Bug 1402584 - [RFE][nova]: Trusted Virtual Functions
Summary: [RFE][nova]: Trusted Virtual Functions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: Upstream M2
: 14.0 (Rocky)
Assignee: Stephen Finucane
QA Contact: awaugama
URL: https://blueprints.launchpad.net/nova...
Whiteboard: upstream_milestone_none upstream_defi...
Depends On: 1379787 1384439
Blocks: 1500557 1382052 1442136 1476900 1615667 1636395 1656071 1656073 1687560 1732816
Reported: 2016-12-07 21:44 UTC by Stephen Gordon
Modified: 2022-03-13 14:09 UTC (History)

Fixed In Version: openstack-nova-18.0.0-0.20180710150340.8469fa7
Doc Type: Enhancement
Doc Text:
With this update, the libvirt compute driver now allows users to create instances with trusted SR-IOV virtual functions. When trusted, a VF can perform certain operations, such as modifying the VF’s MAC address in the guest. Interface bonding requires that all slaves use the same MAC address, which in turn requires MAC address modifications on one of the VFs during a failover. Because MAC address altering is a privileged operation, participating VFs must be trusted in order to successfully configure bonding in the guest.

Administrators can now configure trusted mode for VFs. This requires two steps. First, the 'trusted' value of the '[pci] passthrough_whitelist' JSON configuration option in nova.conf must be set to 'true'. For example:

    [pci]
    passthrough_whitelist = {"devname": "eth0", "trusted": "true", "physical_network":"sriovnet1"}

Then, when creating the port, 'trusted=true' must be set for the binding profile. For example:

    $ neutron port-create <net-id> \
        --name sriov_port \
        --vnic-type direct \
        --binding:profile type=dict trusted=true

Because trusted mode only applies to SR-IOV VFs, the 'vnic-type' must be one of 'hw_veb' or 'direct'.
Clone Of:
: 1656073 (view as bug list)
Environment:
Last Closed: 2019-01-11 11:47:00 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 485522 0 'None' MERGED virt: allow instances to be booted with trusted VFs 2021-02-01 18:56:45 UTC
Red Hat Issue Tracker OSP-11289 0 None None None 2021-12-10 15:07:11 UTC
Red Hat Product Errata RHEA-2019:0045 0 None None None 2019-01-11 11:47:58 UTC

Description Stephen Gordon 2016-12-07 21:44:40 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/nova/+spec/sriov-trusted-vfs.

Description:

A new kernel feature allows Virtual Functions to become "trusted" by
the Physical Function and perform some privileged operations, such as
enabling VF promiscuous mode and changing VF MAC address within the
guest. The inability to modify MAC addresses in the guest prevents the
users from being able to easily set up two VFs in a fail-over bond
in a guest. This spec aims to suggest a way for users to boot
instances with trusted VFs.

Specification URL (additional information):

None

Comment 6 Stephen Gordon 2017-01-25 19:18:20 UTC
Nir can we get a lucky volunteer from the networking team to take a look over the current iteration of the spec (we intend to re-submit for Pike):

https://review.openstack.org/#/c/397932/

Vladik is interested in feedback on whether this will make sense from a Neutron POV.

Comment 9 Sahid Ferdjaoui 2017-04-20 14:00:03 UTC
Upstream patches: 
  https://review.openstack.org/#/q/topic:bp/sriov-trusted-vfs

Comment 11 Sahid Ferdjaoui 2017-07-20 09:48:01 UTC
New spec proposed for Queens

Comment 17 Sahid Ferdjaoui 2018-01-30 08:56:08 UTC
Spec re-proposed for Rocky:

  https://review.openstack.org/#/c/485522/

Comment 21 Sahid Ferdjaoui 2018-07-18 15:13:18 UTC
For the tests you need to configure pci/passthrough_whitelist with trusted=true:

[pci]
passthrough_whitelist = {"devname": "eth0", "trusted": "true",
                         "physical_network": "phys0"}

Then you need to create a port that is asking for a trusted VF device:

 neutron port-create <net-id> --name sriov_port --vnic-type direct \
                              --binding:profile type=dict trusted=true

Finally, start the instance using the port created.

The guest should start successfully and the VF assigned should indicate that trusted mode is active, using "ip link show eth" on the host.
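
The host-side check described in Comment 21, as an added example that is not part of the bug's comments or of nova: it parses `ip link show <pf>` text and flags VFs whose trust state does not match the ports created with trusted=true. The sample output is constructed, the function names are hypothetical, and it assumes each VF carries the MAC address of its Neutron port.

```python
import re

# Constructed sample of `ip link show eth0` on a compute host (not from the bug).
# Both VF line layouts printed by different iproute2 versions are included.
SAMPLE = """\
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 3c:fd:fe:00:00:01 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether fa:16:3e:00:00:10 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust on
    vf 1 MAC fa:16:3e:00:00:11, spoof checking on, link-state auto, trust off
    vf 2 MAC fa:16:3e:00:00:12, vlan 100, spoof checking off, link-state auto, trust on
    vf 3 MAC 00:00:00:00:00:00, spoof checking on, link-state auto
"""

VF_LINE = re.compile(
    r"^\s*vf\s+(?P<index>\d+)\s+(?:MAC|link/ether)\s+(?P<mac>[0-9a-fA-F:]{17})(?P<rest>.*)$"
)


def parse_vfs(ip_link_output):
    """Return {vf_index: {"mac", "trust", "spoofchk"}} from `ip link show <pf>` text."""
    vfs = {}
    for line in ip_link_output.splitlines():
        m = VF_LINE.match(line)
        if not m:
            continue  # header line or the PF's own link/ether line
        attrs = [a.strip() for a in m.group("rest").split(",")]
        # A kernel or driver without trust support prints no "trust" token: record None.
        trust = next((a.split()[1] == "on" for a in attrs if a.startswith("trust ")), None)
        spoof = next((a.split()[2] == "on" for a in attrs if a.startswith("spoof checking ")), None)
        vfs[int(m.group("index"))] = {"mac": m.group("mac").lower(), "trust": trust, "spoofchk": spoof}
    return vfs


def audit_trust(ip_link_output, expected_trusted_macs):
    """Compare VF trust state with the MACs of ports created with trusted=true (assumed input)."""
    expected = {mac.lower() for mac in expected_trusted_macs}
    vfs = parse_vfs(ip_link_output)
    unexpected = sorted(i for i, v in vfs.items() if v["trust"] and v["mac"] not in expected)
    trusted_seen = {v["mac"] for v in vfs.values() if v["trust"]}
    return {"unexpected_trusted_vfs": unexpected,
            "expected_but_not_trusted": sorted(expected - trusted_seen)}


if __name__ == "__main__":
    print(audit_trust(SAMPLE, ["fa:16:3e:00:00:10", "fa:16:3e:00:00:11"]))
```

Because a trusted VF may change its MAC address and enable promiscuous mode, a VF reported under unexpected_trusted_vfs is the case worth investigating first.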

Comment 36 errata-xmlrpc 2019-01-11 11:47:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:0045

