marchand 
> <david.march...@redhat.com <mailto:david.march...@redhat.com>>, Gaetan Rivet 
> <gr...@u256.net <mailto:gr...@u256.net>>, Eelco Chaudron <echau...@redhat.com 
> <mailto:echau...@redhat.com>>
> Subject: Re: [ovs-dev] [RFC] dpdk: Allow retaining cap_sys_rawio privileges
>
>
> External email: Use caution opening links or attachments
>
>
>
>
> Aaron Conole, Feb 23, 2023 at 22:09:
> > Thanks for taking a look. You're saying that you tested without this
> > patch applied, yes? That could be. I only know of one hardware which
> > requires CAP_SYS_RAWIO for rte_flow to function.
>
>
> Yes that is correct, I tested *without* this patch applied and with
> a non-root user (ovs-vswitchd linked with libcap-ng).
>
>
> ovs-ctl --ovs-user="openvswitch:hugetlbfs" start
>
>
> The basic RTE flow rules (matching of the ether type field and redirect
> to a specific queue) were created without errors returned with both NICs
> I had available (Intel X710 and Mellanox ConnectX-5 Ex)
>
>
> cp-protection: redirected lacp traffic to rx queue 1
> cp-protection: redirected other traffic to rx queue 0

Hello,

I've looked at your patch Robin and the offloads you insert in 
dpdk_cp_prot_add_flow
use the following:

    const struct rte_flow_attr attr = { .ingress = 1 };

implicitly setting transfer and group to 0. If either of those had been 
non-zero instead,
cap_sys_rawio would be required.

Otherwise thank you very much Aaron for you patch, I was reading it and will
comment directly to it.

Best regards,
Gaetan 

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to