Merge "Translate VF network capabilities to port binding" into stable/2023.1
commit
2d05ee3747
|
@ -1601,6 +1601,13 @@ class API:
|
|||
'pf_mac_address': pf_mac,
|
||||
'vf_num': vf_num,
|
||||
})
|
||||
|
||||
# Update port binding capabilities using PCI device's network
|
||||
# capabilities if they exist.
|
||||
pci_net_caps = pci_dev.network_caps
|
||||
if pci_net_caps:
|
||||
vf_profile.update({'capabilities': pci_net_caps})
|
||||
|
||||
return vf_profile
|
||||
|
||||
def _get_pci_device_profile(self, pci_dev):
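Review bot: The new `if pci_net_caps:` branch at the end of `_get_vf_pci_device_profile` forwards the libvirt-reported feature list into the Neutron binding profile verbatim, but neither the inline comment nor the function's docstring (the function starts outside this hunk) records what the value is or that the key is omitted entirely when the device reports no network capabilities. Since this field is what lets ports get OVS hardware offload without an admin writing `binding:profile` by hand, the contract deserves a line in the docstring, e.g. `capabilities: libvirt-reported network feature names of the VF (e.g. 'switchdev'), omitted when the device reports none.` A single-key `update` also reads more directly as `vf_profile['capabilities'] = pci_net_caps`. The caller presumably merges this profile into the port's existing binding profile, so an operator-set `capabilities` entry would only be replaced when the device reports a non-empty list; worth confirming that precedence is intended.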
|
||||
|
|
|
@ -588,6 +588,13 @@ class PciDevice(base.NovaPersistentObject, base.NovaObject):
|
|||
"""
|
||||
return self.extra_info.get('mac_address')
|
||||
|
||||
@property
|
||||
def network_caps(self):
|
||||
"""PCI device network capabilities or empty list if not available"""
|
||||
caps_json = self.extra_info.get('capabilities', '{}')
|
||||
caps = jsonutils.loads(caps_json)
|
||||
return caps.get('network', [])
|
||||
|
||||
|
||||
@base.NovaObjectRegistry.register
|
||||
class PciDeviceList(base.ObjectListBase, base.NovaObject):
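Review bot: `network_caps` promises an empty list when capabilities are unavailable, but `jsonutils.loads` on a stored value that is not valid JSON raises ValueError, and a decoded value that is not a dict raises AttributeError on `.get`, so the port-binding caller gets an exception rather than `[]`; the `'{}'` default only covers the missing-key case. The object test further down this page assigns a plain dict to `dev_dict['capabilities']`, so presumably `create()` serializes extra_info values to JSON before this property sees them — worth confirming, since any other writer of `extra_info` would bypass that. Either document the behaviour, e.g. `"""Network capability names from extra_info['capabilities'], or [] if the key is absent; raises ValueError if the stored value is not JSON."""`, or normalize the result with `caps = jsonutils.loads(caps_json)` followed by `return caps.get('network', []) if isinstance(caps, dict) else []`.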
|
||||
|
|
|
@ -2182,6 +2182,7 @@ _fake_NodeDevXml = {
|
|||
<feature name='rxvlan'/>
|
||||
<feature name='txvlan'/>
|
||||
<feature name='rxhash'/>
|
||||
<feature name='switchdev'/>
|
||||
<capability type='80203'/>
|
||||
</capability>
|
||||
</device>""", # noqa:E501
|
||||
|
|
|
@ -8144,17 +8144,20 @@ class TestAPIPortbinding(TestAPIBase):
|
|||
'pf_mac_address': '52:54:00:1e:59:c6',
|
||||
'vf_num': 1,
|
||||
},
|
||||
'network_caps': ['gso', 'sg', 'tso', 'tx'],
|
||||
'dev_type': obj_fields.PciDeviceType.SRIOV_VF,
|
||||
}
|
||||
PciDevice = collections.namedtuple('PciDevice',
|
||||
['vendor_id', 'product_id', 'address',
|
||||
'card_serial_number', 'sriov_cap',
|
||||
'dev_type', 'parent_addr'])
|
||||
'dev_type', 'parent_addr',
|
||||
'network_caps'])
|
||||
mydev = PciDevice(**pci_dev)
|
||||
self.assertEqual(self.api._get_vf_pci_device_profile(mydev),
|
||||
{'pf_mac_address': '52:54:00:1e:59:c6',
|
||||
'vf_num': 1,
|
||||
'card_serial_number': 'MT2113X00000'})
|
||||
'card_serial_number': 'MT2113X00000',
|
||||
'capabilities': ['gso', 'sg', 'tso', 'tx']})
|
||||
|
||||
@mock.patch.object(
|
||||
neutronapi.API, '_get_vf_pci_device_profile',
|
||||
|
|
|
@ -171,6 +171,16 @@ class _TestPciDeviceObject(object):
|
|||
self.pci_device = pci_device.PciDevice.create(None, self.dev_dict)
|
||||
self.assertEqual(self.pci_device.card_serial_number, '42')
|
||||
|
||||
def test_pci_device_extra_info_network_capabilities(self):
|
||||
self.dev_dict = copy.copy(dev_dict)
|
||||
self.pci_device = pci_device.PciDevice.create(None, self.dev_dict)
|
||||
self.assertEqual(self.pci_device.network_caps, [])
|
||||
|
||||
self.dev_dict = copy.copy(dev_dict)
|
||||
self.dev_dict['capabilities'] = {'network': ['sg', 'tso', 'tx']}
|
||||
self.pci_device = pci_device.PciDevice.create(None, self.dev_dict)
|
||||
self.assertEqual(self.pci_device.network_caps, ['sg', 'tso', 'tx'])
|
||||
|
||||
def test_update_device(self):
|
||||
self.pci_device = pci_device.PciDevice.create(None, dev_dict)
|
||||
self.pci_device.obj_reset_changes()
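Review bot: `test_pci_device_extra_info_network_capabilities` covers the missing-`capabilities` case and the populated case, but not a `capabilities` entry without a `network` key, which is the realistic shape when only `sriov` data is present (the fake libvirt data later on this page carries both keys side by side). A third case would pin the `.get('network', [])` default: `self.dev_dict['capabilities'] = {'sriov': {'pf_mac_address': '52:54:00:1e:59:c6', 'vf_num': 1}}`, recreate the object as the other cases do, then `self.assertEqual(self.pci_device.network_caps, [])`.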
|
||||
|
|
|
@ -1343,7 +1343,7 @@ Active: 8381604 kB
|
|||
"parent_ifname": "ens1",
|
||||
"capabilities": {
|
||||
"network": ["rx", "tx", "sg", "tso", "gso", "gro", "rxvlan",
|
||||
"txvlan", "rxhash"],
|
||||
"txvlan", "rxhash", "switchdev"],
|
||||
"sriov": {"pf_mac_address": "52:54:00:1e:59:c6",
|
||||
"vf_num": 1},
|
||||
# Should be obtained from the parent PF in this case.
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
Previously ``switchdev`` capabilities should be configured manually by a
|
||||
user with admin privileges using port's binding profile. This blocked
|
||||
regular users from managing ports with Open vSwitch hardware offloading
|
||||
as providing write access to a port's binding profile to non-admin users
|
||||
introduces security risks. For example, a binding profile may contain a
|
||||
``pci_slot`` definition, which denotes the host PCI address of the
|
||||
device attached to the VM. A malicious user can use this parameter to
|
||||
passthrough any host device to a guest, so it is impossible to provide
|
||||
write access to a binding profile to regular users in many scenarios.
|
||||
|
||||
This patch fixes this situation by translating VF capabilities reported
|
||||
by Libvirt to Neutron port binding profiles. Other VF capabilities are
|
||||
translated as well for possible future use.
|