network: add command to configure trusted mode for VFs

By default, Virtual Functions have no privileges to perform certain operations, such as enabling multicast promiscuous mode and modifying the VFs MAC address in the guest. These security measures are designed to prevent possible attacks, however, in some cases like failover bonding these operations performed by a VF would be legitimate. This commit add command to enable/disable trust for a specific VF. Implements blueprint sriov-trusted-vfs Change-Id: I461fd97876e23cbf38ccb8d769a5c8173b8bc810
openstack · Apr 3, 2018 · 27614dc · 27614dc
1 parent 98b505d
commit 27614dc
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
@@ -1831,3 +1831,20 @@ def set_vf_interface_vlan(pci_addr, mac_addr, vlan=0):
                   port_state,
                   run_as_root=True,
                   check_exit_code=exit_code)
+
+
+def set_vf_trusted(pci_addr, trusted):
+    """Configures the VF to be trusted or not
+
+    :param pci_addr: PCI slot of the device
+    :param trusted: Boolean value to indicate whether to
+                    enable/disable 'trusted' capability
+    """
+    pf_ifname = pci_utils.get_ifname_by_pci_address(pci_addr,
+                                                    pf_interface=True)
+    vf_num = pci_utils.get_vf_num_by_pci_address(pci_addr)
+    utils.execute('ip', 'link', 'set', pf_ifname,
+                  'vf', vf_num,
+                  'trust', bool(trusted) and 'on' or 'off',
+                  run_as_root=True,
+                  check_exit_code=[0, 2, 254])
diff --git a/nova/tests/unit/network/test_linux_net.py b/nova/tests/unit/network/test_linux_net.py
@@ -1407,3 +1407,25 @@ def test_create_tap_dev_multiqueue_tunctl_raises(self, mock_execute):
         self.assertRaises(processutils.ProcessExecutionError,
                           linux_net.create_tap_dev,
                           'tap42', multiqueue=True)
+
+    @mock.patch('nova.pci.utils.get_vf_num_by_pci_address')
+    @mock.patch('nova.pci.utils.get_ifname_by_pci_address')
+    @mock.patch('nova.utils.execute')
+    def test_set_vf_trusted_on(self, mexecute, mget_ifname, mget_vfnum):
+        mget_ifname.return_value = 'eth0'
+        mget_vfnum.return_value = 2
+        linux_net.set_vf_trusted('PCI_ADDR', True)
+        mexecute.assert_called_once_with(
+            'ip', 'link', 'set', 'eth0', 'vf', 2, 'trust', 'on',
+            check_exit_code=[0, 2, 254], run_as_root=True)
+
+    @mock.patch('nova.pci.utils.get_vf_num_by_pci_address')
+    @mock.patch('nova.pci.utils.get_ifname_by_pci_address')
+    @mock.patch('nova.utils.execute')
+    def test_set_vf_trusted_off(self, mexecute, mget_ifname, mget_vfnum):
+        mget_ifname.return_value = 'eth0'
+        mget_vfnum.return_value = 2
+        linux_net.set_vf_trusted('PCI_ADDR', False)
+        mexecute.assert_called_once_with(
+            'ip', 'link', 'set', 'eth0', 'vf', 2, 'trust', 'off',
+            check_exit_code=[0, 2, 254], run_as_root=True)