[libvirt PATCH 1/1] Ignore EPERM on attempts to clear VF VLAN ID
Dmitrii Shcherbakov
dmitrii.shcherbakov at canonical.com
Fri Oct 22 13:00:14 UTC 2021
SmartNIC DPUs may not expose some privileged eswitch operations
to the hypervisor hosts. For example, this happens with Bluefield
devices running in the ECPF (default) mode for security reasons. While
VF MAC address programming is possible via an RTM_SETLINK operation,
trying to set a VLAN ID in the same operation will fail with EPERM.
The equivalent ip link commands below provide an illustration:
1. This works:
sudo ip link set enp130s0f0 vf 2 mac de:ad:be:ef:ca:fe
2. Setting (or clearing) a VLAN fails with EPERM:
sudo ip link set enp130s0f0 vf 2 vlan 0
RTNETLINK answers: Operation not permitted
3. This is what Libvirt attempts to do today (when trying to clear a
VF VLAN at the same time as programming a VF MAC).
sudo ip link set enp130s0f0 vf 2 vlan 0 mac de:ad:be:ef:ca:fe
RTNETLINK answers: Operation not permitted
If setting an explicit VLAN ID results in an EPERM, clearing a VLAN
(setting a VLAN ID to 0) can be handled gracefully by ignoring the
EPERM error with the rationale being that if we cannot set this state
in the first place, we cannot clear it either.
Thus, virNetDevSetVfConfig is split into two distinct functions. If
clearing a VLAN ID fails with EPERM, the error is simply ignored.
An alternative to this could be providing a higher level control plane
mechanism that would provide metadata about a device being remotely
managed in which case Libvirt would avoid trying to set or clear a
VLAN ID. This would be more complicated since other software (like Nova
in the OpenStack case) would have to annotate every guest device with an
attribute indicating whether a device is remotely managed or not based
on operator provided configuration so that Libvirt can act on this and
avoid VLAN programming.
Signed-off-by: Dmitrii Shcherbakov <dmitrii.shcherbakov at canonical.com>
---
src/util/virnetdev.c | 144 +++++++++++++++++++++++++++++++++++++------
1 file changed, 124 insertions(+), 20 deletions(-)
diff --git a/src/util/virnetdev.c b/src/util/virnetdev.c
index 5b4c585716..7b0904e699 100644
--- a/src/util/virnetdev.c
+++ b/src/util/virnetdev.c
@@ -1527,11 +1527,114 @@ static struct nla_policy ifla_vfstats_policy[IFLA_VF_STATS_MAX+1] = {
[IFLA_VF_STATS_MULTICAST] = { .type = NLA_U64 },
};
+static int
+virNetDevSetVfVlan(const char *ifname, int vf, int vlanid)
+{
+ int rc = -1;
+ g_autofree struct nlmsghdr *resp = NULL;
+ struct nlmsgerr *err;
+ unsigned int recvbuflen = 0;
+ struct nl_msg *nl_msg;
+ struct nlattr *vfinfolist, *vfinfo;
+ struct ifinfomsg ifinfo = {
+ .ifi_family = AF_UNSPEC,
+ .ifi_index = -1,
+ };
+
+ if (vlanid < 0)
+ return -1;
+
+ nl_msg = virNetlinkMsgNew(RTM_SETLINK, NLM_F_REQUEST);
+
+ if (nlmsg_append(nl_msg, &ifinfo, sizeof(ifinfo), NLMSG_ALIGNTO) < 0)
+ goto buffer_too_small;
+
+ if (ifname &&
+ nla_put(nl_msg, IFLA_IFNAME, strlen(ifname)+1, ifname) < 0)
+ goto buffer_too_small;
+
+
+ if (!(vfinfolist = nla_nest_start(nl_msg, IFLA_VFINFO_LIST)))
+ goto buffer_too_small;
+
+ if (!(vfinfo = nla_nest_start(nl_msg, IFLA_VF_INFO)))
+ goto buffer_too_small;
+
+ if (vlanid >= 0) {
+ struct ifla_vf_vlan ifla_vf_vlan = {
+ .vf = vf,
+ .vlan = vlanid,
+ .qos = 0,
+ };
+
+ if (nla_put(nl_msg, IFLA_VF_VLAN, sizeof(ifla_vf_vlan),
+ &ifla_vf_vlan) < 0)
+ goto buffer_too_small;
+ }
+
+ nla_nest_end(nl_msg, vfinfo);
+ nla_nest_end(nl_msg, vfinfolist);
+
+ if (virNetlinkCommand(nl_msg, &resp, &recvbuflen, 0, 0,
+ NETLINK_ROUTE, 0) < 0)
+ goto cleanup;
+
+ if (recvbuflen < NLMSG_LENGTH(0) || resp == NULL)
+ goto malformed_resp;
+
+ switch (resp->nlmsg_type) {
+ case NLMSG_ERROR:
+ err = (struct nlmsgerr *)NLMSG_DATA(resp);
+ if (resp->nlmsg_len < NLMSG_LENGTH(sizeof(*err)))
+ goto malformed_resp;
+
+ /* If vlanid is 0 - we are attempting to clear an existing VLAN id.
+ * An EPERM received at this stage is an indicator that the embedded
+ * switch is not exposed to this host and the network driver is not
+ * able to set a VLAN for a VF. */
+ if (err->error == -EPERM && vlanid == 0) {
+ rc = 0;
+ goto cleanup;
+ } else if (err->error) {
+ virReportSystemError(-err->error,
+ _("Cannot set interface vlanid to %d "
+ "for ifname %s vf %d"),
+ vlanid,
+ ifname ? ifname : "(unspecified)",
+ vf);
+ goto cleanup;
+ }
+ break;
+ case NLMSG_DONE:
+ break;
+ default:
+ goto malformed_resp;
+ }
+
+ rc = 0;
+ cleanup:
+ VIR_DEBUG("RTM_SETLINK %s vf %d vlanid=%d - %s",
+ ifname, vf,
+ vlanid, rc < 0 ? "Fail" : "Success");
+
+ nlmsg_free(nl_msg);
+ return rc;
+
+ malformed_resp:
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("malformed netlink response message"));
+ goto cleanup;
+
+ buffer_too_small:
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("allocated netlink buffer is too small"));
+ goto cleanup;
+}
static int
-virNetDevSetVfConfig(const char *ifname, int vf,
- const virMacAddr *macaddr, int vlanid,
- bool *allowRetry)
+virNetDevSetVfMac(const char *ifname, int vf,
+ const virMacAddr *macaddr,
+ bool *allowRetry)
{
int rc = -1;
char macstr[VIR_MAC_STRING_BUFLEN];
@@ -1545,7 +1648,7 @@ virNetDevSetVfConfig(const char *ifname, int vf,
.ifi_index = -1,
};
- if (!macaddr && vlanid < 0)
+ if (!macaddr)
return -1;
nl_msg = virNetlinkMsgNew(RTM_SETLINK, NLM_F_REQUEST);
@@ -1577,18 +1680,6 @@ virNetDevSetVfConfig(const char *ifname, int vf,
goto buffer_too_small;
}
- if (vlanid >= 0) {
- struct ifla_vf_vlan ifla_vf_vlan = {
- .vf = vf,
- .vlan = vlanid,
- .qos = 0,
- };
-
- if (nla_put(nl_msg, IFLA_VF_VLAN, sizeof(ifla_vf_vlan),
- &ifla_vf_vlan) < 0)
- goto buffer_too_small;
- }
-
nla_nest_end(nl_msg, vfinfo);
nla_nest_end(nl_msg, vfinfolist);
@@ -1615,12 +1706,11 @@ virNetDevSetVfConfig(const char *ifname, int vf,
} else if (err->error) {
/* other errors are permanent */
virReportSystemError(-err->error,
- _("Cannot set interface MAC/vlanid to %s/%d "
+ _("Cannot set interface MAC to %s "
"for ifname %s vf %d"),
(macaddr
? virMacAddrFormat(macaddr, macstr)
: "(unchanged)"),
- vlanid,
ifname ? ifname : "(unspecified)",
vf);
*allowRetry = false; /* no use retrying */
@@ -1637,10 +1727,10 @@ virNetDevSetVfConfig(const char *ifname, int vf,
rc = 0;
cleanup:
- VIR_DEBUG("RTM_SETLINK %s vf %d MAC=%s vlanid=%d - %s",
+ VIR_DEBUG("RTM_SETLINK %s vf %d MAC=%s - %s",
ifname, vf,
macaddr ? virMacAddrFormat(macaddr, macstr) : "(unchanged)",
- vlanid, rc < 0 ? "Fail" : "Success");
+ rc < 0 ? "Fail" : "Success");
nlmsg_free(nl_msg);
return rc;
@@ -1656,6 +1746,20 @@ virNetDevSetVfConfig(const char *ifname, int vf,
goto cleanup;
}
+static int
+virNetDevSetVfConfig(const char *ifname, int vf,
+ const virMacAddr *macaddr, int vlanid,
+ bool *allowRetry)
+{
+ int rc = 0;
+ if ((rc = virNetDevSetVfMac(ifname, vf, macaddr, allowRetry)) < 0) {
+ return rc;
+ } else if ((rc = virNetDevSetVfVlan(ifname, vf, vlanid)) < 0) {
+ return rc;
+ }
+ return rc;
+}
+
/**
* virNetDevParseVfInfo:
* Get the VF interface information from kernel by netlink, To make netlink
--
2.32.0
More information about the libvir-list
mailing list