)]}'
{"specs/backlog/approved/sroiv-trusted-vfs.rst":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"56c1204e2dee3289f5e8d89f7f95456c4faadc7b","unresolved":false,"context_lines":[{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://blueprints.launchpad.net/nova/+spec/sriov-trusted-vfs"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"A new kernel feature allows Virtual Functions to become \"trusted\" by"},{"line_number":14,"context_line":"the Physical Function and perform some privileged operations, such as"},{"line_number":15,"context_line":"enabling VF promiscuous mode and changing VF MAC address within the"},{"line_number":16,"context_line":"guest. The inability to modify mac addresses in the guest prevents the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a71b18c_0cee5d22","line":13,"range":{"start_line":13,"start_character":0,"end_line":13,"end_character":68},"updated":"2016-12-01 18:34:13.000000000","message":"Could you link to docs on this \"new kernel feature\", please :)","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"56c1204e2dee3289f5e8d89f7f95456c4faadc7b","unresolved":false,"context_lines":[{"line_number":28,"context_line":"performed by a VF would be legitimate. Openstack currently doesn\u0027t"},{"line_number":29,"context_line":"provide an easy way for a user to boot an instance with selected"},{"line_number":30,"context_line":"trusted VFs. 
As well as there is no easy way for cloud operators to"},{"line_number":31,"context_line":"specify with PFs allows it\u0027s VFs to become trusted."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Use Cases"},{"line_number":34,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a71b18c_1ab4cbf0","line":31,"range":{"start_line":31,"start_character":24,"end_line":31,"end_character":28},"updated":"2016-12-01 18:34:13.000000000","message":"its","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"56c1204e2dee3289f5e8d89f7f95456c4faadc7b","unresolved":false,"context_lines":[{"line_number":28,"context_line":"performed by a VF would be legitimate. Openstack currently doesn\u0027t"},{"line_number":29,"context_line":"provide an easy way for a user to boot an instance with selected"},{"line_number":30,"context_line":"trusted VFs. 
As well as there is no easy way for cloud operators to"},{"line_number":31,"context_line":"specify with PFs allows it\u0027s VFs to become trusted."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Use Cases"},{"line_number":34,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a71b18c_dab973ee","line":31,"range":{"start_line":31,"start_character":8,"end_line":31,"end_character":12},"updated":"2016-12-01 18:34:13.000000000","message":"which","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"56c1204e2dee3289f5e8d89f7f95456c4faadc7b","unresolved":false,"context_lines":[{"line_number":33,"context_line":"Use Cases"},{"line_number":34,"context_line":"----------"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"There are several use cases in which users would prefer to take"},{"line_number":37,"context_line":"advantage of the trusted VFs. Bonding VFs in a guest would be one of"},{"line_number":38,"context_line":"these. Bonding modes that require all slaves to use the same MAC"},{"line_number":39,"context_line":"address, would require address modification on one of the VFs during a"},{"line_number":40,"context_line":"fail-over. As MAC address altering is a privileged operation,"},{"line_number":41,"context_line":"participating VFs should be trusted in order to successfully configure"},{"line_number":42,"context_line":"bonding in the guest. 
[1]_"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"Project Priority"},{"line_number":45,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a71b18c_da033375","line":42,"range":{"start_line":36,"start_character":0,"end_line":42,"end_character":26},"updated":"2016-12-01 18:34:13.000000000","message":"nit: could you reword these as \"As X, I want to do Y\". It makes these sections a lot more readable. For example:\n\n  As a user, I want to bond VFs in a guest.","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"3e827dcccb88b6f7b09e62291fd9ce536fb4fb67","unresolved":false,"context_lines":[{"line_number":33,"context_line":"Use Cases"},{"line_number":34,"context_line":"----------"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"There are several use cases in which users would prefer to take"},{"line_number":37,"context_line":"advantage of the trusted VFs. Bonding VFs in a guest would be one of"},{"line_number":38,"context_line":"these. Bonding modes that require all slaves to use the same MAC"},{"line_number":39,"context_line":"address, would require address modification on one of the VFs during a"},{"line_number":40,"context_line":"fail-over. As MAC address altering is a privileged operation,"},{"line_number":41,"context_line":"participating VFs should be trusted in order to successfully configure"},{"line_number":42,"context_line":"bonding in the guest. 
[1]_"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"Project Priority"},{"line_number":45,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfeb2761_00de4910","line":42,"range":{"start_line":36,"start_character":0,"end_line":42,"end_character":26},"in_reply_to":"3a71b18c_da033375","updated":"2017-04-04 10:20:31.000000000","message":"It seems like neutron would configure all the macs to be the same, if that were required. Seems wrong letting the user change the mac from what Neutron wants it to be.","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":12398,"name":"Dan Sneddon","email":"dsneddon@redhat.com","username":"dsneddon"},"change_message_id":"591b1b26202fe2bcf8b351f8d99c3edd68b67b29","unresolved":false,"context_lines":[{"line_number":33,"context_line":"Use Cases"},{"line_number":34,"context_line":"----------"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"There are several use cases in which users would prefer to take"},{"line_number":37,"context_line":"advantage of the trusted VFs. Bonding VFs in a guest would be one of"},{"line_number":38,"context_line":"these. Bonding modes that require all slaves to use the same MAC"},{"line_number":39,"context_line":"address, would require address modification on one of the VFs during a"},{"line_number":40,"context_line":"fail-over. As MAC address altering is a privileged operation,"},{"line_number":41,"context_line":"participating VFs should be trusted in order to successfully configure"},{"line_number":42,"context_line":"bonding in the guest. 
[1]_"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"Project Priority"},{"line_number":45,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"df7087c5_8fd09ccb","line":42,"range":{"start_line":36,"start_character":0,"end_line":42,"end_character":26},"in_reply_to":"dfeb2761_00de4910","updated":"2018-03-20 22:35:02.000000000","message":"If this only allows any of multiple NICs to use a MAC address assigned by Neutron (so the MAC address of NIC1 could also appear on NIC2, etc.), then I think this is fine. If it allows a user to set an arbitrary MAC address, this would create a potential security risk. Attacks could include stealing MAC addresses to perform man-in-the-middle attacks or denial-of-service attacks. Or it could allow creating temporary arbitrary MAC addresses in order to hide the source of hostile traffic. These attacks would be limited to the local layer 2 network, so if only one tenant is using a network segment it wouldn\u0027t allow cross-tenant security violations.","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"56c1204e2dee3289f5e8d89f7f95456c4faadc7b","unresolved":false,"context_lines":[{"line_number":41,"context_line":"participating VFs should be trusted in order to successfully configure"},{"line_number":42,"context_line":"bonding in the guest. 
[1]_"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"Project Priority"},{"line_number":45,"context_line":"-----------------"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"None"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"Proposed change"},{"line_number":50,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a71b18c_07c5443b","line":47,"range":{"start_line":44,"start_character":0,"end_line":47,"end_character":4},"updated":"2016-12-01 18:34:13.000000000","message":"Is this a new field? I haven\u0027t seen it before","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"56c1204e2dee3289f5e8d89f7f95456c4faadc7b","unresolved":false,"context_lines":[{"line_number":55,"context_line":"PFs will allow trusted VFs to be configured."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Users will be able to request to boot an instance with trusted VF by"},{"line_number":58,"context_line":"adding a `trusted\u003dtrue` parameter to the nova boot nic option:"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":".. code-block:: console"},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a71b18c_a7ec90c8","line":58,"range":{"start_line":58,"start_character":9,"end_line":58,"end_character":23},"updated":"2016-12-01 18:34:13.000000000","message":"Code? 
``trusted\u003dtrue``","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":12171,"name":"Moshe Levi","email":"moshele@nvidia.com","username":"moshele"},"change_message_id":"75ba758e1f54251fc5e19227c18b57fd59550c06","unresolved":false,"context_lines":[{"line_number":59,"context_line":""},{"line_number":60,"context_line":".. code-block:: console"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"    $ nova boot --nic port-id\u003d[ID],trusted\u003dtrue"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"The operators will be able to select which PFs can have trusted VFs,"},{"line_number":65,"context_line":"during the devices white list process. This is by adding an additional"},{"line_number":66,"context_line":"parameter to the filter in nova.conf:"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":".. code-block:: json"},{"line_number":69,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a77a97e_c58a12bf","line":66,"range":{"start_line":62,"start_character":5,"end_line":66,"end_character":37},"updated":"2016-11-16 20:47:17.000000000","message":"another option is to create direct port with  --binding-profile\u003d\u0027{\"trusted\": True}\u0027\nand update the SR-IOV agent to do the change.\nin the agent we are already using ip link to configure  rate/spoof check and admin state.","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"56c1204e2dee3289f5e8d89f7f95456c4faadc7b","unresolved":false,"context_lines":[{"line_number":59,"context_line":""},{"line_number":60,"context_line":".. 
code-block:: console"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"    $ nova boot --nic port-id\u003d[ID],trusted\u003dtrue"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"The operators will be able to select which PFs can have trusted VFs,"},{"line_number":65,"context_line":"during the devices white list process. This is by adding an additional"},{"line_number":66,"context_line":"parameter to the filter in nova.conf:"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":".. code-block:: json"},{"line_number":69,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a71b18c_8c125b61","line":66,"range":{"start_line":62,"start_character":5,"end_line":66,"end_character":37},"in_reply_to":"7a77a97e_c58a12bf","updated":"2016-12-01 18:34:13.000000000","message":"Using \u0027--binding-profile\u0027 makes more semantic sense, IMO, and helps us avoid modifying the nova-client/openstackclient. Also, while it\u0027s not the exact same thing, this reminds me of the comments danpb made on the user-controlled-sriov-ports-allocation spec [1].\n\n[1] https://review.openstack.org/#/c/182242/23..32/specs/ocata/approved/user-controlled-sriov-ports-allocation.rst","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"56c1204e2dee3289f5e8d89f7f95456c4faadc7b","unresolved":false,"context_lines":[{"line_number":65,"context_line":"during the devices white list process. This is by adding an additional"},{"line_number":66,"context_line":"parameter to the filter in nova.conf:"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":".. 
code-block:: json"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"    [pci]"},{"line_number":71,"context_line":"    passthrough_whitelist \u003d {\"devname\":\"eth0\","}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a71b18c_8726b466","line":68,"range":{"start_line":68,"start_character":16,"end_line":68,"end_character":20},"updated":"2016-12-01 18:34:13.000000000","message":"ini?","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"56c1204e2dee3289f5e8d89f7f95456c4faadc7b","unresolved":false,"context_lines":[{"line_number":72,"context_line":"                             \"device_type\":\"type-PF\","},{"line_number":73,"context_line":"                             \"trusted_vfs\":\"true\"}"},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"NOTE: After the instance destruction, VFs which have been configured"},{"line_number":76,"context_line":"with the bit trust will be cleared."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"Alternatives"},{"line_number":79,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a71b18c_071b841c","line":76,"range":{"start_line":75,"start_character":0,"end_line":76,"end_character":35},"updated":"2016-12-01 18:34:13.000000000","message":"rST supports this:\n\n    .. 
note::\n\n       After the instance...","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"56c1204e2dee3289f5e8d89f7f95456c4faadc7b","unresolved":false,"context_lines":[{"line_number":126,"context_line":"Other deployer impact"},{"line_number":127,"context_line":"---------------------"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"Operators will have to list PCI devices which can be considered to be"},{"line_number":130,"context_line":"set as \u0027trusted\u0027"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"Developer impact"},{"line_number":133,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a71b18c_4779fcfb","line":130,"range":{"start_line":129,"start_character":0,"end_line":130,"end_character":16},"updated":"2016-12-01 18:34:13.000000000","message":"Could you reword this, please? 
I\u0027m mystified","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"56c1204e2dee3289f5e8d89f7f95456c4faadc7b","unresolved":false,"context_lines":[{"line_number":150,"context_line":"* Update create REST API to boot instance and set NICs as trusted"},{"line_number":151,"context_line":"* Modify PCI whitelist to include trusted_vfs param."},{"line_number":152,"context_line":"* Define new attribute for NetworkRequest object"},{"line_number":153,"context_line":"* Modify `pci.passthrough_filter` to filter our hosts without trusted_vfs PFs"},{"line_number":154,"context_line":"* Setup VF trust on compute node for a requested VFs"},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a71b18c_2747a0bc","line":153,"range":{"start_line":153,"start_character":8,"end_line":153,"end_character":33},"updated":"2016-12-01 18:34:13.000000000","message":"``pci.passthrough_filter``","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"56c1204e2dee3289f5e8d89f7f95456c4faadc7b","unresolved":false,"context_lines":[{"line_number":158,"context_line":""},{"line_number":159,"context_line":"Even if not directly related the spec User-controlled SR-IOV ports"},{"line_number":160,"context_line":"allocation\" [4]_ would provide required granularity in an use-case"},{"line_number":161,"context_line":"like \"fail-over bonding\" to connect NICs on different physical 
switch."},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"Testing"},{"line_number":164,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a71b18c_8735d447","line":161,"updated":"2016-12-01 18:34:13.000000000","message":"+1 - good call mentioning this","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"56c1204e2dee3289f5e8d89f7f95456c4faadc7b","unresolved":false,"context_lines":[{"line_number":163,"context_line":"Testing"},{"line_number":164,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":165,"context_line":""},{"line_number":166,"context_line":"New unit and functional tests will be written to cover the changes."},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"Documentation Impact"},{"line_number":169,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a71b18c_27f08090","line":166,"range":{"start_line":166,"start_character":0,"end_line":166,"end_character":67},"updated":"2016-12-01 18:34:13.000000000","message":"Is this testable via a third-party CI?","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"56c1204e2dee3289f5e8d89f7f95456c4faadc7b","unresolved":false,"context_lines":[{"line_number":168,"context_line":"Documentation 
Impact"},{"line_number":169,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"New devices metadata structure should be documented."},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"References"},{"line_number":174,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a71b18c_27ab2076","line":171,"range":{"start_line":171,"start_character":0,"end_line":171,"end_character":52},"updated":"2016-12-01 18:34:13.000000000","message":"huh?\n\nYou should probably mention that the SR-IOV doc in the networking guide will need to be updated to document both this and bonding in general (if that isn\u0027t already described). Also, the security risks are going to have to be documented somewhere","commit_id":"94f82c219a2ab0d6814dd4bba0d9fdab6337720f"}]}
