doc: update doc to refer to new trusted tag for SR-IOV

It allows Virtual Functions to become “trusted” by the Physical
Function and perform some privileged operations, such as enabling VF
promiscuous mode and changing VF MAC address within the guest. The
inability to modify MAC addresses in the guest prevents the users from
being able to easily set up two VFs in a fail-over bond in a
guest. This spec aims to suggest a way for users to boot instances
with trusted VFs.

https://specs.openstack.org/openstack/nova-specs/specs/rocky/approved/sriov-trusted-vfs.html

Change-Id: I58cbfd9698a6c7832abc52e0be70eab72f66e11a
Depends-On: https://review.openstack.org/#/c/458820/
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@redhat.com>
Sahid Orentino Ferdjaoui 2018-05-30 12:45:05 +02:00 committed by Matt Riedemann
parent f486f0c476
commit 89133d0cb8
1 changed files with 35 additions and 0 deletions


@ -257,6 +257,34 @@ Whitelist PCI devices nova-compute (Compute)
SR-IOV PF, all VFs under the PF will match the entry. Multiple
``pci_passthrough_whitelist`` entries per host are supported.
In order to enable SR-IOV to request "trusted mode", the
``[pci]/pci_passthrough_whitelist`` parameter also supports a ``trusted``
tag.
.. note::
This capability is only supported starting with version 18.0.0
(Rocky) release of the compute service configured to use the
libvirt driver.
.. important::
There are security implications of enabling trusted ports. The
trusted VFs can be set into VF promiscuous mode which will
enable it to receive unmatched and multicast traffic sent to the
physical function.
For example, to allow users to request SR-IOV devices with trusted
capabilities on device ``eth3``:
.. code-block:: ini
[pci]
passthrough_whitelist = { "devname": "eth3", "physical_network": "physnet2", "trusted":"true" }
The ports will have to be created with a binding profile to match the
``trusted`` tag, see `Launching instances with SR-IOV ports`_.
#. Restart the ``nova-compute`` service for the changes to go into effect.
.. _configure_sriov_neutron_server:
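Review bot: the option name in the prose and in the example do not agree: the text says ``[pci]/pci_passthrough_whitelist`` supports the ``trusted`` tag, while the ``ini`` example sets ``passthrough_whitelist`` under ``[pci]``; use one name in both places (the example's ``[pci] passthrough_whitelist`` form) so readers do not put the tag on the wrong option. The ``.. important::`` block also undersells the risk stated in the commit message: besides promiscuous mode, a trusted VF can change its own MAC address from inside the guest, which matters for anyone relying on MAC-based filtering on the PF, so add that sentence and fix the pronoun ("which will enable them to receive"). Minor: write ``"trusted": "true"`` with a space after the colon to match the other keys in the same JSON entry.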
@ -397,6 +425,13 @@ Once configuration is complete, you can launch instances with SR-IOV ports.
$ port_id=`neutron port-create $net_id --name sriov_port --binding:vnic_type direct | grep "\ id\ " | awk '{ print $4 }'`
To request that the SR-IOV port accept trusted capabilities, the
binding profile should be enhanced with the ``trusted`` tag.
.. code-block:: console
$ port_id=`neutron port-create $net_id --name sriov_port --binding:vnic_type direct --binding:profile type=dict trusted=true | grep "\ id\ " | awk '{ print $4 }'`
#. Create the instance. Specify the SR-IOV port created in step two for the
NIC:
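Review bot: the sentence introducing the example reads oddly ("accept trusted capabilities"); say what the user is actually asking for, e.g. "To request a trusted VF for the SR-IOV port, add the ``trusted`` tag to the binding profile". Since this is the step where trust is actually granted to a port, repeat or cross-reference the security note from the whitelist section here and state who is permitted to set ``binding:profile`` on a port, so operators understand that exposing this to ordinary users hands them promiscuous mode on the PF. Also state whether the value must be ``true`` or whether ``"true"`` as in the whitelist example is accepted, since the two examples differ in form.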