lxd/device: add support for network device limits.priority option

mihalicyn · mihalicyn · commit daef95d37f7b · 2023-09-25T10:56:51.000+02:00
This is a replacement feature for per-instance limits.network.priority option.
New approach does not require netprio cgroup to be suppored (it's from legacy
cgroup v1) and also it allows to set priority for virtual machine instances.

Signed-off-by: Alexander Mikhalitsyn &lt;aleksandr.mikhalitsyn@canonical.com&gt;
diff --git a/doc/.wordlist.txt b/doc/.wordlist.txt
@@ -307,3 +307,4 @@ Zettabyte
 ZFS
 zpool
 zpools
+qdisc
diff --git a/doc/reference/devices_nic.md b/doc/reference/devices_nic.md
@@ -88,6 +88,7 @@ Key                      | Type    | Default           | Managed | Description
 `limits.egress`          | string  | -                 | no      | I/O limit in bit/s for outgoing traffic (various suffixes supported, see {ref}`instances-limit-units`)
 `limits.ingress`         | string  | -                 | no      | I/O limit in bit/s for incoming traffic (various suffixes supported, see {ref}`instances-limit-units`)
 `limits.max`             | string  | -                 | no      | I/O limit in bit/s for both incoming and outgoing traffic (same as setting both `limits.ingress` and `limits.egress`)
+`limits.priority`       | integer | -                 | The `skb->priority` value (32-bit unsigned integer) for outgoing traffic, to be used by the kernel queuing discipline (qdisc) to prioritize network packets (The effect of this value depends on the particular qdisc implementation, for example, `SKBPRIO` or `QFQ`. Consult the kernel qdisc documentation before setting this value.)
 `maas.subnet.ipv4`       | string  | -                 | yes     | MAAS IPv4 subnet to register the instance in
 `maas.subnet.ipv6`       | string  | -                 | yes     | MAAS IPv6 subnet to register the instance in
 `mtu`                    | integer | parent MTU        | yes     | The MTU of the new interface
@@ -354,6 +355,7 @@ Key                     | Type    | Default           | Description
 `limits.egress`         | string  | -                 | I/O limit in bit/s for outgoing traffic (various suffixes supported, see {ref}`instances-limit-units`)
 `limits.ingress`        | string  | -                 | I/O limit in bit/s for incoming traffic (various suffixes supported, see {ref}`instances-limit-units`)
 `limits.max`            | string  | -                 | I/O limit in bit/s for both incoming and outgoing traffic (same as setting both `limits.ingress` and `limits.egress`)
+`limits.priority`       | integer | -                 | The `skb->priority` value (32-bit unsigned integer) for outgoing traffic, to be used by the kernel queuing discipline (qdisc) to prioritize network packets (The effect of this value depends on the particular qdisc implementation, for example, `SKBPRIO` or `QFQ`. Consult the kernel qdisc documentation before setting this value.)
 `mtu`                   | integer | kernel assigned   | The MTU of the new interface
 `name`                  | string  | kernel assigned   | The name of the interface inside the instance
 `queue.tx.length`       | integer | -                 | The transmit queue length for the NIC
@@ -442,6 +444,7 @@ Key                     | Type    | Default           | Description
 `limits.egress`         | string  | -                 | I/O limit in bit/s for outgoing traffic (various suffixes supported, see {ref}`instances-limit-units`)
 `limits.ingress`        | string  | -                 | I/O limit in bit/s for incoming traffic (various suffixes supported, see {ref}`instances-limit-units`)
 `limits.max`            | string  | -                 | I/O limit in bit/s for both incoming and outgoing traffic (same as setting both `limits.ingress` and `limits.egress`)
+`limits.priority`       | integer | -                 | The `skb->priority` value (32-bit unsigned integer) for outgoing traffic, to be used by the kernel queuing discipline (qdisc) to prioritize network packets (The effect of this value depends on the particular qdisc implementation, for example, `SKBPRIO` or `QFQ`. Consult the kernel qdisc documentation before setting this value.)
 `mtu`                   | integer | parent MTU        | The MTU of the new interface
 `name`                  | string  | kernel assigned   | The name of the interface inside the instance
 `parent`                | string  | -                 | The name of the host device to join the instance to
diff --git a/lxd/device/device_utils_network.go b/lxd/device/device_utils_network.go
@@ -560,6 +560,44 @@ func networkSetupHostVethLimits(d *deviceCommon, oldConfig deviceConfig.Device,
 		}
 	}
 
+	var networkPriority uint64
+	if d.config["limits.priority"] != "" {
+		networkPriority, err = strconv.ParseUint(d.config["limits.priority"], 10, 32)
+		if err != nil {
+			return fmt.Errorf("Failed to parse limits.priority %q: %w", d.config["limits.priority"], err)
+		}
+	}
+
+	if oldConfig != nil && oldConfig["limits.priority"] != d.config["limits.priority"] {
+		err = d.state.Firewall.InstanceClearNetPrio(d.inst.Project().Name, d.inst.Name(), veth)
+		if err != nil {
+			return err
+		}
+	}
+
+	if oldConfig == nil || (oldConfig != nil && oldConfig["limits.priority"] != d.config["limits.priority"]) {
+		if networkPriority != 0 {
+			if bridged && d.state.Firewall.String() == "xtables" {
+				return fmt.Errorf("Failed to setup instance device network priority. The xtables firewall driver does not support required functionality.")
+			}
+
+			err = d.state.Firewall.InstanceSetupNetPrio(d.inst.Project().Name, d.inst.Name(), veth, uint32(networkPriority))
+			if err != nil {
+				return fmt.Errorf("Failed to setup instance device network priority: %w", err)
+			}
+		}
+	}
+
+	return nil
+}
+
+// networkClearHostVethLimits clears any network rate limits to the veth device specified in the config.
+func networkClearHostVethLimits(d *deviceCommon) error {
+	err := d.state.Firewall.InstanceClearNetPrio(d.inst.Project().Name, d.inst.Name(), d.config["host_name"])
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 
diff --git a/lxd/device/nic.go b/lxd/device/nic.go
@@ -26,6 +26,7 @@ func nicValidationRules(requiredFields []string, optionalFields []string, instCo
 		"limits.ingress":                       validate.IsAny,
 		"limits.egress":                        validate.IsAny,
 		"limits.max":                           validate.IsAny,
+		"limits.priority":                      validate.Optional(validate.IsUint32),
 		"security.mac_filtering":               validate.IsAny,
 		"security.ipv4_filtering":              validate.IsAny,
 		"security.ipv6_filtering":              validate.IsAny,
diff --git a/lxd/device/nic_bridged.go b/lxd/device/nic_bridged.go
@@ -75,6 +75,7 @@ func (d *nicBridged) validateConfig(instConf instance.ConfigReader) error {
 		"limits.ingress",
 		"limits.egress",
 		"limits.max",
+		"limits.priority",
 		"ipv4.address",
 		"ipv6.address",
 		"ipv4.routes",
@@ -456,7 +457,7 @@ func (d *nicBridged) UpdatableFields(oldDevice Type) []string {
 		return []string{}
 	}
 
-	return []string{"limits.ingress", "limits.egress", "limits.max", "ipv4.routes", "ipv6.routes", "ipv4.routes.external", "ipv6.routes.external", "ipv4.address", "ipv6.address", "security.mac_filtering", "security.ipv4_filtering", "security.ipv6_filtering"}
+	return []string{"limits.ingress", "limits.egress", "limits.max", "limits.priority", "ipv4.routes", "ipv6.routes", "ipv4.routes.external", "ipv6.routes.external", "ipv4.address", "ipv6.address", "security.mac_filtering", "security.ipv4_filtering", "security.ipv6_filtering"}
 }
 
 // Add is run when a device is added to a non-snapshot instance whether or not the instance is running.
@@ -800,6 +801,14 @@ func (d *nicBridged) Stop() (*deviceConfig.RunConfig, error) {
 		return nil, err
 	}
 
+	// Populate device config with volatile fields (hwaddr and host_name) if needed.
+	networkVethFillFromVolatile(d.config, d.volatileGet())
+
+	err = networkClearHostVethLimits(&d.deviceCommon)
+	if err != nil {
+		return nil, err
+	}
+
 	// Setup post-stop actions.
 	runConf := deviceConfig.RunConfig{
 		PostHooks: []func() error{d.postStop},
diff --git a/lxd/device/nic_p2p.go b/lxd/device/nic_p2p.go
@@ -37,6 +37,7 @@ func (d *nicP2P) validateConfig(instConf instance.ConfigReader) error {
 		"limits.ingress",
 		"limits.egress",
 		"limits.max",
+		"limits.priority",
 		"ipv4.routes",
 		"ipv6.routes",
 		"boot.priority",
@@ -67,7 +68,7 @@ func (d *nicP2P) UpdatableFields(oldDevice Type) []string {
 		return []string{}
 	}
 
-	return []string{"limits.ingress", "limits.egress", "limits.max", "ipv4.routes", "ipv6.routes"}
+	return []string{"limits.ingress", "limits.egress", "limits.max", "limits.priority", "ipv4.routes", "ipv6.routes"}
 }
 
 // Start is run when the device is added to a running instance or instance is starting up.
@@ -199,6 +200,14 @@ func (d *nicP2P) Update(oldDevices deviceConfig.Devices, isRunning bool) error {
 
 // Stop is run when the device is removed from the instance.
 func (d *nicP2P) Stop() (*deviceConfig.RunConfig, error) {
+	// Populate device config with volatile fields (hwaddr and host_name) if needed.
+	networkVethFillFromVolatile(d.config, d.volatileGet())
+
+	err := networkClearHostVethLimits(&d.deviceCommon)
+	if err != nil {
+		return nil, err
+	}
+
 	runConf := deviceConfig.RunConfig{
 		PostHooks: []func() error{d.postStop},
 	}
diff --git a/lxd/device/nic_routed.go b/lxd/device/nic_routed.go
@@ -43,7 +43,7 @@ func (d *nicRouted) UpdatableFields(oldDevice Type) []string {
 		return []string{}
 	}
 
-	return []string{"limits.ingress", "limits.egress", "limits.max"}
+	return []string{"limits.ingress", "limits.egress", "limits.max", "limits.priority"}
 }
 
 // validateConfig checks the supplied config for correctness.
@@ -69,6 +69,7 @@ func (d *nicRouted) validateConfig(instConf instance.ConfigReader) error {
 		"limits.ingress",
 		"limits.egress",
 		"limits.max",
+		"limits.priority",
 		"ipv4.gateway",
 		"ipv6.gateway",
 		"ipv4.routes",
@@ -588,6 +589,14 @@ func (d *nicRouted) Update(oldDevices deviceConfig.Devices, isRunning bool) erro
 
 // Stop is run when the device is removed from the instance.
 func (d *nicRouted) Stop() (*deviceConfig.RunConfig, error) {
+	// Populate device config with volatile fields (hwaddr and host_name) if needed.
+	networkVethFillFromVolatile(d.config, d.volatileGet())
+
+	err := networkClearHostVethLimits(&d.deviceCommon)
+	if err != nil {
+		return nil, err
+	}
+
 	runConf := deviceConfig.RunConfig{
 		PostHooks: []func() error{d.postStop},
 	}

-Original file line number
+Diff line change
 ZFS
 zpool
 zpools
 +qdisc