Skip to content

v3.1.x: Do not use CMA in user namespaces #6999

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 15, 2019
Merged

v3.1.x: Do not use CMA in user namespaces #6999

merged 1 commit into from
Oct 15, 2019

Conversation

jsquyres
Copy link
Member

Trying out to run processes via mpirun in Podman containers has shown
that the CMA btl_vader_single_copy_mechanism does not work when user
namespaces are involved.

Creating containers with Podman requires at least user namespaces to be
able to do unprivileged mounts in a container

Even if running the container with user namespace user ID mappings which
result in the same user ID on the inside and outside of all involved
containers, the check in the kernel to allow ptrace (and thus
process_vm_{read,write}v()), fails if the same IDs are not in the same
user namespace.

One workaround is to specify '--mca btl_vader_single_copy_mechanism none'
and this commit adds code to automatically skip CMA if user namespaces
are detected and fall back to MCA_BTL_VADER_EMUL.

Signed-off-by: Adrian Reber areber@redhat.com
(cherry picked from commit fc68d8a)

@jsquyres jsquyres added this to the v3.1.5 milestone Sep 21, 2019
@jsquyres
Copy link
Member Author

FYI @adrianreber

@bwbarrett Thoughts on bringing this back to v3.1.x?

@jsquyres jsquyres added the NEWS label Sep 21, 2019
@ibm-ompi
Copy link

The IBM CI (GNU Compiler) build failed! Please review the log, linked below.

Gist: https://gist.github.com/a4e9cc27cd5fc186815ed2c64bf90977

@ibm-ompi
Copy link

The IBM CI (XL Compiler) build failed! Please review the log, linked below.

Gist: https://gist.github.com/4d887b7ab041b69e82db35ee4d05a924

@jsquyres jsquyres force-pushed the pr/v3.1.x/vader-do-not-use-cma branch from 623d761 to c4fe1d6 Compare September 21, 2019 19:24
@jsquyres
Copy link
Member Author

@adrianreber It turns out that MCA_BTL_VADER_EMUL does not exist back on the v3.1.x/v3.0.x branches. I updated this PR to instead fall back to MCA_BTL_VADER_NONE.

Can you please test that the functionality still works correctly for you?

@adrianreber
Copy link
Member

@jsquyres

On top of this PR following one line change is needed:

diff --git a/opal/mca/btl/vader/btl_vader_module.c b/opal/mca/btl/vader/btl_vader_module.c
index 8f704c8fca..15071f968e 100644
--- a/opal/mca/btl/vader/btl_vader_module.c
+++ b/opal/mca/btl/vader/btl_vader_module.c
@@ -252,6 +252,7 @@ static int init_vader_endpoint (struct mca_btl_base_endpoint_t *ep, struct opal_
                     opal_show_help("help-btl-vader.txt", "cma-different-user-namespace-warning",
                                    true, opal_process_info.nodename);
                     mca_btl_vader_component.single_copy_mechanism = MCA_BTL_VADER_NONE;
+                    mca_btl_vader.super.btl_flags &= ~MCA_BTL_FLAGS_RDMA;
                     mca_btl_vader.super.btl_get = NULL;
                     mca_btl_vader.super.btl_put = NULL;
                     mca_btl_vader.super.btl_put_limit = 0;

Can you amend the existing commit?

@adrianreber @jsquyres
Do not use CMA in user namespaces
e19e210 
Trying out to run processes via mpirun in Podman containers has shown
that the CMA btl_vader_single_copy_mechanism does not work when user
namespaces are involved.

Creating containers with Podman requires at least user namespaces to be
able to do unprivileged mounts in a container

Even if running the container with user namespace user ID mappings which
result in the same user ID on the inside and outside of all involved
containers, the check in the kernel to allow ptrace (and thus
process_vm_{read,write}v()), fails if the same IDs are not in the same
user namespace.

One workaround is to specify '--mca btl_vader_single_copy_mechanism none'
and this commit adds code to automatically skip CMA if user namespaces
are detected and fall back to MCA_BTL_VADER_NONE (as opposed to
MCA_BTL_VADER_EMUL on master as of 2019-09-21 and the v4.0.x branch).

Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Jeff Squyres <jsquyres@cisco.com>
(cherry picked from commit fc68d8a)
@jsquyres jsquyres force-pushed the pr/v3.1.x/vader-do-not-use-cma branch from c4fe1d6 to e19e210 Compare September 24, 2019 16:46
@jsquyres
Copy link
Member Author

@adrianreber Done!

@adrianreber
Copy link
Member

@adrianreber Done!

@jsquyres I tested the PR once more with the latest updates and it works as it should. 👍 from my side

@jsquyres
Copy link
Member Author

Thanks @adrianreber. I just updated #6998 (the v3.0.x version of this PR) with the same feedback from this PR.

@jsquyres
Copy link
Member Author

@hjelmn @bwbarrett This PR is now ready for review.

This was referenced Oct 4, 2019
Merged
Merged
@jsquyres jsquyres merged commit f221d67 into open-mpi:v3.1.x Oct 15, 2019
@jsquyres jsquyres deleted the pr/v3.1.x/vader-do-not-use-cma branch October 15, 2019 17:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bwbarrett bwbarrett bwbarrett approved these changes

@hjelmn hjelmn Awaiting requested review from hjelmn

Assignees

No one assigned

Labels

enhancement NEWS RM approved Severity: critical Target: v3.1.x

Projects

None yet

Milestone

v3.1.5

Development

Successfully merging this pull request may close these issues.

4 participants

@jsquyres @ibm-ompi @adrianreber @bwbarrett