On Tue, Oct 29, at 5:52 pm, Jiang, Yunhong <yunhong.ji...@intel.com> wrote:

>> -----Original Message-----
>> From: Henry Gessau [mailto:ges...@cisco.com]
>> Sent: Tuesday, October 29, 2013 2:23 PM
>> To: OpenStack Development Mailing List (not for usage questions)
>> Subject: Re: [openstack-dev] [nova] [neutron] PCI pass-through network support
>>
>> On Tue, Oct 29, at 4:31 pm, Jiang, Yunhong <yunhong.ji...@intel.com> wrote:
>>
>> > Henry, why do you think the "service VM" needs the entire PF instead of a
>> > VF? I think the SR-IOV NIC should provide QoS and performance isolation.
>>
>> I was speculating. I just thought it might be a good idea to leave open the
>> possibility of assigning a PF to a VM if the need arises.
>>
>> Neutron service VMs are a new thing. I will be following the discussions and
>> there is a summit session for them. It remains to be seen if there is any
>> desire/need for full PF ownership of NICs. But if a service VM owns the PF
>> and has the right NIC driver it could do some advanced features with it.
>
> At least in the current PCI implementation, if a device has no SR-IOV
> enabled, then that device will be exposed and can be assigned (is this
> your so-called PF?).

Apologies, this was not clear to me until now. Thanks.

I am not aware of a use-case for a service VM needing to control VFs. So you
are right, I should not have talked about the PF but rather just the entire NIC
device in passthrough mode, no SR-IOV needed.

So the admin will need to know:
  Put a NIC in SR-IOV mode if it is to be used by multiple VMs.
  Put a NIC in single device passthrough mode if it is to be used by one
  service VM.

> If a device has SR-IOV enabled, then only the VFs are exposed and the PF is
> hidden from the resource tracker. The reason is, when SR-IOV is enabled, the
> PF is mostly used to configure and manage the VFs, and it would be a security
> issue to expose the PF to a guest.

Thanks for bringing up the security issue.

If a physical network interface is connected in a special way to some
switch/router with the intention being for it to be used only by a service VM,
then close attention must be paid to security. The device owner might get some
low-level network access that can be misused.

> I'm not sure if you are talking about the PF; are you talking about the
> PF w/ or w/o SR-IOV enabled?
>
> I totally agree that assigning a PCI NIC to a service VM has a lot of benefit
> from both the performance and the isolation point of view.
>
> Thanks
> --jyh
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
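An added illustration of the exposure rule Yunhong describes (example code written for this page, not from the thread and not nova's own resource tracker): classify PCI functions from their sysfs attributes, hide an SR-IOV-enabled PF, and expose its VFs and any device without SR-IOV enabled. It assumes the standard Linux sysfs layout (`physfn` symlink on VFs, `sriov_totalvfs`/`sriov_numvfs` on PFs); the sample inventory is constructed.

```python
import os
from dataclasses import dataclass

@dataclass
class PciDevice:
    """Minimal model of /sys/bus/pci/devices/<addr>/ (constructed for this example)."""
    address: str
    has_physfn: bool = False   # VFs carry a 'physfn' symlink to their parent PF
    sriov_totalvfs: int = 0    # > 0 only on SR-IOV capable PFs
    sriov_numvfs: int = 0      # number of VFs currently enabled on that PF

def from_sysfs(addr: str, root: str = "/sys/bus/pci/devices") -> PciDevice:
    """Build a PciDevice from a real sysfs tree (assumes standard Linux layout)."""
    base = os.path.join(root, addr)
    def read_int(name: str) -> int:
        try:
            with open(os.path.join(base, name)) as f:
                return int(f.read().strip() or 0)
        except OSError:          # attribute absent: device is not SR-IOV capable
            return 0
    return PciDevice(addr, os.path.islink(os.path.join(base, "physfn")),
                     read_int("sriov_totalvfs"), read_int("sriov_numvfs"))

def classify(dev: PciDevice) -> str:
    if dev.has_physfn:
        return "VF"
    if dev.sriov_totalvfs > 0 and dev.sriov_numvfs > 0:
        return "PF-sriov-enabled"
    if dev.sriov_totalvfs > 0:
        return "PF-sriov-disabled"   # capable but not enabled: a whole-device NIC
    return "plain"

def exposable(dev: PciDevice) -> bool:
    """Rule from the thread: a PF with VFs enabled configures and manages those
    VFs, so it is hidden; VFs and devices without SR-IOV enabled are exposed."""
    return classify(dev) != "PF-sriov-enabled"

def tracked_devices(devices):
    """Addresses the resource tracker would advertise as assignable."""
    return [d.address for d in devices if exposable(d)]

# Constructed sample inventory (addresses are made up)
SAMPLE = [
    PciDevice("0000:03:00.0", sriov_totalvfs=7, sriov_numvfs=2),  # PF, 2 VFs enabled
    PciDevice("0000:03:10.0", has_physfn=True),                  # VF of the PF above
    PciDevice("0000:03:10.2", has_physfn=True),                  # VF of the PF above
    PciDevice("0000:04:00.0", sriov_totalvfs=7),                 # SR-IOV capable, off
    PciDevice("0000:05:00.0"),                                   # plain NIC, whole-device
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d.address, classify(d), "exposed" if exposable(d) else "hidden")
```

On a real host, `from_sysfs("0000:03:00.0")` replaces the constructed entries; the rule itself is unchanged.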