Andrew Evans [Thu, 7 Apr 2011 19:43:18 +0000 (19:43 +0000)]
datapath: Update netdev_frame_hook() for 2.6.39 rx handler API change.
netdev_rx_handler_register() changed the type of the skb argument to the
callback function as well as the return type. Special-case
netdev_frame_hook() to do the right thing on 2.6.39 and later.
Signed-off-by: Andrew Evans <aevans@nicira.com> Acked-by: Jesse Gross <jesse@nicira.com>
Ethan Jackson [Thu, 7 Apr 2011 00:23:40 +0000 (17:23 -0700)]
cfm: Fix broken fault logic.
If the last receive time for a remote MP was before the last fault
check, the CFM code would not declare a fault. This is, of course,
exactly the wrong response.
Ethan Jackson [Mon, 4 Apr 2011 23:55:34 +0000 (16:55 -0700)]
dpif-linux: Choose port numbers more prudently.
Before this patch the kernel chose the lowest available number for
newly created datapath ports. This patch moves the port number
choosing responsibility to user space, and implements a least
recently used port number queue in an attempt to avoid reuse.
Ethan Jackson [Sat, 2 Apr 2011 00:37:56 +0000 (17:37 -0700)]
bond: Choose slaves randomly.
When the bonding library encounters a flow it hasn't seen before,
it assigns it to the active slave and waits for load balancing to
move it to a more appropriate place. This commit causes it to
first attempt a random slave.
Ben Pfaff [Mon, 4 Apr 2011 17:59:19 +0000 (10:59 -0700)]
daemon: Avoid races on pidfile creation.
Until now, if two copies of one OVS daemon started up at the same time,
then due to races in pidfile creation it was possible for both of them to
start successfully, instead of just one. This was made worse when a
previous copy of the daemon had died abruptly, leaving a stale pidfile.
This commit implements a new pidfile creation and removal protocol that I
believe closes these races. Now, a pidfile is asserted with "link" instead
of "rename", which prevents the race on creation, and a stale pidfile may
only be deleted by a process after it has taken a lock on it.
This may solve mysterious problems seen occasionally on vswitch restart.
I'm still puzzled by these problems, however, because I don't see anything
in our tests cases that would actually cause two copies of a daemon to
start at the same time, which as far as I can see is a necessary
precondition for the problem.
Ben Pfaff [Thu, 31 Mar 2011 16:44:30 +0000 (09:44 -0700)]
daemon: Integrate checking for an existing pidfile into daemonize_start().
Until now, it has been the responsibility of an individual daemon to call
die_if_already_running() at an appropriate time. A long time ago, this
had to happen *before* daemonizing, because once the process daemonized
itself there was no way to report failure to the process that originally
started the daemon. With the introduction of daemonize_start(), this is
now possible, but we haven't been taking advantage of it.
Therefore, this commit integrates the die_if_already_running() call into
daemonize_start() and deletes the calls to it from individual daemons.
Ben Pfaff [Thu, 31 Mar 2011 21:52:36 +0000 (14:52 -0700)]
stream-ssl: Use out_of_memory() to abort due to lack of memory.
This matches what xmalloc() does. It will be handled better by a monitor
process (created with --monitor), which will restart the child instead of
exiting.
Ben Pfaff [Fri, 1 Apr 2011 20:47:51 +0000 (13:47 -0700)]
xenserver: Fix up iface-id after it changes or disappears too.
ovs-xapi-sync is supposed to always keep external-ids:iface-id up to date,
but in fact it would only set it when an interface initially appeared. If
the interface quickly disappeared and reappeared, then it failed to notice
that iface-id had changed or disappeared. This happens in practice on
Citrix XenServer, where VM "tap" devices often disappear and then reappear
almost immediately during VM boot. This commit fixes the problem.
This also fixes the similar problem for external-ids:bridge-id in Bridge
records. Bridges aren't ordinarily destroyed and re-created quickly, so
this problem might never have manifested in practice for bridges.
Many thanks to Reid Price <reid@nicira.com> for identifying the problem
and supplying an initial fix.
Bug #5239. Reported-by: Henrik Amren <henrik@nicira.com>
Ben Pfaff [Thu, 24 Mar 2011 19:30:51 +0000 (12:30 -0700)]
bridge: Change "struct dst" from containing a dp_ifidx to a struct iface *.
The following commit will need to iterate over a set of "struct
dst"s, obtaining the iface for each. It could look them up using
the hash table that indexes over dp_ifidx, but it's easier if we
simply store the iface pointer directly.
Ben Pfaff [Wed, 30 Mar 2011 18:03:16 +0000 (11:03 -0700)]
bridge: Break bonding implementation out into library.
This removes over 1000 lines of code from bridge.c and will make it
easier to moving the bonding implementation into ofproto as part of
future development.
Ben Pfaff [Wed, 23 Mar 2011 17:47:15 +0000 (10:47 -0700)]
bridge: Simplify and clean up bond slave enable/disable.
The code that enables and disables bond slaves was a bit of a mess:
* Disabling a slave could recursively enable a different slave.
* Processing a flow could enable a slave.
This commit gets rid of both of those properties, which made it difficult
to reason about the code paths along which slaves would be enabled and
disabled.
Ben Pfaff [Mon, 21 Mar 2011 19:49:44 +0000 (12:49 -0700)]
bridge: Drop LACP configuration members from struct iface and struct port.
There's no reason that I can see to maintain this information in struct
port and struct iface. It's redundant, since the lacp implementation
maintains the same information.
Ben Pfaff [Mon, 21 Mar 2011 20:15:31 +0000 (13:15 -0700)]
lacp: Fix misleading prototype for lacp_configure().
Only the first 6 bytes (ETH_ADDR_LEN) of the 'sys_id' argument are used,
but the prototype declared it as an array of 8 bytes. This has no effect
on the generated code--the declared size of an array parameter is
irrelevant--but it is misleading.
Also, add 'const' since the array is not modified.
Ben Pfaff [Thu, 24 Mar 2011 20:35:15 +0000 (13:35 -0700)]
packets: Fix potential use-after-free in compose_benign_packet().
The second call to ofpbuf_put_zeros() could cause the 'eth' pointer to
be invalidated.
It appears that this does not fix a real bug because the existing callers
all preallocate 128 bytes of tailroom, but the interface doesn't document
that requirement.
Ben Pfaff [Fri, 1 Apr 2011 22:46:22 +0000 (15:46 -0700)]
ovsdb-server: Avoid intermittent test failures due to lockfile log message.
Sometimes lockfile will emit a message saying that it took a little while
to get the lock, which caused spurious test failures. This commit
suppresses the message. With this change, I was able to run these tests
continuously for some time without failures.
This was a bug in the testsuite, not in the code under test.
Ethan Jackson [Fri, 1 Apr 2011 20:10:49 +0000 (13:10 -0700)]
cfm: Allow time for CCM reception after cfm_configure();
Before this (and the previous) patch, whenever cfm_configure was
called it would set the fault_timer to expired. Thus, the next
call to cfm_run would notice a lack of CCM reception and trigger a
faulted status. This is a bug in and of itself, but normally would
not be a big deal because cfm_configure should only be called
infrequently (when the database changes). However due to an
unrelated bug, cfm_configure() was getting called approximately once
per second. This resulted in all monitors showing faults all of
the time.
This patch fixes the problem by not expiring the timer at
cfm_configure(). Instead it gives it the appropriate
fault_interval amount of time to miss heartbeats.
Ethan Jackson [Fri, 1 Apr 2011 20:22:44 +0000 (13:22 -0700)]
cfm: cfm_configure() only update when necessary.
Calling cfm_configure often could cause timers to be reset
resulting in unexpected behavior. This commit only updates when
cfm configuration actually changed.
Ben Pfaff [Mon, 28 Mar 2011 20:05:40 +0000 (13:05 -0700)]
ovsdb: Truncate bad transactions from database log.
When ovsdb-server reads a database file that is corrupted at the
transaction level (that is, the transaction is valid JSON and has the
correct SHA-1 hash, but it does not describe a valid database transaction),
then ovsdb-server should truncate it and overwrite it by valid
transactions. However, until now, it didn't. Instead, it would keep the
invalid transaction and possibly every transaction in the database file
(depending on in what way the transaction was invalid), which would just
cause the same trouble again the next time the database was read.
This fixes the problem. An invalid transaction will be deleted from the
database file at the first write to the database.
Ben Pfaff [Mon, 28 Mar 2011 19:57:20 +0000 (12:57 -0700)]
ovsdb: Check that ovsdb-server truncates corrupted database logs.
When ovsdb-server reads a database that is corrupted at the log level
(that is, when ovsdb_log detects the corruption by checking the SHA-1 hash
of the record or JSON parser error reporting), then writing to the database
should discard the corrupted data and thereby fix the problem for future
ovsdb-server runs.
This already worked OK. This just adds an extra test.
Ben Pfaff [Mon, 28 Mar 2011 19:59:18 +0000 (12:59 -0700)]
ovsdb: Raise database corruption log level from warning to error.
If there's database corruption then it indicates that something went wrong,
e.g. the machine was powered-off by power failure. It's definitely
something that the admin should know about. This sounds like an error to
me, so use that log level.
Ben Pfaff [Thu, 31 Mar 2011 23:43:43 +0000 (16:43 -0700)]
ovsdb: Force strong references to non-root tables to be persistent.
When a strong reference to a non-root table is ephemeral, the database log
can contain inconsistencies. In particular, if the column in question is
the only reference to a row, then the row will be created in one logged
transaction but the reference to it will not be logged (because it is
ephemeral). Thus, any later occurrence of the row later in the log (to
modify it, to delete it, or just to reference it) will yield a transaction
error and reading the database will abort at that point.
This commit fixes the problem by forcing any column with a strong reference
to a non-root table to be persistent.
The change to ovsdb_schema_from_json() looks bigger than it really is: it
just swaps the order of two operations on the schema and updates their
comments. Similarly for the update to ovs.db.DbSchema.__init__().
Ben Pfaff [Mon, 28 Mar 2011 17:48:36 +0000 (10:48 -0700)]
ovsdb-types: Fix bug in ovsdb_base_type_is_ref().
This function only worked properly inside OVSDB itself, because that is
the only place where the 'refTable' member of ovsdb_base_type is set.
Both inside and outside OVSDB, 'refTableName' is set for reference types,
so it's better to check for that.
This doesn't fix any existing bug because this function was only used
inside OVSDB until now.
Ben Pfaff [Fri, 25 Mar 2011 22:26:30 +0000 (15:26 -0700)]
Convert shash users that don't use the 'data' value to sset instead.
In each of the cases converted here, an shash was used simply to maintain
a set of strings, with the shash_nodes' 'data' values set to NULL. This
commit converts them to use sset instead.
Ben Pfaff [Wed, 30 Mar 2011 20:44:10 +0000 (13:44 -0700)]
sset: New data type for a set of strings.
Many uses of "shash" or "svec" data structures really call for a "set of
strings" data type. This commit introduces such a data structure. Later
commits convert inappropriate uses of shash and svec to use sset instead.
Ethan Jackson [Thu, 31 Mar 2011 20:46:04 +0000 (13:46 -0700)]
lib: Create new timer library.
Scattered throughout the code base we use long integers to
implement timers. When the result of timer_msec() is greater than
the time stored, we preform some action.
This commit creates a new timer library intended to replace these
manually managed timers. Code using the timer library will be more
obviously correct, and more consistent with other code using the
library.
Ben Pfaff [Thu, 31 Mar 2011 21:11:57 +0000 (14:11 -0700)]
ofproto: Fix order of destruction in ofproto_destroy().
ofproto_flush_flows() calls into the connmgr (via connmgr_flushed()) so
it must be called before destroying the connmgr to avoid a use-after-free
error.
Ben Pfaff [Wed, 2 Mar 2011 21:39:59 +0000 (13:39 -0800)]
ofpbuf: Make ofpbufs initialized with ofpbuf_use_stack() not expandable.
My original intent for ofpbufs initialized with ofpbuf_use_stack() was that
the caller was providing enough space on the stack for the common case,
with dynamic allocation as a fallback. But in practice, none of the
clients actually do this. Instead, all of them actually know that the
stack-allocated buffer is big enough and, since they don't want to bother
with having to call ofpbuf_delete(), they instead assert that the buffer
wasn't reallocated.
Since this is a bit of a pain, this commit changes the semantics of
ofpbuf_use_stack() to be that the stack-allocated buffer cannot be
reallocated at all. This is more convenient for the existing clients.
Ben Pfaff [Wed, 30 Mar 2011 21:54:26 +0000 (14:54 -0700)]
datapath: Fix mysterious GRE-over-IPSEC problems.
We've noticed that packets that go up to userspace and then back down to
the kernel and then enter an GRE tunnel that is then ESP encapsulated
by IPSEC end up with a bad ESP "next header" value: it ends up as zero
instead of 0x2f (IPPROTO_GRE). Just putting packets from userspace into
a freshly allocated skb fixes the problem.
The underlying problem that this works around is still unknown.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jesse Gross <jesse@nicira.com>
Bug #4769.
Ben Pfaff [Mon, 28 Mar 2011 20:43:32 +0000 (13:43 -0700)]
timeval: Only log poll intervals longer than 50 ms.
When poll interval-based logging was introduced a long time, we were
actively interested in looking at almost every long poll interval. But
these days, with OVS working rather well, with pretty good latency, most
of the messages are red herrings that bother some administrators and
provoke false reports. So this commit suppresses all but the most
egregious long poll intervals that may in fact be worth looking at.
Ben Pfaff [Tue, 29 Mar 2011 17:08:16 +0000 (10:08 -0700)]
bridge: Always wait for MAC learning table and ports.
The test ofproto_has_primary_controller() is meaningless, since OFPP_NORMAL
can cause the MAC learning table and port bonding to be in use even when
there is a controller.
I see that this bug has been here since early 2009, when the OFPP_NORMAL
feature was introduced in the bridge. (Obviously it's not a severe
problem.)
Ben Pfaff [Mon, 28 Mar 2011 23:22:59 +0000 (16:22 -0700)]
xenserver: Wait for ovs-xapi-sync to exit in "stop" command.
It seems possible that "restart" or a quick application of "stop" then
"start" could kill ovs-xapi-sync without starting it again, if
ovs-xapi-sync takes a little while to die, long enough for the next
instance of it to see that its pidfile is still open and locked.
I hope that this fixes some odd races that we've noticed in the "restart"
command.
Ethan Jackson [Mon, 28 Mar 2011 20:10:12 +0000 (13:10 -0700)]
cfm: No longer keep track of bad remote MPs and MAIDS.
Ben pointed out that an attacker could cause OVS to use infinite
memory by sending a series of CCMs with different MAIDs. Each
message would cause a remote_maid to be allocated and stored for
several seconds.
Since Commit 1c2e2d2fc8 (cfm: Don't report unexpected remote
endpoints) no longer reports unexpected remote MAIDS and MPs in the
database, the only reason to keep track of this information is for
debugging purposes. In my judgment, it provides negligible useful
debugging information at the expense of significantly increased
code complexity. This commit rips it out entirely.
Ethan Jackson [Fri, 25 Mar 2011 21:26:53 +0000 (14:26 -0700)]
cfm: Reduce missed CCM detection time.
The specification says that a fault should be signaled when 3.5 *
ccm_interval milliseconds have passed. This commit respects that
requirement, possibly increasing the responsiveness of fault
detection slightly.