netdev: fail when setting up an SRIOV VF if PF is offline

If an SRIOV PF is offline, the kernel won't complain if you set the mac address and vlan tag for a VF via this PF, and it will even let you assign the VF to a guest using PCI device assignment or macvtap passthrough. But in this case (the PF isn't online), the device won't be usable in the guest. Silently setting the PF online would solve the connectivity problem, but as pointed out by Dan Berrange, when an interface is set online with no associated config, the kernel will by default turn on IPv6 autoconf, which could create unexpected security problems for the host. For this reason, this patch instead logs an error and fails the operation. This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=893738 Originally filed against RHEL6, but present in every version of libvirt until today.

netdev: fail when setting up an SRIOV VF if PF is offline
If an SRIOV PF is offline, the kernel won't complain if you set the mac address and vlan tag for a VF via this PF, and it will even let you assign the VF to a guest using PCI device assignment or macvtap passthrough. But in this case (the PF isn't online), the device won't be usable in the guest. Silently setting the PF online would solve the connectivity problem, but as pointed out by Dan Berrange, when an interface is set online with no associated config, the kernel will by default turn on IPv6 autoconf, which could create unexpected security problems for the host. For this reason, this patch instead logs an error and fails the operation. This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=893738 Originally filed against RHEL6, but present in every version of libvirt until today.
474523fa · Laine Stump · c4d27bdd · 474523fa
隐藏空白更改
内联并排

Showing with 22 addition and 0 deletion

src/util/virnetdev.c src/util/virnetdev.c +22 -0

未找到文件。
--- a/src/util/virnetdev.c
+++ b/src/util/virnetdev.c
@@ -2258,6 +2258,28 @@ virNetDevReplaceVfConfig(const char *pflinkdev, int vf,
    char macstr[VIR_MAC_STRING_BUFLEN];
    char *fileData = NULL;
    int ifindex = -1;
+    bool pfIsOnline;
+
+    /* Assure that PF is online prior to twiddling with the VF.  It
+     * *should* be, but if the PF isn't online the changes made to the
+     * VF via the PF won't take effect, yet there will be no error
+     * reported. In the case that it isn't online, fail and report the
+     * error, since setting an unconfigured interface online
+     * automatically turns on IPv6 autoconfig, which may not be what
+     * the admin expects, so we want them to explicitly enable the PF
+     * in the host system network config.
+     */
+    if (virNetDevGetOnline(pflinkdev, &pfIsOnline) < 0)
+       goto cleanup;
+    if (!pfIsOnline) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("Unable to configure VF %d of PF '%s' "
+                         "because the PF is not online. Please "
+                         "change host network config to put the "
+                         "PF online."),
+                       vf, pflinkdev);
+        goto cleanup;
+    }

    if (virNetDevGetVfConfig(pflinkdev, vf, &oldmac, &oldvlanid) < 0)
        goto cleanup;