[openstack-dev] [nova] [neutron] PCI pass-through network support

Henry Gessau gessau at cisco.com
Tue Oct 29 23:29:59 UTC 2013


On Tue, Oct 29, at 5:52 pm, Jiang, Yunhong <yunhong.jiang at intel.com> wrote:

>> -----Original Message-----
>> From: Henry Gessau [mailto:gessau at cisco.com]
>> Sent: Tuesday, October 29, 2013 2:23 PM
>> To: OpenStack Development Mailing List (not for usage questions)
>> Subject: Re: [openstack-dev] [nova] [neutron] PCI pass-through network support
>> 
>> On Tue, Oct 29, at 4:31 pm, Jiang, Yunhong <yunhong.jiang at intel.com>
>> wrote:
>> 
>> > Henry, why do you think the "service VM" needs the entire PF instead of a
>> > VF? I think the SR-IOV NIC should provide QoS and performance isolation.
>> 
>> I was speculating. I just thought it might be a good idea to leave open the
>> possibility of assigning a PF to a VM if the need arises.
>> 
>> Neutron service VMs are a new thing. I will be following the discussions and
>> there is a summit session for them. It remains to be seen if there is any
>> desire/need for full PF ownership of NICs. But if a service VM owns the PF
>> and has the right NIC driver it could do some advanced features with it.
>> 
> At least in the current PCI implementation, if a device has no SR-IOV
> enabled, then that device will be exposed and can be assigned (is this
> your so-called PF?).

Apologies, this was not clear to me until now. Thanks. I am not aware of a
use-case for a service VM needing to control VFs. So you are right, I should
not have talked about PF but rather just the entire NIC device in
passthrough mode, no SR-IOV needed.

So the admin will need to know: Put a NIC in SR-IOV mode if it is to be used
by multiple VMs. Put a NIC in single device passthrough mode if it is to be
used by one service VM.

> If a device has SR-IOV enabled, then only the VFs are exposed and the PF is
> hidden from the resource tracker. The reason is, when SR-IOV is enabled, the
> PF is mostly used to configure and manage the VFs, and it would be a
> security issue to expose the PF to a guest.

Thanks for bringing up the security issue. If a physical network interface
is connected in a special way to some switch/router with the intention being
for it to be used only by a service VM, then close attention must be paid to
security. The device owner might get some low-level network access that can
be misused.

> I'm not sure which PF you are talking about: are you talking about the PF
> with or without SR-IOV enabled?
> 
> I totally agree that assigning a PCI NIC to a service VM has a lot of
> benefits from both the performance and isolation points of view.
> 
> Thanks
> --jyh
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
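As an added illustration of the exposure rule Yunhong describes (not code from this thread or from Nova's resource tracker), the classifier below applies it to a constructed PCI inventory: a device without SR-IOV enabled is assignable as a whole device, a VF is assignable, and a PF with SR-IOV enabled is hidden. The `PciDevice`, `classify`, `assignable` and `read_sysfs_device` names are my own; the `sriov_totalvfs`, `sriov_numvfs` and `physfn` attributes are the standard Linux sysfs ones under /sys/bus/pci/devices.

```python
import os
from dataclasses import dataclass
from typing import Optional

@dataclass
class PciDevice:
    address: str                    # PCI address such as 0000:03:00.0
    sriov_totalvfs: int = 0         # 0: the device has no SR-IOV capability
    sriov_numvfs: int = 0           # >0: SR-IOV is enabled and this PF has VFs
    physfn: Optional[str] = None    # set on a VF: address of its parent PF

def classify(dev):
    if dev.physfn is not None:
        return "vf"
    if dev.sriov_numvfs > 0:
        return "pf-enabled"
    return "whole"   # no SR-IOV capability, or capability present but not enabled

def assignable(devices):
    """Apply the rule from the thread: whole devices and VFs may be given to a
    guest; a PF with SR-IOV enabled manages its VFs and is hidden."""
    exposed = {}
    for dev in devices:
        kind = classify(dev)
        if kind == "pf-enabled":
            continue
        exposed[dev.address] = "vf" if kind == "vf" else "single-device-passthrough"
    return exposed

def read_sysfs_device(address, root="/sys/bus/pci/devices"):
    """Build a PciDevice from the standard Linux sysfs attributes of one device."""
    path = os.path.join(root, address)
    def read_int(name):
        try:
            with open(os.path.join(path, name)) as f:
                return int(f.read().strip() or 0)
        except (FileNotFoundError, ValueError):
            return 0
    link = os.path.join(path, "physfn")
    physfn = os.path.basename(os.readlink(link)) if os.path.islink(link) else None
    return PciDevice(address, read_int("sriov_totalvfs"), read_int("sriov_numvfs"), physfn)

# Constructed inventory (not real hardware): an SR-IOV NIC with one VF, an
# SR-IOV-capable NIC left in single-device mode, and a plain NIC for a service VM.
SAMPLE = [
    PciDevice("0000:03:00.0", sriov_totalvfs=8, sriov_numvfs=1),
    PciDevice("0000:03:10.0", physfn="0000:03:00.0"),
    PciDevice("0000:07:00.0", sriov_totalvfs=8),
    PciDevice("0000:05:00.0"),
]
```

Running `assignable(SAMPLE)` lists the VF and the two whole NICs and omits the SR-IOV-enabled PF, which is the split the admin has to plan for: SR-IOV mode for a NIC shared by several VMs, single-device passthrough for a NIC owned by one service VM.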
