Restore original VF state when needed #114
Conversation
| if err = s.nLink.LinkSetVfSpoofchk(pfLink, conf.VFID, spoofchk_val); err != nil { | ||
| return fmt.Errorf("failed to restore spoof checking for vf %d to %s: %v", conf.VFID, conf.OrigSpoofChk, err) | ||
| } | ||
| } |
There was a problem hiding this comment.
we could add an "else" clause here and set spoofchk to false. However, this will not necessarily preserve the original state of the system.
adrianchiris
force-pushed
the
vf-config
branch
from
a495922 to
2a3a55e
Compare
pkg/sriov/sriov.go
Outdated
| conf.OrigSpoofChk = "off" | ||
| } | ||
|
|
||
| if spoofChk && conf.MAC == "" && origVfInfo.Mac.String() == zeroMac { |
There was a problem hiding this comment.
I think we may not want to enforce spoofchk=on + adminMac=all-zero rule here as this behavior may be different from driver to driver.
I'd suggest to just restore the spoofChk to its original value which shall work across drivers as driver would set the spoofchk and adminMac properly when VF first gets created.
There was a problem hiding this comment.
It may also be worth documenting this behavior for user reference.
There was a problem hiding this comment.
Seeing that Intel VFs are created with spoofchk on and all-zero admin mac it seems that behaviour of this state (and transitions to this state) is left to the interpretation of each vendor driver.
will remove the check
pkg/types/types.go
Outdated
| MinTxRate *int `json:"min_tx_rate"` // Mbps, 0 = disable rate limiting | ||
| MaxTxRate *int `json:"max_tx_rate"` // Mbps, 0 = disable rate limiting | ||
| SpoofChk string `json:"spoofchk,omitempty"` // on|off | ||
| OrigSpoofChk string `json:"origSpoofchk,omitempty"` // on|off, represents the original spoofchk value in the system |
There was a problem hiding this comment.
I am getting concerned about littering all "non-user-configurable" parameters with corresponding json encoding fields so that we could save them on disk.
Ideally, we should only have fields with json tag if the value is expected from user. I was wondering if there's any better way of doing this.
There was a problem hiding this comment.
This regards a more general problem, for this PR we deal with the issue of implicitly changing spoofchk value which was introduced in
020e04d
this causes pod traffic to fail on mellanox VFs. (as described in commit message)
ideally the VF's "restore" state should be in a separate cache entry (maybe different file/ different section in the file).
these values would still have json tags as the state will eventually end up as JSON to be consumed later by cmdDel
There was a problem hiding this comment.
There was a problem hiding this comment.
I dont understand why this differs from NetConf.AdminMAC , NetConf.EffectiveMAC (These are not user configurable parameters) this patch takes the same approach to deal with what i consider a critical issue as Pod 2 Pod traffic will always fail on VFs from Mellanox NIC due to the fact that the original state of spoofchk is not preserved.
Now, don't get me wrong, i'm all for solving the general issue but it can be regarded as an enhancement (crucial one IMO) to the project that will take some time to agree on design, implementation etc.
This patch is proposed as a triage until #115 is implemented.
There was a problem hiding this comment.
Also i'm not sure about backpoting policies for this project in case there was a release with this issue.
There was a problem hiding this comment.
I think the idea of not having origSpoofChk in conf also applies to AdminMac and EffectiveMac, it's just that it was not explicitly called out. Maybe we shall put all the VF state related options which are not expected to be configured by user into a separate structure or as a sub-structure of conf so that CNI can cache all the VF states and restore them when cmdDel is called.
There was a problem hiding this comment.
Regarding backporting, I think we don't have much request as such before so there is no established rules of how this should be done. but we're open to backport any fix to release branch where needed.
pkg/sriov/sriov.go
Outdated
| @@ -277,6 +279,11 @@ func (s *sriovManager) ApplyVFConfig(conf *sriovtypes.NetConf) error { | |||
| return fmt.Errorf("failed to lookup master %q: %v", conf.Master, err) | |||
| } | |||
|
|
|||
| origVfInfo := getVfInfo(pfLink, conf.VFID) | |||
There was a problem hiding this comment.
We should try save and restore the original VF states from this. And on the ApplyVFConfig() should only try setting VF configurations that are given in the config. If any config not given let's not touch them.
There was a problem hiding this comment.
If we can define a data structure for origVfInfo, then it would be easier to store the retrieved origVfInfo to the defined structure and cache it. This will save us from contional check from here
adrianchiris
force-pushed
the
vf-config
branch
2 times, most recently
from
6583666 to
d85544e
Compare
|
recheck |
adrianchiris
changed the title
|
This PR has been modified to address the comments, it now stores the original VF state in a separate struct nested in netconf and conditionally restores all VF configuration values. |
| } | ||
|
|
||
| // Restore spoofchk | ||
| if conf.SpoofChk != "" { |
There was a problem hiding this comment.
If it restores only when spoofChk is configured, will this resolve the issue that spoofChk is flipped to on while releasing VF on mellanox VF?
There was a problem hiding this comment.
Yes, it is assumed that the VF state prior to cmdAdd() call is a valid one for the NIC driver(so no spoofchk=on, MAC=00000...).
then if user chose to change the value, we will restore to the original state.
There was a problem hiding this comment.
What if user doesn't specify the value of spoofChk, will it still be turned on automatically when released? (then next time it's used in other pod, traffic blocked)
There was a problem hiding this comment.
Maybe im missing something, but who would turn on spoofchk automatically ?
the only entity who modifies these VF attributes should be SR-IOV CNI which, now, does that conditionally.
can you describe the scenario ?
There was a problem hiding this comment.
ok, here is what I found on openshift deployment: when VF is released from pod, spoofChk is turned on automatically, the next time new pod get created with the same VF will have traffic blocked as it doesn't explicitly turn off the spoofChk.
There was a problem hiding this comment.
ok, here is what I found on openshift deployment: when VF is released from pod, spoofChk is turned on automatically, the next time new pod get created with the same VF will have traffic blocked as it doesn't explicitly turn off the spoofChk.
Current SR-IOV CNI automatically sets it to on on cmdDel(), after this change it will not.
this PR does not address fixing a VF which has ended up in an invalid state (initial configuration is assumed to be valid).
|
/retest |
pkg/config/config.go
Outdated
| } | ||
|
|
||
| // validate that vlan id is set if vlan qos is configured | ||
| if n.Vlan == 0 && n.VlanQoS != 0 { | ||
| if (n.Vlan == nil || *n.Vlan == 0) && n.VlanQoS != nil { |
There was a problem hiding this comment.
I know it's rarely used, but shall we allow combined settings vlan == 0 and vlanQoS == 0?
There was a problem hiding this comment.
IMO we should not (at least not in this PR) ill modify the condition to:
if (n.Vlan == nil || *n.Vlan == 0) && (n.VlanQos != nil && *n.VlanQos != 0) {...}
There was a problem hiding this comment.
On second thought, i don't think we need to prevent it.
Changing Vlan and VlanQos to a pointer allows us to know if the user specified a value.
so in my opinion we should enforce:
- Vlan must be specified by the user if VlanQos is specified
- if VlanQos is specified and is a non-zero value then Vlan must be a non zero value
i don't think we should prevent vlan == 0 && vlanQos == 0
This commit attempts to sort out (to some extent)
how a VF configuration is restored.
Until today, almost all VF configurations (except MAC)
where restored to some hardcoded value.
These values may not be desired by the system administrator
or may be invalid for some NIC driver implementation.
As an example, The behaviour of A VF where spoofchk is enabled
and admin mac address is zero is not well defined and is left
for the vendor driver implementors to define the behaviour.
This may cause the NIC's embedded switch to block traffic
from the VF, hence a POD will not be able to send traffic on that VF.
Today, when a user does not specify MAC and Spoofchk values in network
configuration will run into the issue described above when the VF is
reused for a POD.
To fix the issue, described above we take a similar approach to
how Administrative MAC is saved and restored today.
This commit:
1. Defines a new VF state struct which will save VF configurations
to be used during configuration restoration which shall be saved
together with the network confguration in cache.
2. Moves AdminMAC, EffectiveMAC attributes to the new struct
3. Saves the VF's state during CmdAdd flow
4. Conditionally restores all values to their saved state during
ResetVFConfig()
5. Modifies order when restoring VF confguration to first restore
spoofchk and then Administrative MAC
6. Enhances documentation under Mellanox to clarify the spoofchk
and mac dependency.
|
/retest |
|
PR update : allow user to specify the following configuration: vlan == 0 && vlanQos == 0 |
|
@zshi-redhat @ahalim-intel inputs appreciated :) |
I just got chance to test this PR, it worked fine. Thanks for working on it! |
|
works well also on my local environment. Without this patch, I may encounter the panic issue, such as : |
|
/lgtm |
|
can we merged this please? |
|
I tested this across a number of nics and drivers and it's working as described. /LGTM |
|
thanks :) |
|
@zshi-redhat, Do we need to backport this for openshift? |
@moshe010 this is cherry-picked as part of regular update: openshift/sriov-cni#14 |
This commit attempts to sort out (to some extent)
how a VF configuration is restored.
Until today, almost all VF configurations (except MAC)
where restored to some hardcoded value.
These values may not be desired by the system administrator
or may be invalid for some NIC driver implementation.
As an example, The behaviour of A VF where spoofchk is enabled
and admin mac address is zero is not well defined and is left
for the vendor driver implementors to define the behaviour.
This may cause the NIC's embedded switch to block traffic
from the VF, hence a POD will not be able to send traffic on that VF.
Today, when a user does not specify MAC and Spoofchk values in network
configuration will run into the issue described above when the VF is
reused for a POD.
To fix the issue, described above we take a similar approach to
how Administrative MAC is saved and restored today.
This commit:
1. Defines a new VF state struct which will save VF configurations
to be used during configuration restoration which shall be saved
together with the network confguration in cache.
2. Moves AdminMAC, EffectiveMAC attributes to the new struct
3. Saves the VF's state during CmdAdd flow
4. Conditionally restores all values to their saved state during
ResetVFConfig()
5. Modifies order when restoring VF confguration to first restore
spoofchk and then Administrative MAC
6. Enhances documentation under Mellanox to clarify the spoofchk
and mac dependency.
Restore original VF value when needed