[libvirt PATCH 0/1] [RFC] Ignore EPERM on attempts to clear a VF VLAN ID

Dmitrii Shcherbakov dmitrii.shcherbakov at canonical.com
Fri Oct 22 13:00:13 UTC 2021


SmartNIC DPUs may not expose some privileged eswitch operations
to the hypervisor hosts. For example, this happens with Bluefield
devices running in the ECPF (default) mode [1] for security reasons.
While VF MAC address programming is possible via an RTM_SETLINK
operation, trying to set a VLAN ID in the same operation will fail with
EPERM.

The equivalent ip link commands below provide an illustration:

1. This works (ECPF mode):

sudo ip link set enp130s0f0 vf 2 mac de:ad:be:ef:ca:fe

2. Setting (or clearing) a VLAN fails with EPERM:

sudo ip link set enp130s0f0 vf 2 vlan 0
RTNETLINK answers: Operation not permitted

3. This is what Libvirt attempts to do today (when trying to clear a
   VF VLAN at the same time as programming a VF MAC).

sudo ip link set enp130s0f0 vf 2 vlan 0 mac de:ad:be:ef:ca:fe
RTNETLINK answers: Operation not permitted

If setting an explicit VLAN ID results in an EPERM, clearing a VLAN
(setting a VLAN ID to 0) can be handled gracefully by ignoring the
EPERM error with the rationale being that if we cannot set this state
in the first place, we cannot clear it either. The downside is that we
do not know if the VLAN setting operation failed previously with the
same error or if it succeeded and it is just clearing that fails with
EPERM but this seems like a very unlikely scenario.

Thus, virNetDevSetVfConfig is split into two distinct functions. If
clearing a VLAN ID fails with EPERM, the error is simply ignored.

An alternative to this could be providing a higher level control plane
mechanism that would provide metadata about a device being remotely
managed in which case Libvirt would avoid trying to set or clear a
VLAN ID. This would be more complicated since other software (like Nova
in the OpenStack case) would have to annotate every guest device with an
attribute indicating whether a device is remotely managed or not based
on operator provided configuration so that Libvirt can act on this and
avoid VLAN programming.

Note: this is an RFC to get some feedback before going into adding
additional test cases and possibly reducing duplication in how the
requests are formed.

[1] https://docs.mellanox.com/display/BlueFieldSWv35111601/Modes+of+Operation#ModesofOperation-SmartNICmode

Dmitrii Shcherbakov (1):
  Ignore EPERM on attempts to clear VF VLAN ID

 src/util/virnetdev.c | 144 +++++++++++++++++++++++++++++++++++++------
 1 file changed, 124 insertions(+), 20 deletions(-)

-- 
2.32.0
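
The error-handling policy described in this cover letter, as an added example that is not code from the patch or from libvirt: the combined request is split in two, and EPERM is tolerated only when the VLAN request is a clear (VLAN ID 0). The names `set_vf_config`, `vf_set_fn`, `vlan_skipped` and both mock backends are hypothetical; a real implementation would send RTM_SETLINK requests instead of calling a mock.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical backend: returns 0 or a negative errno, like a netlink ACK.
 * mac == NULL or vlan < 0 means "attribute absent from this request". */
typedef int (*vf_set_fn)(const char *ifname, int vf, const char *mac, int vlan);

/* Constructed mock of an ECPF-mode host: MAC writes succeed, any request
 * carrying a VLAN attribute is rejected with EPERM. */
static int ecpf_backend(const char *ifname, int vf, const char *mac, int vlan)
{
    (void)ifname; (void)vf; (void)mac;
    return vlan >= 0 ? -EPERM : 0;
}

/* Constructed mock of an unrelated failure that must never be swallowed. */
static int nodev_backend(const char *ifname, int vf, const char *mac, int vlan)
{
    (void)ifname; (void)vf; (void)mac; (void)vlan;
    return -ENODEV;
}

/* Send the MAC and the VLAN as two separate requests. Only EPERM on a VLAN
 * clear (vlan == 0) is tolerated; every other error is returned unchanged. */
static int set_vf_config(vf_set_fn send, const char *ifname, int vf,
                         const char *mac, int vlan, int *vlan_skipped)
{
    int rc;

    *vlan_skipped = 0;
    if (mac && (rc = send(ifname, vf, mac, -1)) < 0)
        return rc;
    if (vlan < 0)
        return 0;                 /* caller did not ask for a VLAN change */
    rc = send(ifname, vf, NULL, vlan);
    if (rc == -EPERM && vlan == 0) {
        *vlan_skipped = 1;        /* surface this to the log, do not hide it */
        return 0;
    }
    return rc;
}

int main(void)
{
    int skipped;
    int rc = set_vf_config(ecpf_backend, "enp130s0f0", 2,
                           "de:ad:be:ef:ca:fe", 0, &skipped);
    printf("ecpf clear: rc=%d vlan_skipped=%d\n", rc, skipped);
    printf("nodev clear: rc=%d\n",
           set_vf_config(nodev_backend, "enp130s0f0", 2, NULL, 0, &skipped));
    return rc ? 1 : 0;
}
```

Reporting `vlan_skipped` back to the caller keeps the ignored EPERM visible in logs, which matters because, as the message notes, the caller cannot tell whether a VLAN was set earlier.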




