[dpdk-dev] Running DPDK with Docker

Andre Richter andre.o.richter at gmail.com
Thu Apr 2 08:36:08 CEST 2015


The uio drivers are not secured by an iommu.
Therefore, you could misuse the NIC to DMA read/write into any part of
memory, e.g. reading or writing to memory of the host or other containers.

This is a security breach if you enable a container to do this by giving it
access via uio, because you have them to isolate processes against each
other in the first place.

VFIO uses iommus to protect against that, but you need capable hardware,
e.g. Intel VT-d support on x86.

http://en.m.wikipedia.org/wiki/IOMMU

Cheers,
Andre

Karmarkar Suyash <skarmarkar at sonusnet.com> wrote on Thu., 2 Apr. 2015 at
05:28:

> << igb_uio and rte_kni are unlikely to be accepted upstream since they
> have intrinsic security problems.
>
> Can you use VFIO?>>
>
> Hi Stephen,
>
> Thanks for the reply. Can you please elaborate on the security
> issue? Thanks.
>
> Regards
> Suyash
>
> -----Original Message-----
> From: Stephen Hemminger [mailto:stephen at networkplumber.org]
> Sent: Thursday, April 02, 2015 12:12 AM
> To: Karmarkar Suyash
> Cc: dev at dpdk.org
> Subject: Re: [dpdk-dev] Running DPDK with Docker
>
> On Wed, 1 Apr 2015 17:56:56 +0000
> Karmarkar Suyash <skarmarkar at sonusnet.com> wrote:
>
> > Hi,
> >
> > Given the popularity of Docker it would be nice if we can run DPDK
> inside a Docker container but the challenge is the igb_uio.ko and
> rte_kni.ko kernel modules which need to be compiled with the exact kernel
> source running on the host.  Are there ways to seamlessly run DPDK with
> Docker? I came across an article about running DPDK with Linux containers
> but still the requirement is to insert igb_uio. Any plans to make the
> igb_uio and rte_kni modules default modules of the Linux source code or any
> other better approaches/suggestions? Thanks.
> >
> > http://dpdk.org/ml/archives/dev/2014-October/006373.html
> > http://permalink.gmane.org/gmane.comp.networking.dpdk.devel/6479
>
> igb_uio and rte_kni are unlikely to be accepted upstream since they have
> intrinsic security problems.
>
> Can you use VFIO?
>


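The distinction Andre draws above (uio-style bindings leave the NIC free to DMA anywhere, VFIO confines it behind the IOMMU) can be checked from sysfs before a container is handed a device. The script below is an added example, not code from the thread or from DPDK; it reads the `driver` and `iommu_group` symlinks that the kernel exposes under `/sys/bus/pci/devices/<BDF>/` and classifies the binding. The sysfs root is a parameter so the same function can be run against a constructed fake tree (the `build_demo_tree` helper is part of the example and exists only for offline demonstration); the BDF values and group number it uses are made up.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a PCI NIC is bound for DPDK.
# usage: classify_nic_binding /sys 0000:03:00.0
#   prints one of: ok-vfio, risk-uio-iommu-available, risk-uio-no-iommu,
#                  unbound, kernel-driver:<name>, unknown-device
#   exit status 1 marks a binding that gives the device unconfined DMA.
classify_nic_binding() {
    sysroot="$1"
    bdf="$2"
    dev="$sysroot/bus/pci/devices/$bdf"

    [ -d "$dev" ] || { echo "unknown-device"; return 2; }

    # The driver name is the last component of the 'driver' symlink target;
    # the link is absent when the device is not bound to any driver.
    if [ -L "$dev/driver" ]; then
        drv=$(basename "$(readlink "$dev/driver")")
    else
        drv="none"
    fi

    # The kernel only creates the 'iommu_group' link when an IOMMU is
    # active for this device; without it VFIO cannot be used at all.
    if [ -L "$dev/iommu_group" ]; then
        iommu="yes"
    else
        iommu="no"
    fi

    case "$drv" in
        vfio-pci)
            # DMA is confined to the mappings the IOMMU allows: the safe case.
            echo "ok-vfio"; return 0 ;;
        igb_uio|uio_pci_generic)
            # uio bindings do not set up IOMMU protection for the device, so
            # the NIC can DMA into any physical memory. Report whether the
            # hardware would at least allow a switch to vfio-pci.
            if [ "$iommu" = "yes" ]; then
                echo "risk-uio-iommu-available"
            else
                echo "risk-uio-no-iommu"
            fi
            return 1 ;;
        none)
            echo "unbound"; return 0 ;;
        *)
            echo "kernel-driver:$drv"; return 0 ;;
    esac
}

# Constructed sysfs tree for offline demonstration (BDFs and group id made up):
#   0000:03:00.0 -> vfio-pci, in IOMMU group 12
#   0000:03:00.1 -> igb_uio, no IOMMU group
#   0000:03:00.2 -> unbound
# Prints the path of the fake root.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bus/pci/devices/0000:03:00.0" \
             "$root/bus/pci/devices/0000:03:00.1" \
             "$root/bus/pci/devices/0000:03:00.2" \
             "$root/bus/pci/drivers/vfio-pci" \
             "$root/bus/pci/drivers/igb_uio" \
             "$root/kernel/iommu_groups/12"
    ln -s ../../drivers/vfio-pci "$root/bus/pci/devices/0000:03:00.0/driver"
    ln -s ../../../../kernel/iommu_groups/12 "$root/bus/pci/devices/0000:03:00.0/iommu_group"
    ln -s ../../drivers/igb_uio "$root/bus/pci/devices/0000:03:00.1/driver"
    echo "$root"
}

# Stand-alone run: classify the three constructed devices, then clean up.
demo_root=$(build_demo_tree)
for bdf in 0000:03:00.0 0000:03:00.1 0000:03:00.2; do
    printf '%s: %s\n' "$bdf" "$(classify_nic_binding "$demo_root" "$bdf")"
done
rm -rf "$demo_root"
```

Against a real host, call `classify_nic_binding /sys <BDF>` for each NIC you intend to pass into a container; anything other than `ok-vfio` means the container would be able to drive DMA outside its own memory, which is exactly the isolation failure the thread describes. A `risk-uio-iommu-available` result shows the hardware (and kernel IOMMU setup) is there and the fix is simply rebinding the device to vfio-pci.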