  1. OpenShift Request For Enhancement
  2. RFE-7731

Support Power Saving Feature in DPME (DPDK Container) Without Requiring Root Privileges


    • Feature Request
    • Resolution: Unresolved
    • Telco Core
    • Product / Portfolio Work

      1. Background

      A DPDK container is being enhanced to include a power-saving feature aimed at improving energy efficiency in server environments. However, this feature currently relies on direct access to host-level system files and paths related to CPU frequency and power state management.

      Historically, some of these files (e.g., energy_uj) were accessible without elevated privileges. A recent Linux kernel update (commit 949dd0104) tightened access restrictions so that elevated permissions are now required, which introduces deployment challenges in containerized, rootless environments.

      2. Business Impact

      • Security Risk: Running containers with root privileges contradicts best practices for container security and increases the attack surface, particularly in multi-tenant or production environments.
      • Deployment Challenges: Air-gapped and secure environments often mandate rootless container operation, blocking adoption of the power-saving feature unless alternative access mechanisms are provided.
      • Power Efficiency Goal: Delays in implementing this feature in a rootless context slow down energy efficiency optimization efforts, impacting operational costs and environmental sustainability targets.

      A solution is needed that enables this functionality without sacrificing container isolation or compliance with industry-standard security practices.

      3. Requirements

      We request the following:

      • Enable Power Management Without Root: Allow the DPDK container to interact with the following files without requiring full root privileges:
        • /sys/devices/system/cpu/cpuX/cpufreq/scaling_governor (R/W)
        • /sys/devices/system/cpu/cpuX/cpufreq/scaling_setspeed (R/W)
        • /sys/devices/system/cpu/cpuX/cpufreq/scaling_min_freq (R)
        • /sys/devices/system/cpu/cpuX/cpufreq/scaling_max_freq (R/W)
        • /sys/devices/system/cpu/cpuX/cpufreq/scaling_available_frequencies (R)
        • /sys/devices/system/cpu/cpuX/cpuidle/state (R/W)
        • /sys/devices/virtual/powercap/intel-rapl/intel-rapl:X/energy_uj (R)
        • /sys/class/powercap/intel-rapl*/*/energy_uj (R)
      • Investigate Alternative Access Mechanisms, such as:
        • Host-side privileged helper or proxy service with scoped API access.
        • Granting fine-grained Linux capabilities (e.g., CAP_SYS_ADMIN, CAP_DAC_OVERRIDE) as minimally as possible.
        • Controlled hostPath mounts for specific sysfs locations, scoped to required files only.
        • Collaboration with upstream kernel/platform teams to define new APIs or permissions that support safe rootless power management.
      • Retain Rootless Compatibility: Any proposed solution should be deployable in standard Kubernetes/OpenShift environments using rootless containers or non-root service accounts.
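
One way the host-side helper with scoped API access could decide whether to serve a request, using the file list and R/W modes above as its policy. This is an added example, not code from the RFE, DPDK or OpenShift; the `authorize` function, the `allowed_cpus` input, the written-value pattern and the reading of `cpuX`, `intel-rapl:X` and `*` as numeric or single-component matches are assumptions.

```python
import re

CPU = r"/sys/devices/system/cpu/cpu(?P<cpu>[0-9]+)"
# (pattern, modes) transcribed from the file list in the request. Assumptions:
# cpuX and intel-rapl:X are numeric, and each * is a single path component.
RULES = [(re.compile(p), m) for p, m in [
    (CPU + r"/cpufreq/scaling_governor", "rw"),
    (CPU + r"/cpufreq/scaling_setspeed", "rw"),
    (CPU + r"/cpufreq/scaling_min_freq", "r"),
    (CPU + r"/cpufreq/scaling_max_freq", "rw"),
    (CPU + r"/cpufreq/scaling_available_frequencies", "r"),
    (CPU + r"/cpuidle/state", "rw"),
    (r"/sys/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]+/energy_uj", "r"),
    (r"/sys/class/powercap/intel-rapl[^/]*/[^/]+/energy_uj", "r"),
]]
# Assumed shape of a written value (governor name or number): one short token.
VALUE = re.compile(r"[A-Za-z0-9_]{1,32}")


def authorize(path, op, allowed_cpus, value=None):
    """Return (ok, reason) for one request from the unprivileged container."""
    if op not in ("r", "w"):
        return False, "unknown operation"
    # Refuse rather than normalise: relative, empty, "." or ".." components.
    parts = path[1:].split("/")
    if not path.startswith("/") or any(c in ("", ".", "..") for c in parts):
        return False, "non-canonical path"
    for pattern, modes in RULES:
        m = pattern.fullmatch(path)
        if m is None:
            continue
        if op not in modes:
            return False, "file is read-only in the policy"
        cpu = m.groupdict().get("cpu")
        if cpu is not None and int(cpu) not in allowed_cpus:
            return False, "CPU not assigned to this container"
        if op == "w" and (value is None or not VALUE.fullmatch(value)):
            return False, "malformed value"
        return True, "ok"
    return False, "path not in policy"


if __name__ == "__main__":
    # Constructed requests; CPUs 2 and 3 stand in for the container's pinned cores.
    gov = "/sys/devices/system/cpu/cpu%d/cpufreq/scaling_governor"
    for path, op, val in [(gov % 2, "w", "powersave"), (gov % 0, "w", "powersave"),
                          (gov % 2 + "/../scaling_min_freq", "r", None)]:
        print(op, path, authorize(path, op, {2, 3}, val))
```

The helper denies by default: anything outside the eight listed files, any write to a file marked (R), and any CPU outside the caller's own set is refused before the helper touches sysfs.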

      4. Affected Components

      • DPDK Container
      • OpenShift/Kubernetes SecurityContext Policies
      • Linux Kernel Interfaces (Sysfs, PowerCap, RAPL)
      • Container Runtime Capabilities (CRI-O, Podman, etc.)
      • Node Configuration/Access Control (e.g., host mounts, SELinux, AppArmor)

      5. Rationale

      Power management is a critical capability for modern data centers seeking energy efficiency and performance optimization. At the same time, container security is paramount. Enabling this feature in a rootless context supports:

      • Compliance with cloud-native security models
      • Seamless integration into automated and regulated environments
      • Broader adoption of energy-aware containerized workloads

      We request the investigation and implementation of a secure, rootless-compatible approach to support this functionality in upcoming versions of the DPDK container.

              fbaudin@redhat.com Franck Baudin
              midu@redhat.com Mihai IDU