Welcome! Log In Create A New Profile

Advanced

haproxy with QAT requires root

Posted by Christian Braun 
Christian Braun
haproxy with QAT requires root
June 12, 2018 01:10PM
Hello,

i am testing haproxy with a QAT card (Intel QuickAssit-Technology). I am
getting "SSL handshake failure" running haproxy with user nobody and
ssl-engine qat. When running haproxy with user root the card gets used
and the SSL connection works.
Is running haproxy as root required when using a QAT card?

haproxy v1.8.9
OpenSSL_1_1_0h
QAT_Engine v0.5.36
qat1.7.l.4.1.0


Thank you,
Christian
Aleksandar Lazic
Re: haproxy with QAT requires root
June 12, 2018 01:10PM
Hi.

On 12/06/2018 12:58, Christian Braun wrote:
>Hello,
>
>i am testing haproxy with a QAT card (Intel QuickAssit-Technology). I
>am getting "SSL handshake failure" running haproxy with user nobody and
>ssl-engine qat. When running haproxy with user root the card gets used
>and the SSL connection works.
>Is running haproxy as root required when using a QAT card?

What's Intel answer to the question about usage of the card as none
root user?

>haproxy v1.8.9
>OpenSSL_1_1_0h
>QAT_Engine v0.5.36
>qat1.7.l.4.1.0

What do you see when you call `openssl engine -t -c -vvvv qat` as none
root user ?

I found this command on this page https://github.com/intel/QAT_Engine
as I don't know the QAT Engine.

Do you use haproxy in nbproc?

https://github.com/intel/QAT_Engine#limitations

>Thank you,
>Christian

Best regards
aleks
Christian Braun
Re: haproxy with QAT requires root
June 13, 2018 10:30AM
Hello Aleks,

On 2018-06-12 13:05, Aleksandar Lazic wrote:
> Hi.
>
> On 12/06/2018 12:58, Christian Braun wrote:
>> Hello,
>>
>> i am testing haproxy with a QAT card (Intel QuickAssit-Technology). I
>> am getting "SSL handshake failure" running haproxy with user nobody and
>> ssl-engine qat. When running haproxy with user root the card gets used
>> and the SSL connection works.
>> Is running haproxy as root required when using a QAT card?
>
> What's Intel answer to the question about usage of the card as none
> root user?
>
>> haproxy v1.8.9
>> OpenSSL_1_1_0h
>> QAT_Engine v0.5.36
>> qat1.7.l.4.1.0
>
> What do you see when you call `openssl engine -t -c -vvvv qat` as none
> root user ?

Thanks for pointing that out. I should have tried that first. The test
works with root and fails with a unprivileged user:

$ LD_LIBRARY_PATH=/usr/local/ssl/lib /usr/local/ssl/bin/openssl engine
-t -c -vvvv qat
(qat) Reference implementation of QAT crypto engine
[RSA, DSA, DH, AES-128-CBC-HMAC-SHA1, AES-128-CBC-HMAC-SHA256,
AES-256-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA256, TLS1-PRF]
ioctl_alloc_slab:936 mmap on memory allocated through ioctl failed
ADF_UIO_PROXY err: adf_init_ring: unable to get
ringbuf(v:(nil),p:(nil)) for rings in bank(0)
ADF_UIO_PROXY err: icp_adf_transCreateHandle: adf_init_ring failed
[error] SalCtrl_ServiceInit() - : Failed to initialise all service instances
ADF_UIO_PROXY err: adf_user_subsystemInit: Failed to initialise
Subservice SAL
[error] SalCtrl_ServiceEventStart() - : Private data is NULL
ADF_UIO_PROXY err: adf_user_subsystemStart: Failed to start Subservice SAL
[error] SalCtrl_AdfServicesStartedCheck() - : Sal Ctrl failed to start
in given time

[error] do_userStart() - : Failed to start services


>
> I found this command on this page https://github.com/intel/QAT_Engine
> as I don't know the QAT Engine.
>
> Do you use haproxy in nbproc?
>
> https://github.com/intel/QAT_Engine#limitations
>
>> Thank you,
>> Christian
>
> Best regards
> aleks

Thank you,
Christian
Sorry, only registered users may post in this forum.

Click here to login