Ben Pfaff [Wed, 25 Nov 2015 16:15:04 +0000 (08:15 -0800)]
ofproto: Correctly reject duplicate bucket ID for OFPGC_INSERT_BUCKET.
Otherwise duplicate bucket IDs cause linked list loops and other nastiness
because the ofputil_bucket_find() in the OFPG15_BUCKET_LAST case later in
copy_buckets_for_insert_bucket() will find the new bucket instead of the
old one and the list_splice() call becomes nonsensical.
Reported-by: Ray Li <rayli1107@gmail.com>
Reported-at: http://openvswitch.org/pipermail/discuss/2015-September/018731.html Signed-off-by: Ben Pfaff <blp@ovn.org> Reviewed-by: Simon Horman <simon.horman@netronome.com>
stream-ssl: Replace client CA list instead of adding to it.
SSL_CTX_add_client_CA() appends to the client CA list without replacing any
already on the list, and furthermore wastes memory if the certificate in
the file is already on the list. This commit thus fixes an effective
memory leak.
Signed-off-by: YongQiangLiu <liu.liuyongqiang@huawei.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Joe Stringer [Sat, 7 Nov 2015 20:00:00 +0000 (12:00 -0800)]
system-traffic: Add internal port conntrack tests.
Add an additional test that ensures that when receiving packets from
internal ports that reside in a foreign namespace, the conntrack
information is not populated in the flow.
Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Daniele Di Proietto <diproiettod@vmware.com>
Joe Stringer [Sat, 7 Nov 2015 19:59:58 +0000 (11:59 -0800)]
system-traffic: Remove netcat from ICMP test.
Netcat is different on each platform I tried (Debian, Ubuntu, RHEL),
so rather than handling version differences it's better to just do the
same test with some hardcoded packets.
Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Daniele Di Proietto <diproiettod@vmware.com>
Jarno Rajahalme [Tue, 24 Nov 2015 21:33:22 +0000 (13:33 -0800)]
system-tests: Use '--bundle'
Use OpenFlow bundles for setting up flow tables. This has the benefit
that when debugging test failures, no packet gets processed by
a partially set-up flow table, which may seem confusing.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
Joe Stringer [Wed, 11 Nov 2015 21:25:44 +0000 (13:25 -0800)]
compat: Explicitly include net/ip.h in net/udp.h.
The inet_get_local_port_range() function is defined as a 3-parameter
version in the backported net/ip.h, however some versions of RHEL7
kernel use the 2-parameter version in their net/udp.h header. We need to
make sure that our net/ip.h is first included, then undef our overriding
3-parameter version, include the system net/udp.h, then redefine our
overriding 3-parameter version so that it may be used inside OVS code.
This header needs to include net/ip.h here as some files may not include
it prior to net/udp.h, in which case the logic we have to define the
right version while including the system net/udp.h will not work.
Specifically this fixes issues on kernel 3.10.0-229.7.2.el7.x86_64
(perhaps earlier as well; some later versions make this unnecessary).
Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Russell Bryant [Mon, 23 Nov 2015 16:23:02 +0000 (11:23 -0500)]
ovn: Update BFD item in the ovn TODO list.
Update the BFD todo item to clarify where we might use BFD as it
previously seemed to imply we wanted to enable it for all
hypervisor-to-hypervisor tunnels.
Signed-off-by: Russell Bryant <russell@ovn.org> Acked-By: Kyle Mestery <mestery@mestery.com> Acked-by: Ben Pfaff <blp@ovn.org>
Prevent test failures when there are non Ethernet devices on the system.
When there are PtP TUN devices on the system or SIT devices, tests will fail
because of a warning that it was not possible to get their Ethernet addresses.
That call comes from the route code adding tunnel ports.
Make that warning an informational message and filter that out during tests.
Also, return EINVAL when trying to get those interface Ethernet addresses, which
will prevent them from being added to the tunnel ports pool and will properly
fail in other places as well.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Sten Spans [Thu, 22 Oct 2015 06:53:18 +0000 (08:53 +0200)]
xenserver: Add ovsdb_port variable to xapi configuration update plugin.
The hardcoded ovsdb port causes problems when hooking up xenserver to
different SDN stacks. Changing this to a variable at the start of the
script makes it easier to update this when needed (using chef/puppet/etc)
Signed-off-by: Sten Spans <sten@blinkenlights.nl> Signed-off-by: Ben Pfaff <blp@ovn.org>
Shad Ansari [Tue, 27 Oct 2015 20:55:35 +0000 (13:55 -0700)]
ovsdb-idl: Add support for change tracking.
Ovsdb-idl notifies a client that something changed; it does not track
which table, row changed in what way (insert, modify or delete).
As a result, a client has to scan or reconfigure the entire idl after
ovsdb_idl_run(). This is presumably fine for typical ovs schemas where
tables are relatively small. In use-cases where ovsdb is used with
schemas that can have very large tables, the current ovsdb-idl
notification mechanism does not appear to scale - clients need to do a
lot of processing to determine the exact change delta.
This change adds support for:
- Table and row based change sequence numbers to record the
most recent IDL change sequence numbers associated with insert,
modify or delete update on that table or row.
- Change tracking of specific columns. This ensures that changed
rows (inserted, modified, deleted) that have tracked columns, are
tracked by IDL. The client can directly access the changed rows
with get_first, get_next operations without the need to scan the
entire table.
The tracking functionality is not enabled by default and needs to
be turned on per-column by the client after ovsdb_idl_create()
and before ovsdb_idl_run().
    /* Example Usage */

    idl = ovsdb_idl_create(...);

    /* Track specific columns */
    ovsdb_idl_track_add_column(idl, column);
    /* Or, track all columns */
    ovsdb_idl_track_add_all(idl);

    for (;;) {
        ovsdb_idl_run(idl);
        seqno = ovsdb_idl_get_seqno(idl);

        /* Process only the changed rows in Table FOO */
        FOO_FOR_EACH_TRACKED(row, idl) {
            /* Determine the type of change from the row seqnos */
            if (foo_row_get_seqno(row, OVSDB_IDL_CHANGE_DELETE)
                >= seqno) {
                printf("row deleted\n");
            } else if (foo_row_get_seqno(row, OVSDB_IDL_CHANGE_MODIFY)
                       >= seqno) {
                printf("row modified\n");
            } else if (foo_row_get_seqno(row, OVSDB_IDL_CHANGE_INSERT)
                       >= seqno) {
                printf("row inserted\n");
            }
        }

        /* All changes processed - clear the change track */
        ovsdb_idl_track_clear(idl);
    }
Signed-off-by: Shad Ansari <shad.ansari@hp.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Shad Ansari [Thu, 22 Oct 2015 21:35:24 +0000 (14:35 -0700)]
ovsdb-idl: Support for readonly columns that are fetched on-demand
There is currently no mechanism in IDL to fetch specific column values
on-demand without having to register them for monitoring. In the case
where the column represents a frequently changing entity (e.g. counter),
and the reads are relatively infrequent (e.g. CLI client), there is a
significant overhead in replication.
This patch adds support in the Python IDL to register a subset of the
columns of a table as "readonly". Readonly columns are not replicated.
Users may "fetch" the readonly columns of a row on-demand. Once fetched,
the columns are not updated until the next fetch by the user. Writes by
the user to readonly columns do not change the value (both locally or
on the server).
The two main user visible changes in this patch are:
- The SchemaHelper.register_columns() method now takes an optional
argument to specify the subset of readonly column(s)
- A new Row.fetch(columns) method to fetch values of readonly column(s)
Usage:
------

    # Schema file includes all columns, including readonly
    schema_helper = ovs.db.idl.SchemaHelper(schema_file)

    # Register interest in columns with 'r' and 's' as readonly
    schema_helper.register_columns("simple", ["i", "r", "s"], ["r", "s"])

    # Create Idl and jsonrpc, and wait for update, as usual
    ...

    # Fetch value of column 'r' for a specific row
    row.fetch('r')
    txn.commit_block()

    print(row.r)
    print(getattr(row, 'r'))

    # Writing to readonly column has no effect (locally or on server)
    row.r = 3
    print(row.r)     # prints fetched value not 3
Signed-off-by: Shad Ansari <shad.ansari@hp.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ariel Tubaltsev [Sat, 14 Nov 2015 01:01:11 +0000 (17:01 -0800)]
HW VTEP Schema: update Tunnel table definition
vtep/vtep.xml : Tunnel table definitions were reviewed against
latest OVS schema.
Relevant changes taken into HW VTEP schema.
XML formatting of Tunnel table corrected
Signed-off-by: Ariel Tubaltsev <tubaltzev@gmail.com> Acked-by: Bruce Davie <bdavie@vmware.com> Signed-off-by: Russell Bryant <russell@ovn.org>
netdev-dpdk: assume dpdkr peer can be multi-producer/consumer
Although netdev does explicit locking, it is only valid from the ovs
perspective, then only the ring ends used by ovs should be declared as
single producer/consumer.
The other ends that are used by the application should be declared as
multiple producer/consumer that is the most general case.
Signed-off-by: Mauricio Vasquez B <mauricio.vasquezbernal@studenti.polito.it> Acked-by: Flavio Leitner <fbl@sysclose.org> Acked-by: Daniele Di Proietto <diproiettod@vmware.com>
Andy Zhou [Sat, 14 Nov 2015 02:39:37 +0000 (18:39 -0800)]
vlog: Fix a deadlock bug.
Calling VLOG_FATAL() while holding the 'log_file_mutex' may lead to
deadlock since VLOG_FATAL() implementation tries to acquire the
same lock. Fix this by building the error message first, then
call VLOG_FATAL() after the 'log_file_mutex' has been released.
This bug is not likely to show up in practice since chown() usually
won't fail. It is still better to have a correct implementation.
Reported-by: Daniele Di Proietto <ddiproietto@vmware.com> Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Daniele Di Proietto <ddiproietto@vmware.com>
Docker multi-host networking is now part of
Docker 1.9.
This commit adds two drivers for OVN integration
with Docker. The first driver is a pure overlay driver
that does not need OpenStack integration. The second driver
needs OVN+OpenStack.
The description of the Docker API exists here:
https://github.com/docker/libnetwork/blob/master/docs/remote.md
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com> Acked-by: Ben Pfaff <blp@ovn.org>
Russell Bryant [Thu, 12 Nov 2015 19:06:39 +0000 (14:06 -0500)]
ovn-tutorial: Use github instead of relative links.
All of these links worked when viewing OVN-Tutorial on github, but most of
these links didn't work when viewing OVN-Tutorial.md.html in dist-docs.
Use full github links so that they always work (as long as you have
internet access).
Signed-off-by: Russell Bryant <russell@ovn.org> Acked-By: Kyle Mestery <mestery@mestery.com>
Andy Zhou [Sat, 10 Oct 2015 02:45:46 +0000 (19:45 -0700)]
lib: allow group access to Unix domain sockets
By default, Unix domain sockets are created with file system permission
mode of 0700. This means that only processes that run under the same
user can access this socket.
For OVS, it may be more convenient to control access at the group
level rather than at the user level, since other processes need to
access OVSDB and UNIXCTL sockets while running under different users.
This patch changes Unix domain sockets' file system permission to 0770,
to grant group access.
It has not been an issue in the past since OVS, until very recently,
had to run as root. If a process needed to access OVSDB or UNIXCTL
sockets, it had to be a root process as well.
With the added --user option to OVS daemons and this change, system
administrators can deploy OVS more securely: OVS daemons can run as
a non-root user. Various processes that need to talk to OVS do not
have to run as root processes anymore.
Signed-off-by: Andy Zhou <azhou@nicira.com> Acked-by: Ansis Atteka <aatteka@nicira.com>
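The permission change described in the commit above, as an added example (not code from the OVS tree): it creates the socket file owner-only and then widens it to the requested mode, and reads the result back with lstat(). The function names, the temporary directory and the socket file name are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Binds and listens on a Unix domain socket at 'path' with file mode 'mode'
 * (e.g. 0770).  Returns the listening fd, or a negative errno on failure. */
int
bind_unix_socket_mode(const char *path, mode_t mode)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int fd, error, len;

    len = snprintf(addr.sun_path, sizeof addr.sun_path, "%s", path);
    if (len < 0 || (size_t) len >= sizeof addr.sun_path) {
        return -ENAMETOOLONG;
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) {
        return -errno;
    }
    /* Create the file owner-only, then widen it, so that it is never more
     * permissive than 'mode'.  umask() is process-wide: do this at start-up. */
    mode_t old_umask = umask(0077);
    error = bind(fd, (struct sockaddr *) &addr, sizeof addr) ? errno : 0;
    umask(old_umask);
    if (!error && (chmod(path, mode) || listen(fd, 8))) {
        error = errno;
        unlink(path);           /* bind() created the file; remove it again. */
    }
    if (error) {
        close(fd);
        return -error;
    }
    return fd;
}

/* Constructed demo: binds a socket in a fresh temporary directory and returns
 * the permission bits lstat() reports for it, or -1 on any failure. */
int
demo_socket_mode(mode_t mode)
{
    char dir[] = "/tmp/sock-demo-XXXXXX", path[64];
    struct stat s;
    int fd, result = -1;
    if (!mkdtemp(dir)) {
        return -1;
    }
    snprintf(path, sizeof path, "%s/db.sock", dir);
    fd = bind_unix_socket_mode(path, mode);
    if (fd >= 0) {
        if (!lstat(path, &s) && S_ISSOCK(s.st_mode)) {
            result = s.st_mode & 0777;
        }
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("socket mode: %04o\n", (unsigned int) demo_socket_mode(0770));
    return 0;
}
```

Group members also need search permission on every directory leading to the socket, so the containing directory's mode and group matter as much as the socket's own.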
Andy Zhou [Sat, 10 Oct 2015 02:07:40 +0000 (19:07 -0700)]
vlog: change log file owner when switching user
vlog log file can be created when parsing --log-file option, before
switching user, in case the --user option is also specified. While this
does not directly cause errors for the running daemons, it can
leave the log files on the disk as created under the "root" user.
This patch fixes the log file ownership to the user specified with --user.
Signed-off-by: Andy Zhou <azhou@nicira.com> Acked-by: Ansis Atteka <aatteka@nicira.com>
Andy Zhou [Sat, 10 Oct 2015 01:48:59 +0000 (18:48 -0700)]
lib: simplify daemon_become_new_user__()
A global variable 'switch_user' was used to make sure
we switch process's current user only once. This logic is now
simplified by testing for uid directly; if switch process has
taken place, the current uid will not be zero.
Signed-off-by: Andy Zhou <azhou@nicira.com> Acked-by: Ansis Atteka <aatteka@nicira.com>
Joe Stringer [Sat, 7 Nov 2015 00:16:47 +0000 (16:16 -0800)]
ofproto-dpif-xlate: Don't stop processing after ct.
If conntrack recirculates, it should not stop processing the current
pipeline. The cloned packet will begin processing in the table specified
with the current metadata and action set; the current copy of the packet
will continue processing, including to return back to prior resubmit()
calls.
Reported-by: Russell Bryant <rbryant@redhat.com> Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Ben Pfaff [Wed, 11 Nov 2015 16:58:51 +0000 (08:58 -0800)]
dist-docs: Fix text and HTML manpage generation with some groff versions.
Some versions of groff use termcap sequences for bold, italic, etc. by
default. The dist-docs script doesn't cope with those; it expects
sequences based on backspacing and overprinting. This commit fixes the
problem by setting an environment variable GROFF_NO_SGR that forces groff
to use backspacing.
Found on Fedora.
Reported-by: Russell Bryant <rbryant@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Russell Bryant <rbryant@redhat.com>
Ben Pfaff [Tue, 10 Nov 2015 21:13:28 +0000 (13:13 -0800)]
ovs-thread: Fix memory leak in thread exit.
'n' is the number of keys, which are grouped into blocks of L2_SIZE
indexes. Even if only one key in a block is allocated, the whole block has
a pointer to it that must be freed. Thus, we need to round up instead of
down.
Reported-at: https://github.com/openvswitch/ovs/pull/87 Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
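The rounding error described in the commit above, as an added example (not code from the OVS tree): a two-level table is filled with keys 0 to n-1 and torn down with the block count rounded down or up, and the number of blocks left allocated is counted. L1_SIZE, the value of L2_SIZE and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Sizes assumed for this example; the page gives no value for L2_SIZE. */
#define L1_SIZE 8
#define L2_SIZE 4
#define DIV_ROUND_UP(X, Y) (((X) + (Y) - 1) / (Y))

/* Two-level table: p1[i] points to a block holding L2_SIZE value slots. */
struct slots {
    void **p1[L1_SIZE];
    int live_blocks;            /* Blocks currently allocated. */
};

/* Stores 'value' under 'key', allocating the key's block on first use. */
static void
slots_set(struct slots *s, unsigned int key, void *value)
{
    unsigned int i = key / L2_SIZE;     /* Caller guarantees i < L1_SIZE. */
    if (!s->p1[i]) {
        s->p1[i] = calloc(L2_SIZE, sizeof *s->p1[i]);
        if (!s->p1[i]) {
            abort();
        }
        s->live_blocks++;
    }
    s->p1[i][key % L2_SIZE] = value;
}

/* Frees the first 'n_blocks' blocks of the table. */
static void
slots_free_blocks(struct slots *s, unsigned int n_blocks)
{
    for (unsigned int i = 0; i < n_blocks && i < L1_SIZE; i++) {
        s->live_blocks -= s->p1[i] != NULL;
        free(s->p1[i]);
        s->p1[i] = NULL;
    }
}

/* Allocates keys 0...n-1, tears the table down with the chosen rounding, and
 * returns how many blocks that teardown left allocated (that is, leaked). */
int
leaked_blocks(unsigned int n, int round_up)
{
    struct slots s = { { NULL }, 0 };
    static int value;
    int leaked;
    if (n > L1_SIZE * L2_SIZE) {
        return -1;
    }
    for (unsigned int key = 0; key < n; key++) {
        slots_set(&s, key, &value);
    }
    slots_free_blocks(&s, round_up ? DIV_ROUND_UP(n, L2_SIZE) : n / L2_SIZE);
    leaked = s.live_blocks;
    slots_free_blocks(&s, L1_SIZE);     /* Keep the demo itself leak-free. */
    return leaked;
}

int main(void)
{
    for (unsigned int n = 0; n <= 9; n++) {
        printf("n=%u: round down leaks %d, round up leaks %d\n",
               n, leaked_blocks(n, 0), leaked_blocks(n, 1));
    }
    return 0;
}
```

Rounding down leaks nothing when n is an exact multiple of L2_SIZE, which is why a test that only uses full blocks never sees the leak.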
Jiri Benc [Thu, 22 Oct 2015 17:28:57 +0000 (15:28 -0200)]
tunneling: extend tnl_match with ipv6
[cascardo: use IPv4-mapped IPv6 addresses]
Signed-off-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Co-authored-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ciara Loftus [Thu, 5 Nov 2015 11:14:25 +0000 (11:14 +0000)]
INSTALL.DPDK: Mention issue with QEMU v2.4.0 & dpdkvhostuser
Currently when using QEMU v2.4.0+, two (or more) dpdkvhostuser ports cannot
be unbound from the kernel driver in the guest without causing the
ovs-vswitchd process to crash. Document this limitation and potential
workarounds.
Signed-off-by: Ciara Loftus <ciara.loftus@intel.com> Acked-by: Daniele Di Proietto <diproiettod@vmware.com>
Jarno Rajahalme [Wed, 4 Nov 2015 23:47:36 +0000 (15:47 -0800)]
upcall: Check for recirc_id in ukey_create_from_dpif_flow()
Filter out not only flows with recirculation actions, but also flows
with non-zero recirculation id in flow key when creating ukeys from
datapath flows, as such flows also depend on the recirculation
context, which has been lost after a restart.
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Joe Stringer <joestringer@nicira.com>
Jarno Rajahalme [Wed, 4 Nov 2015 23:47:35 +0000 (15:47 -0800)]
tests: Strip more variable output from conntrack output.
'conntrack' output format varies depending on the system
configuration, i.e., conntrack accounting or timestamping is enabled.
Modify the FORMAT_CT() macro to hide these differences.
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Joe Stringer <joestringer@nicira.com>
Russell Bryant [Wed, 21 Oct 2015 20:13:43 +0000 (16:13 -0400)]
ovn-tutorial: Add a section on ACLs.
Add a section that gives a quick introduction to applying ACLs. It
discusses how the ACLs are translated into OVN logical flows. It doesn't
get down to the OpenFlow level because that's not supported in
ovs-sandbox yet. Instead, it provides a reference to an OpenStack
related blog post that talks about how OVN ACLs are used there and gives
examples of the resulting OpenFlow flows.
In theory, once we have a userspace conntrack implementation available,
we'll be able to provide better support for it in ovs-sandbox.
Signed-off-by: Russell Bryant <rbryant@redhat.com> Acked-by: Kyle Mestery <mestery@mestery.com>
Ben Pfaff [Thu, 15 Oct 2015 16:46:21 +0000 (09:46 -0700)]
ofp-parse: Fix parsing, formatting of multiple fields in NTR extension.
Until now, the only way to specify multiple fields in the "fields"
parameter for the Netronome groups extension, was to specify "fields"
more than once, e.g. fields=eth_dst,fields=ip_dst
However, this wasn't documented and the code in ofp-print didn't use it,
generating output that couldn't be parsed.
This commit fixes the situation by introducing a more straightforward
syntax, e.g. fields(eth_dst,ip_dst), documents it, and adjusts ofp-print
code to use it when there is more than one field (it retains the previous
format for backward compatibility when there is exactly one field)
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Simon Horman <simon.horman@netronome.com>
Ben Pfaff [Sat, 17 Oct 2015 21:24:01 +0000 (14:24 -0700)]
dpctl: Fix jump through wild pointer in "dpctl/help".
dpctl_unixctl_handler() didn't fully initialize the dpctl_params structure
it passed to the handler, which meant that dpctl_help() could see a nonnull
(indeterminate) 'usage' pointer and jump through it, causing a crash.
This commit fixes the crash by fully initializing the structure.
The dpctl/help command wasn't going to do anything useful anyway, so this
commit also stops registering it.
Reported-by: Murali R <muralirdev@gmail.com>
Reported-at: http://openvswitch.org/pipermail/discuss/2015-October/019135.html Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Daniele Di Proietto <diproiettod@vmware.com>
Ansis Atteka [Tue, 3 Nov 2015 23:29:32 +0000 (15:29 -0800)]
tests: add documentation for OVS_WAIT_UNTIL and OVS_WAIT_WHILE macros
It is very easy to misuse these macros, because when the COMMAND
returns exit code "0" it is actually considered as if condition
evaluated to "true" and not "false" as some might think.
This patch ensures that this is clearly reflected in documentation.
Acked-by: Ben Pfaff <blp@nicira.com> Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Russell Bryant [Sat, 24 Oct 2015 19:41:37 +0000 (15:41 -0400)]
ovn: Remove duplicate versions from schemas.
Since commit 5935835968c9d36ffe306863f0c8079d3b670e2a, the OVN nb and sb
schema definitions have included duplicate version entries. In the nb
case, the version has since been updated to 2.0.0, but only in one
place. Remove the duplicate version entries that were at the bottom of
the files.
Signed-off-by: Russell Bryant <rbryant@redhat.com> Acked-by: Ben Pfaff <blp@nicira.com>
Russell Bryant [Tue, 27 Oct 2015 09:01:28 +0000 (18:01 +0900)]
ovn: Fix check on existing encap row.
This code does some checking to validate the existing encaps for a
chassis to see if they need to be updated. This typo resulted in
ovn-controller re-creating its encap(s) every time this code ran, making
ovn-controller and ovsdb-server eat up a CPU in my testing.
Signed-off-by: Russell Bryant <rbryant@redhat.com> Acked-by: Ben Pfaff <blp@nicira.com>
datapath-windows: Updating an External Adapter causes flow lookup failure
This patch fixes an issue with updating the properties of an external
adapter in Windows. The issue causes flow lookups to fail until the
kernel is reinstalled.
Saurabh Mohan [Tue, 6 Oct 2015 23:35:32 +0000 (16:35 -0700)]
debian: place kernel module to satisfy depmod search.
On Ubuntu depmod's search priority is configured in /etc/depmod to be
updates and then the kernel built-in directory.
    $ cat /etc/depmod.d/ubuntu.conf
    search updates ubuntu built-in
Thus change the placement of openvswitch.ko under updates/ not kernel/updates.
Andy Zhou [Thu, 29 Oct 2015 21:51:34 +0000 (14:51 -0700)]
test: Make test independent of the recirc_id
Commit 8ae8176fd0d8ed919e3301cc961dcf02b65ff49d (tests: Make test
independent of the hash function) improves the test "ofproto-dpif
- balance-tcp bonding, different recirc flow" to not depend on
the values of dp-hash, but it still depends on the value of recirc_id,
which can be a different value based on runs, specifically, it depends
on which one of the two bonds allocates recirc id first.
Since both dp_hash and recirc_id values are runtime dependent,
consolidate the masking scripts into ofctl_strip.
Sairam Venugopal [Mon, 26 Oct 2015 23:48:39 +0000 (16:48 -0700)]
datapath-windows: Move OvsAllocateNBLFromBuffer to BufferMgmt
Move the functionality around creating an NBL from Buffer to
Buffermanagement. This function will be used for converting the buffer
from user-space to NBL and also by STT - reassembly logic.
Andy Zhou [Thu, 22 Oct 2015 17:29:56 +0000 (10:29 -0700)]
bfd: always export remote_state and remote_diagnostic to OVSDB
RFC 5880 specified bfd.RemoteSessionState as one of the state
variables. In OVS implementation, this value is exported to OVSDB's
BFD status column of the interface table, as one of the map elements,
with the key of 'remote_state'.
It can be surprising when the 'remote_state' map element disappears
when BFD is in the 'DOWN' state, but otherwise always exported.
Change to always exporting it, to make it more predictable for
applications that monitor the BFD status column.
While at it, make the same change to 'remote_diagnostic', so that it
is also always exported to OVSDB for consistency.
Before this commit vtep-ctl hung forever if it didn't manage to reach
the database.
This caused the testcase "ovn -- 3 HVs, 1 VIFs/HV, 1 GW, 1 LS" to hang
occasionally, because ovsdb-server could be killed before ovs-vtep
called vtep-ctl.
This mimics the behaviour of ovs-vsctl, ovn-nbctl and ovn-sbctl.
Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com> Acked-by: Justin Pettit <jpettit@nicira.com>
Ciara Loftus [Wed, 21 Oct 2015 13:50:36 +0000 (14:50 +0100)]
netdev-dpdk: Clean-up after vHost User port delete
Unregister and delete the socket associated with a vhost-user
port when the port is deleted and/or the switch is brought down.
Do not delete the socket if the vhost-user device is still attached
to the guest.
Signed-off-by: Ciara Loftus <ciara.loftus@intel.com> Acked-by: Daniele Di Proietto <diproiettod@vmware.com>