Aaron Conole [Wed, 8 Aug 2018 00:34:52 +0000 (20:34 -0400)]
table: fix html buffer output
Prior to this commit, html output exhibits a doppler effect for
content by continually printing strings passed from
table_print_html_cell.
Fixes: cb139fa8b3a1 ("table: New function table_format() for formatting a table as a string.") Cc: Ben Pfaff <blp@ovn.org> Cc: Jakub Sitnicki <jsitnicki@gmail.com> Signed-off-by: Aaron Conole <aconole@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Aaron Conole [Wed, 8 Aug 2018 00:34:51 +0000 (20:34 -0400)]
table: append newline when printing tables
With commit cb139fa8b3a1 ("table: New function table_format() for
formatting a table as a string.") a new mechanism for formatting
tables was introduced, and the table_print method was refactored to
use this.
During that refactor, calls to 'puts' were replaced with
'ds_put_cstr', and table print was changed to use 'fputs(...,
stdout)'. Unfortunately, fputs() does not append a newline to the
string provided, and changes the output strings of, for example,
ovsdb-client dump to print all on one line. This means
post-processing scripts that are chained after ovsdb-client would
either block indefinitely (if they don't detect EOF), or process the
entire bundle at once (rather than seeing each table on a separate
line).
Fixes: cb139fa8b3a1 ("table: New function table_format() for formatting a table as a string.") Cc: Ben Pfaff <blp@ovn.org> Cc: Jakub Sitnicki <jsitnicki@gmail.com> Reported-by: Terry Wilson <twilson@redhat.com>
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1608508 Signed-off-by: Aaron Conole <aconole@redhat.com> Suggested-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Terry Wilson <twilson@redhat.com> Tested-by: Terry Wilson <twilson@redhat.com>
In the case there was no sorting criteria the flows on Windows were being
rearranged because it was always returning zero.
Also check whether sorting is needed at all, to save a few cycles.
CC: Ben Pfaff <blp@ovn.org> Co-authored-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
Markos Chandras [Wed, 8 Aug 2018 14:27:25 +0000 (17:27 +0300)]
rhel: Use correct user in the logrotate configuration file
The /var/log/openvswitch directory is owned by the openvswitch user but
logrotate could be running as root or as another user. As a result of
which, rpmlint prints the following warning when building the spec file
on SUSE Linux Enterprise:
openvswitch.x86_64: W: suse-logrotate-user-writable-log-dir /var/log/openvswitch openvswitch:openvswitch 0750
The log directory is writable by unprivileged users. Please fix the
permissions so only root can write there or add the 'su' option
to your logrotate config
In order to fix that, we should run the logrotate script as the same
user which runs the various Open vSwitch daemons. If this is a new
installation, then this user is the 'openvswitch' one, but if we are
upgrading from an older release, then the user is normally 'root'.
As such, we set the initial user to 'root' and we fix this up in the
%post scriptlet.
Justin Pettit [Tue, 7 Aug 2018 23:45:26 +0000 (16:45 -0700)]
datapath: meter: Fix setting meter id for new entries
Upstream commit:
From: Justin Pettit <jpettit@ovn.org>
Date: Sat, 28 Jul 2018 15:26:01 -0700
Subject: [PATCH] openvswitch: meter: Fix setting meter id for new entries
The meter code would create an entry for each new meter. However, it
would not set the meter id in the new entry, so every meter would appear
to have a meter id of zero. This commit properly sets the meter id when
adding the entry.
Fixes: 96fbc13d7e77 ("openvswitch: Add meter infrastructure") Signed-off-by: Justin Pettit <jpettit@ovn.org> Cc: Andy Zhou <azhou@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: Justin Pettit <jpettit@ovn.org> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Han Zhou [Tue, 7 Aug 2018 02:44:02 +0000 (19:44 -0700)]
ovn-trace: Fix warnings when port is found but not in current datapath.
When port group is used, ovn-trace may print warnings like this:
$ ovn-trace ls1 'inport == "lp111" && eth.src == f0:00:00:00:01:11 && eth.dst == f0:00:00:00:01:12 && ip4.src == 192.168.11.1 && ip4.dst == 192.168.11.2 && ip.ttl == 10'
2018-08-02T01:43:23Z|00001|ovntrace|WARN|lp211: not in datapath ls1
2018-08-02T01:43:23Z|00002|ovntrace|WARN|lp211: unknown logical port
2018-08-02T01:43:23Z|00003|ovntrace|WARN|lp221: not in datapath ls1
2018-08-02T01:43:23Z|00004|ovntrace|WARN|lp221: unknown logical port
2018-08-02T01:43:23Z|00005|ovntrace|WARN|lp231: not in datapath ls1
2018-08-02T01:43:23Z|00006|ovntrace|WARN|lp231: unknown logical port
There are 2 warnings:
For the first one, it might be reasonable
before port group is supported, but now since ports in a port group
can span across multiple datapaths, this situation is normal, and
warning should not be printed.
For the second one, it is misleading, and it should not be printed
in this situation even before port group is supported. It should be
printed only if the port is not found at all.
This patch fixes both.
Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mark Michelson <mmichels@redhat.com>
Han Zhou [Tue, 7 Aug 2018 02:44:01 +0000 (19:44 -0700)]
ovn-northd: Improve efficiency of stateful checking for ACLs on port groups.
Currently in has_stateful_acl(), to check if a datapath has stateful ACLs,
it needs to iterate all port groups and check if the current datapath is
related to each port group, and then iterate the ACLs on the port group. This
is inefficient if there are a lot of port groups. A typical scenario is in
OpenStack each tenant will have a default security group which will be mapped
as a port group, and the default security group is supposed to contain ports
of the tenant only, so most likely only the logical switches belonging to the
tenant should be related to the port group, but we are checking all the port
groups belonging to all tenants for each datapath.
To improve this, a reverse direction of hmap is built from logical switch to
port group, so that the iteration is avoided. The time complexity of this
function improves from O(P * A) to O(PL * A), P = total number of port groups
in NB, PL = number of port groups related to the logical switch, A = number
of ACLs.
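The reverse mapping described above can be sketched as follows. This is a minimal Python illustration, not the ovn-northd code: the dictionary layout and the helper names `build_switch_to_port_groups` and `has_stateful_acl` (as written here) are assumptions made for the example, and "allow-related" is used as the marker of a stateful ACL.

```python
from collections import defaultdict


def build_switch_to_port_groups(port_groups, port_to_switch):
    """Map each logical switch to the port groups that have a port on it."""
    index = defaultdict(set)
    for pg_name, pg in port_groups.items():
        for port in pg["ports"]:
            index[port_to_switch[port]].add(pg_name)
    return index


def has_stateful_acl(switch, index, port_groups):
    """Visit only the PL port groups related to `switch`, not all P groups."""
    return any(
        acl["action"] == "allow-related"
        for pg_name in index.get(switch, ())
        for acl in port_groups[pg_name]["acls"]
    )


# Hypothetical data: one default security group per tenant.
port_groups = {
    "pg_tenant1": {"ports": ["lp11", "lp12"],
                   "acls": [{"action": "allow-related"}]},
    "pg_tenant2": {"ports": ["lp21"],
                   "acls": [{"action": "drop"}]},
}
port_to_switch = {"lp11": "ls1", "lp12": "ls1", "lp21": "ls2"}
index = build_switch_to_port_groups(port_groups, port_to_switch)
```

Building the index costs one pass over all port groups, after which each per-datapath check touches only the groups that actually have ports on that switch.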
Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mark Michelson <mmichels@redhat.com>
wenxu [Sat, 4 Aug 2018 08:31:36 +0000 (16:31 +0800)]
datapath: support upstream ndo_udp_tunnel_add in net_device_ops
This lets the datapath support both ndo_udp_tunnel_add and
ndo_add_vxlan/geneve_port. Newer kernels no longer support the
vxlan/geneve-specific NDOs.
Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Ben Pfaff <blp@ovn.org> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Tested-by: Greg Rose <gvrose8192@gmail.com>
After commit ffc2b6ee4174 ("ip_gre: fix IFLA_MTU ignored on NEWLINK")
variable t_hlen is assigned values that are never read,
hence they are redundant and can be removed.
Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: YueHaibing <yuehaibing@huawei.com> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Xin Long [Tue, 7 Aug 2018 21:48:52 +0000 (14:48 -0700)]
ip_gre: fix IFLA_MTU ignored on NEWLINK
Upstream commit:
From: Xin Long <lucien.xin@gmail.com>
Date: Tue, 27 Feb 2018 19:19:39 +0800
Subject: [PATCH] ip_gre: fix IFLA_MTU ignored on NEWLINK
It's safe to remove the setting of dev's needed_headroom and mtu in
__gre_tunnel_init, as discussed in [1], ip_tunnel_newlink can do it
properly.
Now Eric noticed that this could overwrite the mtu value set in do_setlink
when creating an ip_gre dev, so the IFLA_MTU param does not take effect.
So this patch is to remove them to make IFLA_MTU work, as in other
ipv4 tunnels.
[1]: https://patchwork.ozlabs.org/patch/823504/
Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") Reported-by: Eric Garver <e@erig.me> Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Part of this commit already made it into __gre_tunnel_init but
the piece for erspan_tunnel_init did not make it in so fix that
now.
Cc: Xin Long <lucien.xin@gmail.com> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Thu, 12 Jul 2018 21:55:31 +0000 (14:55 -0700)]
tests: Ignore recirc_id in "MPLS xlate action" test.
When I run this test with DPDK enabled, it fails because it ends up using
a different recirculation ID than when DPDK is not enabled. I guess that's a
little weird but the recirculation IDs are not supposed to be significant,
so this change makes the test ignore it.
Zak Whittington [Tue, 7 Aug 2018 21:13:17 +0000 (14:13 -0700)]
ofproto-dpif-xlate: use new info-level logging helper when sending out an in_port
Added new helper function similar to xlate_report_error called
xlate_report_info that logs info-level messages, and used that
function to add an extra log message when attempting to send
out an in-port.
VMware-BZ: 2158607 Signed-off-by: Zak Whittington <zwhitt.vmware@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Tue, 24 Jul 2018 19:53:20 +0000 (12:53 -0700)]
ovn-nbctl: Make daemon mode more transparent.
This makes ovn-nbctl transparently use daemon mode if an appropriate
environment variable is set.
It also transforms ovn-nbctl.at so that it runs each ovn-nbctl test in
"direct" mode and in daemon mode. It uses a combination of m4 macros and
shell functions to keep from expanding the generated testsuite more than
necessary.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mark Michelson <mmichels@redhat.com>
Ben Pfaff [Mon, 6 Aug 2018 21:35:27 +0000 (14:35 -0700)]
raft: Fix use-after-free error in raft_store_snapshot().
raft_store_snapshot() constructs a new snapshot in a local variable then
destroys the current snapshot and replaces it by the new one. Until now,
it has not cloned the data in the new snapshot until it did the
replacement. This led to the unexpected consequence that, if 'servers' in
the old and new snapshots was the same, then it would first be freed and
later cloned, which could cause a segfault.
Multiple people reported the crash. Gurucharan Shetty provided a
reproduction case.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mark Michelson <mmichels@redhat.com>
Ilya Maximets [Wed, 1 Aug 2018 15:54:22 +0000 (18:54 +0300)]
ovs-vtep: Pass log level arguments to underlying utils.
Control utils should be called with the same verbose level
at least to manage output to system logs. For example, to
disable unwanted syslog messages in unit tests or to enable
higher debug levels if needed.
New arguments added before '-vconsole:off' because it's
still inconvenient to have console output.
Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
When ovsdb-server is starting, it performs some DB steps such as
creating and upgrading the OvS DB. When we are running as
'non-root' user, the 'runuser' tool is used to manage the privileges.
However, when this happens during systemd boot, we observe the following
errors in journald:
Jun 21 07:32:57 virt systemd[1]: session-c1.scope: Failed to add PIDs to
scope's control group: No such process
Jun 21 07:32:57 virt systemd[1]: Failed to start Session c1 of user openvswitch.
Jun 21 07:32:57 virt systemd[1]: session-c1.scope: Unit entered failed state.
According to the analysis performed on openSUSE bugzilla[1], it seems
that ovsdb-server.service creates (via the call to runuser) a user
session and therefore calls pam_systemd, which in turn tries to start
a systemd user instance: "user@474.service". However "user@474.service"
is supposed to be started after systemd-user-sessions.service which is
supposed to be started after network.target. Additionally,
ovsdb-server.service uses Before=network.target hence the deadlock.
This commit uses "setpriv" instead of "runuser" to launch "ovsdb-tool".
"setpriv" does not use PAM, so "ovsdb-tool" can be launched as a user
without hitting the deadlock. Since some old versions of "setpriv" (such as
the one used by RHEL7) do not support user names / group names, only
user IDs / group IDs, "id" is used to get the user ID and the group IDs.
To replicate the same behaviour of "runuser", the effective group ID of
the user is used as GID (usually "openvswitch") and the remaining group
IDs are used as supplementary groups (usually "hugetlbfs", if OVS is
built with DPDK support).
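As a rough illustration of the ID handling described above, the sketch below builds a setpriv command line from numeric IDs. It is a Python model, not the shell code from the commit: the function name `setpriv_argv` is hypothetical, the IDs are made up (474 is borrowed from the "user@474.service" example), and the choice of --reuid, --regid, --groups and --clear-groups is an assumption about which setpriv options fit the description.

```python
def setpriv_argv(uid, gid, groups, command):
    """Build a setpriv argv from numeric IDs.

    uid and gid stand for the output of "id -u" and "id -g"; groups stands
    for the full list printed by "id -G". Everything here is illustrative.
    """
    # The effective group becomes the GID; the rest are supplementary groups.
    supplementary = [g for g in groups if g != gid]
    argv = ["setpriv", "--reuid", str(uid), "--regid", str(gid)]
    if supplementary:
        argv += ["--groups", ",".join(str(g) for g in supplementary)]
    else:
        # setpriv wants an explicit group policy whenever the GID is changed.
        argv.append("--clear-groups")
    return argv + list(command)


with_dpdk = setpriv_argv(474, 474, [474, 1001], ["ovsdb-tool", "create"])
without_dpdk = setpriv_argv(474, 474, [474], ["ovsdb-tool", "create"])
```

Passing numeric IDs only keeps the command line usable with setpriv versions that do not resolve user or group names.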
Darrell Ball [Mon, 6 Aug 2018 17:55:26 +0000 (10:55 -0700)]
dpctl: Simplify dpctl_flush_conntrack.
The function dpctl_flush_conntrack() and other such new functions with
multiple optional arguments can be simplified by reordering the checks
for optional parameters, where the datapath argument is checked for
last.
Signed-off-by: Darrell Ball <dlu998@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
utilities: Install ovs-tcp{dump, undump} also when only Python3 is enabled
Since commit 793bdb6c0500 ("ovs-tcpdump: Fix incompatibilities with python3")
and commit 227abb77d3d1 ("ovs-tcpundump: Fix incompatibilities with python3")
ovs-tcpdump and ovs-tcpundump work with Python3 as well.
This commit allows ovs-tcpdump and ovs-tcpundump to be installed also when
only Python3 is enabled.
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
stream-ssl: Don't enable new TLS versions by default
Currently protocol_flags is populated by the list of SSL and TLS
protocols by hand. This means that when a new TLS version is added to
openssl (in this case TLS v1.3 is added to openssl 1.1.1 beta)
ovsdb-server automatically enables support for it with the default ciphers.
This can be a security problem (since other ciphers can be enabled) and it
also makes a test (SSL db: implementation) fail.
This commit changes the 'protocol_flags' to use the list of all protocol
flags as provided by openssl library (SSL_OP_NO_SSL_MASK) so there is no
need to keep the list updated by hand.
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Tue, 31 Jul 2018 21:51:54 +0000 (14:51 -0700)]
meta-flow: Make mf_vl_mff_mf_from_nxm_header() require a valid field.
All the users of mf_vl_mff_mf_from_nxm_header() expect it to always obtain
a valid field or to report an error. In practice, it did not report an
error in the case where the field was unknown (although it did report an
error in some other cases). This commit fixes the problem.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9652 Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
Ben Pfaff [Wed, 25 Jul 2018 21:10:26 +0000 (14:10 -0700)]
ovsdb-tool: Only check leader completeness when we can, in "check-cluster".
Generally when we know the leader for a term, in "check-cluster", it's
because we read that leader's log file. In that case, we have the leader's
log_end because it told us. However, taking a snapshot can discard that
data. In that case, log_end is 0 and we should not try to check for leader
completeness on that basis.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mark Michelson <mmichels@redhat.com>
Ben Pfaff [Wed, 25 Jul 2018 20:57:38 +0000 (13:57 -0700)]
ovsdb-tool: Read server headers first, before full logs, in "check-cluster".
Having the headers available before reading the complete logs means that
server IDs can be associated with the server file names earlier, which can
improve error messages in some cases.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mark Michelson <mmichels@redhat.com>
Ben Pfaff [Wed, 25 Jul 2018 17:55:59 +0000 (10:55 -0700)]
tests: Fix use of variable in cluster torture test.
remove_server() is supposed to deal with its argument $i, not $victim. In
this case they happen to have the same value so the difference is moot,
but it's still best to be clear.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mark Michelson <mmichels@redhat.com>
Ben Pfaff [Wed, 25 Jul 2018 17:31:47 +0000 (10:31 -0700)]
tests: Fix cluster torture test.
A previous commit to improve timing also caused the cluster torture test to
be skipped (unless it failed early). This is related to the shell "while"
loop's use of a variable $phase to indicate how far it got in the test
procedure. A very fast machine, or one on which the races went just the
right way, might finish the test before all the torture properly starts, so
the code is designed to just skip the test if that happens. However, a
commit to improve the accuracy ended up skipping it all the time.
Prior to the timing commit, the loop looked something like this:
phase=0
while :; do
...things that eventually increment $phase to 2...
done
AT_SKIP_IF([test $phase != 2])
This works fine.
The timing commit changed the "while :" to "(...something...) | while
read". This looks innocuous but it actually causes everything inside the
"while" loop to run in a subshell. Thus, the increments to $phase are not
visible after the loop ends, and the test always gets skipped.
This commit fixes the problem by storing the phase in a file instead of a
shell variable.
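The subshell effect and the file-based fix can be reproduced in isolation. The sketch below is not the testsuite code: it drives two tiny sh scripts from Python, and the script contents, the file name "phase", and the helper `run_sh` are all made up for the illustration. It assumes that "sh" is a shell such as bash or dash that runs every stage of a pipeline in a subshell.

```python
import subprocess
import tempfile


def run_sh(script, cwd=None):
    """Run a script with sh and return its standard output, stripped."""
    result = subprocess.run(["sh", "-c", script], cwd=cwd,
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


# Piping into "while read" moves the loop body into a subshell, so the
# assignment to $phase is lost when the loop ends.
BROKEN = ("phase=0; "
          "printf 'a\\nb\\n' | while read line; do phase=2; done; "
          "echo $phase")

# Storing the phase in a file survives the subshell boundary.
FIXED = ("echo 0 > phase; "
         "printf 'a\\nb\\n' | while read line; do echo 2 > phase; done; "
         "cat phase")

broken_result = run_sh(BROKEN)
with tempfile.TemporaryDirectory() as tmp:
    fixed_result = run_sh(FIXED, cwd=tmp)
```

Under that assumption about sh, `broken_result` still holds the initial value while `fixed_result` holds the value written inside the loop.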
Fixes: 0f03ae3754ec ("ovsdb: Improve timing in cluster torture test.") Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mark Michelson <mmichels@redhat.com>
Ben Pfaff [Thu, 26 Jul 2018 22:43:27 +0000 (15:43 -0700)]
nx-match: Fix memory leak in oxm_pull_field_array() error case.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9424 Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mark Michelson <mmichels@redhat.com>
Martin Xu [Wed, 1 Aug 2018 23:00:59 +0000 (16:00 -0700)]
rhel: bug fix kmod spec file, rhel6
This patch fixes a scenario that did not work for RHEL7.3 in commit 89dd5819cf18.
When multiple versions are passed in kversion to the spec file, the
variable is used as is for the kernel module paths in the command
weak-modules --add-modules, so the modules cannot be found.
Fixes: 89dd5819cf18 (rhel: support kmod-openvswitch build against
multiple kernels, rhel6)
Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com> CC: Greg Rose <gvrose8192@gmail.com> CC: Ben Pfaff <blp@ovn.org> CC: Flavio Leitner <fbl@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
Martin Xu [Wed, 1 Aug 2018 23:00:58 +0000 (16:00 -0700)]
rhel: support kmod build against multiple 7.2 kernels, rhel6
This patch extends commit 89dd5819cf18 (rhel: support kmod-openvswitch
build against multiple kernels, rhel6) to support building kmod RPMs
with multiple minor revisions within 3.10.0-327 kernels. It was
discovered for RHEL 7.2 that 41.3 minor revision introduced backward
incompatible changes.
Ben Pfaff [Tue, 24 Jul 2018 16:58:56 +0000 (09:58 -0700)]
unixctl: Use absolute paths on Windows too.
When this case was adapted for Windows, abs_file_name() simply didn't work
at all there. Now, it should work OK, and it seems like the right thing
to do, and it makes the code more straightforward too.
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Tue, 24 Jul 2018 16:48:45 +0000 (09:48 -0700)]
util: Fix abs_file_name() bugs on Windows.
abs_file_name() believed that a file name that begins with / or contains :
is absolute and that any other file name is relative. On Windows, this is
wrong in at least the following ways:
* / and \ are interchangeable on Windows.
* A name that begins with \\ or // is also absolute.
* A name that begins with X: but not X:\ is not absolute.
* A name with : in some position other than the second position is
not absolute (although it might not be valid either?).
Furthermore, Windows has more than one current working directory (one per
volume letter), so trying to make a file name absolute by just prefixing
the current working directory for the current volume results in silliness.
This patch attempts to fix the problem.
This makes OVS link against shlwapi, which is needed to use
PathIsRelative().
Found by inspection.
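The four rules listed above can be written down as a small classifier. This is a Python sketch of the rules only, not the abs_file_name() implementation (which, per the message, relies on PathIsRelative()); the function name `is_absolute_windows_name` is hypothetical. A name that begins with a single separator is reported as not absolute here, which is an assumption of the sketch rather than something the commit message states.

```python
def is_absolute_windows_name(name):
    """Classify a file name using only the rules from the list above."""
    s = name.replace("/", "\\")  # "/" and "\" are interchangeable
    if s.startswith("\\\\"):     # \\server\share or //server/share
        return True
    # A drive letter counts only in the first position, with ":" second
    # and a separator third; "X:file" is relative to X:'s current directory.
    return (len(s) >= 3
            and s[0].isascii() and s[0].isalpha()
            and s[1] == ":"
            and s[2] == "\\")


examples = {
    "C:\\dir\\file": is_absolute_windows_name("C:\\dir\\file"),
    "C:/dir/file": is_absolute_windows_name("C:/dir/file"),
    "//server/share": is_absolute_windows_name("//server/share"),
    "C:file": is_absolute_windows_name("C:file"),
    "dir\\a:b": is_absolute_windows_name("dir\\a:b"),
}
```

The old rule ("begins with / or contains :") would have called both "C:file" and "dir\a:b" absolute; the sketch classifies both as relative.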
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
Mark Michelson [Mon, 30 Jul 2018 13:47:45 +0000 (09:47 -0400)]
ovn: Modify restart_controller in ovn-ctl to use --restart
The --restart flag allows packet flow to continue uninterrupted when exiting
ovn-controller. This patch modifies the restart_controller argument to
ovn-ctl to use --restart.
Signed-off-by: Mark Michelson <mmichels@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Mark Michelson [Mon, 30 Jul 2018 13:47:44 +0000 (09:47 -0400)]
ovn: Add '--restart' flag to ovn-controller exit.
When "--restart" is passed to ovn-controller's exit command, then
database entries are not removed for this hypervisor. This means that
* Encaps
* Chassis
* OVS ports
are not removed.
The reasoning is that if the intent is to restart ovn-controller, this
will allow for tunnels to remain up and allow for traffic not to be
interrupted during the restart. When ovn-controller is started again, it
picks back up from where it was.
Signed-off-by: Mark Michelson <mmichels@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Mark Michelson [Thu, 2 Aug 2018 12:52:56 +0000 (08:52 -0400)]
ovn: Allow for automatic dynamic updates of IPAM
OVN offers a method of IP address management that allows for an IPv4 subnet or
IPv6 prefix to be specified on a logical switch. Then by specifying a
switch port's address as "dynamic" or "<mac address> dynamic", OVN will
automatically assign addresses to the switch port.
While this works great for initial assignment of addresses, addresses do
not automatically adjust when changes are made to the switch's
configuration. For instance:
* If the subnet, ipv6_prefix, or exclude_ips for a logical switch
changes, the affected switch ports are not updated.
* If a switch port with a static IP address is added to the switch, and
that address conflicts with a dynamically assigned IP address, the
dynamic address is not updated.
* If a MAC address switched from being statically assigned to
dynamically assigned, the MAC address would not be updated.
* If a statically assigned MAC address changed, then the IPv6 address
would not be updated.
This patch solves all of the above issues by changing the algorithm for
IPAM assignment. There are essentially three steps.
1) While joining logical ports, all statically-assigned addresses (i.e.
any ports without "dynamic" addresses) have their addresses registered
to IPAM. This gives them top priority.
2) All logical ports with dynamic addresses are inspected. Any changes
that must be made to the addresses are collected to be made later. Any
addresses that do not require change are registered to IPAM. This allows
for previously assigned dynamic addresses to be kept.
3) All gathered changes are enacted.
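The three steps above can be modelled in a few lines. The following Python sketch covers IPv4 only and is not the ovn-northd implementation: the port dictionary layout, the function name `assign_ipam`, and the "first free host address" allocation policy are assumptions made for the example, and exclude_ips and MAC handling are left out.

```python
import ipaddress


def assign_ipam(subnet, ports):
    """Return {port name: address} for the dynamic ports of one switch.

    ports maps a name to {"static": address or None,
                          "dynamic": previously assigned address or None}.
    """
    net = ipaddress.ip_network(subnet)
    used = set()

    # Step 1: static addresses are registered first, so they always win.
    for port in ports.values():
        if port["static"]:
            used.add(ipaddress.ip_address(port["static"]))

    # Step 2: keep dynamic addresses that are still valid, defer the rest.
    result, pending = {}, []
    for name, port in ports.items():
        if port["static"]:
            continue
        cur = ipaddress.ip_address(port["dynamic"]) if port["dynamic"] else None
        if cur is not None and cur in net and cur not in used:
            used.add(cur)
            result[name] = str(cur)
        else:
            pending.append(name)

    # Step 3: enact the deferred changes from the remaining free addresses.
    free = (host for host in net.hosts() if host not in used)
    for name in pending:
        addr = next(free)  # raises StopIteration if the subnet is exhausted
        used.add(addr)
        result[name] = str(addr)
    return result


ports = {
    "static1": {"static": "10.0.0.2", "dynamic": None},
    "keep": {"static": None, "dynamic": "10.0.0.3"},
    "conflict": {"static": None, "dynamic": "10.0.0.2"},
    "new": {"static": None, "dynamic": None},
}
assigned = assign_ipam("10.0.0.0/29", ports)
```

In this example "keep" retains its address, while "conflict" is moved because a static port now owns 10.0.0.2. Deferring the changes to step 3 is what lets unchanged dynamic addresses claim their slots before any reassignment happens.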
The change contains new tests that ensure that dynamic addresses are
updated when appropriate.
This patch also alters some existing IPAM tests. Those tests assumed
that dynamic addresses would not be updated automatically, so those
tests either had to be altered or removed.
Signed-off-by: Mark Michelson <mmichels@redhat.com> Acked-by: Jakub Sitnicki <jsitnicki@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Tue, 31 Jul 2018 19:45:41 +0000 (12:45 -0700)]
ovn: Fix typos in "ovn -- Address Set generation..." test.
These caused the test to fail.
CC: Jakub Sitnicki <jkbs@redhat.com> Fixes: 984c7d5ea8fe ("ovn-northd: Propagate dynamic addresses to port group address sets.") Signed-off-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Simon Horman <simon.horman@netronome.com>
Until now we only had optind defined in the header.
Since we are using the BSD getopt variant add opterr and optopt.
Fixes: 3ec06ea9c668 ("ovn-nbctl: Initial support for daemon mode.") Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
This patch modifies ovs-pki to generate X.509 version 3 certificates.
Compared with the X.509 v1 certificates that ovs-pki generated before, a
version 3 certificate adds a subjectAltName field whose value is the same as
the common name (CN). The main reason for this change is to enable
strongSwan IKE daemon to extract certificate identity string from the
subjectAltName field, which makes OVN IPsec implementation easier.
Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Thu, 5 Jul 2018 21:31:00 +0000 (14:31 -0700)]
release-process.rst: Add "soft freeze" stage.
The last few OVS releases have included a "soft freeze" stage in the
release process, but this stage has never been formalized in the
documentation. This adds a description.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Ian Stokes <ian.stokes@intel.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Martin Xu [Tue, 31 Jul 2018 05:47:18 +0000 (22:47 -0700)]
utilities: check datapath exists before conntrack flush
As part of "force-reload-kmod," conntrack flush command is issued as
'action "ovs-appctl dpctl/flush-conntrack"'. In case no datapath exists
yet when issuing "force-reload-kmod," there is an error message
"ovs-vswitchd: no datapaths exist\ ovs-appctl: ovs-vswitchd: server
returned an error", which is harmless but potentially shows up as "FAILED."
Add an if condition to check whether datapath exists before running the
conntrack flush command.
VMware-BZ: #2170402 Fixes: 265d70310c69 ("utilities: Fix conntrack flush command") Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com> CC: Greg Rose <gvrose8192@gmail.com> CC: Aaron Conole <aconole@redhat.com> CC: Justin Pettit <jpettit@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Fri, 15 Jun 2018 23:29:22 +0000 (16:29 -0700)]
ofp-actions: Split ofpacts_check__() into many functions.
ofpacts_check__() was a huge switch statement with special cases for many
different kinds of actions. This made it unwieldy and put the special
cases far away from the rest of the code related to a given action. This
commit refactors the code to avoid the problem.
Signed-off-by: Ben Pfaff <blp@ovn.org> Tested-by: Yifeng Sun <pkusunyifeng@gmail.com> Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
Greg Rose [Wed, 18 Jul 2018 16:22:13 +0000 (09:22 -0700)]
erspan: set bso bit based on mirrored packet's len
Upstream commit:
Before the patch, the erspan BSO bit (Bad/Short/Oversized) is not
handled. BSO has 4 possible values:
00 --> Good frame with no error, or unknown integrity
11 --> Payload is a Bad Frame with CRC or Alignment Error
01 --> Payload is a Short Frame
10 --> Payload is an Oversized Frame
Based on the short/oversized definitions in RFC1757, the patch sets
the bso bit based on the mirrored packet's size.
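A length-based BSO decision along these lines might look like the sketch below. It is a Python illustration rather than the kernel code: the constant names and the thresholds of 60 and 1514 bytes (the RFC1757 limits of 64 and 1518 octets minus a 4-byte FCS) are assumptions. The "bad frame" value is defined but never returned, because packet length alone cannot reveal a CRC or alignment error.

```python
# BSO values from the table above.
BSO_NOERROR = 0b00
BSO_SHORT = 0b01
BSO_OVERSIZED = 0b10
BSO_BAD = 0b11  # not derivable from the length, so never returned here

# Assumed thresholds: frame lengths without the 4-byte FCS.
ETH_MIN_LEN = 60
ETH_MAX_LEN = 1514


def detect_bso(frame_len):
    """Pick the BSO value for a mirrored packet from its length alone."""
    if frame_len < ETH_MIN_LEN:
        return BSO_SHORT
    if frame_len > ETH_MAX_LEN:
        return BSO_OVERSIZED
    return BSO_NOERROR
```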
Reported-by: Xiaoyan Jin <xiaoyanj@vmware.com> Signed-off-by: William Tu <u9012063@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: William Tu <u9012063@gmail.com> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: William Tu <u9012063@gmail.com>
Ian Stokes [Wed, 25 Jul 2018 14:00:43 +0000 (15:00 +0100)]
ovn-nbctl: Initialize arguments to avoid compilation warnings.
Output arguments for parse_priority() and dhcp_options_get() may not be
initialized when either function returns an error.
This causes compilation warnings for GCC 6.3.x regarding use of an
uninitialized variable and null-pointer-arithmetic.
Fix this by initializing the *priority_p value to 0 in parse_priority()
when an error occurs during parsing.
For dhcp_options_get() set *dhcp_opts_p = dhcp_opts regardless as
dhcp_opts will be equal to NULL when an error occurs within the function
anyhow.
Cc: Jakub Sitnicki <jkbs@redhat.com> Fixes: 3844c85de979 ("ovn-nbctl: Don't die in dhcp_options_get().") Fixes: bc8223df3b01 ("ovn-nbctl: Don't die in parse_priority().") Signed-off-by: Ian Stokes <ian.stokes@intel.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Jakub Sitnicki <jkbs@redhat.com>
Jakub Sitnicki [Wed, 25 Jul 2018 15:26:54 +0000 (17:26 +0200)]
ovn-nbctl: Detect unrecognized short options in server mode.
Because getopt() will set optopt for both known and unknown options,
we need to differentiate between them ourselves by checking if we
know the option. Do that by looking up its value.
Also, because we are using GNU extensions to getopt(), we need to be
resetting getopt() state by setting optind to 0 instead of 1 as
pointed out in NOTES in getopt(3) man-page. Not doing so results in
invalid reads and optopt being set to a garbage value.
Fixes: 3ec06ea9c668 ("ovn-nbctl: Initial support for daemon mode.") Signed-off-by: Jakub Sitnicki <jkbs@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Jakub Sitnicki [Mon, 30 Jul 2018 14:37:49 +0000 (16:37 +0200)]
ovn-northd: Propagate dynamic addresses to port group address sets.
If a logical switch port belongs to a port group and has dynamic
addresses assigned, propagate the addresses to the auto-generated
address sets for the port group.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com> Acked-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Tue, 31 Jul 2018 16:46:55 +0000 (09:46 -0700)]
ofctrl: Placate GCC.
Some GCC versions don't like ".x.y =", complaining about an uninitialized
field.
Without this patch we get travis failures, e.g.
https://travis-ci.org/openvswitch/ovs/jobs/410404752:
ovn/controller/ofctrl.c: In function ‘ofctrl_put’:
ovn/controller/ofctrl.c:1086:9: error: missing initializer for field ‘flags’ of ‘struct ofputil_meter_config’ [-Werror=missing-field-initializers]
};
^
In file included from ovn/controller/ofctrl.c:35:0:
./include/openvswitch/ofp-meter.h:53:14: note: ‘flags’ declared here
uint16_t flags;
^
With it, it passes.
Fixes: 185b13f228ac ("ovn: Add Meter and Meter_Band tables to the NB and SB databases.") Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Justin Pettit <jpettit@ovn.org>
ovn: Support configuring meters through SB Meter table.
Add the ability to configure meters through the newly introduced Meter
table in the Southbound database. Previously, meters were configured by
providing strings to describe the meter in the extended meter table.
This patch changes the behavior so that the extended meter table's
strings are references to names in the Meter table. The old behavior is
still supported if the extended meter table entry begins with "__string: "
Signed-off-by: Justin Pettit <jpettit@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
ovn: Add Meter and Meter_Band tables to the NB and SB databases.
Add support for configuring meters through the Meter and Meter_Band
tables in the Northbound database. This commit also has ovn-northd
sync those tables between the Northbound and Southbound databases.
Add support for configuring meters with ovn-nbctl.
Signed-off-by: Justin Pettit <jpettit@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
dpif: Move common meter checks into the dpif layer.
Another dpif provider will soon add support for meters, so move
some of the common sanity checks up into the dpif layer so that each
provider doesn't need to re-implement them.
Signed-off-by: Justin Pettit <jpettit@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found
If an OVS_ATTR_NESTED attribute type is found while walking
through netlink attributes, we call nlattr_set() recursively
passing the length table for the following nested attributes, if
different from the current one.
However, once we're done with those sub-nested attributes, we
should continue walking through attributes using the current
table, instead of using the one related to the sub-nested
attributes.
we switch to the 'ovs_tunnel_key_lens' table on attribute #3,
and we don't switch back to 'ovs_key_lens' while setting
attributes #9 to #11 in the sequence. As OVS_KEY_ATTR_MPLS
evaluates to 21, and the array size of 'ovs_tunnel_key_lens' is
15, we also get this kind of KASan splat while accessing the
wrong table:
[ 7655.132484] The buggy address belongs to the variable:
[ 7655.138226] ovs_tunnel_key_lens+0xf0/0xffffffffffffd400 [openvswitch]
[ 7655.145507]
[ 7655.147166] Memory state around the buggy address:
[ 7655.152514] ffffffffc169eb80: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
[ 7655.160585] ffffffffc169ec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 7655.168644] >ffffffffc169ec80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
[ 7655.176701] ^
[ 7655.184372] ffffffffc169ed00: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 00 05
[ 7655.192431] ffffffffc169ed80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
[ 7655.200490] ==================================================================
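The intended walk can be sketched as follows. This is a simplified model under stated assumptions, not the kernel's nlattr_set(): the Attr, LenEntry and Table types and the walk() function are hypothetical, and dict lookups stand in for array indexing. The point it illustrates is that the nested table is passed only to the recursive call, so the loop keeps using the current table afterwards.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

NESTED = -1  # stands in for OVS_ATTR_NESTED in this model


@dataclass
class Attr:
    type: int
    nested: list[Attr] = field(default_factory=list)


@dataclass
class LenEntry:
    length: int
    next: Optional[Table] = None  # table for nested attributes, if different


@dataclass
class Table:
    name: str
    entries: dict[int, LenEntry]


def walk(attrs, table, visited):
    """Record which table is consulted for every non-nested attribute."""
    for attr in attrs:
        entry = table.entries[attr.type]
        if entry.length == NESTED:
            # Pass the nested table to the recursive call only; do not
            # overwrite "table", which the rest of this loop still needs.
            walk(attr.nested, entry.next or table, visited)
        else:
            visited.append((attr.type, table.name))
    return visited
```

Reassigning the loop's own table variable in the nested branch would reproduce the bug: every attribute after the nested one would be looked up in the wrong table.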
Reported-by: Hangbin Liu <liuhangbin@gmail.com> Fixes: 982b52700482 ("openvswitch: Fix mask generation for nested attributes.") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Tested-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Justin Pettit <jpettit@ovn.org>
netfilter: add NAT support for shifted portmap ranges
This is a patch proposal to support shifted ranges in portmaps. (i.e. tcp/udp
incoming port 5000-5100 on WAN redirected to LAN 192.168.1.5:2000-2100)
Currently DNAT only works for single port or identical port ranges. (i.e.
ports 5000-5100 on WAN interface redirected to a LAN host while original
destination port is not altered) When different port ranges are configured,
either 'random' mode should be used, or else all incoming connections are
mapped onto the first port in the redirect range. (in described example
WAN:5000-5100 will all be mapped to 192.168.1.5:2000)
This patch introduces a new mode indicated by flag NF_NAT_RANGE_PROTO_OFFSET
which uses a base port value to calculate an offset with the destination port
present in the incoming stream. That offset is then applied as index within the
redirect port range (index modulo rangewidth to handle range overflow).
In described example the base port would be 5000. An incoming stream with
destination port 5004 would result in an offset value 4 which means that the
NAT'ed stream will be using destination port 2004.
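The offset calculation above can be illustrated with a small sketch. The function and parameter names are hypothetical and this is not the kernel implementation; it only reproduces the arithmetic described in the text.

```python
def shifted_port(dst_port, base_port, range_min, range_max):
    """Map dst_port into [range_min, range_max] by its offset from base_port."""
    range_width = range_max - range_min + 1
    offset = dst_port - base_port
    # Index modulo the range width, so offsets past the end wrap around.
    return range_min + offset % range_width


# Base port 5000, redirect range 2000-2100, incoming destination port 5004.
print(shifted_port(5004, 5000, 2000, 2100))  # prints 2004
```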
Other possibilities include deterministic mapping of larger or multiple ranges
to a smaller range : WAN:5000-5999 -> LAN:5000-5099 (maps WAN port 5*xx to port
51xx)
This patch does not change any current behavior. It just adds new NAT proto
range functionality, which must be explicitly selected via the specific flag
when it is intended to be used.
A patch for iptables (libipt_DNAT.c + libip6t_DNAT.c) will also be proposed
which makes this functionality immediately available.
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Justin Pettit <jpettit@ovn.org>
datapath: Introduce net_rwsem and remove rtnl_lock()
This patch backports the following two upstream commits and
adds a new symbol, HAVE_NET_RWSEM, in acinclude.m4 to determine
whether to use the newly introduced rw_semaphore, net_rwsem.
net: Introduce net_rwsem to protect net_namespace_list
rtnl_lock() is used everywhere, and contention is very high.
When someone wants to iterate over alive net namespaces,
there is no way to do that without an exclusive lock.
But the exclusive rtnl_lock() in such places is overkill,
and it just increases the contention. Yes, there is already
for_each_net_rcu() in the kernel, but it requires rcu_read_lock(),
so the iteration cannot sleep. Also, sometimes it is necessary
to really prevent net_namespace_list growth, so for_each_net_rcu()
does not fit there.
This patch introduces a new rw_semaphore, which will be used
instead of rtnl_mutex to protect net_namespace_list. It is
sleepable and allows non-exclusive iteration over the net
namespaces list. It makes it possible to stop using rtnl_lock()
in several places (which is done in the next patches) and reduces
the time rtnl_mutex is held. Here we just add the new lock,
while the explanations of why rtnl_lock() can be removed are
in the next patches.
Fine-grained locks are generally better than one big lock,
so let's do that with net_namespace_list while the situation
allows it.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream commit:
commit ec9c780925c57588637e1dbd8650d294107311c0
Author: Kirill Tkhai <ktkhai@virtuozzo.com>
Date: Thu Mar 29 19:21:09 2018 +0300
ovs: Remove rtnl_lock() from ovs_exit_net()
Here we iterate with for_each_net() and remove
vports from alive nets to the exiting net.
ovs_net::dps is protected by ovs_mutex(),
and the others that change it (ovs_dp_cmd_new(),
__dp_destroy()) also take it.
The same with datapath::ports list.
So, we remove rtnl_lock() here.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Justin Pettit <jpettit@ovn.org>
openvswitch: meter: fix the incorrect calculation of max delta_t
Max delta_t should be full_bucket/rate instead of full_bucket.
Also report EINVAL if the rate is zero.
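As a rough sketch of the corrected calculation, assuming full_bucket and rate are plain integers in compatible units (the function name and the use of OSError are illustrative, not the kernel code):

```python
import errno


def max_delta_t(full_bucket, rate):
    """Longest interval that can still add tokens: full_bucket / rate."""
    if rate == 0:
        # A zero rate would divide by zero; report EINVAL instead.
        raise OSError(errno.EINVAL, "meter band rate must be non-zero")
    return full_bucket // rate
```

Using full_bucket alone as the limit, as before the fix, overstates the interval by a factor of rate.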
Fixes: 96fbc13d7e77 ("openvswitch: Add meter infrastructure") Cc: Andy Zhou <azhou@ovn.org> Signed-off-by: zhangliping <zhangliping02@baidu.com> Acked-by: Pravin B Shelar <pshelar@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Tested-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Justin Pettit <jpettit@ovn.org>
selinux: changes to support newer hugetlbfs restrictions
Newer selinux base policies now split out 'map' actions, as well as
adding more explicit checks for hugetlbfs objects. Where previously these
weren't required, recent changes have flagged the allocation of hugepages
and subsequent clearing. This means that the hugepage storage information
for the DPDK .rte_config, and clearing actions copying from /dev/zero will
trigger selinux denials.
This commit allows openvswitch to have more permissions for the hugetlbfs
allocation and use.
Greg Rose [Fri, 27 Jul 2018 18:20:08 +0000 (11:20 -0700)]
compat: Allow IPv6 GRE/ERSPAN Tx when ip6_gre is loaded
When the built-in kernel ip6_gre module is loaded for some reason, it
prevents the openvswitch kernel driver from loading. Even when
the built-in kernel ip6_gre module is loaded we can still perform
port mirroring via Tx. Adjust the error handling to detect when
the ip6_gre kernel module is loaded and in that case still enable
IPv6 GRE/ERSPAN Tx.
Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: William Tu <u9012063@gmail.com>
Greg Rose [Fri, 20 Jul 2018 01:48:31 +0000 (18:48 -0700)]
compat: Initialize IPv4 reassembly secret timer
The RHEL 7 kernels expect the secret timer interval to be initialized
before calling the inet_frags_init() function. By not initializing it
the inet_frags_secret_rebuild() function was running on every tick
rather than on the expected interval. This caused occasional panics
from page faults when inet_frags_secret_rebuild() would try to rearm a
timer from the openvswitch kernel module which had just been removed.
Also remove the prior, and now unnecessary, work around.
Commit ab15e70eb587 ("dpctl: Expand the flow dump type filter") had a
number of issues with style, build breakage, and failing unit tests.
The patch is being reverted so that they can be addressed.