Bug 1652554 - [RHOS14] Non admin user creation of guest instance with Trusted VF fails due to not having access to binding:profile
Summary: [RHOS14] Non admin user creation of guest instance with Trusted VF fails due ...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 14.0 (Rocky)
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: nova-maint
QA Contact: nova-maint
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-22 11:16 UTC by Vadim Khitrin
Modified: 2019-09-09 14:25 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-29 18:53:29 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Vadim Khitrin 2018-11-22 11:16:26 UTC
Description of problem:

When attempting to leverage nova's trusted VF capabilities (as per nova's spec https://specs.openstack.org/openstack/nova-specs/specs/rocky/implemented/sriov-trusted-vfs.html), port creation has to be done as admin user but not all cloud operators have admin privileges. Even if the port is created as admin user on a different tenant where the cloud operator user exists, guest will be spawned without custom binding:profile.

(overcloud-Admin) [stack@undercloud-0 ~]$ openstack port create --vnic-type direct --project tempest-TestNfvBasic-909024731 --binding-profile trusted=true --network sriovone port100-sriov
+-----------------------+------------------------------------------------------------------------------+
| Field                 | Value                                                                        |
+-----------------------+------------------------------------------------------------------------------+
| admin_state_up        | UP                                                                           |
| allowed_address_pairs |                                                                              |
| binding_host_id       |                                                                              |
| binding_profile       | trusted='true'                                                               |
| binding_vif_details   |                                                                              |
| binding_vif_type      | unbound                                                                      |
| binding_vnic_type     | direct                                                                       |
| created_at            | 2018-11-22T10:27:50Z                                                         |
| data_plane_status     | None                                                                         |
| description           |                                                                              |
| device_id             |                                                                              |
| device_owner          |                                                                              |
| dns_assignment        | None                                                                         |
| dns_domain            | None                                                                         |
| dns_name              | None                                                                         |
| extra_dhcp_opts       |                                                                              |
| fixed_ips             | ip_address='60.20.135.101', subnet_id='50c6bd91-7b1b-4c8d-a27b-f85663a5dc49' |
| id                    | 17a9d426-1bda-47df-8d6f-2e3f6457c039                                         |
| mac_address           | fa:16:3e:6c:72:42                                                            |
| name                  | port100-sriov                                                                |
| network_id            | a03c1203-5af6-4377-942b-e5a30a1339c9                                         |
| port_security_enabled | False                                                                        |
| project_id            | 0540ed01fb134f28b12c7e024f5d72bd                                             |
| qos_policy_id         | None                                                                         |
| revision_number       | 2                                                                            |
| security_group_ids    |                                                                              |
| status                | DOWN                                                                         |
| tags                  |                                                                              |
| trunk_details         | None                                                                         |
| updated_at            | 2018-11-22T10:27:51Z                                                         |
+-----------------------+------------------------------------------------------------------------------+

Viewing the port as admin user will show the binding:profile:
(overcloud-Admin) [stack@undercloud-0 ~]$ openstack port show 17a9d426-1bda-47df-8d6f-2e3f6457c039
+-----------------------+------------------------------------------------------------------------------+
| Field                 | Value                                                                        |
+-----------------------+------------------------------------------------------------------------------+
| admin_state_up        | UP                                                                           |
| allowed_address_pairs |                                                                              |
| binding_host_id       |                                                                              |
| binding_profile       | trusted='true'                                                               |
| binding_vif_details   |                                                                              |
| binding_vif_type      | unbound                                                                      |
| binding_vnic_type     | direct                                                                       |
| created_at            | 2018-11-22T10:27:50Z                                                         |
| data_plane_status     | None                                                                         |
| description           |                                                                              |
| device_id             |                                                                              |
| device_owner          |                                                                              |
| dns_assignment        | None                                                                         |
| dns_domain            | None                                                                         |
| dns_name              | None                                                                         |
| extra_dhcp_opts       |                                                                              |
| fixed_ips             | ip_address='60.20.135.101', subnet_id='50c6bd91-7b1b-4c8d-a27b-f85663a5dc49' |
| id                    | 17a9d426-1bda-47df-8d6f-2e3f6457c039                                         |
| mac_address           | fa:16:3e:6c:72:42                                                            |
| name                  | port100-sriov                                                                |
| network_id            | a03c1203-5af6-4377-942b-e5a30a1339c9                                         |
| port_security_enabled | False                                                                        |
| project_id            | 0540ed01fb134f28b12c7e024f5d72bd                                             |
| qos_policy_id         | None                                                                         |
| revision_number       | 2                                                                            |
| security_group_ids    |                                                                              |
| status                | DOWN                                                                         |
| tags                  |                                                                              |
| trunk_details         | None                                                                         |
| updated_at            | 2018-11-22T10:27:51Z                                                         |
+-----------------------+------------------------------------------------------------------------------+

Viewing the port as a non admin user will show 'None' in binding:profile:
(overcloud-demo) [stack@undercloud-0 ~]$ openstack port show 17a9d426-1bda-47df-8d6f-2e3f6457c039
+-----------------------+------------------------------------------------------------------------------+
| Field                 | Value                                                                        |
+-----------------------+------------------------------------------------------------------------------+
| admin_state_up        | UP                                                                           |
| allowed_address_pairs |                                                                              |
| binding_host_id       | None                                                                         |
| binding_profile       | None                                                                         |
| binding_vif_details   | None                                                                         |
| binding_vif_type      | None                                                                         |
| binding_vnic_type     | direct                                                                       |
| created_at            | 2018-11-22T10:27:50Z                                                         |
| data_plane_status     | None                                                                         |
| description           |                                                                              |
| device_id             |                                                                              |
| device_owner          |                                                                              |
| dns_assignment        | None                                                                         |
| dns_domain            | None                                                                         |
| dns_name              | None                                                                         |
| extra_dhcp_opts       |                                                                              |
| fixed_ips             | ip_address='60.20.135.101', subnet_id='50c6bd91-7b1b-4c8d-a27b-f85663a5dc49' |
| id                    | 17a9d426-1bda-47df-8d6f-2e3f6457c039                                         |
| mac_address           | fa:16:3e:6c:72:42                                                            |
| name                  | port100-sriov                                                                |
| network_id            | a03c1203-5af6-4377-942b-e5a30a1339c9                                         |
| port_security_enabled | False                                                                        |
| project_id            | 0540ed01fb134f28b12c7e024f5d72bd                                             |
| qos_policy_id         | None                                                                         |
| revision_number       | 2                                                                            |
| security_group_ids    |                                                                              |
| status                | DOWN                                                                         |
| tags                  |                                                                              |
| trunk_details         | None                                                                         |
| updated_at            | 2018-11-22T10:27:51Z                                                         |
+-----------------------+------------------------------------------------------------------------------+

Spawning the server as non admin user with the port:
(overcloud-demo) [stack@undercloud-0 ~]$ openstack server create --image rhel-guest-image-7.5-192.x86_64.qcow2 --flavor m1.medium.huge_pages_cpu_pinning_numa_node-0 --nic port-id=17a9d426-1bda-47df-8d6f-2e3f6457c039 TrustedServer
(overcloud-demo) [stack@undercloud-0 ~]$ openstack server list
+--------------------------------------+---------------+--------+------------------------+---------------------------------------+----------------------------------------------+
| ID                                   | Name          | Status | Networks               | Image                                 | Flavor                                       |
+--------------------------------------+---------------+--------+------------------------+---------------------------------------+----------------------------------------------+
| f0c6c53a-eb85-4460-883f-d799e5df8663 | TrustedServer | ACTIVE | sriovone=60.20.135.101 | rhel-guest-image-7.5-192.x86_64.qcow2 | m1.medium.huge_pages_cpu_pinning_numa_node-0 |
+--------------------------------------+---------------+--------+------------------------+---------------------------------------+----------------------------------------------+

Viewing port as a non-admin:
(overcloud-demo) [stack@undercloud-0 ~]$ openstack port show 17a9d426-1bda-47df-8d6f-2e3f6457c039
+-----------------------+------------------------------------------------------------------------------+
| Field                 | Value                                                                        |
+-----------------------+------------------------------------------------------------------------------+
| admin_state_up        | UP                                                                           |
| allowed_address_pairs |                                                                              |
| binding_host_id       | None                                                                         |
| binding_profile       | None                                                                         |
| binding_vif_details   | None                                                                         |
| binding_vif_type      | None                                                                         |
| binding_vnic_type     | direct                                                                       |
| created_at            | 2018-11-22T10:27:50Z                                                         |
| data_plane_status     | None                                                                         |
| description           |                                                                              |
| device_id             | f0c6c53a-eb85-4460-883f-d799e5df8663                                         |
| device_owner          | compute:nova                                                                 |
| dns_assignment        | None                                                                         |
| dns_domain            | None                                                                         |
| dns_name              | None                                                                         |
| extra_dhcp_opts       |                                                                              |
| fixed_ips             | ip_address='60.20.135.101', subnet_id='50c6bd91-7b1b-4c8d-a27b-f85663a5dc49' |
| id                    | 17a9d426-1bda-47df-8d6f-2e3f6457c039                                         |
| mac_address           | fa:16:3e:6c:72:42                                                            |
| name                  | port100-sriov                                                                |
| network_id            | a03c1203-5af6-4377-942b-e5a30a1339c9                                         |
| port_security_enabled | False                                                                        |
| project_id            | 0540ed01fb134f28b12c7e024f5d72bd                                             |
| qos_policy_id         | None                                                                         |
| revision_number       | 20                                                                           |
| security_group_ids    |                                                                              |
| status                | ACTIVE                                                                       |
| tags                  |                                                                              |
| trunk_details         | None                                                                         |
| updated_at            | 2018-11-22T10:49:52Z                                                         |
+-----------------------+------------------------------------------------------------------------------+

Viewing port as an admin:
(overcloud-Admin) [stack@undercloud-0 ~]$ openstack port show 17a9d426-1bda-47df-8d6f-2e3f6457c039
+-----------------------+----------------------------------------------------------------------------------+
| Field                 | Value                                                                            |
+-----------------------+----------------------------------------------------------------------------------+
| admin_state_up        | UP                                                                               |
| allowed_address_pairs |                                                                                  |
| binding_host_id       | overcloud-computeovsdpdksriov-1.localdomain                                      |
| binding_profile       | pci_slot='0000:05:0a.4', pci_vendor_info='8086:154c', physical_network='sriov-1' |
| binding_vif_details   | port_filter='False', vlan='600'                                                  |
| binding_vif_type      | hw_veb                                                                           |
| binding_vnic_type     | direct                                                                           |
| created_at            | 2018-11-22T10:27:50Z                                                             |
| data_plane_status     | None                                                                             |
| description           |                                                                                  |
| device_id             | f0c6c53a-eb85-4460-883f-d799e5df8663                                             |
| device_owner          | compute:nova                                                                     |
| dns_assignment        | None                                                                             |
| dns_domain            | None                                                                             |
| dns_name              | None                                                                             |
| extra_dhcp_opts       |                                                                                  |
| fixed_ips             | ip_address='60.20.135.101', subnet_id='50c6bd91-7b1b-4c8d-a27b-f85663a5dc49'     |
| id                    | 17a9d426-1bda-47df-8d6f-2e3f6457c039                                             |
| mac_address           | fa:16:3e:6c:72:42                                                                |
| name                  | port100-sriov                                                                    |
| network_id            | a03c1203-5af6-4377-942b-e5a30a1339c9                                             |
| port_security_enabled | False                                                                            |
| project_id            | 0540ed01fb134f28b12c7e024f5d72bd                                                 |
| qos_policy_id         | None                                                                             |
| revision_number       | 20                                                                               |
| security_group_ids    |                                                                                  |
| status                | ACTIVE                                                                           |
| tags                  |                                                                                  |
| trunk_details         | None                                                                             |
| updated_at            | 2018-11-22T10:49:52Z                                                             |
+-----------------------+----------------------------------------------------------------------------------+

Verify that no VFs are trusted on hypervisor:
[root@overcloud-computeovsdpdksriov-1 ~]# ip link | grep trust
    vf 0 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
    vf 1 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
    vf 2 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
    vf 3 MAC 62:8a:16:26:62:65, spoof checking off, link-state enable, trust off
    vf 4 MAC fa:16:3e:6c:72:42, vlan 600, spoof checking off, link-state enable, trust off
    vf 0 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
    vf 1 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
    vf 2 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
    vf 3 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
    vf 4 MAC c2:29:d2:e5:34:aa, spoof checking off, link-state enable, trust off


Version-Release number of selected component (if applicable):
Encountered in in all OSP14 puddles so far

How reproducible: 
Always

Steps to Reproduce:
1. Create tenant with non admin user
2. Create port with custom binding:profile as admin user on the non admin tenant
3. Spawn guest instance as non admin user with the admin created port

Actual results:
Custom binding:profile is omitted

Expected results:
Custom binding:profile is kept

Additional info:

Comment 1 Artom Lifshitz 2018-11-23 01:35:42 UTC
Hello, thanks for the bug report!

Port binding extended attributes are admin-only (both setting and getting) [1]. In addition, trusted mode on the devices is set by the libvirt driver when plugging or unplugging, so unless an instance is actually using a trusted VF, no trusted devices will show up on the host.

Because of that, I think this is all working as expected. If I've misunderstood something, by all means reopen this bug.

[1] https://developer.openstack.org/api-ref/network/v2/index.html#port-binding-extended-attributes

Comment 2 Artom Lifshitz 2018-11-23 04:48:15 UTC
(In reply to Artom Lifshitz from comment #1)
> Hello, thanks for the bug report!
> 
> Port binding extended attributes are admin-only (both setting and getting)
> [1]. In addition, trusted mode on the devices is set by the libvirt driver
> when plugging or unplugging, so unless an instance is actually using a
> trusted VF, no trusted devices will show up on the host.

Err, apologies, I completely missed that an instance had in fact been created. The fact that no interfaces show up as trusted on the host is indeed weird. I assume passthrough_whitelist has been configured correctly? Would it be possible to reproduce the bug with debug enabled and attach nova logs from the compute host to this BZ? Thanks!

Comment 3 Artom Lifshitz 2018-11-23 20:44:25 UTC
(In reply to Artom Lifshitz from comment #2)

> Err, apologies, I completely missed that an instance had in fact been
> created. The fact that no interfaces show up as trusted on the host is
> indeed weird.

I discussed this with a colleague, and without hardware capable of trusted VFs we're not entirely sure whether a VF that has been passed through to a guest would still show up on the host - after all, once passed through, it is the guest's kernel that's managing it, not the host. So it could be that what you're seeing is expected.

The quickest way to make the trusted VF is working as expected is to perform an operation from within the guest that can only succeed with a trusted VF - for example, changing its MAC address. If this works, there's no bug here.

Comment 4 Vadim Khitrin 2018-11-25 08:30:32 UTC
Hi Artom, thanks for your replies.

We have the hardware and tested that everything works as it should when done as an admin user.

I think that the binding:profile is omitted due to oslo policy(mentioned here https://docs.openstack.org/newton/config-reference/networking/samples/policy.json.html) '"get_port:binding:profile": "rule:admin_only"', I'm trying to verify if it's caused by this policy. Will update.

Comment 7 Artom Lifshitz 2018-11-29 18:53:29 UTC
(In reply to Vadim Khitrin from comment #4)
> Hi Artom, thanks for your replies.
> 
> We have the hardware and tested that everything works as it should when done
> as an admin user.
> 
> I think that the binding:profile is omitted due to oslo policy(mentioned
> here
> https://docs.openstack.org/newton/config-reference/networking/samples/policy.
> json.html) '"get_port:binding:profile": "rule:admin_only"', I'm trying to
> verify if it's caused by this policy. Will update.

Yeah, policy can be changed, it's just admin-only by default. If it's OK with you I'd like to close this BZ to avoid it taking up time in the compute DFG's triage process.  If you do notice a bug with trusted VFs and policy, by all means re-open this.

Thanks!


Note You need to log in before you can comment on or make changes to this bug.