[libvirt] [PATCHv2] netdev: fail when setting up an SRIOV VF if PF is offline

Martin Kletzander mkletzan at redhat.com
Sat May 23 21:01:15 UTC 2015


On Fri, May 15, 2015 at 03:04:14PM -0400, Laine Stump wrote:
>If an SRIOV PF is offline, the kernel won't complain if you set the
>mac address and vlan tag for a VF via this PF, and it will even let
>you assign the VF to a guest using PCI device assignment or macvtap
>passthrough. But in this case (the PF isn't online), the device won't
>be usable in the guest.
>
>Silently setting the PF online would solve the connectivity problem,
>but as pointed out by Dan Berrange, when an interface is set online
>with no associated config, the kernel will by default turn on IPv6
>autoconf, which could create unexpected security problems for the
>host. For this reason, this patch instead logs an error and fails the
>operation.
>
>This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=893738
>
>Originally filed against RHEL6, but present in every version of
>libvirt until today.
>---
> src/util/virnetdev.c | 22 ++++++++++++++++++++++
> 1 file changed, 22 insertions(+)
>

ACK

>diff --git a/src/util/virnetdev.c b/src/util/virnetdev.c
>index e14b401..d0580a0 100644
>--- a/src/util/virnetdev.c
>+++ b/src/util/virnetdev.c
>@@ -2258,6 +2258,28 @@ virNetDevReplaceVfConfig(const char *pflinkdev, int vf,
>     char macstr[VIR_MAC_STRING_BUFLEN];
>     char *fileData = NULL;
>     int ifindex = -1;
>+    bool pfIsOnline;
>+
>+    /* Assure that PF is online prior to twiddling with the VF.  It
>+     * *should* be, but if the PF isn't online the changes made to the
>+     * VF via the PF won't take effect, yet there will be no error
>+     * reported. In the case that it isn't online, fail and report the
>+     * error, since setting an unconfigured interface online
>+     * automatically turns on IPv6 autoconfig, which may not be what
>+     * the admin expects, so we want them to explicitly enable the PF
>+     * in the host system network config.
>+     */
>+    if (virNetDevGetOnline(pflinkdev, &pfIsOnline) < 0)
>+       goto cleanup;
>+    if (!pfIsOnline) {
>+        virReportError(VIR_ERR_INTERNAL_ERROR,
>+                       "Unable to configure VF %d of PF '%s' "
>+                       "because the PF is not online. Please "
>+                       "change host network config to put the "
>+                       "PF online.",
>+                       vf, pflinkdev);
>+        goto cleanup;
>+    }
>
>     if (virNetDevGetVfConfig(pflinkdev, vf, &oldmac, &oldvlanid) < 0)
>         goto cleanup;
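Review bot: the message passed to virReportError() in the `!pfIsOnline` branch is a bare string literal, so it is not marked for translation; wrap the concatenated literal in `_(...)` as libvirt error messages normally are. In the same hunk, the `goto cleanup;` under the `virNetDevGetOnline(pflinkdev, &pfIsOnline) < 0` check is indented seven spaces instead of eight. VIR_ERR_INTERNAL_ERROR is also an odd fit for a condition the message tells the admin to fix in host network config; an operation-level code such as VIR_ERR_OPERATION_FAILED would describe it better. Finally, the check is a point-in-time test: the PF can still go offline between this call and the later VF configuration, so the comment could say that this catches the common misconfiguration rather than guaranteeing the PF stays up.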
>--
>2.1.0