There are limits per HV how many root/switch ports can be created. We need to make sure that we're not exceeding those limits otherwise we get cryptic memory errors.

For QEMU we have a limit of 16 root ports or 16 switch ports or 64KB IO memory each root or switch port taking up of default 4K IO memory.

@BbolroC One outstanding thing to clarify is can we attach VFIO-AP devices to a root-port? This way we can drop the support for legacy bridges altogether.

There are limits per HV how many root/switch ports can be created. We need to make sure that we're not exceeding those limits otherwise we get cryptic memory errors.

For QEMU we have a limit of 16 root ports or 16 switch ports or 64KB IO memory each root or switch port taking up of default 4K IO memory.

Yes, sir. without KEP-4113 support, we need introduce many related codes to do such work which seems hacking to me.
But I am thinking how to address this problem and will make it be more friendly for the future KEP-4113 or sandbox API.

I have pulled request for get bar max memory in another PR. And I am looking forward to your INPUT @zvonkok @BbolroC

I have tested it with related PRs and get the SWITHCH PORT output as below:

configuration

hotplug_vfio_on_root_bus = true
pcie_switch_port = 4

~/kata-cdi/apokleos/kata-containers/src/runtime-rs# ctr run -t --device /dev/vfio/75 --device /dev/vfio/76 --device /dev/vfio/214 --device /dev/vfio/215 --rm --runtime io.containerd.kata.v2 "$image" debug0456789 /bin/bash
[root@localhost /]# lspci -tvnn
-[0000:00]-+-00.0  Intel Corporation 82G33/G31/P35/P31 Express DRAM Controller [8086:29c0]
           +-01.0  Red Hat, Inc. Virtio RNG [1af4:1005]
           +-02.0-[01]--
           +-03.0-[02]--
           +-04.0  Red Hat, Inc. Virtio SCSI [1af4:1004]
           +-05.0  Red Hat, Inc. Virtio socket [1af4:1053]
           +-06.0  Red Hat, Inc. Virtio file system [1af4:105a]
           +-07.0-[03-08]----00.0-[04-08]--+-00.0-[05]----00.0  NVIDIA Corporation TU104GL [Tesla T4] [10de:1eb8]
           |                               +-01.0-[06]----00.0  NVIDIA Corporation TU104GL [Tesla T4] [10de:1eb8]
           |                               +-02.0-[07]----00.0  NVIDIA Corporation TU104GL [Tesla T4] [10de:1eb8]
           |                               \-03.0-[08]----00.0  NVIDIA Corporation TU104GL [Tesla T4] [10de:1eb8]
           +-08.0  Red Hat, Inc. Virtio console [1af4:1003]
           +-1f.0  Intel Corporation 82801IB (ICH9) LPC Interface Controller [8086:2918]
           +-1f.2  Intel Corporation 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA Controller [AHCI mode] [8086:2922]
           \-1f.3  Intel Corporation 82801I (ICH9 Family) SMBus Controller [8086:2930]

get the root ports

           +-07.0-[03]--
           +-08.0-[04]--

the shell command

configuration

...
hotplug_vfio_on_root_bus = true

# Before hot plugging a PCIe device, you need to add a pcie_root_port device.
# Use this parameter when using some large PCI bar devices, such as Nvidia GPU
# The value means the number of pcie_root_port
# This value is valid when hotplug_vfio_on_root_bus is true and machine_type is "q35"
# Default 0
pcie_root_port = 2

[root@localhost /]# lspci -tvnn
-[0000:00]-+-00.0  Intel Corporation 82G33/G31/P35/P31 Express DRAM Controller [8086:29c0]
           +-01.0  Red Hat, Inc. Virtio RNG [1af4:1005]
           +-02.0-[01]--
           +-03.0-[02]--
           +-04.0  Red Hat, Inc. Virtio SCSI [1af4:1004]
           +-05.0  Red Hat, Inc. Virtio socket [1af4:1053]
           +-06.0  Red Hat, Inc. Virtio file system [1af4:105a]
           +-07.0-[03]--
           +-08.0-[04]--
           +-09.0  Red Hat, Inc. Virtio console [1af4:1003]
           +-1f.0  Intel Corporation 82801IB (ICH9) LPC Interface Controller [8086:2918]
           +-1f.2  Intel Corporation 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA Controller [AHCI mode] [8086:2922]
           \-1f.3  Intel Corporation 82801I (ICH9 Family) SMBus Controller [8086:2930]
[root@localhost /]# 

@BbolroC One outstanding thing to clarify is can we attach VFIO-AP devices to a root-port? This way we can drop the support for legacy bridges altogether.

Please take a look at the following:

• @hbrueckner 's comment: Support basic capabilities to hotplug VFIO devices to root-port or switch-port for qemu-rs #10361 (comment)
• Add subchannel and VFIO-AP hot-plugging support to qemu-runtime-rs for s390x #10573

Based on my understanding so far, there is no PCI support in s390x QEMU (so no concept like a root/switch port) and a bridge info is not required for VFIO-AP hot-plugging. I will raise a PR for VFIO-AP hot-plugging after this PR and #10362 are merged. Thanks.

hotplug_vfio_on_root_bus = true this is a very old unsupported option. We removed that some time ago. We should use

hot_plug_vfio = "root-port"
cold_plug_vfio = "root-port"

@Apokleos For the switch-port use-case I need to post a QEMU patch. Can you check if the BARs are correctly mapped?

dmesg | grep BAR

@BbolroC One outstanding thing to clarify is can we attach VFIO-AP devices to a root-port? This way we can drop the support for legacy bridges altogether.

Please take a look at the following:

• @hbrueckner 's comment: Support basic capabilities to hotplug VFIO devices to root-port or switch-port for qemu-rs #10361 (comment)
• Add subchannel and VFIO-AP hot-plugging support to qemu-runtime-rs for s390x #10573

Based on my understanding so far, there is no PCI support in s390x QEMU (so no concept like a root/switch port) and a bridge info is not required for VFIO-AP hot-plugging. I will raise a PR for VFIO-AP hot-plugging after this PR and #10362 are merged. Thanks.

Thx Choi @BbolroC, I'd like to know that there's some work in my PR I can do for you which can help your coming works ? If any ideas, please let me know.

hotplug_vfio_on_root_bus = true this is a very old unsupported option. We removed that some time ago. We should use

hot_plug_vfio = "root-port"
cold_plug_vfio = "root-port"

Sure. the coming updated PR will remove this option.

@Apokleos I am wondering how we're dealing with different archs, in the go-runtime we have different implementation for different architectures like x86 - s390x how are we dealing it with in runtime-rs?
A good example is that in x86 we do not need the bridge but s390x needs it. So we shouldn't introduce the bridge in x86 but only have it enabled in s390x.

Thanks @Apokleos for this huge piece of work in a well-formatted PR! :-) I'm approving but frankly I'd prefer if you could deal with some of the remaining suggestions by @gkurz and @BbolroC either by incorporating them and resolving the pertinent conversations, or by documenting your reasons why not to incorporate them.

I've resolved my conversations for clarity that you've dealt with.

Thx Pavel @pmores.
Yes, absolutely I will do. As I have promissed @zvonkok I will clean up these left comments.

hotplug_vfio_on_root_bus = true this is a very old unsupported option. We removed that some time ago. We should use

hot_plug_vfio = "root-port"
cold_plug_vfio = "root-port"

I'd like to create an issue to do this work

hotplug_vfio_on_root_bus = true this is a very old unsupported option. We removed that some time ago. We should use

hot_plug_vfio = "root-port"
cold_plug_vfio = "root-port"

I think we should address it in another PR, ahead of it, I open an issue to track it

Hi @zvonkok @pmores @BbolroC I have updated the PR, and try to address the left comments. Is there any stuff I need address before it's merged ? It is with do-not-merge before your ACK.

Thanks for the update. I am fine with merging this. 👍

Hey @Apokleos , I'd still be in favour of mentioning the root/switch port counts limitation in the config file template but I'm fine merging this with or without that change. Thanks!

@Apokleos What happens if a VFIO device is hot-plugged to a root-port and the workload fails to start and the container is restarted. Is the root-port freed up? Can it be reused once he container restarts?

@zvonkok I don't think this PR deals with hotplugging at all.

Hey @Apokleos , I'd still be in favour of mentioning the root/switch port counts limitation in the config file template but I'm fine merging this with or without that change. Thanks!

Thx Pavel @pmores
I hope my explanation makes sense. When I initially designed this, the primary goal was to align with the runtime-go's implementation to ensure functional consistency.

Secondly, it's aimed for a simpler pcie topology that could still support advanced features for devices like GPUs. It's what the limitation only one port device type(RootPort or SwitchPort) exists in a pod/VM.

I also spent some time considering if there were scenarios requiring both a dedicated root port and a combined root/switch port or called switch port, but couldn't identify any clear use cases. That's what led to the current design.

However, I'm certainly open to making adjustments in future implementations if such scenarios do arise.

@Apokleos What happens if a VFIO device is hot-plugged to a root-port and the workload fails to start and the container is restarted. Is the root-port freed up? Can it be reused once he container restarts?

Thx @zvonkok This PR will not involve the vfio device hotplugging stuff, and the following one will do. But IMO, it's a point worth discussing. As I understand, continuously hot-plugging devices from VM isn't very reliable at the moment, so we might need to have a deep discussion about it based on the PR #10362.