Mirantis Container Cloud (MCC) becomes part of Mirantis OpenStack for Kubernetes (MOSK)!
Starting with MOSK 25.2, the MOSK documentation set will cover all product layers, including MOSK management (formerly MCC). This means everything you need will be in one place. The separate MCC documentation site will be retired, so please update your bookmarks for continued easy access to the latest content.
SR-IOV Spoof Check control for Tungsten Fabric¶
Available since MOSK 24.2 TechPreview
MOSK provides the capability to enable SR-IOV Spoof Check control with the Neutron Tungsten Fabric backend.
The capability can be useful for certain network configurations. For example, you might need to allow traffic from a virtual function interface even when its MAC address does not match the MAC address inside the virtual machine. In this scenario, known as MAC spoofing, disabling spoof check enables the traffic to pass through regardless of the MAC address mismatch.
Caution
Certain NICs and drivers may not handle the spoofchk
setting.
For example, the Intel 82599ES NIC paired with the ixgbe driver disregards
the spoofchk
setting when VLAN tagging is enabled. Therefore, ensure
compatibility with your hardware configuration regarding spoofchk
handling before proceeding.
To enable SR-IOV Spoof Check control for Tungsten Fabric, enable SR-IOV
interfaces handling by Nova os-vif
plugin in the OpenStackDeployment
custom resource:
services:
compute:
nova:
values:
conf:
nova:
workarounds:
pass_hwveb_ports_to_os_vif_plugin: true
Now, you can enable and disable spoof checking for certain SR-IOV ports through the OpenStack CLI. To disable spoof checking on an SR-IOV port:
openstack port set --no-security-group --disable-port-security <SRIOV-PORT>
To enable spoof checking on an SR-IOV port:
openstack port set --enable-port-security <SRIOV-PORT>