Bug 1741121 - vm should not start with direct type bridge mode interface with vlan tag
Summary: vm should not start with direct type bridge mode interface with vlan tag
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: libvirt
Version: 8.1
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: 8.2
Assignee: Laine Stump
QA Contact: Jing Qi
URL:
Whiteboard:
Depends On:
Blocks: 1585087 1771318
 
Reported: 2019-08-14 10:17 UTC by yalzhang@redhat.com
Modified: 2020-12-20 07:08 UTC

Fixed In Version: libvirt-5.10.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-05 09:47:43 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description yalzhang@redhat.com 2019-08-14 10:17:05 UTC
Description of problem:
vm can start successfully with direct type bridge mode interface with vlan tag, but this is not a supported configuration.

Version-Release number of selected component (if applicable):
libvirt-5.6.0-1.virtcov.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare a vm with direct type interface with bridge mode:
    <interface type='direct'>
      <mac address='52:54:00:56:dd:f5'/>
      <source dev='eno27v3' mode='bridge'/>
      <vlan>
        <tag id='47'/>
      </vlan>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>

2. Start the vm. It starts successfully, but it should not, as the vlan tag is not supported in such a configuration.
# virsh start rhel
Domain rhel started

Actual results:
Guest starts successfully with an unsupported configuration; same for bridge/vepa/private mode.

Expected results:
Guest should fail to start and report an error.

Additional info:
On libvirt-5.0.0-12.module+el8.0.1+3755+6782b0ed.x86_64, it reports an error for direct type bridge mode with a vlan tag:
# virsh start rhel
error: Failed to start domain rhel
error: unsupported configuration: an interface of type 'direct' is requesting a vlan tag, but that is not supported for this type of connection

Refer to libvirtd.org:
Network connections that support guest-transparent VLAN tagging include 1) type='bridge' interfaces connected to an Open vSwitch bridge Since 0.10.0, 2) SRIOV Virtual Functions (VF) used via type='hostdev' (direct device assignment) Since 0.10.0, and 3) SRIOV VFs used via type='direct' with mode='passthrough' (macvtap "passthru" mode) Since 1.3.5. All other connection types, including standard linux bridges and libvirt's own virtual networks, do not support it.
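
A pre-flight check over domain XML that applies the support rule quoted above, as an added example that is not part of the bug report or libvirt's own code. The sample XML, device names, MAC addresses and function names are constructed; Open vSwitch is recognised by `<virtualport type='openvswitch'/>`.

```python
import xml.etree.ElementTree as ET

# Constructed sample: four interfaces that all request vlan tag 47.
# Only the second (macvtap passthrough) and third (OVS bridge) may carry it.
SAMPLE_XML = """<domain type='kvm'><devices>
  <interface type='direct'><mac address='52:54:00:00:00:01'/>
    <source dev='eth0' mode='bridge'/><vlan><tag id='47'/></vlan></interface>
  <interface type='direct'><mac address='52:54:00:00:00:02'/>
    <source dev='eth1' mode='passthrough'/><vlan><tag id='47'/></vlan></interface>
  <interface type='bridge'><mac address='52:54:00:00:00:03'/><source bridge='ovsbr0'/>
    <virtualport type='openvswitch'/><vlan><tag id='47'/></vlan></interface>
  <interface type='bridge'><mac address='52:54:00:00:00:04'/>
    <source bridge='br0'/><vlan><tag id='47'/></vlan></interface>
</devices></domain>"""

def vlan_supported(iface):
    """Apply the three supported cases from the quoted documentation."""
    itype = iface.get("type")
    source = iface.find("source")
    vport = iface.find("virtualport")
    if itype == "hostdev":                      # SR-IOV VF, direct assignment
        return True
    if itype == "direct":                       # macvtap: passthrough mode only
        return source is not None and source.get("mode") == "passthrough"
    if itype == "bridge":                       # Open vSwitch bridges only
        return vport is not None and vport.get("type") == "openvswitch"
    return False                                # every other connection type

def unsupported_vlan_interfaces(domain_xml):
    """Return the MACs of interfaces whose <vlan> cannot be honoured."""
    bad = []
    for iface in ET.fromstring(domain_xml).iter("interface"):
        # type='network' is resolved and validated by the network driver.
        if iface.find("vlan") is None or iface.get("type") == "network":
            continue
        if not vlan_supported(iface):
            mac = iface.find("mac")
            bad.append(mac.get("address") if mac is not None else "(no mac)")
    return bad

if __name__ == "__main__":
    for mac in unsupported_vlan_interfaces(SAMPLE_XML):
        print(f"interface {mac} - vlan tag not supported for this connection type")
```
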

Comment 1 Laine Stump 2019-08-16 02:50:26 UTC
The code that checks for this was previously in networkAllocateActualDevice(), and that was called for all <interface> elements, even if they weren't type='network'. When the network port APIs were added this was changed, so that now only <interface type='network'> is sent to the network driver, so the validation is no longer done. We will need to duplicate that validation (which is now in networkAllocatePort()) in the hypervisor drivers.

Comment 2 Laine Stump 2019-10-23 01:29:36 UTC
Patches posted upstream:

https://www.redhat.com/archives/libvir-list/2019-October/msg01571.html

The prerequisite patches in this series also provide a convenient place for other runtime validation of network interfaces.

Comment 3 Laine Stump 2019-11-26 22:39:30 UTC
Patches pushed upstream, will be in libvirt 5.10.0:

commit 1b029a929d09904485fba0c9778f6da9abf37158
Author: Laine Stump <laine>
Date:   Fri Sep 27 11:47:21 2019 -0400

    qemu: add mac address to error messages in qemuDomainValidateActualNetDef

Author: Laine Stump <laine>
Date:   Tue Oct 1 12:25:47 2019 -0400

    conf: make virDomainNetGetActualVlan arg/return val const
    
commit 583ac17f5da0c2154ec89b3585519d8a321941a1
Author: Laine Stump <laine>
Date:   Tue Oct 1 12:52:03 2019 -0400

    conf: make virDomainNetGetActualBandwidth arg/return value const
    
commit fdcd273be2d8249240ed2787e35ed9b825d11ad3
Author: Laine Stump <laine>
Date:   Tue Oct 1 13:56:35 2019 -0400

    conf: return a const from virDomainNetGetActualVirtPortProfile
    
commit 012624217e173e7cc9504cfc1930f9e753f215e7
Author: Laine Stump <laine>
Date:   Tue Oct 1 13:06:24 2019 -0400

    conf: change args/return values of remaining virDomainNetGetActual*() to const
    
commit b03d9e95932e978f0857582b1e5efc73f13132c1
Author: Laine Stump <laine>
Date:   Fri Oct 18 15:48:13 2019 -0400

    conf: add hypervisor agnostic, domain start-time, validation function for NetDef
    
commit 9d6920bd7de3f92be1894790adeb689060ab25eb
Author: Laine Stump <laine>
Date:   Tue Oct 1 14:05:58 2019 -0400

    net/qemu: move vlan/bandwidth validation out of network driver

Comment 5 Jing Qi 2019-12-05 04:01:19 UTC
Verified with libvirt-5.10.0-1.scrmod+el8.2.0+5042+dcf7c81e.x86_64 & qemu-kvm-4.2.0-1.module+el8.2.0+4793+b09dd2fb.x86_64

Using the interface configuration below to start the domain:

    <interface type='direct'>
      <mac address='20:04:0f:f3:25:84'/>
      <source dev='eno1' mode='bridge'/>
      <vlan>
        <tag id='47'/>
      </vlan>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </interface>

# virsh start avocado-vt-vm
error: Failed to start domain avocado-vt-vm
error: unsupported configuration: interface 20:04:0f:f3:25:84 - vlan tag not supported for this connection type

Comment 7 errata-xmlrpc 2020-05-05 09:47:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2017

