Bug 1652554
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [RHOS14] Non admin user creation of guest instance with Trusted VF fails due to not having access to binding:profile | | |
| Product | Red Hat OpenStack | Reporter | Vadim Khitrin <vkhitrin> |
| Component | openstack-nova | Assignee | OSP DFG:Compute <osp-dfg-compute> |
| Status | CLOSED NOTABUG | QA Contact | OSP DFG:Compute <osp-dfg-compute> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 14.0 (Rocky) | CC | berrange, cfontain, dasmith, eglynn, jhakimra, kchamart, sbauza, sgordon, vkhitrin, vromanso, yrachman |
| Target Milestone | --- | Keywords | Reopened |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2018-11-29 18:53:29 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Vadim Khitrin
2018-11-22 11:16:26 UTC
Comment 1, Artom Lifshitz

Hello, thanks for the bug report!

Port binding extended attributes are admin-only (both setting and getting) [1]. In addition, trusted mode on the devices is set by the libvirt driver when plugging or unplugging, so unless an instance is actually using a trusted VF, no trusted devices will show up on the host. Because of that, I think this is all working as expected. If I've misunderstood something, by all means reopen this bug.

[1] https://developer.openstack.org/api-ref/network/v2/index.html#port-binding-extended-attributes

Comment 2, Artom Lifshitz

(In reply to Artom Lifshitz from comment #1)
> Hello, thanks for the bug report!
>
> Port binding extended attributes are admin-only (both setting and getting)
> [1]. In addition, trusted mode on the devices is set by the libvirt driver
> when plugging or unplugging, so unless an instance is actually using a
> trusted VF, no trusted devices will show up on the host.

Err, apologies, I completely missed that an instance had in fact been created. The fact that no interfaces show up as trusted on the host is indeed weird. I assume passthrough_whitelist has been configured correctly? Would it be possible to reproduce the bug with debug enabled and attach nova logs from the compute host to this BZ? Thanks!

Comment 3, Artom Lifshitz

(In reply to Artom Lifshitz from comment #2)
> Err, apologies, I completely missed that an instance had in fact been
> created. The fact that no interfaces show up as trusted on the host is
> indeed weird.

I discussed this with a colleague, and without hardware capable of trusted VFs we're not entirely sure whether a VF that has been passed through to a guest would still show up on the host - after all, once passed through, it is the guest's kernel that's managing it, not the host. So it could be that what you're seeing is expected. The quickest way to make sure the trusted VF is working as expected is to perform an operation from within the guest that can only succeed with a trusted VF - for example, changing its MAC address. If this works, there's no bug here.

Comment 4, Vadim Khitrin

Hi Artom, thanks for your replies.

We have the hardware and tested that everything works as it should when done as an admin user.

I think that the binding:profile is omitted due to oslo policy (mentioned here: https://docs.openstack.org/newton/config-reference/networking/samples/policy.json.html) '"get_port:binding:profile": "rule:admin_only"'. I'm trying to verify if it's caused by this policy. Will update.

Comment 5, Artom Lifshitz

(In reply to Vadim Khitrin from comment #4)
> Hi Artom, thanks for your replies.
>
> We have the hardware and tested that everything works as it should when done
> as an admin user.
>
> I think that the binding:profile is omitted due to oslo policy (mentioned
> here:
> https://docs.openstack.org/newton/config-reference/networking/samples/policy.json.html)
> '"get_port:binding:profile": "rule:admin_only"'. I'm trying to
> verify if it's caused by this policy. Will update.

Yeah, policy can be changed, it's just admin-only by default. If it's OK with you I'd like to close this BZ to avoid it taking up time in the compute DFG's triage process. If you do notice a bug with trusted VFs and policy, by all means re-open this. Thanks!
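The thread's conclusion is that the behaviour is policy, not a bug: neutron's default policy.json marks the port-binding extended attributes admin-only, so a non-admin caller cannot set binding:profile on create and does not even see the attribute on GET. The script below is an added illustration, not code from the bug report, from neutron or from oslo.policy. It contains a deliberately small stand-in for oslo.policy's rule evaluator (only the rule forms that appear in the constructed sample file are supported), a constructed policy.json whose binding:profile entries mirror neutron's admin_only defaults (the get_port rule is the one quoted in comment 4; the create_port and update_port counterparts are assumed to follow the same default), and constructed credentials and a port record. It shows the non-admin tenant being refused a trusted-VF port create and receiving a port with no binding:profile key, then what changes if an operator relaxes those three rules to admin_or_owner.

```python
import json

# Constructed policy file (added example; not from the bug report). The entries
# mirror neutron's shipped policy.json defaults for the port-binding extended
# attributes: every binding:profile rule resolves to admin_only.
DEFAULT_POLICY_JSON = """{
  "context_is_admin": "role:admin",
  "admin_only": "rule:context_is_admin",
  "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
  "get_port": "rule:admin_or_owner",
  "create_port": "",
  "update_port": "rule:admin_or_owner",
  "get_port:binding:profile": "rule:admin_only",
  "create_port:binding:profile": "rule:admin_only",
  "update_port:binding:profile": "rule:admin_only"
}"""

# The same file with the three binding:profile rules relaxed to admin_or_owner:
# a hypothetical operator edit, shown only to make the policy effect visible.
RELAXED_POLICY_JSON = DEFAULT_POLICY_JSON.replace('"rule:admin_only"',
                                                  '"rule:admin_or_owner"')


def load_policy(text):
    """Parse a policy.json document into a {rule_name: expression} dict."""
    return json.loads(text)


def _atom(policy, atom, creds, target, depth):
    """Evaluate one check in the forms the constructed file uses: "" or "@"
    (always allow), "!" (always deny), rule:NAME, role:NAME, and the generic
    KEY:%(TARGET_KEY)s comparison of a credential field with a target field.
    Simplified stand-in for oslo.policy, which supports far more syntax."""
    if atom in ("", "@"):
        return True
    if atom == "!":
        return False
    kind, _, arg = atom.partition(":")
    if kind == "rule":
        return check(policy, arg, creds, target, depth + 1)
    if kind == "role":
        return arg in creds.get("roles", ())
    if arg.startswith("%(") and arg.endswith(")s"):
        value = creds.get(kind)
        return value is not None and value == target.get(arg[2:-2])
    return False  # unsupported syntax denies, the safe default


def check(policy, rule_name, creds, target, depth=0):
    """True if creds satisfy policy[rule_name] against target. Unknown rule
    names deny. 'and' binds tighter than 'or', as in oslo.policy."""
    if depth > 20 or rule_name not in policy:
        return False
    expr = policy[rule_name].strip()
    return any(
        all(_atom(policy, term.strip(), creds, target, depth)
            for term in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def visible_port(policy, creds, port):
    """Mimic neutron's GET filtering: the caller must pass get_port, then every
    attribute with its own get_port:<attr> rule is dropped when that rule
    fails. Under the defaults a non-admin gets the port back with no
    binding:profile key at all, which is what the reporter saw."""
    if not check(policy, "get_port", creds, port):
        return None
    return {key: value for key, value in port.items()
            if f"get_port:{key}" not in policy
            or check(policy, f"get_port:{key}", creds, port)}


def can_request_trusted_vf(policy, creds, tenant_id):
    """Would a port create carrying binding:profile={'trusted': 'true'} pass?
    The attribute-level rule is consulted because the attribute is in the
    request body; a plain port create by the same tenant needs only create_port."""
    body = {"tenant_id": tenant_id, "binding:profile": {"trusted": "true"}}
    return (check(policy, "create_port", creds, body)
            and check(policy, "create_port:binding:profile", creds, body))


# Constructed credentials and port record for the demonstration.
ADMIN = {"roles": ["admin"], "tenant_id": "admin-tenant"}
TENANT_A = {"roles": ["member"], "tenant_id": "tenant-a"}
SAMPLE_PORT = {"id": "port-1", "tenant_id": "tenant-a",
               "mac_address": "fa:16:3e:00:00:01",
               "binding:vnic_type": "direct",
               "binding:profile": {"trusted": "true"}}

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_POLICY_JSON),
                        ("relaxed", RELAXED_POLICY_JSON)):
        policy = load_policy(text)
        print(label, "tenant may request trusted VF:",
              can_request_trusted_vf(policy, TENANT_A, "tenant-a"))
        print(label, "tenant sees:", visible_port(policy, TENANT_A, SAMPLE_PORT))
```

Before relaxing create_port:binding:profile the way the relaxed file does, weigh what it grants: a tenant who can write binding:profile can ask for a trusted VF on any SR-IOV port it creates, and a trusted VF lets the guest do things the hypervisor normally forbids on a VF, such as changing its MAC address (the very check comment 3 suggests) or enabling promiscuous mode. That is a hardware-level network privilege handed to the tenant, so the admin_only default is the safer setting and a narrower rule (a dedicated role, for instance) is preferable to admin_or_owner if some tenants genuinely need it.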