Minimize capabilities, emulate k8s env closely with pause #68

Merged
merged 3 commits into from
Jun 12, 2020
2 changes: 2 additions & 0 deletions Dockerfile
Expand Up @@ -37,6 +37,8 @@ RUN git clone -b $DPDK_VER -q --depth 1 $DPDK_URL $DPDK_DIR

# Customizing DPDK install
WORKDIR $DPDK_DIR
COPY patches/dpdk patches
RUN cat patches/* | patch -p1

ARG CPU=native
ARG RTE_TARGET='x86_64-native-linuxapp-gcc'
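Review bot: `RUN cat patches/* | patch -p1` applies the DPDK patches with patch(1)'s default fuzz, so if `$DPDK_VER` later resolves to a tree where the surrounding context has shifted, a hunk can still be accepted at a nearby location and the image builds with a driver that is not patched the way the patch files describe. The pipeline's exit status is also only that of `patch`, so a failing `cat` goes unnoticed. The clone named in the hunk header leaves a git work tree in `$DPDK_DIR`, so a stricter form is `RUN git apply patches/*`, which rejects any hunk whose context does not match exactly.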
3 changes: 2 additions & 1 deletion Makefile
Expand Up @@ -37,7 +37,8 @@ docker-build:
--build-arg org_label_schema_vcs_ref="${DOCKER_LABEL_VCS_REF}" \
--build-arg org_label_schema_build_date="${DOCKER_LABEL_BUILD_DATE}" \
--build-arg org_opencord_vcs_commit_date="${DOCKER_LABEL_COMMIT_DATE}" \
.; \
. \
|| exit 1; \
done

docker-push:
55 changes: 35 additions & 20 deletions docker_setup.sh
Expand Up @@ -51,18 +51,18 @@ num_ipaddrs=${#ipaddrs[@]}
# Set up static route and neighbor table entries of the SPGW
function setup_trafficgen_routes() {
for ((i = 0; i < num_ipaddrs; i++)); do
sudo ip netns exec bess ip neighbor add "${nhipaddrs[$i]}" lladdr "${nhmacaddrs[$i]}" dev "${ifaces[$i % num_ifaces]}"
sudo ip netns exec pause ip neighbor add "${nhipaddrs[$i]}" lladdr "${nhmacaddrs[$i]}" dev "${ifaces[$i % num_ifaces]}"
routelist=${routes[$i]}
for route in $routelist; do
sudo ip netns exec bess ip route add "$route" via "${nhipaddrs[$i]}"
sudo ip netns exec pause ip route add "$route" via "${nhipaddrs[$i]}"
done
done
}

# Assign IP address(es) of gateway interface(s) within the network namespace
function setup_addrs() {
for ((i = 0; i < num_ipaddrs; i++)); do
sudo ip netns exec bess ip addr add "${ipaddrs[$i]}" dev "${ifaces[$i % $num_ifaces]}"
sudo ip netns exec pause ip addr add "${ipaddrs[$i]}" dev "${ifaces[$i % $num_ifaces]}"
done
}

Expand All @@ -73,53 +73,68 @@ function setup_addrs() {
# ARP/ICMP responses are captured and relayed out of the dpdk ports.
function setup_mirror_links() {
for ((i = 0; i < num_ifaces; i++)); do
sudo ip netns exec bess ip link add "${ifaces[$i]}" type veth peer name "${ifaces[$i]}"-vdev
sudo ip netns exec bess ip link set "${ifaces[$i]}" up
sudo ip netns exec bess ip link set "${ifaces[$i]}-vdev" up
sudo ip netns exec bess ip link set dev "${ifaces[$i]}" address "${macaddrs[$i]}"
sudo ip netns exec pause ip link add "${ifaces[$i]}" type veth peer name "${ifaces[$i]}"-vdev
sudo ip netns exec pause ip link set "${ifaces[$i]}" up
sudo ip netns exec pause ip link set "${ifaces[$i]}-vdev" up
sudo ip netns exec pause ip link set dev "${ifaces[$i]}" address "${macaddrs[$i]}"
done
setup_addrs
}

# Set up interfaces in the network namespace. For non-"dpdk" mode(s)
function move_ifaces() {
for ((i = 0; i < num_ifaces; i++)); do
sudo ip link set "${ifaces[$i]}" netns bess up
sudo ip link set "${ifaces[$i]}" netns pause up
sudo ip netns exec pause ip link set "${ifaces[$i]}" promisc off
done
setup_addrs
}

# Stop previous instances of bess-web, bess-cpiface, bess-routectl and bess before restarting
docker stop bess bess-routectl bess-web bess-cpiface || true
docker rm -f bess bess-routectl bess-web bess-cpiface || true
sudo rm -rf /var/run/netns/bess
docker stop pause bess bess-routectl bess-web bess-cpiface || true
docker rm -f pause bess bess-routectl bess-web bess-cpiface || true
sudo rm -rf /var/run/netns/pause

# Build
make docker-build

[ "$mode" == 'dpdk' ] && DEVICES=${DEVICES:-'--device=/dev/vfio/48 --device=/dev/vfio/49 --device=/dev/vfio/vfio'} || DEVICES=''
[ "$mode" == 'af_xdp' ] && PRIVS='--privileged' || PRIVS='--cap-add SYS_NICE --cap-add NET_ADMIN'
if [ "$mode" == 'dpdk' ]; then
DEVICES=${DEVICES:-'--device=/dev/vfio/48 --device=/dev/vfio/49 --device=/dev/vfio/vfio'}
PRIVS='--cap-add IPC_LOCK'

elif [ "$mode" == 'af_xdp' ]; then
PRIVS='--privileged'

elif [ "$mode" == 'af_packet' ]; then
PRIVS='--cap-add IPC_LOCK'

fi

# Run pause
docker run --name pause -td --restart unless-stopped \
-p $gui_port:$gui_port \
k8s.gcr.io/pause

# Run bessd
docker run --name bess -td --restart unless-stopped \
--cpuset-cpus=12-13 \
--ulimit memlock=-1 -v /dev/hugepages:/dev/hugepages \
-v "$PWD/conf":/opt/bess/bessctl/conf \
-p $gui_port:$gui_port \
--net container:pause \
$PRIVS \
$DEVICES \
upf-epc-bess:"$(<VERSION)"

sudo mkdir -p /var/run/netns
sandbox=$(docker inspect --format='{{.NetworkSettings.SandboxKey}}' bess)
sudo ln -s "$sandbox" /var/run/netns/bess
sandbox=$(docker inspect --format='{{.NetworkSettings.SandboxKey}}' pause)
sudo ln -s "$sandbox" /var/run/netns/pause

case $mode in
"dpdk") setup_mirror_links ;;
*)
move_ifaces
# Make sure that kernel does not send back icmp dest unreachable msg(s)
sudo ip netns exec bess iptables -I OUTPUT -p icmp --icmp-type port-unreachable -j DROP
sudo ip netns exec pause iptables -I OUTPUT -p icmp --icmp-type port-unreachable -j DROP
;;
esac

Expand All @@ -131,18 +146,18 @@ docker logs bess
# Run bess-routectl
docker run --name bess-routectl -td --restart unless-stopped \
-v "$PWD/conf/route_control.py":/route_control.py \
--net container:bess --pid container:bess \
--net container:pause --pid container:bess \
--entrypoint /route_control.py \
upf-epc-bess:"$(<VERSION)" -i "${ifaces[@]}"

# Run bess-web
docker run --name bess-web -d --restart unless-stopped \
--net container:bess \
--net container:pause \
--entrypoint bessctl \
upf-epc-bess:"$(<VERSION)" http 0.0.0.0 $gui_port

# Run bess-cpiface
docker run --name bess-cpiface -td --restart unless-stopped \
--net container:bess \
--net container:pause \
--entrypoint zmq-cpiface \
upf-epc-cpiface:"$(<VERSION)"
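Review bot: The `if`/`elif` chain that replaces the two one-line assignments before `# Run pause` no longer gives `PRIVS` and `DEVICES` a value on every path: `DEVICES` is assigned only for `dpdk`, and neither is assigned when `$mode` is none of the three named values. Both are expanded unquoted into the `docker run` for `bess`, so whatever the caller's environment holds under those names (a `DEVICES` exported for an earlier dpdk run, a `PRIVS` carrying `--privileged`) becomes container flags, which works against the capability reduction this change is making. Set `PRIVS=''` before the chain, reset `DEVICES=''` in the non-dpdk branches (the dpdk branch deliberately honours a caller-supplied `DEVICES`), and add an `else` branch that reports the unsupported mode and exits non-zero. Where `$mode` is assigned is outside the visible hunks, so which values it can take is not confirmed here.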
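--- a/patches/bess/0006-Add-switch-for-promiscuous-mode.patch
+++ b/patches/bess/0006-Add-switch-for-promiscuous-mode.patch
@@ -0,0 +1,46 @@
+From 260ef6f9bef9cce1a1c171e9da7b6ba854e9f994 Mon Sep 17 00:00:00 2001
+From: Saikrishna Edupuganti <saikrishna.edupuganti@intel.com>
+Date: Fri, 12 Jun 2020 00:11:50 +0000
+Subject: [PATCH] Add switch for promiscuous mode
+
+Set promiscuous only if explicitly asked by user
+
+Signed-off-by: Saikrishna Edupuganti <saikrishna.edupuganti@intel.com>
+---
+core/drivers/pmd.cc | 7 ++++++-
+protobuf/ports/port_msg.proto | 1 +
+2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/core/drivers/pmd.cc b/core/drivers/pmd.cc
+index a3cbf1fd..733b50ec 100644
+--- a/core/drivers/pmd.cc
++++ b/core/drivers/pmd.cc
+@@ -313,7 +313,12 @@ CommandResponse PMDPort::Init(const bess::pb::PMDPortArg &arg) {
+}
+}
+
+- rte_eth_promiscuous_enable(ret_port_id);
++ if (arg.promiscuous_mode()) {
++ ret = rte_eth_promiscuous_enable(ret_port_id);
++ if (ret != 0) {
++ return CommandFailure(-ret, "rte_eth_promiscuous_enable() failed");
++ }
++ }
+
+int offload_mask = 0;
+offload_mask |= arg.vlan_offload_rx_strip() ? ETH_VLAN_STRIP_OFFLOAD : 0;
+diff --git a/protobuf/ports/port_msg.proto b/protobuf/ports/port_msg.proto
+index 1e8b6af8..853380e1 100644
+--- a/protobuf/ports/port_msg.proto
++++ b/protobuf/ports/port_msg.proto
+@@ -50,6 +50,7 @@ message PMDPortArg {
+oneof socket {
+int32 socket_id = 8;
+}
++ bool promiscuous_mode = 9;
+}
+
+message UnixSocketPortArg {
+--
+2.25.1
+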
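Review bot: The new `promiscuous_mode` field in `PMDPortArg` carries no comment, and an unset `bool` reads as false, so every existing port definition that omits it switches from always-promiscuous to non-promiscuous once this patch is applied. That default is the more conservative one, but it should be stated where users set it, for example `// Put the port in promiscuous mode. Off unless explicitly set to true.` above the field. In `PMDPort::Init` the new early `return CommandFailure(...)` sits after earlier port setup that is outside the hunk, so whether the port needs to be released on that path cannot be checked from here.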
@@ -0,0 +1,52 @@
From e1bc63488d346cb84ae7e76f2bc480247f577abb Mon Sep 17 00:00:00 2001
From: Saikrishna Edupuganti <saikrishna.edupuganti@intel.com>
Date: Fri, 12 Jun 2020 21:36:53 +0000
Subject: [PATCH] af_packet Avoid set ioctl if there is no flag diff

rte_eth_dev_start -> rte_eth_dev_config_restore
In 19.11 DPDK started returning errors
https://github.com/DPDK/dpdk/commit/9039c8125730adfd46b8c891e7f205eb4ac43c67
https://github.com/DPDK/dpdk/commit/69d0e7092874db1909bc40986c06219f1880dc23

Gist
https://gist.github.com/krsna1729/0c7160920343f9fa55f760c770286155

We also patch af_packet PMD to change set flags only when needed

Signed-off-by: Saikrishna Edupuganti <saikrishna.edupuganti@intel.com>
---
drivers/net/af_packet/rte_eth_af_packet.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/drivers/net/af_packet/rte_eth_af_packet.c b/drivers/net/af_packet/rte_eth_af_packet.c
index f5806bf42..29d45eb47 100644
--- a/drivers/net/af_packet/rte_eth_af_packet.c
+++ b/drivers/net/af_packet/rte_eth_af_packet.c
@@ -472,6 +472,7 @@ static int
eth_dev_change_flags(char *if_name, uint32_t flags, uint32_t mask)
{
struct ifreq ifr;
+ uint32_t cur_flags;
int ret = 0;
int s;

@@ -484,8 +485,16 @@ eth_dev_change_flags(char *if_name, uint32_t flags, uint32_t mask)
ret = -errno;
goto out;
}
+
+ cur_flags = ifr.ifr_flags;
ifr.ifr_flags &= mask;
ifr.ifr_flags |= flags;
+
+ // Return if there is no change
+ if (cur_flags == ifr.ifr_flags){
+ goto out;
+ }
+
if (ioctl(s, SIOCSIFFLAGS, &ifr) < 0) {
ret = -errno;
goto out;
--
2.25.1
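Review bot: `cur_flags` is declared `uint32_t` but stores and is compared with `ifr.ifr_flags`, which is a `short` in `struct ifreq`; the equality test gives the right answer only because both sides go through the same signed-to-unsigned conversion, and it may trip `-Wsign-compare`. Declaring it as `short cur_flags;` keeps the comparison in the field's own type. The comment `// Return if there is no change` could also say why the write is skipped (presumably so the PMD can start without the privilege `SIOCSIFFLAGS` requires), because it means the interface flags have to be correct before the port is started. The body of `eth_dev_change_flags` begins and ends outside these hunks.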