OVS hardware offload for non admin users requires custom Neutron API policy

Bug #2020813 reported by Alexey Stupnikov
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Undecided | Alexey Stupnikov |

Bug Description

OVS hardware offload was originally intended to be a feature used by normal users. But the bugfix https://review.opendev.org/c/openstack/neutron/+/499203 for bug #1713590 removed the ability for non-admins to use OVS hardware offload without changing the Neutron default policy in a non-secure manner: the "switchdev" capability must be added to the port binding profile after the port is created.

At the same time, the libvirt node device driver reports the "switchdev" capability, and we can translate it from the NIC PCI device object to the port binding profile when the port is attached.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/nova/+/884439

Changed in nova:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/c/openstack/nova/+/884439
Committed: https://opendev.org/openstack/nova/commit/cef3b5ef2cc1fe983578e4966208cf95fdea5880
Submitter: "Zuul (22348)"
Branch: master

commit cef3b5ef2cc1fe983578e4966208cf95fdea5880
Author: Alexey Stupnikov <email address hidden>
Date: Thu May 25 21:23:32 2023 +0200

    Translate VF network capabilities to port binding

    Libvirt's node device driver accumulates and reports information
    about host devices. Network capabilities reported by node device
    driver for NIC contain information about HW offloads supported
    by this NIC.

    One of possible features reported by node device driver is
    switchdev: a NIC capability to implement VFs similar to actual
    HW switch ports (also referred to as SR-IOV OVS hardware offload).
    From Neutron perspective, vnic-type should be set to "direct" and
    "switchdev" capability should be added to port binding profile to
    enable HW offload (there are also configuration steps on compute
    hosts to tune NIC config).

    This patch was written to automatically translate "switchdev" from
    VF network capabilities reported by node device driver to Neutron
    port binding profile and allow user to skip manual step that
    requires admin privileges.

    Other capabilities are also translated: they are not used right
    now, but provide visibility and can be utilized later.

    Closes-bug: #2020813
    Closes-bug: #2008238
    Change-Id: I3b17f386325b8f42c0c374f766fb21c520161a59
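
The translation the commit message describes, as an added sketch that is not nova's code: it reads the `<feature>` elements from a constructed sample of libvirt node device XML and places them under the `capabilities` key of a port binding profile. The function names and the choice to discard any caller-supplied `capabilities` value are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: libvirt node device XML for a VF's network interface.
SAMPLE_NODEDEV_XML = """
<device>
  <name>net_enp4s0f0v1_52_54_00_12_34_56</name>
  <parent>pci_0000_04_00_3</parent>
  <capability type='net'>
    <interface>enp4s0f0v1</interface>
    <address>52:54:00:12:34:56</address>
    <link state='up' speed='25000'/>
    <feature name='rx'/>
    <feature name='tx'/>
    <feature name='switchdev'/>
    <capability type='80203'/>
  </capability>
</device>
"""


def vf_network_capabilities(nodedev_xml):
    """Return the sorted feature names the host reports for a net device."""
    root = ET.fromstring(nodedev_xml)
    net = root.find("capability[@type='net']")
    if net is None:
        return []  # not a network device: nothing to translate
    names = {f.get("name") for f in net.findall("feature")}
    return sorted(n for n in names if n)


def build_binding_profile(requested_profile, host_capabilities):
    """Merge host-reported capabilities into a port binding profile.

    Assumption for this sketch: a caller-supplied "capabilities" value is
    discarded, so the list always reflects what the host actually reported.
    """
    profile = dict(requested_profile or {})
    profile.pop("capabilities", None)
    if host_capabilities:
        profile["capabilities"] = list(host_capabilities)
    return profile


def offload_requested(vnic_type, profile):
    """HW offload needs vnic-type "direct" plus the "switchdev" capability."""
    return vnic_type == "direct" and "switchdev" in profile.get("capabilities", [])
```

Because the capability list is derived on the compute host, the user never has to write to the binding profile, so the Neutron policy for that field can keep its admin-only default.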

Changed in nova:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/nova/+/898945

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/nova/+/899225

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/nova/+/899229

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/nova/+/899254

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/nova/+/899225
Committed: https://opendev.org/openstack/nova/commit/7e4f45df91f33fa8b75feec95e5636db06fda443
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 7e4f45df91f33fa8b75feec95e5636db06fda443
Author: Alexey Stupnikov <email address hidden>
Date: Thu May 25 21:23:32 2023 +0200

    Translate VF network capabilities to port binding

    Libvirt's node device driver accumulates and reports information
    about host devices. Network capabilities reported by node device
    driver for NIC contain information about HW offloads supported
    by this NIC.

    One of possible features reported by node device driver is
    switchdev: a NIC capability to implement VFs similar to actual
    HW switch ports (also referred to as SR-IOV OVS hardware offload).
    From Neutron perspective, vnic-type should be set to "direct" and
    "switchdev" capability should be added to port binding profile to
    enable HW offload (there are also configuration steps on compute
    hosts to tune NIC config).

    This patch was written to automatically translate "switchdev" from
    VF network capabilities reported by node device driver to Neutron
    port binding profile and allow user to skip manual step that
    requires admin privileges.

    Other capabilities are also translated: they are not used right
    now, but provide visibility and can be utilized later.

    Closes-bug: #2020813
    Closes-bug: #2008238
    Change-Id: I3b17f386325b8f42c0c374f766fb21c520161a59
    (cherry picked from commit cef3b5ef2cc1fe983578e4966208cf95fdea5880)

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/nova/+/898945
Committed: https://opendev.org/openstack/nova/commit/4fcc8c369f2c580f86dbfc6b1f812516f80262c0
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 4fcc8c369f2c580f86dbfc6b1f812516f80262c0
Author: Alexey Stupnikov <email address hidden>
Date: Thu May 25 21:23:32 2023 +0200

    Translate VF network capabilities to port binding

    Libvirt's node device driver accumulates and reports information
    about host devices. Network capabilities reported by node device
    driver for NIC contain information about HW offloads supported
    by this NIC.

    One of possible features reported by node device driver is
    switchdev: a NIC capability to implement VFs similar to actual
    HW switch ports (also referred to as SR-IOV OVS hardware offload).
    From Neutron perspective, vnic-type should be set to "direct" and
    "switchdev" capability should be added to port binding profile to
    enable HW offload (there are also configuration steps on compute
    hosts to tune NIC config).

    This patch was written to automatically translate "switchdev" from
    VF network capabilities reported by node device driver to Neutron
    port binding profile and allow user to skip manual step that
    requires admin privileges.

    Other capabilities are also translated: they are not used right
    now, but provide visibility and can be utilized later.

    Closes-bug: #2020813
    Closes-bug: #2008238
    Change-Id: I3b17f386325b8f42c0c374f766fb21c520161a59
    (cherry picked from commit cef3b5ef2cc1fe983578e4966208cf95fdea5880)
    (cherry picked from commit 7e4f45df91f33fa8b75feec95e5636db06fda443)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 28.0.1

This issue was fixed in the openstack/nova 28.0.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 27.2.0

This issue was fixed in the openstack/nova 27.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/nova/+/899229
Committed: https://opendev.org/openstack/nova/commit/c36e0db95749395d5915b366fe6d36f516151c1a
Submitter: "Zuul (22348)"
Branch: stable/zed

commit c36e0db95749395d5915b366fe6d36f516151c1a
Author: Alexey Stupnikov <email address hidden>
Date: Thu May 25 21:23:32 2023 +0200

    Translate VF network capabilities to port binding

    Libvirt's node device driver accumulates and reports information
    about host devices. Network capabilities reported by node device
    driver for NIC contain information about HW offloads supported
    by this NIC.

    One of possible features reported by node device driver is
    switchdev: a NIC capability to implement VFs similar to actual
    HW switch ports (also referred to as SR-IOV OVS hardware offload).
    From Neutron perspective, vnic-type should be set to "direct" and
    "switchdev" capability should be added to port binding profile to
    enable HW offload (there are also configuration steps on compute
    hosts to tune NIC config).

    This patch was written to automatically translate "switchdev" from
    VF network capabilities reported by node device driver to Neutron
    port binding profile and allow user to skip manual step that
    requires admin privileges.

    Other capabilities are also translated: they are not used right
    now, but provide visibility and can be utilized later.

    Closes-bug: #2020813
    Closes-bug: #2008238
    Change-Id: I3b17f386325b8f42c0c374f766fb21c520161a59
    (cherry picked from commit cef3b5ef2cc1fe983578e4966208cf95fdea5880)
    (cherry picked from commit 7e4f45df91f33fa8b75feec95e5636db06fda443)
    (cherry picked from commit 4fcc8c369f2c580f86dbfc6b1f812516f80262c0)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 26.2.1

This issue was fixed in the openstack/nova 26.2.1 release.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (stable/yoga)

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/yoga
Review: https://review.opendev.org/c/openstack/nova/+/899254
Reason: stable/yoga branch of openstack/nova is about to be deleted. To be able to do that, all open patches need to be abandoned. Please cherry pick the patch to unmaintained/yoga if you want to further work on this patch.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 29.0.0.0rc1

This issue was fixed in the openstack/nova 29.0.0.0rc1 release candidate.
