alitech Posted February 27, 2021

Hi all,

I don't know what I am doing wrong here and I hope someone can help me out. I need to isolate a Windows VM with its own network interface for security reasons. I have followed spaceinvaders guide on how to pass through. However, when I assign a network port to the VM, it does not start and gives me this issue. My system devices are all in an attachment as well as the flash drive settings with the vfio. What have I done wrong here? The VM works when I remove the dedicated network port but not without. Is there a quick fix on this?

tbonedude420 Posted February 27, 2021

Hello. Not an expert, not even close, but found myself in a similar pickle, and again, spaceinvaderone was there to the rescue.

My assumption is you need to further split the IOMMU groups in regards to the quad network adapter; as shown in the picture, they are all responding with the same xxxx:xxxx PCI identifier.

I see you tried to append the kernel, no luck I'm guessing? I see one entry... shouldn't there be 4? One for each of the NICs on the card?

Similar thread here.

SimonF Posted February 27, 2021

The card is not in its own IOMMU group so cannot be used. You may need to look at the ACS Override in the VM settings or unsafe interrupts.

alitech Posted February 28, 2021 Author

6 hours ago, tbonedude420 said:

> Hello. Not an expert, not even close, but found myself in a similar pickle, and again, spaceinvaderone was there to the rescue.
>
> My assumption is you need to further split the IOMMU groups in regards to the quad network adapter; as shown in the picture, they are all responding with the same xxxx:xxxx PCI identifier.
>
> I see you tried to append the kernel, no luck I'm guessing? I see one entry... shouldn't there be 4? One for each of the NICs on the card?
>
> Similar thread here.

Thank you for taking the time to respond to me. I did look at this video and also the other thread. I tried ACS downstream, multifunction and also tried to just use the PCIe identifier in ACS; all didn't really work. What both the thread or the video doesn't show is how to split a NIC which has the same PCIe ID across the 4 ports.

In the devices, I can see 4 with their individual addresses:

[8086:10c9] 25:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
[8086:10c9] 25:00.1 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
[8086:10c9] 26:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
[8086:10c9] 26:00.1 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)

These 4 ports are what I want to see available in "other devices". I want to assign 1 port to each VM I am going to run. I don't know what to put in the kernel to make these 4 ports isolated from unraid and available only to VMs.

Any help is much appreciated.

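Added example, not part of any post in this thread: a shell check for the condition SimonF describes, listing which PCI functions share an IOMMU group with a given port. The PCI addresses are taken from the device list above with the 0000 domain assumed; the group numbers, the grouping, the function names and the optional sysfs-root argument are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example. The second argument (sysfs root) exists only so the functions
# can run against a constructed tree; on a real host omit it and /sys is used.

# Print the IOMMU group number of a PCI function, e.g. 0000:25:00.0.
iommu_group_of() {
    local bdf="$1" root="${2:-/sys}" p
    for p in "$root"/kernel/iommu_groups/*/devices/"$bdf"; do
        [ -e "$p" ] || continue          # glob matched nothing
        p=${p%/devices/*}                # strip "/devices/<bdf>"
        echo "${p##*/}"                  # what remains ends in the group number
        return 0
    done
    return 1
}

# Print every other function that shares the group with $1.
iommu_group_peers() {
    local bdf="$1" root="${2:-/sys}" grp d
    grp=$(iommu_group_of "$bdf" "$root") || return 1
    for d in "$root/kernel/iommu_groups/$grp/devices"/*; do
        [ "${d##*/}" = "$bdf" ] || echo "${d##*/}"
    done
}

# Succeeds only when the function is alone in its group. Conservative
# simplification: any peer counts, including PCIe bridges.
is_isolated() {
    local peers
    peers=$(iommu_group_peers "$1" "${2:-/sys}") || return 2
    [ -z "$peers" ]
}

# Constructed layout (NOT the poster's real grouping): both functions of
# 25:00 share group 14, while 26:00.0 and 26:00.1 each have their own group.
make_sample_tree() {
    mkdir -p "$1/kernel/iommu_groups/14/devices/0000:25:00.0" \
             "$1/kernel/iommu_groups/14/devices/0000:25:00.1" \
             "$1/kernel/iommu_groups/15/devices/0000:26:00.0" \
             "$1/kernel/iommu_groups/16/devices/0000:26:00.1"
}

if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d); make_sample_tree "$t"
    for f in 0000:25:00.0 0000:25:00.1 0000:26:00.0 0000:26:00.1; do
        if is_isolated "$f" "$t"; then echo "$f: alone in group $(iommu_group_of "$f" "$t")"
        else echo "$f: shares its group with $(iommu_group_peers "$f" "$t" | tr '\n' ' ')"; fi
    done; rm -rf "$t"
fi
```

Run it with `--demo` to see the constructed tree evaluated; on a real host, source the file and call `is_isolated 0000:25:00.0` with no second argument.
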
SimonF Posted February 28, 2021

Which motherboard do you have and have you checked BIOS options?

alitech Posted February 28, 2021 Author

I was finally able to split out all the IOMMU groups and then isolate each port by doing what this post said:

This allowed me to then assign a port to a VM. Nothing else worked for me. I tried about 20 suggestions but this one was the one for me.

BVD Posted February 28, 2021

@alitech You have an 82756 - if you don't want to restrict the card to solely being used in that one VM, I finally finished up this guide that might be helpful:

If you end up trying it out, I'd appreciate any feedback on issues you have, as I don't have an i350 at home to validate with (and can't get to mine right now thanks to this freakin pandemic).

Edited February 28, 2021 by BVD

alitech Posted February 28, 2021 Author

26 minutes ago, BVD said:

> @alitech You have an 82756 - if you don't want to restrict the card to solely being used in that one VM, I finally finished up this guide that might be helpful:
>
> If you end up trying it out, I'd appreciate any feedback on issues you have, as I don't have an i350 at home to validate with (and can't get to mine right now thanks to this freakin pandemic).

Very comprehensive write-up. I am wondering if you could do a video for this and showcase how the NICs can be split up and how they become available to VMs. I am also unsure if the method you warn about to try at my own risk is actually needed or not, or will I get everything I need up to that point?

Currently I have broken up all the IOMMU groups and I am seeing a warning there. I am guessing your method has nothing to do with IOMMU groups.

Thanks for making this guide, I just need to ensure what the benefits are before I attempt this. I am not an expert and Linux is the equivalent of rocket science to me right now, so I don't want to do anything that might permanently break my setup. I have a lot of data I stand to lose otherwise.

BVD Posted February 28, 2021

Nah, you don't have to care about IOMMU groups for either one of the methods. You do need to add to your syslinux though:

    intel_iommu=pt

I guess I (incorrectly) assumed everyone would've already had that, I'll get it added to the guide once I have time. I've got the device specific recommendations coming up once I find the time to get them formatted properly (already have the comment reserved and content created, just need to make it into the forum format).

The first post has the benefits and details on SR-IOV, why it exists, etc, within both my comments, as well as reference information in a few of the links at the bottom (the YT video would be particularly helpful if you're new to it all).

Don't want to hijack this thread (keep the searchability easier), so feel free to comment there with anything further related to SR-IOV if you would. Thanks!