Open taylor opened 5 years ago
Updated ticket with additional information
We have now two jira tickets tracking unprivileged VPP in FD.io:
VPP-1787 Running VPP as unprivileged process
CSIT-1627 Running VPP in unprivileged containers
Pursuing both actively with LFN FD.io community. Will update here when the state of any of the above jira tickets changes.
Note that collected error logs are from @pmikus tests in FD.io CSIT labs. They have been reviewed by an FD.io VPP committer and validated as correct.
To start with baseline tests, there are two minimal settings required:

Huge pages

Manual way
$ sudo umount /dev/hugepages
$ sudo mount -t hugetlbfs hugetlbfs /dev/hugepages -o uid=testuser -o gid=testuser
$ echo 1000 | sudo tee /proc/sys/vm/hugetlb_shm_group

Automated way (ideal for persistence and bootstrapping - preferred)
$ echo "hugetlbfs /dev/hugepages hugetlbfs mode=1777,uid=$(id -u),gid=$(id -g) 0 0" | sudo tee -a /etc/fstab
$ echo "vm.hugetlb_shm_group=$(id -g)" | sudo tee -a /etc/sysctl.conf

VFIO-PCI
$ sudo chown $(id -nu):$(id -ng) /dev/vfio/*

Containers
This requires more understanding and depends on use-cases (Docker/LXC/K8S, base image used, etc.).
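A preflight script that verifies the two settings above are in place for the user VPP will run as, added here as an example and not part of the issue or the cnf-testbed project. It assumes the mount point, sysctl and device paths named in the commands above; the function names are my own, and the checks take their inputs as arguments so they can be run against constructed /proc/mounts text as well as the live host.

```sh
#!/bin/sh
# Added example: preflight check that the two unprivileged-VPP prerequisites
# from the issue (hugetlbfs for the user, /dev/vfio ownership) are in place.

# hugetlbfs_mount_ok MOUNTS_TEXT UID GID
# 0 if MOUNTS_TEXT (/proc/mounts format) has a hugetlbfs mount at /dev/hugepages
# whose options carry uid=UID and gid=GID, i.e. the mount or fstab step was done.
hugetlbfs_mount_ok() {
  while read -r _dev mnt fstype opts _rest; do
    [ "$fstype" = hugetlbfs ] && [ "$mnt" = /dev/hugepages ] || continue
    case ",$opts," in *",uid=$2,"*) ;; *) continue ;; esac
    case ",$opts," in *",gid=$3,"*) return 0 ;; esac
  done <<EOF
$1
EOF
  return 1
}

# shm_group_ok SYSCTL_VALUE GID
# vm.hugetlb_shm_group names the group allowed to create SysV shared memory
# backed by huge pages; a non-root process outside it gets SHM_HUGETLB refused.
shm_group_ok() {
  [ "$1" = "$2" ]
}

# vfio_owner_ok PATH UID GID
# 0 if every entry under PATH (file or directory) is owned by UID:GID, i.e. the
# chown on /dev/vfio/* was applied. ls -ln is used for portability.
vfio_owner_ok() {
  [ -e "$1" ] || return 1
  ls -ln "$1" | awk -v u="$2" -v g="$3" '
    BEGIN { bad = 0 }
    /^total / { next }
    NF >= 4 && ($3 != u || $4 != g) { bad = 1 }
    END { exit bad }'
}

# Live check of the running host: prints what is missing, returns non-zero.
preflight() {
  uid=$(id -u); gid=$(id -g); rc=0
  hugetlbfs_mount_ok "$(cat /proc/mounts)" "$uid" "$gid" \
    || { echo "hugetlbfs not mounted at /dev/hugepages for $uid:$gid"; rc=1; }
  shm_group_ok "$(cat /proc/sys/vm/hugetlb_shm_group 2>/dev/null)" "$gid" \
    || { echo "vm.hugetlb_shm_group is not $gid"; rc=1; }
  vfio_owner_ok /dev/vfio "$uid" "$gid" \
    || { echo "/dev/vfio nodes are not owned by $uid:$gid"; rc=1; }
  return $rc
}
```

Source the file and run `preflight` as the intended VPP user before starting VPP unprivileged.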
Been looking into the vfio part of this over the last couple of days.
- `--device` attachments
- `echo "Y" > /sys/module/vfio/parameters/enable_unsafe_noiommu_mode`
- `/sys/module/vfio` is added as Volume Mount

For now I don't see any ways of running VPP containers without the privileged flag.
I will take a look
When running VPP inside a container, some issues have been seen when trying to use NIC ports/interfaces (PFs/VFs) through the dpdk plugin.
Running the container as privileged (`securityContext -> privileged: true`) works as expected, and can be sufficient - but still not ideal for various reasons.

Consider the following configuration file:

Running the POD results in the following error from VPP:

Several variations of the above configuration, with additional mounts and capabilities added, have been tested as well. So far these tests have all been unsuccessful, and the only solution that has worked is to run the POD as privileged.

At this point, any container using PFs/VFs will be run as privileged. An example of this can be seen in https://github.com/cncf/cnf-testbed/pull/288. While each POD is able to see and use all of the interfaces, using a CNI such as SRIOV Network Device Plugin it is possible to assign a subset of interfaces to each POD, and by using this when generating the VPP configuration the interfaces used by each POD can be limited to the desired amount. This solution works in a controlled environment, under the assumption that each POD will stick to its requested resources. It is however possible for a POD to use a modified VPP configuration which uses more or all resources on the host.