[v4,1/1] usertools/devbind: allow changing UID/GID for VFIO

Message ID c5d0388620157638338f67291f8862c6c96cec96.1733131888.git.anatoly.burakov@intel.com (mailing list archive)
State New
Delegated to: Thomas Monjalon
Headers
Series [v4,1/1] usertools/devbind: allow changing UID/GID for VFIO |

Checks

Context Check Description
ci/checkpatch warning coding style issues
ci/loongarch-compilation success Compilation OK
ci/loongarch-unit-testing success Unit Testing PASS
ci/Intel-compilation success Compilation OK
ci/intel-Testing success Testing PASS
ci/github-robot: build success github build: passed
ci/iol-broadcom-Performance success Performance Testing PASS
ci/intel-Functional success Functional PASS
ci/iol-intel-Performance success Performance Testing PASS
ci/iol-mellanox-Performance success Performance Testing PASS
ci/iol-intel-Functional success Functional Testing PASS
ci/iol-unit-amd64-testing success Testing PASS
ci/iol-unit-arm64-testing success Testing PASS
ci/iol-compile-amd64-testing warning Testing issues
ci/iol-sample-apps-testing success Testing PASS
ci/iol-compile-arm64-testing success Testing PASS

Commit Message

Burakov, Anatoly Dec. 2, 2024, 9:31 a.m. UTC
Currently, when binding a device to VFIO, the UID/GID for the device will
always stay as system default (`root`). Yet, when running DPDK as non-root
user, one has to change the UID/GID of the device to match the user's
UID/GID to use the device.

This patch adds an option to `dpdk-devbind.py` to change the UID/GID of
the device when binding it to VFIO.

Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
---

Notes:
    v3 -> v4:
    - Added documentation
    
    v2 -> v3:
    - Replaced error printout back to hard exit
    - Reworked UID/GID validation to be at command line parsing
    - Simplified chown code
    
    v1 -> v2:
    - Replaced hard exit with an error printout

 doc/guides/tools/devbind.rst |  6 ++++++
 usertools/dpdk-devbind.py    | 41 +++++++++++++++++++++++++++++++++---
 2 files changed, 44 insertions(+), 3 deletions(-)
  

Comments

Burakov, Anatoly Dec. 2, 2024, 9:35 a.m. UTC | #1
On 12/2/2024 10:31 AM, Anatoly Burakov wrote:
> Currently, when binding a device to VFIO, the UID/GID for the device will
> always stay as system default (`root`). Yet, when running DPDK as non-root
> user, one has to change the UID/GID of the device to match the user's
> UID/GID to use the device.
> 
> This patch adds an option to `dpdk-devbind.py` to change the UID/GID of
> the device when binding it to VFIO.
> 
> Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
> ---

Missed

Reviewed-by: Robin Jarry <rjarry@redhat.com>
  
Burakov, Anatoly Dec. 4, 2024, 12:33 p.m. UTC | #2
On 12/2/2024 10:31 AM, Anatoly Burakov wrote:
> Currently, when binding a device to VFIO, the UID/GID for the device will
> always stay as system default (`root`). Yet, when running DPDK as non-root
> user, one has to change the UID/GID of the device to match the user's
> UID/GID to use the device.
> 
> This patch adds an option to `dpdk-devbind.py` to change the UID/GID of
> the device when binding it to VFIO.
> 
> Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
> ---

This functionality is also included in my devbind rewrite:

https://patches.dpdk.org/project/dpdk/list/?series=34098
  

Patch

diff --git a/doc/guides/tools/devbind.rst b/doc/guides/tools/devbind.rst
index df4f3505ac..841615570f 100644
--- a/doc/guides/tools/devbind.rst
+++ b/doc/guides/tools/devbind.rst
@@ -56,6 +56,12 @@  OPTIONS
         WARNING: This can lead to loss of network connection and should be used
         with caution.
 
+* ``--uid uid, --gid gid``
+
+      By default, devices which are bound to VFIO will be owned by ``root``.
+      Use this flag to change ownership to the specified user and group, so that
+      devices bound to VFIO would be usable by unprivileged users.
+
 
 .. warning::
 
diff --git a/usertools/dpdk-devbind.py b/usertools/dpdk-devbind.py
index f2a2a9a12f..ed1ef0cabc 100755
--- a/usertools/dpdk-devbind.py
+++ b/usertools/dpdk-devbind.py
@@ -3,11 +3,13 @@ 
 # Copyright(c) 2010-2014 Intel Corporation
 #
 
-import sys
-import os
-import subprocess
 import argparse
+import grp
+import os
 import platform
+import pwd
+import subprocess
+import sys
 
 from glob import glob
 from os.path import exists, basename
@@ -108,6 +110,8 @@ 
 status_flag = False
 force_flag = False
 noiommu_flag = False
+vfio_uid = -1
+vfio_gid = -1
 args = []
 
 
@@ -544,6 +548,19 @@  def bind_all(dev_list, driver, force=False):
 
     for d in dev_list:
         bind_one(d, driver, force)
+        # if we're binding to vfio-pci, set the IOMMU user/group ownership if one was specified
+        if driver == "vfio-pci" and (vfio_uid != -1 or vfio_gid != -1):
+            # find IOMMU group for a particular PCI device
+            iommu_grp_base_path = os.path.join("/sys/bus/pci/devices", d, "iommu_group")
+            # extract the IOMMU group number
+            iommu_grp = os.path.basename(os.readlink(iommu_grp_base_path))
+            # find VFIO device correspondiong to this IOMMU group
+            dev_path = os.path.join("/dev/vfio", iommu_grp)
+            # set ownership
+            try:
+                os.chown(dev_path, vfio_uid, vfio_gid)
+            except OSError as err:
+                sys.exit(f"Error: failed to set IOMMU group ownership for {d}: {err}")
 
     # For kernels < 3.15 when binding devices to a generic driver
     # (i.e. one that doesn't have a PCI ID table) using new_id, some devices
@@ -697,6 +714,8 @@  def parse_args():
     global force_flag
     global noiommu_flag
     global args
+    global vfio_uid
+    global vfio_gid
 
     parser = argparse.ArgumentParser(
         description='Utility to bind and unbind devices from Linux kernel',
@@ -746,6 +765,20 @@  def parse_args():
         '--noiommu-mode',
         action='store_true',
         help="If IOMMU is not available, enable no IOMMU mode for VFIO drivers")
+    parser.add_argument(
+        "-U",
+        "--uid",
+        help="For VFIO, specify the UID to set IOMMU group ownership",
+        type=lambda u: pwd.getpwnam(u).pw_uid,
+        default=-1,
+    )
+    parser.add_argument(
+        "-G",
+        "--gid",
+        help="For VFIO, specify the GID to set IOMMU group ownership",
+        type=lambda g: grp.getgrnam(g).gr_gid,
+        default=-1,
+    )
     parser.add_argument(
         '--force',
         action='store_true',
@@ -778,6 +811,8 @@  def parse_args():
         b_flag = opt.bind
     elif opt.unbind:
         b_flag = "none"
+    vfio_uid = opt.uid
+    vfio_gid = opt.gid
     args = opt.devices
 
     if not b_flag and not status_flag: