neutron

[RFE] Add a port extension to set/define the switchdev capabilities

Bug #1987093 reported by Rodolfo Alonso on 2022-08-19

8

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Won't Fix	Wishlist	Rodolfo Alonso

Bug Description

The aim of this RFE is to decouple the port binding profile update and the ability of a user to set the "switchdev" flag on a port.

Since [1], a user is able to set "{"capabilities": ["switchdev"]}" on the port binding profile in order to define this port as compatible with the Ethernet switch device driver model (switchdev) [2]. In other words, to be able to use a VF of a NIC with offloading capabilities. This is currently used in ML2/OVS and ML2/OVN to offload the OpenFlow rules on the NIC hardware.

The problem resides on the need of changing the port binding profile from the Neutron side:
* The port binding profile is a port blob that should be updated only from Nova.
* By default, this is allowed only to admin users, by is configurable via policy config. That could introduce security issues is a non-admin user can change any port binding profile, even if that is restricted to his/her own project.

This RFE will require a spec describing the needed changes on the API side, the port object and RPC blob transmitted (needed by Nova).

[1]https://review.opendev.org/c/openstack/neutron/+/499203
[2]https://www.kernel.org/doc/html/latest/networking/switchdev.html

Tags:

Rodolfo Alonso (rodolfo-alonso-hernandez) on 2022-08-19

Changed in neutron:
importance:	Undecided → Wishlist
assignee:	nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)

Lajos Katona (lajos-katona) on 2022-08-19

tags:

added: rfe

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-08-24: Related fix proposed to neutron-tempest-plugin (master)

#1

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/854369

Revision history for this message

Lajos Katona (lajos-katona) wrote on 2022-08-29 (last edit on 2022-08-29):

#2

We discussed this RFE on the last drivers meeting, see the logs in [1], The agreement was to continue the discussion because nova side changes seems to be also necessary.

[1]: https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-08-26-14.00.log.html#l-53

Revision history for this message

sean mooney (sean-k-mooney) wrote on 2022-09-05:

#3

i think this should only be done via nova unless we want to enable scheduling based on the network backend.

in either case, we should not expose an extension to set/define the switchdev capability.

that is the wrong level of absraction.
i am creating a specless blueprint to resolve this in nova alone which will not address scheduling since that is an existing gap that will require more discussion.

Revision history for this message

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote on 2022-09-12:

#4

Hi Sean:

Please correct me if I'm wrong. From the Neutron side, the goal of this BZ if to create an extension in the port resource (the dictionary passed to Nova) indicating if the port has "switchdev" capabilities. That will prevent Neutron (and any non-admin user) from modifying the port binding dictionary (that should be updated by Nova only). With this change, a non-admin user will be able to create a "switchdev" port without having write access to the port binding dict.

The "switchdev" does not depend on the network backend, we can have both kernel and "switchdev" ports in the same OVS instance. Via scheduling, we can decide what hosts have this kind of resource, but from Neutron we should be able to create this kind of resource (logical resource, you know Neutron does not create the L1 resources).

Regards.

Revision history for this message

sean mooney (sean-k-mooney) wrote on 2022-09-21:

#5

we could alow ports to request traits once we track pci device for neturon network in placement but until then i don't think you should attepent to provide any extension in neutron for this.

in the future we can use the existing port resource request mechanism that we use for bandiwht or pps qos to request 1 VF with switchdev trait

but until we report the VF to placement which will not happen until the B cycle neutron does not need to have any changes. to enable this.

in the b cycle if downstream constraints allow i hope we can complete pci device tracking in placement such that we will also tack pci device that coan be consumed via neutron port but that wont happen in A.

Rodolfo Alonso (rodolfo-alonso-hernandez) on 2022-09-22

Changed in neutron:
status:	New → Won't Fix

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.