Ben Pfaff [Thu, 26 Apr 2018 16:39:30 +0000 (09:39 -0700)]
ovsdb.7: Clarify description of OVSDB.
A reader reported that "network database system" made it sound like OVSDB
was specialized for databases about networks. It's not, it's just
accessible over the network.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
In case where "use_names" is set (e.g. in an interactive session) to show
the port and table names when ovs-ofctl is run with snoop command,
ovs-ofctl would get stuck in an endless loop inside "table_iterator_next"
function's while loop checking for "while (ti->send_xid != recv_xid)".
This would happen because the "vconn" to "<bridge>.snoop" socket would
not respond to TABLE_FEATURES_REQUEST sent by ovs-ofctl.
This commit disables showing port or table names in the snoop command.
Signed-off-by: Ashish Varma <ashishvarma.ovs@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Jianbo Liu [Wed, 25 Apr 2018 08:09:08 +0000 (08:09 +0000)]
lib/tc: Remove unnecessary icmp recalculation
ICMP checksum is calculated from ICMP headers and data, so hardware doesn't
need to calculate it again because we only rewrite IP headers.
Signed-off-by: Jianbo Liu <jianbol@mellanox.com>
Reviewed-by: Paul Blakey <paulb@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Greg Rose [Tue, 17 Apr 2018 19:34:08 +0000 (12:34 -0700)]
datapath: Prevent panic
On RHEL 7.x kernels we observe a panic induced by a paging error
when the timer kicks off a job that subsequently accesses memory
that belonged to the openvswitch kernel module but was since
unloaded - thus the paging error.
The panic can be induced on any RHEL 7.x kernel with the following test:
    while `true`
    do
        make check-kmod TESTSUITEFLAGS="-k \!gre"
    done
On the systems I've been testing on it generally takes anywhere from a
minute to 15 minutes or so to repro but never longer than that. Similar
results have been seen by other testers.
This patch does not fix the underlying bug, which does need to be
investigated and fixed, but it does prevent it from occurring. We
would like to prevent customer systems from panicking while we do
further investigation to find the root cause.
Marcin Rybka [Fri, 20 Apr 2018 13:46:27 +0000 (14:46 +0100)]
tests: Add system-dpdk-testsuite
New OVS-DPDK testsuite, which can be launched via `make check-dpdk`,
tests OVS using a DPDK datapath. The testsuite contains already
initial tests:
1. EAL init
2. Add standard DPDK PHY port
3. Add vhost-user-client port
Signed-off-by: Marcin Rybka <marcinx.rybka@intel.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Stephen Finucane [Fri, 20 Apr 2018 09:24:32 +0000 (10:24 +0100)]
docs: Clarify changes in Rx queue allocation
Two mistakes here:
- Automatic assignment of Rx queues to PMD threads has always existed -
it was simply switched from round-robin allocation to
utilization-based allocation
- The above, along with the 'pmd-rxq-rebalance' command, was added in
OVS 2.9.0 - not OVS 2.8.0 - while the 'pmd-rxq-show' command was added
in OVS 2.6.0 and modified in OVS 2.9.0
Correct both of these and modify the NEWS entry for this to clarify
things a little (it took a bit of git spelunking and bothering people on
IRC to figure out).
Signed-off-by: Stephen Finucane <stephen@that.guru>
Cc: Kevin Traynor <ktraynor@redhat.com>
Cc: Ian Stokes <ian.stokes@intel.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Stephen Finucane [Thu, 19 Apr 2018 12:57:24 +0000 (13:57 +0100)]
doc: Add "vdev" topic document
These are separate things from physical, ring and vhost-user interfaces
and deserve their own documents. A couple of small typos are fixed along
the way.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Stephen Finucane [Thu, 19 Apr 2018 12:57:23 +0000 (13:57 +0100)]
doc: Move additional sections to "physical ports" doc
The "hotplugging", "flow control", and "Rx checksum offload" sections
only apply to 'dpdk' ports and are too detailed to include in a
high-level howto. Move them, reworking some aspects of this in the
process.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Stephen Finucane [Thu, 19 Apr 2018 12:57:22 +0000 (13:57 +0100)]
doc: Add "PMD" topic document
This continues the breakup of the huge DPDK "howto" into smaller
components. There are a couple of related changes included, such as
using "Rx queue" instead of "rxq" and noting how Tx queues cannot be
configured.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Stephen Finucane [Thu, 19 Apr 2018 12:57:21 +0000 (13:57 +0100)]
doc: Add an overview of the 'dpdk' port
These ports are used to allow ingress/egress from the host and are
therefore _reasonably_ important. However, there is no clear overview of
what these ports actually are or why things are done the way they are.
Start closing this gap by providing a standalone example of using these
ports along with a little more detailed overview of the binding process.
There is additional cleanup to be done for the DPDK howto, but that will
be done separately.
We enable the TODO directive so we can actually start calling out some
TODOs.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Ian Stokes [Wed, 18 Apr 2018 12:30:42 +0000 (13:30 +0100)]
docs: Fix urls in index.rst.
This patch prepends 'www' to openvswitch urls in index.rst. Without this
make check-docs fails when verifying url liveness. Also remove url
referencing ovsdb-server(5) as these are no longer accessible.
Cc: Stephen Finucane <stephen@that.guru>
Fixes: 4f6ec357c ("doc: Populate 'ref' section")
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Acked-by: Stephen Finucane <stephen@that.guru>
Ian Stokes [Wed, 18 Apr 2018 10:17:12 +0000 (11:17 +0100)]
docs: Fix sphinx urls.
Update dead url links for sphinx documentation to avoid
make check-docs failing.
Cc: Stephen Finucane <stephen@that.guru>
Fixes: 26ea2d409 ("docs: Add writing guide")
Fixes: 73c76b447 ("doc: Add info on building documentation")
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Acked-by: Stephen Finucane <stephen@that.guru>
Ian Stokes [Wed, 18 Apr 2018 09:54:09 +0000 (10:54 +0100)]
docs: Fix sflow documentation url and markup.
The url link for the blog in sflow documentation causes make
check-docs to fail with a broken link warning. Fix this by correcting
the url address. Also use correct markup for note regarding the
configuration of sflow.
CC: Stephen Finucane <stephen@that.guru>
Fixes: 198c5d3d0 ("doc: Add sFlow cookbook from website")
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Acked-by: Stephen Finucane <stephen@that.guru>
Kevin Traynor [Fri, 13 Apr 2018 17:40:13 +0000 (18:40 +0100)]
netdev-dpdk: Free mempool only when no in-use mbufs.
DPDK mempools are freed when they are no longer needed.
This can happen when a port is removed or a port's mtu
is reconfigured so that a new mempool is used.
It is possible that an mbuf is attempted to be returned
to a freed mempool from NIC Tx queues and this can lead
to a segfault.
In order to prevent this, only free mempools when they
are not needed and have no in-use mbufs. As this might
not be possible immediately, create a free list of
mempools and sweep it anytime a port tries to get a
mempool.
When explaining on how to add vhost-user ports to a guest, using
libvirt, the following piece of configuration is used:
    <disk type='dir' device='disk'>
      <driver name='qemu' type='fat'/>
      <source dir='/usr/src/dpdk-stable-17.11.1'/>
      <target dev='vdb' bus='virtio'/>
      <readonly/>
    </disk>
This is used to facilitate sharing of a DPDK directory between the host
and the guest. However, for this to work selinux also needs to be
configured (or disabled). Furthermore, if one is using Ubuntu, libvirtd
would need to be added to complain only in AppArmor. Instead, in [1] it
is advised to use wget to get the DPDK sources over the internet, which
avoids this differentiation. Thus, we drop this piece of configuration
here as well and keep the example configuration as simple as possible.
This has been verified on both a Fedora 27 image and a Ubuntu 16.04 LTS
image.
When explaining on how to add vhost-user ports to a guest, using
libvirt, point to the qemu-system-x86_64 binary by default, instead of
using qemu-kvm. The latter has been made obsolete and dropped from a
number of distributions (although it is still available on Fedora).
This has been verified on both a Fedora 27 image and a Ubuntu 16.04 LTS
image.
ofproto-dpif-upcall: Only call ovsrcu_postpone() on active actions
Currently, ovsrcu_postpone() is called even with a NULL argument,
i.e. when there is no data to be freed. This is causing additional
overhead because work is scheduled for the urcu thread. This change
avoids adding the postpone callback if no work needs to be done.
This especially helps for the OVS-DPDK case where the PMD threads
might no longer have to do a write() due to the latch_set(), and thus
saving a syscall.
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
xlate: Move tnl_neigh_snoop() to terminate_native_tunnel()
Currently OVS snoops any ARP or ND packets in any bridge and populates
the tunnel neighbor cache with the retrieved data. For instance, when
an ARP reply originated by a tenant is received in an overlay bridge, the
ARP packet is snooped and tunnel neighbor cache is filled with tenant
address information. This is at best useless as tunnel endpoints can only
reside on an underlay bridge.
The real problem starts if different tenants on the overlay bridge have
overlapping IP addresses such that they keep overwriting each other's
pseudo tunnel neighbor entries. These frequent updates are treated as
configuration changes and trigger revalidation each time, thus causing
a lot of useless revalidation load on the system.
To keep the ARP neighbor cache clean, this patch moves tunnel neighbor
snooping from the generic function do_xlate_actions() to the specific
function terminate_native_tunnel() in compose_output_action(). Thus,
only ARP and Neighbor Advertisement packets addressing a local
tunnel endpoint (on the LOCAL port of the underlay bridge) are snooped.
In order to achieve this, IP addresses of the bridge ports are retrieved
and then stored in xbridge by calling xlate_xbridge_set(). The
destination address extracted from the ARP or Neighbor Advertisement
packet is then matched against the known xbridge addresses in
is_neighbor_reply_correct() to filter the snooped packets further.
Signed-off-by: Zoltan Balogh <zoltan.balogh.eth@gmail.com>
Co-authored-by: Jan Scheurich <jan.scheurich@ericsson.com>
Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
tests: Inject ARP replies for snoop tests on different port
The ARP replies injected into the underlay bridge 'br0' to trigger
ARP snooping should be destined to the bridge's LOCAL port. So far
the tests injected them on LOCAL port 'br0' itself, which didn't matter
as OVS snooped on all ARP packets passing the bridge.
This patch injects the ARP replies on a different port in preparation for
an upcoming commit that will make OVS only snoop on ARP packets output
to the LOCAL port.
The clone() wrapper must be added to the generated datapath flows now as
the traced packets would actually be transmitted through the tunnel port.
Previously the underlay bridge dropped the packets as the learned egress
port for the tunnel nexthop was the LOCAL port, which also served as
virtual ingress port for the encapsulated traffic. The translation
end result was an expensive way to say 'drop'.
Signed-off-by: Zoltan Balogh <zoltan.balogh.eth@gmail.com>
Co-authored-by: Jan Scheurich <jan.scheurich@ericsson.com>
Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
ofproto-dpif-xlate: makes OVS native tunneling honor tunnel-specified source addresses
It makes OVS native tunneling honor tunnel-specified source addresses,
in the same way that Linux kernel tunneling honors them.
This patch made valid tun_src specified by flow-action can be used for
tunnel_src of packet. Add a "local" property for a route entry and enhance
the priority of local route higher than user route.
Like the kernel space when lookup the route, if there are tun_src specified
by flow-action or port options. Check the tun_src whether is a local
address, then lookup the route.
Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: frank.zeng <frank.zeng@ucloud.cn>
Signed-off-by: Ben Pfaff <blp@ovn.org>
lacp: New command "lacp/show-stats" for displaying LACP counters.
Currently OVS does not provide any command to display stats for LACP
without which it is difficult to debug LACP issues. Here we propose
to display various statistics about LACP PDUs and slave state change.
tutorial: skip passing .db for backup option for ovn_start_ovsdb_server:
current params uses two sb1.db which is redundant:
e.g. ovsdb-server --remote=punix:sb1.ovsdb sb1.db sb1.db
expected:
e.g. ovsdb-server --remote=punix:sb1.ovsdb sb1.db
tested and works as expected:
ovn-sbctl --db=unix:/root/ovs/tutorial/sandbox/sb2.ovsdb show
Chassis "chassis-1"
    hostname: sandbox
    Encap geneve
        ip: "127.0.0.1"
        options: {csum="true"}
Signed-off-by: aginwala <aginwala@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Jakub Sitnicki [Wed, 18 Apr 2018 16:01:13 +0000 (18:01 +0200)]
tests: Extend Python IDL checks to also run with SSL
Extend the macro for running a Python IDL test against an OVSDB server
that uses SSL so that it can be used for regular IDL tests and for the
notify tests.
This makes it easy to generate additional Python IDL tests that run
using SSL, so do it.
As it turns out, newly added SSL tests unearth a pre-existing issue with
unicode encoding when SSL is used, which will be fixed in the following
patch.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Jakub Sitnicki [Wed, 18 Apr 2018 16:01:14 +0000 (18:01 +0200)]
python: Fix a double encoding attempt on an Unicode string
Encoding from 'unicode' to 'str' that has been added to the Stream class
in commit 2254074e3067 ("python: fix python3 encode/decode on Windows")
conflicts with SSLStream which already contains a quirk for pyopenssl
that does the same thing.
This results in a double encoding attempt when SSL is used and we crash
and burn due to:
Traceback (most recent call last):
  File "../.././test-ovsdb.py", line 874, in <module>
    main(sys.argv)
  File "../.././test-ovsdb.py", line 869, in main
    func(*args)
  File "../.././test-ovsdb.py", line 655, in do_idl
    idl_set(idl, command, step)
  File "../.././test-ovsdb.py", line 526, in idl_set
    status = txn.commit_block()
  File "/home/jkbs/src/ovs/python/ovs/db/idl.py", line 1405, in commit_block
    status = self.commit()
  File "/home/jkbs/src/ovs/python/ovs/db/idl.py", line 1388, in commit
    if not self.idl._session.send(msg):
  File "/home/jkbs/src/ovs/python/ovs/jsonrpc.py", line 540, in send
    return self.rpc.send(msg)
  File "/home/jkbs/src/ovs/python/ovs/jsonrpc.py", line 244, in send
    self.run()
  File "/home/jkbs/src/ovs/python/ovs/jsonrpc.py", line 203, in run
    retval = self.stream.send(self.output)
  File "/home/jkbs/src/ovs/python/ovs/stream.py", line 808, in send
    return super(SSLStream, self).send(buf)
  File "/home/jkbs/src/ovs/python/ovs/stream.py", line 391, in send
    buf = buf.encode('utf-8')
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 83: ordinal not in range(128)
Remove the quirk from SSLStream as the base class now does encoding.
Reported-by: Marcin Mirecki <mmirecki@redhat.com>
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Jakub Sitnicki [Wed, 18 Apr 2018 16:01:12 +0000 (18:01 +0200)]
tests: Reuse OVSDB_CHECK_IDL_PYN macro for IDL notify tests
OVSDB_CHECK_IDL_NOTIFY_PYN macro is the same as OVSDB_CHECK_IDL_PYN
except it doesn't support PRE-IDL-TXN parameter. Reuse the more generic
OVSDB_CHECK_IDL_PYN macro.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Jakub Sitnicki [Wed, 18 Apr 2018 16:01:11 +0000 (18:01 +0200)]
tests: Remove useless run-if-fail commands passed to AT_CHECK
Path to ovsdb-server's pidfile has changed long ago when
ovsdb_start_idltest() helper was introduced in commit 561205007e17
("tests: Get rid of overly specific --pidfile and --unixctl options.")
but the run-if-fail commands were left behind.
Besides, we don't need to kill the ovs-db-server from the AT_CHECK
anymore since ovsdb_start_idltest() registers an on_exit hook that will
do it.
Clean up any run-if-fail commands that attempt to kill ovsdb-server
using an invalid pidfile.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Jakub Sitnicki [Wed, 18 Apr 2018 16:01:10 +0000 (18:01 +0200)]
tests: Complain if key and certs not provided for SSL connection
Add an argument check to test-ovsdb.py to ensure that the user has
provided the private key, the certificate, and the peer CA certificate
needed to set up an SSL connection.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Recently, an issue was debugged that was thought to be a bond
failover triggered issue. It turned out to be a vlan interface MTU set issue
that had nothing to do with bonding or most other likely possibilities.
Besides the effect of not setting the MTU to the desired value, this can
result in increased netlink traffic and processing with associated wasted
work. Let us flag a configuration issue at warn level (rather than dbg) to
catch the problem early.
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Jakub Sitnicki [Wed, 18 Apr 2018 10:35:08 +0000 (12:35 +0200)]
python: Fix reporting that test-ovsdb.py command needs more args
In Python OVSDB tester, we are not unpacking a value from n_args tuple
that holds the accepted range of arguments. This causes an error:
$ python tests/test-ovsdb.py idl tests/idltest.schema
Traceback (most recent call last):
  File "./tests/test-ovsdb.py", line 869, in <module>
    main(sys.argv)
  File "./tests/test-ovsdb.py", line 852, in main
    n_args, len(args)))
TypeError: %d format: a number is required, not tuple
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
Terry Wilson [Fri, 13 Apr 2018 00:24:27 +0000 (19:24 -0500)]
Add multi-column index support for the Python IDL
This adds multi-column index support for the Python IDL that is
similar to the feature in the C IDL. Since it adds sortedcontainers
as a dependency and some distros don't yet package it, the library
is copied in-tree and used if sortedcontainers is not installed.
Signed-off-by: Terry Wilson <twilson@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
rhel: Fix literal dollar sign usage in systemd service files
Currently (at least on RHEL 7.5) openvswitch fails to start (with DPDK
enabled) as non-root, since chown fails and "/dev/hugepages" group is not
changed.
Commit tested on Fedora 28 and RHEL 7.5, both as root and as non-root user.
From man 5 systemd.service:
To pass a literal dollar sign, use "$$". Variables whose value is not known
at expansion time are treated as empty strings. Note that the first argument
(i.e. the program to execute) may not be a variable.
CC: Aaron Conole <aconole@redhat.com>
Fixes: 4299145c1095 ("rhel: don't drop capabilities when running as root")
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Ben Pfaff [Tue, 17 Apr 2018 15:33:41 +0000 (08:33 -0700)]
netdev: Fix typos in comment.
Fixes: ee4776b8bce1 ("netdev: New function netdev_get_ip_by_name().")
Suggested-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Fri, 13 Apr 2018 16:51:37 +0000 (09:51 -0700)]
socket-util: Add more functions for IPv[46] sockaddr and sockaddr_storage.
The existing functions for working with sockaddr_storage that contain an
IPv4 or IPv6 address are useful. This commit adds more functions for
working with them, as well as a parallel set of functions for struct
sockaddr.
This also adds an initial user for some of the new sockaddr functions in
netdev.c.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
Ben Pfaff [Wed, 11 Apr 2018 18:12:21 +0000 (11:12 -0700)]
Make <host>:<port> parsing uniform treewide.
I didn't realize until now that the tree had two different ways of parsing
strings in the form <host>:<port> and <port>:<host>. There are the
long-standing inet_parse_active() and inet_parse_passive() functions, and
more recently the ipv46_parse() function. This commit eliminates the
latter and changes the code to use the former.
The two implementations interpreted some input differently. In particular,
the older functions required IPv6 addresses to be [bracketed], but the
newer ones do not. For compatibility this patch changes the merged code to
use the more liberal interpretation.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
Ben Pfaff [Wed, 11 Apr 2018 18:24:59 +0000 (11:24 -0700)]
socket-util: Make inet_parse_active() and inet_parse_passive() more alike.
Until now, the default_port parameters to these functions have had
different types and different behavior. There is a reason for this, since
it makes sense to listen on a kernel-selected port but it does not make
sense to connect to a kernel-selected port, but this overlooks the
possibility that a caller might want to parse a string in the format
understood by inet_parse_active() without actually using it to connect to
a remote host. This commit makes the behavior consistent and updates all
the callers to work with the new semantics.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
This patch drops the '--monitor' argument when running the ovsdb-server.
This can potentially increase the bug detection since the process will not
be restarted in certain situations.
Also, fixes the test under Windows since daemons do not have '--monitor'
argument.
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
Suggested-by: Ben Pfaff <blp@ovn.org>
Suggested-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-April/346135.html
Han Zhou [Sat, 14 Apr 2018 00:07:27 +0000 (17:07 -0700)]
ovn: Support address sets generated from port groups
Address sets are automatically generated from corresponding port
groups, and can be used directly in ACL match conditions.
There are two address sets generated for each port group:
<port group name>_ip4
<port group name>_ip6
For example, if port_group1 is created, we can directly use below
match condition in ACL:
"outport == @port_group1 && ip4.src == $port_group1_ip4"
This will simplify OVN client implementation, and avoid some tricky
problems such as race conditions when maintaining address set
memberships as discussed in the link below.
Reported-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046174.html
Reviewed-by: Mark Michelson <mmichels@redhat.com>
Reviewed-by: Daniel Alvarez <dalvarez@redhat.com>
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
python-windows: Update python3 environment variables on Windows
Starting from Python 3.6 two new environment variables have been introduced
on Windows:
PYTHONLEGACYWINDOWSFSENCODING
https://docs.python.org/3/using/cmdline.html#envvar-PYTHONLEGACYWINDOWSFSENCODING
PYTHONLEGACYWINDOWSSTDIO
https://docs.python.org/3/using/cmdline.html#envvar-PYTHONLEGACYWINDOWSSTDIO
To keep backwards compatibility when running tests under Windows we define and
set the two variables thus ensuring default filesystem encoding (mbcs).
Fixes tests on Python version >=3.6:
2030: simple idl, writing via IDL with unicode - Python3
2032: simple idl, writing via IDL with unicode - Python3 - register_columns
2034: simple idl, writing via IDL with unicode - Python3 - tcp
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Co-authored-by: Alin Balutoiu <abalutoiu@cloudbasesolutions.com>
Signed-off-by: Alin Balutoiu <abalutoiu@cloudbasesolutions.com>
Acked-by: Ben Pfaff <blp@ovn.org>
ovn: Set router lifetime value for IPv6 periodic RA.
ovn-controller when it sends out periodic RA packets, sets '0' in the
Router lifetime field. As per the RFC 4861, lifetime of 0 indicates that
the router is not a default router and SHOULD NOT appear on the default
router list. Without the default route, a VM will not be able to reach to
other router ports attached to the same router unless a default route
is added by the user.
ovn-controller when encoding the 'put_nd_ra_opts' action sets the Router
Lifetime field to 0xffff. So this patch also sets the same value when
sending out the periodic RAs.
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1567735
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
Andrea Kao [Fri, 13 Apr 2018 18:09:39 +0000 (11:09 -0700)]
Edit Open vSwitch license info so that GitHub recognizes it.
GitHub uses a library called Licensee to identify a project's license
type. It shows this information in the status bar and via the API if it
can unambiguously identify the license.
This commit creates a LICENSE file that stores the full text of the
Apache license. It also removes the COPYING file and transfers its
contents to a new "License" section in the README.
Collectively, these changes allow Licensee to successfully identify the
license type of Open vSwitch's codebase as Apache.
Submitted-at: https://github.com/openvswitch/ovs/pull/224
Signed-off-by: Andrea Kao <eirinikos@gmail.com>
[blp@ovn.org removed references to COPYING and updated Makefile.am]
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
One issue with this test is that MSYS mangles the shorter form of the IPv6 address.
To solve this, we switch to the longer notation of it.
Another issue is that `printf` command does not add the leading `0` to the packet.
We switch to a more platform independent `awk` substitution.
Co-authored-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
commit f6fabcc6245 (ofproto-dpif: Mark packets as "untracked"
after call to ct().) changed the behavior after a call to ct().
The +trk bit would automatically be unset if packet is sent to
ct() and not forked. This caused a bug in the OVN gateway
pipeline when there is SNAT rule as well as load-balancing rule.
In the OVN gateway pipeline for the gateway router, we had an
optimization where the packets sent to unSNAT need not go through
a recirculation. But since doing this now means that the +trk bit
gets unset, the DNAT rules for load-balancing a new packet in the next
table won't get hit.
This commit removes the optimization for unSNAT packets so that
there is always a recirculation.
Han Zhou [Thu, 5 Apr 2018 00:51:47 +0000 (17:51 -0700)]
ovn: Support port groups in ACLs
This patch enables using port group names in ACL match conditions.
Users can create a port group in northbound DB Port_Group table,
and then use the name of the port group in ACL match conditions
for "inport" or "outport". It can help reduce the number of ACLs
for CMS clients such as OpenStack Neutron, for the use cases
where a group of logical ports share same ACL rules except the
"inport"/"outport" part. Without this patch, the clients have to
create N (N = number of lports) ACLs, and this patch helps achieve
the same goal with only one ACL. E.g.:
There was a similar attempt by Zong Kai Li in 2016 [1]. This patch
takes a slightly different approach by using weak refs instead of
strings, which requires a new table instead of reusing the address
set table. This way it will also benefit for a follow up patch that
enables generating address sets automatically from port groups to
avoid a lot of trouble from client perspective [2].
An extra benefit of this patch is that it could enable conjunctive
match effectively. As reported at [3], this patch was tested together
with the conjunctive match enhancement patch [4], and huge performance
improvement (more than 10x faster) was seen because of this.
Reported-by: Daniel Alvarez Sanchez <dalvarez@redhat.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046166.html
Tested-by: Mark Michelson <mmichels@redhat.com>
Reviewed-by: Mark Michelson <mmichels@redhat.com>
Reviewed-by: Daniel Alvarez <dalvarez@redhat.com>
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Numan Siddique [Tue, 20 Mar 2018 11:29:42 +0000 (16:59 +0530)]
ovn-controller: Handle Port_Binding's "requested-chassis" option in physical.c
When a Logical_Switch_Port P's options is set with 'requested-chassis=hv1'
and if the user has bound this logical port to two OVS interfaces each in
different host (eg. hv1 and hv2), then ovn-controller in hv1 sets the
P's Port_Binding.chassis to hv1 which is as expected. But on hv2, ovn-controller
is adding OF flows in table 0 and table 65 for the OVS interface instead of
considering 'P' as a remote port. When another logical port bound on hv2,
pings to the logical port 'P', the packet gets delivered to hv2 OVS interface
instead of hv1 OVS interface, which is wrong.
This scenario is most likely to happen when requested-chassis option is used
by CMS during migration of a VM from one chassis to another.
This patch fixes this issue by checking the Port_Binding's "requested-chassis"
option in physical.c before adding the flows in table 0 and 65.
Reported-by: Marcin Mirecki <mmirecki@redhat.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-March/345266.html
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Tested-by: Marcin Mirecki <mmirecki@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Chris Mi [Tue, 10 Apr 2018 05:18:09 +0000 (14:18 +0900)]
netdev-tc-offloads: Add offloading of multiple outputs
Currently, we support offloading of one output port. Remove that
limitation by use of mirred mirror action for all output ports,
except that the last one is mirred redirect action.
Signed-off-by: Chris Mi <chrism@mellanox.com>
Reviewed-by: Paul Blakey <paulb@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Chris Mi [Tue, 10 Apr 2018 05:18:08 +0000 (14:18 +0900)]
tc: Make the actions order consistent
When OVS DP passes the actions to TC library, we save all the
actions in data structure tc_flower and each action type has its
own field in tc_flower. So when TC library passes the actions to
kernel, actually the actions order is lost.
We add an actions array in tc_flower to keep the actions order
in this patch.
Signed-off-by: Chris Mi <chrism@mellanox.com>
Reviewed-by: Paul Blakey <paulb@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
The commit 9afc6f14ee7b2622703d98689acb0044d4a5492e added a new author
which name was too long that broke the column size. Running "make
docs-checks" was failing because of that.
All this patch does is to enlarge the "Name" column to fit the new
author's name.
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Daniel Alvarez <dalvarez@redhat.com>
Roi Dayan [Wed, 11 Apr 2018 07:57:30 +0000 (10:57 +0300)]
tc: Change filter error to debug once
Also update the message to be more correct.
Before this commit if there were tc rules that are not of type
flower the log was getting filled quickly with errors about it
and always appeared to the user when dumping flows from user space.
This commit moves the error to debug and logs it only once.
Signed-off-by: Roi Dayan <roid@mellanox.com> Reviewed-by: Paul Blakey <paulb@mellanox.com> Signed-off-by: Simon Horman <simon.horman@netronome.com>
icmp6 action is used to replace the IPv6 packet being processed with
an ICMPv6 packet initialized based on incoming IPv6 one.
Ethernet and IPv6 fields not listed are not changed:
- ip.proto = 58 (ICMPv6)
- ip.ttl = 255
- icmp6.type = 1 (destination unreachable)
- icmp6.code = 1 (communication administratively prohibited)
Prerequisite: ip6
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Handle gratuitous ARP requests and replies in tnl_arp_snoop()
Problem:
========
In user-space tunneling implementation, tnl_arp_snoop() snoops only ARP
*reply* packets to resolve tunnel nexthop IP addresses to MAC addresses.
Normally the ARP requests are periodically sent by the local host IP stack,
so that the ARP cache in OVS is refreshed and entries do not time out.
However, if the remote tunnel nexthop is a VRRP IP, and the gateway
periodically sends gratuitous ARP *requests* to announce itself,
tnl_arp_snoop() treats them as INVALID. Consequently, the ARP cache in OVS
expires after 10 minutes, which results in dropping of the next packet(s)
until a new ARP request is responded to.
Fix:
====
Enhance the tunnel neighbor resolution logic in OVS to not only snoop on
ARP replies but also on gratuitous ARP requests.
Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com>
From: Manohar K C <manohar.krishnappa.chidambaraswamy@ericsson.com> CC: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
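The snooping decision this commit message describes, as an added C example that is not the OVS implementation and not part of the original commit: a classifier that learns a sender IP to MAC binding from ARP replies and from gratuitous requests (sender IP equal to target IP) and rejects ordinary requests and probes. The names `arp_snoop_classify`, `make_arp` and `struct neigh` are hypothetical, and the sample addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ARP payload for Ethernet/IPv4 (RFC 826): 28 bytes, network byte order. */
enum { ARP_LEN = 28, ARP_REQUEST = 1, ARP_REPLY = 2 };
enum verdict { SNOOP_INVALID = 0, SNOOP_LEARN = 1 };
struct neigh { uint8_t ip[4]; uint8_t mac[6]; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t) ((p[0] << 8) | p[1]); }

/* Hypothetical classifier: learn sender IP -> MAC from replies and from
 * gratuitous requests (sender IP == target IP); reject everything else. */
enum verdict arp_snoop_classify(const uint8_t *arp, size_t len, struct neigh *out)
{
    if (len < ARP_LEN || rd16(arp) != 1 || rd16(arp + 2) != 0x0800
        || arp[4] != 6 || arp[5] != 4)
        return SNOOP_INVALID;            /* Truncated or not Ethernet/IPv4. */
    const uint8_t *sha = arp + 8, *spa = arp + 14, *tpa = arp + 24;
    if (!(spa[0] | spa[1] | spa[2] | spa[3]))
        return SNOOP_INVALID;            /* ARP probe: no binding to learn. */
    uint16_t op = rd16(arp + 6);
    int gratuitous = !memcmp(spa, tpa, 4);
    if (op != ARP_REPLY && !(op == ARP_REQUEST && gratuitous))
        return SNOOP_INVALID;            /* Ordinary request or unknown op. */
    memcpy(out->ip, spa, 4);
    memcpy(out->mac, sha, 6);
    return SNOOP_LEARN;
}

/* Constructed sample input: ARP payload with a made-up sender MAC. */
void make_arp(uint8_t *buf, uint16_t op, const uint8_t spa[4], const uint8_t tpa[4])
{
    static const uint8_t fixed[14] = {0, 1, 8, 0, 6, 4, 0, 0, 2, 0, 0, 0, 0, 1};
    memset(buf, 0, ARP_LEN);
    memcpy(buf, fixed, sizeof fixed);    /* htype, ptype, hlen, plen, op, sha. */
    buf[7] = (uint8_t) op;
    memcpy(buf + 14, spa, 4);
    memcpy(buf + 24, tpa, 4);
}

int main(void)
{
    const uint8_t vip[4] = {192, 0, 2, 1}, host[4] = {192, 0, 2, 10};
    uint8_t pkt[ARP_LEN]; struct neigh n;
    make_arp(pkt, ARP_REQUEST, vip, vip);     /* Gratuitous request. */
    printf("gratuitous: %d\n", arp_snoop_classify(pkt, sizeof pkt, &n));
    make_arp(pkt, ARP_REQUEST, host, vip);    /* Ordinary request. */
    printf("ordinary:   %d\n", arp_snoop_classify(pkt, sizeof pkt, &n));
    return 0;
}
```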
Mark Michelson [Mon, 9 Apr 2018 17:07:20 +0000 (12:07 -0500)]
stopwatch: Fix Windows incompatibility
Stopwatch was implemented using a Unix-only pipe structure. This commit
changes to using a guarded list and latch in order to pass data between
threads.
Signed-off-by: Mark Michelson <mmichels@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
json.at: Avoid to run $PYTHON when python is not available
This commit is needed since autotest tries to run AT_XFAIL_IF when
AT_SKIP_IF condition is true too.
Currently HAVE_PYTHON is required, but this may change in the future
since many distributions are migrating to python3 as default python
(like Arch Linux or Fedora) and so it can be a good idea to permit to
build OVS using python3.
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
In some environments, builds would fail with the following error:
lib/stopwatch.c: In function ‘stopwatch_exit’:
lib/stopwatch.c:448:5: error: ignoring return value of ‘write’, declared
with attribute warn_unused_result [-Werror=unused-result]
write(stopwatch_pipe[1], &pkt, sizeof pkt);
This patch explicitly ignores the return value of write().
Signed-off-by: Justin Pettit <jpettit@ovn.org> Acked-by: Mark Michelson <mmichels@redhat.com>
Jan Scheurich [Thu, 5 Apr 2018 14:11:04 +0000 (16:11 +0200)]
nsh: Add unit test for double NSH encap and decap
The added test verifies that OVS correctly encapsulates an Ethernet
packet with two NSH (MD1) headers, sends it with an Ethernet header
over a patch port and decaps the Ethernet and the two NSH headers on
the receiving bridge to reveal the original packet.
The test case performs the encap() operations in a sequence of three
chained groups to test the correct handling of encap() actions in
group buckets recently fixed in commit ce4a16ac0.
Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Jan Scheurich [Thu, 5 Apr 2018 14:11:03 +0000 (16:11 +0200)]
xlate: Correct handling of double encap() actions
When the same encap() header was pushed twice onto a packet (e.g. in the
case of NSH in NSH), the translation logic only generated a datapath push
action for the first encap() action. The second encap() did not emit a
push action because the packet type was unchanged.
commit_encap_decap_action() (renamed from commit_packet_type_change) must
solely rely on ctx->pending_encap to generate a datapath push action.
Similarly, the first decap() action on a double header packet does not
change the packet_type either. Add a corresponding ctx->pending_decap
flag and use that to trigger emitting a datapath pop action.
Fixes: f839892a2 ("OF support and translation of generic encap and decap") Fixes: 1fc11c594 ("Generic encap and decap support for NSH") Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Numan Siddique [Mon, 12 Mar 2018 06:50:57 +0000 (12:20 +0530)]
Fix possible timing issues in OVN test cases
This patch fixes timing related failures in some test cases when run with
-j option. It uses OVS_WAIT_* wherever appropriate. It also fixes the
test case "ovn -- IPv6 periodic RA" wherein the logical port - sw-p1 is
bound on 2 chassis and this causes both the chassis to fight for the port.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Yi-Hung Wei [Wed, 14 Mar 2018 18:16:41 +0000 (11:16 -0700)]
ofproto-dpif-xlate: Report ct fields changes in ofproto/trace
With commit f6fabcc6 ("ofproto-dpif: Mark packets as "untracked" after
call to ct()"), after the ct() action, the packet conntrack state is set
to an untracked state, and all the conntrack fields are cleared.
This patch updates ofproto/trace report to reflect this change, so that
it would be easier to debug OpenFlow pipeline with conntrack.
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
This patch adds the options to start clustered OVN db servers in ovn-ctl.
To support this, following options are added - '--db-(nb/sb)-cluster-local-addr',
'--db-(nb/sb)-cluster-local-port', '--db-(nb/sb)-cluster-local-proto',
'--db-(nb/sb)-cluster-remote-addr', '--db-(nb/sb)-cluster-remote-port' and
'--db-(nb/sb)-cluster-remote-proto'.
If only '--db-(nb/sb)-cluster-local-addr' is defined then clustered db is created
(using ovsdb-tool create-cluster). If both are defined, then the db is added to
the cluster (using ovsdb-tool join-cluster).
This patch also adds the support to configure ovn-northd to point to all the servers
in the cluster using the options - '--ovn-northd-nb-db' and 'ovn-northd-sb-db'.
Presently this patch doesn't handle the schema update scenario when restarting the
clustered ovsdb-servers. This will be handled in a separate patch.
The initial versions of these commands are tested by Aliasgar <aginwala <aginwala@asu.edu>
and the discussion on this can be found here -
https://mail.openvswitch.org/pipermail/ovs-discuss/2018-March/046470.html
(There are 4 checkpatch warnings 'Line length is >79-characters long' in ovn-ctl.8.xml
which I couldn't resolve without losing proper rendering when "man ovn-ctl" is run.)
Co-authored-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
By default, ovs-ofctl can accept and display port
names in place of numbers. ovs-ofctl tool exports
only the option --names, but not --no-names in
command help information.
Fixes: 50f96b10e1c8 ("Support accepting and displaying port names in OVS tools.") Cc: Ben Pfaff <blp@ovn.org> Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>