[MIR] dpdk

We can't have texlive-fonts-extra as a build dependency if it is in universe. We can put some binaries that we build in universe, but the build itself must be able to operate entirely out of main. During the build of a source package that is in main, universe is not in sources.list and so the build would fail otherwise.

Can we pull texlive-fonts-extra out of the build depends but arrange the build to still succeed? If we miss building some specific version of the documentation then that's OK, though preferably we'd still have non-TeX documentation available.

The only simple way to pull the font dependency out would be not to build documentation. The whole of "make doc" fails at some point without. Ok, the other option would be to remove the dependency, check on what font the build fails and add a patch which replaces its use everywhere. I am not sure I could easily come up with a suggestion for a replacement that keeps the produced documents in a reasonable state.

Some quality issues that I think we should consider in this MIR:

It is a userspace library but upstream does not yet comply with ecosystem best practices for shipping a shared library with respect to FHS paths. It is required to use upstream's build system or do fairly hacky things with cpp and ld flags for an application that uses DPDK to build. I described this to upstream in http://dpdk.org/ml/archives/dev/2015-September/023180.html and they seem receptive to patches to fix this, but this still needs doing. The dpdk-dev binary package (as opposed to libdpdk-dev) shouldn't need to exist. Fixing this will likely require API and ABI bumps upstream. How does this fit with MIR requirements in respect to maintainability of the packaging?

Hey guys,

Can next Ubuntu version enable Xen on DPDK (both DOM0 and XENVIRT) ?

I'm trying to rebuild and package DPDK Ubuntu package with Xen but, I found a bug on DPDK, and I'm stucked now) here is the mail thread on DPDK-dev mail list:

http://permalink.gmane.org/gmane.comp.networking.dpdk.devel/28658

Here is a patch that works with DPDK 2.2.*

http://dpdk.org/dev/patchwork/patch/9088/

With this patch, it is possible to enable COMBINE_LIBS and XENVIRT at the same time but, it breaks Ubuntu's Lib ABI versioning scheme (patch "ubuntu-combined-shared-lib-abiversion.patch doesn't work anymore, if above patch applied).

Also, DPDK 2.3 will be available in March 2016, before Xenial final freeze (I believe), maybe, Ubuntu Xenaial can ship with it...

I would love to see Ubuntu DPDK package compiled with Xen! ;-)

Cheers!
Thiago

Hi Thiago,
I'll take a look at enabling XEN once I have eliminated a few other DPDK roadblockers.
But this request is not part of the MIR Request you posted in.

I unfortunately don't have a way to move your comment to a new bug.
To provide you with proper tracking and keep the MIR bug free of discussions around this new topic it would be great if you could post just the same in a separate bug against DPDK.

Hi Christian,

Sorry to mix subjects... I just filled another bug report about this (DPDK with Xen):

Here it is:

https://bugs.launchpad.net/ubuntu/+source/dpdk/+bug/1521289

I would love to help you guys with this! Specially with tests during Xenial development cycle.

Best,
Thiago

As you mention applications not wanting to use the dpdk makefiles have to do hacky things with CFLAGS and LDFLAGS.
So that other build systems can be used to build dpdk using applications would be great if dpdk generated and installed a pkg-config .pc file that these could use.
I first mentioned this here: http://dpdk.org/ml/archives/dev/2015-November/027391.html

We did consider supplying a pkg-config .pc file but it was pointed out to me that this isn't what pkg-config is supposed to be used for. It would still be a hack. The real fix is for upstream to rearrange things so that this isn't necessary.

Agreed, upstream having regular include/link flags would be ideal.
That said, even then, shipping a .pc file with traditional CFLAGS/LD_LIBS would be useful for many packaging applications. Many other libraries provides these, and are widely used by things like PKG_CHECK_MODULES in autoconf FindPkgConfig in CMake.

Seth is in the process of performing the security review for DPDK.

Christian reported he's working on a DPDK 2.2 for Xenial; should I be reviewing the packages at https://launchpad.net/~paelzer/+archive/ubuntu/dpdk-merge-2.2 instead of the 2.0.0-0ubuntu3 that is currently underway?

Thanks

Hi Seth,
much of the code should be still similar.
But making you aware that such an upgrade might come was just the point of
my mail.
The final decision 2.0/2.1/2.2 which way we will go will be taken on the
sprint next week.
I'll let you know asap then.
Am 05.01.2016 01:35 schrieb "Seth Arnold" <email address hidden>:

> Christian reported he's working on a DPDK 2.2 for Xenial; should I be
> reviewing the packages at https://launchpad.net/~paelzer/+archive/ubuntu
> /dpdk-merge-2.2 instead of the 2.0.0-0ubuntu3 that is currently
> underway?
>
> Thanks
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1492186
>
> Title:
> [MIR] dpdk
>
> Status in dpdk package in Ubuntu:
> In Progress
>
> Bug description:
> *** Still processing FFE and filling in the template ***
>
> [Availability]
> The source code is available from: git://dpdk.org/dpdk
> General information: http://dpdk.org
> The package is already part of universe and builds for the target
> architecture https://launchpad.net/ubuntu/+source/dpdk/2.0.0-0ubuntu1
>
> In the Xenial cycle we intend to upgrade to 2.2 which gets released
> end of November which - due to being more recent should be good for
> maintenance and security.
>
> [Rationale]
> The DPDK library will be a build dependency for openvswitch package
> (extra variant using DPDK instead of kernel network stack).
> So it will be useful for a large part of our user base around OpenStack.
> Potentially there will be more projects doing the same, so this should
> be part of the endorsed set of packages.
>
> [Security]
> As of today there are no known CVEs nor any advisories on Secunia.
>
> There is only one /sbin executable in the form of /sbin/dpdk_nic_bind
> to get a hold on the network devices.
>
> There is one service that gets started in the form of /etc/init.d/dpdk
> which eventually comes down to "/lib/dpdk/dpdk-init --start"
>
> It does not have privileged privileged ports (ports < 1024) bound.
>
> [Quality assurance]
> While configuration is quite complex, since the dpdk package itself is
> only a library it does not require *user* configuration. That is a job of
> the consumers of the library e.g. openvswitch-switch-dpdk.
>
> There are no long-term outstanding bugs which affect the usability of
> the program to a major degree. Upstream is very active and supports
> and cares for the package.
>
> There is no Debian package to consider and the Ubuntu bug tracking
> system currently only hold this MIR request as an open bug.
> https://bugs.launchpad.net/ubuntu/+source/dpdk
>
> The package in the meantime supports various network cards and even
> virtio-net so not only exotic hardware that we cannot support.
>
> The package ships a full test suite as can be seen on
> http://dpdk.org/doc/dts/gsg/config.html but it is extremely complex.
> Still it could and should one day become part of semi-manual QA on
> that package.
>
> There is a quick test which requires network, but not really network
> access (to the outside) that might be possible to implement as a Dep8
> test for build...

It was decided in Capetown that 2.2 will the version we choose for 16.04.
So regarding testing, security review and so on please focus on that one.

For now:
Package: https://launchpad.net/~paelzer/+archive/ubuntu/dpdk-merge-2.2
Upstream Code: http://dpdk.org/browse/dpdk/tag/?id=v2.2.0

How is the security review progressing?

Jon, I just re-started with Christian's newer packages; there's a lot more to this package than I at first expected.

Thanks

I reviewed dpdk 2.2.0-0ubuntu1 as checked into Christian Ehrhardt's PPA.
This should not be considedred a full security audit; it is instead a
quick gauge of maintainability.

I didn't find any previous CVEs for DPDK.

- DPDK provides userspace drivers and interface for a few high-end NICs to
  support high-speed low-latency networking applications without requiring
  every packet to go through the Linux kernel's networking stack. The plus
  side is extremely fast networking, the downside is that the library
  links in huge portions of the drivers of the NICs that are supported, so
  the NICs can be driven from userspace.
- Build-Depends: debhelper, libcap-dev, doxygen, python-sphinx, graphviz,
  inkscape, texlive-latex-extra, texlive-fonts-recommended, python,
  dh-python, dh-systemd, libpcap-dev, libxen-dev, libxenstore3.0
- Does not itself daemonize
- pre/post inst/rm all automatically generated
- No dbus services
- No setuid executables
- testpmd, dpdk_proc_info, and dpdk_nic_bind executables in PATH
- No sudo fragments
- Extensive use of sudo in /usr/share/dpdk/tools/setup.sh -- it appears
  this script is unused, thankfully
- No udev rules
- Extensive tests, nothing is run during build or via debian/tests/
- No cronjobs
- Clean build logs: -Werror, many warnings turned on

- Very little use of system(), popen(), etc., mostly static strings,
  mostly in examples. Not ideal but convenient.
- Memory management is complicated: custom allocators are used
  extensively, wrappers perform multiplication without checking
  for integer overflows.
- Most file accesses are to specific named files
- Logging looked careful
- A few uses of environment variables, not much checking; best to consider
  them part of the trusted environment for DPDK applications
- Extensive use of ioctl() operations
- Extensive cryptography infrastructure in drivers/crypto/ -- I did not
  inspect any of the cryptography code
- Extensive networking, it's the purpose of the library
- It's probably best to consider the entire library a privileged interface
- Three uses of /tmp in strings -- two in examples/, the other is properly
  used mkstemp() call
- cppcheck reported some false positives, some legitimate style issues,
  and one example/ program with uninitialized variable use
- shellcheck reported extensive issues, some can be ignored, some should
  be addressed
- No policykit

Affects main codebase and should be investigated quickly:

- shellcheck reports extensive cases of forgotten quotes to prevent word
  splitting or globbing, potentially unused variables, error-prone printf
  formatting. The scripts that are going to be used at runtime should be
  fixed:
  - ./debian/dpdk-init
  - ./debian/dpdk.init
  - ./tools/setup.sh ? (Hard to tell)
- ./drivers/net/cxgbe/cxgbe_ethdev.c eth_cxgbe_dev_init() memory leak in
  out_free_adapter: that doesn't free adapter
- ./drivers/net/virtio/virtio_ethdev.c virtio_set_multiple_queues() calls
  virtio_send_command(), which performs:
  memcpy(vq->virtio_net_hdr_mz->addr, ctrl, sizeof(struct virtio_pmd_ctrl));
  This copies a potentially huge amount of uninitialized data into ->addr
  because the struct virtio_pmd_ctrl ctrl was not ze...

I forwarded the more interesting bits of my notes to the DPDK dev list:
http://dpdk.org/ml/archives/dev/2016-February/033013.html

Thanks Seth:

>>Please confirm in this bug that the server team has the
equipment, knowledge, and enthusiasm to help maintain this package.

As manager of the server team, I confirm this. Christian can provide more information on his plans for enabling tests and automation of tests when he is back next week. FWIW, the primary use case we are interested in at the moment in time is OVS/DPDK (and for OpenStack), so some of the testing we desire will include testing e2e flows through those components.

Thanks Seth! Looking at this a bit from a MIR team perspective:

- This is a complicated package :-/

- Needs a team bug subscriber

- Needs a look at running tests, as Seth says

- What's the story with this in Debian? As I said, our packaging is a little complicated, and it would be good to line ourselves up with the same package names and such if and when Debian packages this. And share the maintenance burden.

Hi Seth,
I'll take a look into the two debian/dpdk scripts this week as part of handling all the upload review I got this morning from a reviewer as well.

I'll contact you directly to share the current test plan and would like to have a discussion at the end of the week about the remaining pieces (I'll send an invite)
Until then the dpdk mailing List also has a bit more time to respond to your findings.

[...]
- Needs a team bug subscriber
=> FYI - Done

Regarding the State in Debian:
I filed an ITP offering joint effort work on it.
If someone in Debian cares about dpdk we would keep it "compatible" together, if not we have no collision.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815760

Regarding Tests
As I mentioned multiple times the nature of dpdk makes it almost totally unsuitable for d/t/* autopkgtests. This is why we only covered a few bits of the init scripts in there.
But as I have send we have a test plan that will work in a jenkins CI environment.
So we are as good (or working on it) as we can get it.

I wanted to summarize that we addressed all MIR feedback.
Note: Also the merge to DPDK2.2 is done and in universe for a few days now.

So @Seth/Michael - does this qualify for your conditional ACK in post #16 and we are fine to go now and promote it to main?

OK, understood about tests. At least there's something in dep8 now, so the package at least gets run. And good about CI.

Override component to main
dpdk 2.2.0-0ubuntu1 in xenial: universe/libs -> main
dpdk 2.2.0-0ubuntu1 in xenial amd64: universe/devel/optional/100% -> main
dpdk 2.2.0-0ubuntu1 in xenial i386: universe/devel/optional/100% -> main
dpdk-dev 2.2.0-0ubuntu1 in xenial amd64: universe/devel/optional/100% -> main
dpdk-dev 2.2.0-0ubuntu1 in xenial i386: universe/devel/optional/100% -> main
dpdk-doc 2.2.0-0ubuntu1 in xenial amd64: universe/doc/optional/100% -> main
dpdk-doc 2.2.0-0ubuntu1 in xenial arm64: universe/doc/optional/100% -> main
dpdk-doc 2.2.0-0ubuntu1 in xenial armhf: universe/doc/optional/100% -> main
dpdk-doc 2.2.0-0ubuntu1 in xenial i386: universe/doc/optional/100% -> main
dpdk-doc 2.2.0-0ubuntu1 in xenial powerpc: universe/doc/optional/100% -> main
dpdk-doc 2.2.0-0ubuntu1 in xenial ppc64el: universe/doc/optional/100% -> main
dpdk-doc 2.2.0-0ubuntu1 in xenial s390x: universe/doc/optional/100% -> main
libdpdk-dev 2.2.0-0ubuntu1 in xenial amd64: universe/libdevel/optional/100% -> main
libdpdk-dev 2.2.0-0ubuntu1 in xenial i386: universe/libdevel/optional/100% -> main
libdpdk0 2.2.0-0ubuntu1 in xenial amd64: universe/libs/optional/100% -> main
libdpdk0 2.2.0-0ubuntu1 in xenial i386: universe/libs/optional/100% -> main
16 publications overridden.

This bug was fixed in the package openvswitch - 2.5.0~git20160219.522aca6-0ubuntu2

---------------
openvswitch (2.5.0~git20160219.522aca6-0ubuntu2) xenial; urgency=medium

  * [9c970b06] d/rules,*.manpages,*.install: Prepare for dual build.
  * [f7dff3e7] DPDK enablement (LP: #1492186):
    - d/p/system-dpdk.patch: Pick patch from openvswitch-dpdk to
      support use with libdpdk-dev.
    - d/control: Add DPDK dependencies for supported archs.
    - d/rules: Build DPDK enabled binaries for supported archs.
    - d/openvswitch-switch.p*: Install ovs-vswitch-dpdk binary as an
      alternative.
    - d/openvswitch-switch.README.Debian: Let users know how to use
      the DPDK binary.

 -- James Page <email address hidden> Wed, 24 Feb 2016 21:44:41 +0000