Currently we have rhel/openvswitch.spec.in that provides
sysv scripts. The fedora package provides systemd scripts.
If one upgrades openvswitch package from sysv to systemd,
you will end up in a situation where old OVS daemons are
running, but systemd does not know about it. One "restart"
is needed for systemd to see the old daemons. Another "restart"
or "force-reload-kmod" is needed to actually use the new
daemons.
This commit, just takes care of the first restart. The "real"
restart/force-reload-kmod will still have to be done outside
the package installation.
fedora: Ability to auto enable openvswitch service.
We currently have rhel/openvswitch.spec.in that automatically
enables openvswitch service when the package is installed using
chkconfig.
But fedora rpm may not enable openvswitch service automatically.
The macro currently being used in fedora rpm (systemd_post) will
look for preset files in /etc/systemd/system-preset/ to figure
out whether openvswitch service needs to be automatically enabled.
But, the fedora package does not provide such a file. The argument
is that people may want to install the package for binaries and
not necessarily to run OVS.
If someone now wants to install the fedora package and automatically
enable openvswitch, he will have to create a new package that OVS
package depends on to install the preset file. This is unwieldy.
This commit, provides a rpm build time option to enable the openvswitch
service automatically. If you now run the below command, openvswitch
service will be automatically enabled during package installation.
Yifeng Sun [Fri, 10 May 2019 19:30:14 +0000 (12:30 -0700)]
datapath: Support kernel version 4.19.x and 4.20.x
This patch updated acinclude.m4 so that OVS can be compiled on 4.19.x
and 4.20.x kernels.
This patch also updated travis files so that latest kernel versions
are used during travis test builds.
Tested-by: Greg Rose <gvrose8192@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Acked-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
netfilter: Remove useless param helper of nf_ct_helper_ext_add
The param helper of nf_ct_helper_ext_add is useless now, then remove
it now.
Signed-off-by: Gao Feng <gfree.wind@vip.163.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch backports the above upstream patch to OVS.
Cc: Gao Feng <gfree.wind@vip.163.com> Tested-by: Greg Rose <gvrose8192@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Acked-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
openvswitch: use nf_ct_get_tuplepr, invert_tuplepr
These versions deal with the l3proto/l4proto details internally.
It removes only caller of nf_ct_get_tuple, so make it static.
After this, l3proto->get_l4proto() can be removed in a followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pravin B Shelar <pshelar@ovn.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch backports the above upstream kernel patch to OVS.
Cc: Florian Westphal <fw@strlen.de> Tested-by: Greg Rose <gvrose8192@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Acked-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Yifeng Sun [Fri, 10 May 2019 19:30:11 +0000 (12:30 -0700)]
datapath: Fix conntrack_count related compilation errors
This patch fixes the compilation errors of OVS on 4.19+ kernels.
Tested-by: Greg Rose <gvrose8192@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Acked-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
ipv6: remove dependency of nf_defrag_ipv6 on ipv6 module
IPV6=m
DEFRAG_IPV6=m
CONNTRACK=y yields:
net/netfilter/nf_conntrack_proto.o: In function `nf_ct_netns_do_get':
net/netfilter/nf_conntrack_proto.c:802: undefined reference to `nf_defrag_ipv6_enable'
net/netfilter/nf_conntrack_proto.o:(.rodata+0x640): undefined reference to `nf_conntrack_l4proto_icmpv6'
Setting DEFRAG_IPV6=y causes undefined references to ip6_rhash_params
ip6_frag_init and ip6_expire_frag_queue so it would be needed to force
IPV6=y too.
This patch gets rid of the 'followup linker error' by removing
the dependency of ipv6.ko symbols from netfilter ipv6 defrag.
Shared code is placed into a header, then used from both.
Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch backports the above upstream patch to OVS.
Cc: Florian Westphal <fw@strlen.de> Tested-by: Greg Rose <gvrose8192@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Acked-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
netfilter: conntrack: pass nf_hook_state to packet and error handlers
nf_hook_state contains all the hook meta-information: netns, protocol family,
hook location, and so on.
Instead of only passing selected information, pass a pointer to entire
structure.
This will allow to merge the error and the packet handlers and remove
the ->new() function in followup patches.
Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch backports the above upstream patch to OVS and fixes compiling
errors on RHEL kernels.
Cc: Florian Westphal <fw@strlen.de> Tested-by: Greg Rose <gvrose8192@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Acked-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Yifeng Sun [Fri, 10 May 2019 19:30:08 +0000 (12:30 -0700)]
datapath: Handle removal of nf_conntrack_l3proto.h
Upstream kernel commit a0ae2562 ("netfilter: conntrack: remove l3proto
abstraction") removed header file net/netfilter/nf_conntrack_l3proto.h.
This patch detects it and fixes compilation errors of OVS on 4.19+ kernels.
Tested-by: Greg Rose <gvrose8192@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Acked-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Darrell Ball [Thu, 9 May 2019 15:15:07 +0000 (08:15 -0700)]
conntrack: Add rcu support.
For performance and code simplification reasons, add rcu support for
conntrack. The array of hmaps is replaced by a cmap as part of this
conversion. Using a single map also simplifies the handling of NAT
and allows the removal of the nat_conn map and friends. Per connection
entry locks are introduced, which are needed in a few code paths.
Signed-off-by: Darrell Ball <dlu998@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
ovs-save: Handle cases of upgrades from very old OVS versions.
We have added code to ovs-save over the last few releases
which makes the following bad assumptions.
1. The default OpenFlow version of running daemon is OpenFlow14.
Impact: This causes upgrades from older OVS versions to end up with no
flows in their bridges (even the default 'NORMAL' ones) causing traffic
to stop.
2. That ovs-ofctl commands like dump-groups and dump-tlv-map
will just work with old OVS versions.
Impact: Does not look like it effects the upgrade in a bad away - except
you get some errors.
Since OpenFlow14 was enabled by default in OVS 2.8, this commit makes
a lazy assumption that any upgrade of OVS from versions before 2.7
will not attempt to save and restore flows.
VMware-BZ: #2340482 Signed-off-by: Gurucharan Shetty <guru@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
Use sb mac binding table to trigger ip buffer dequeueing instead of
the APR/ND packet reception since the ARP reply can be managed on a
different chassis if a gw router port is scheduled on a different
node
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Leonid Ryzhyk [Thu, 2 May 2019 17:37:57 +0000 (10:37 -0700)]
ovn: Added missing --wait in ovn tests
Several of the ovn tests did not use the `--wait` flag to to wait for a
configuration change to propagate through the system. As a result,
these tests fail when `ovn-northd` is slow.
Fixed by adding `--wait=hv` or `--wait=sb` as appropriate.
Signed-off-by: Leonid Ryzhyk <ryzhyk@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
system-offloads-traffic.at: Fix requesting HW offloaded flows from veth.
veth pair doesn't offload anything to HW. i.e. we should use 'tc' type
while requesting flows. 'offloaded' kept just in case to not update the
test if veths will be HW offloaded someday.
Additionally fixed missed for unknown reason 'ipv4' fields. Also
dropped stripping of the errors from log.
Fixes test:
2: offloads - ping between two ports - offloads enabled ok
CC: Gavi Teitz <gavi@mellanox.com> Fixes: d63ca5329ff9 ("dpctl: Properly reflect a rule's offloaded to HW state") Acked-by: Roi Dayan <roid@mellanox.com> Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Yifeng Sun [Fri, 26 Apr 2019 21:42:07 +0000 (14:42 -0700)]
datapath: Fix compiling error for 4.14.111+ kernel
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com> Tested-by: Greg Rose <gvrose8192@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Fixes: f72469405eec9 ("datapath: meter: Use struct_size() in kzalloc()") Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
ovn-northd: Fix the HA_Chassis sync issue in OVN SB DB
ovn-northd deletes and recreates HA_Chassis rows (which belong
to a HA_Chassis_Group) whenever the HA_Chassis_Group/Gateway_Chassis
rows in Northbound DB are out of sync. If a Chassis table row in
Southbound DB is deleted and if this row is referenced by HA_Chassis
row (in Southbound DB), then the present code syncs the HA_Chassis
rows continously and this causes the ovn-controller's to wake up
and results in 100% cpu usage.
This was a simple case which the commit 1be1e0e5e0d1 ("ovn: Add generic HA chassis group") missed out addressing.
This patch fixes this issue.
Fixes: 1be1e0e5e0d1 ("ovn: Add generic HA chassis group")
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2019-April/048580.html Reported-by: Daniel Alvarez Sanchez (dalvarez@redhat.com) Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
datapath-windows: Do not send out nbls when cloned nbls are being accessed
As per MSDN documentation, "As soon as a filter driver calls the
NdisFSendNetBufferLists function, it relinquishes ownership of
the NET_BUFFER_LIST structures and all associated resources.
A filter driver should never try to examine the NET_BUFFER_LIST
structures or any associated data after calling NdisFSendNetBufferLists".
When freeing up memory of a cloned nbl, parent's nbl and context
is being accessed, which is incorrect can cause BSOD.
With this patch, original nbl is sent out only when cloned nbl is done
with packet processing and its memory is freed.
Signed-off-by: Anand Kumar <kumaranand@vmware.com> Acked-by: Alin Gabriel Serdean <aserdean@ovn.org> Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Ben Pfaff [Tue, 23 Apr 2019 23:42:32 +0000 (16:42 -0700)]
sparse: Configure target operating system and fix fallout.
cgcc, the "sparse" wrapper that OVS uses, can be told the host architecture
or the host OS or both. Until now, OVS has told it the host architecture
because it is fairly common that it doesn't guess it automatically. Until
now, OS has not told it the host OS, assuming that it would get it right.
However, it doesn't--if you tell it the host OS or the host architecture,
it doesn't really have a default for the other. This means that on Linux
(presumably the only OS where sparse works properly for OVS), it was not
defining __linux__, which caused some weird behavior.
This commit adds a flag to the cgcc invocation to make it define __linux__
on Linux, and it fixes some errors that this would otherwise cause.
Acked-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Recent commit in "sparse" broke checking the OVS sources, because
'make' uses '-MD' flag to generate dependencies as a side effect
within compilation commands, but "sparse" skips all the build commands
that contains '-MD' and friends.
Let's revert the bad commit as a workaround before installing "sparse"
in TravisCI.
Additionally fixed a false-positive:
./lib/bitmap.h:64:29: error: shift too big (64) for type unsigned long
Currently, rule_insert() API does not have return value. There are some
possible scenarios where rule insertions can fail at run-time even though the
static checks during rule_construct() had passed previously. Some possible
scenarios for failure of rule insertions:
**) Rule insertions can fail dynamically in Hybrid mode (both Openflow and
Normal switch functioning coexist) where the CAM space could get suddenly
filled up by Normal switch functioning and Openflow gets devoid of available
space.
**) Some deployments could have separate independent layers for HW rule
insertions and application layer to interact with OVS. HW layer could face any
dynamic issue during rule handling which application could not have
predicted/captured in rule-construction phase.
Rule-insert errors for bundles are handled too.
Testing: Tested failures of rule insertions and also with bundles.
Signed-off-by: Aravind Prasad S <aravind.sridharan at dell.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Zhantao Fu [Tue, 23 Apr 2019 11:04:25 +0000 (19:04 +0800)]
Double postponing to free subtables.
Subtable destruction should be double postponed because readers could still obtain old values while iterating over pvector implementation before its new version published.
Signed-off-by: Zhantao Fu <fuzhantao@huawei.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
OVN: Clarify docs about the default transport zone
This patch is extending the documentation about the new transport zones
feature to clarify that if no transport zones are set, the chassis will
belong to a default group.
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
This patch is adding support for Transport Zones. Transport zones (a.k.a
TZs) is way to enable users of OVN to separate Chassis into different
logical groups that will only form tunnels between members of the same
groups. Each Chassis can belong to one or more Transport Zones. If
not set, the Chassis will be considered part of a default group.
Configuring Transport Zones is done by creating a key called
"ovn-transport-zones" in the external_ids column of the Open_vSwitch
table from the local OVS instance. The value is a string with the name
of the Transport Zone that this instance is part of. Multiple TZs can
be specified with a comma-separated list. For example:
$ sudo ovs-vsctl set open . external-ids:ovn-transport-zones=tz1
or
$ sudo ovs-vsctl set open . external-ids:ovn-transport-zones=tz1,tz2,tz3
This configuration is also exposed in the Chassis table of the OVN
Southbound Database in a new column called "transport_zones".
The use for Transport Zones includes but are not limited to:
* Edge computing: As a way to preventing edge sites from trying to create
tunnels with every node on every other edge site while still allowing
these sites to create tunnels with the central node.
* Extra security layer: Where users wants to create "trust zones"
and prevent computes in a more secure zone to communicate with a less
secure zone.
This patch is also backward compatible so the upgrade guide for OVN [0]
is still valid and the ovn-controller service can be upgraded before the
OVSDBs.
The old git tree git://git.kernel.org/pub/scm/devel/sparse/chrisl/sparse.git
has not been updated since 2016, and that triggers the following build error
on Ubuntu 18.04 host with 2.27-3 libc6-dev. So update the sparse git repo
to the new one.
/usr/include/stdlib.h:140:17: error: Expected ; at end of declaration
/usr/include/stdlib.h:140:17: error: got strtof32
/usr/include/stdlib.h:146:17: error: Expected ; at end of declaration
/usr/include/stdlib.h:146:17: error: got strtof64
/usr/include/stdlib.h:158:18: error: Expected ; at end of declaration
/usr/include/stdlib.h:158:18: error: got strtof32x
/usr/include/stdlib.h:233:33: error: Expected ) in function declarator
/usr/include/stdlib.h:233:33: error: got __f
/usr/include/stdlib.h:239:33: error: Expected ) in function declarator
/usr/include/stdlib.h:239:33: error: got __f
/usr/include/stdlib.h:251:35: error: Expected ) in function declarator
/usr/include/stdlib.h:251:35: error: got __f
/usr/include/stdlib.h:316:17: error: Expected ; at end of declaration
/usr/include/stdlib.h:316:17: error: got strtof32_l
/usr/include/stdlib.h:323:17: error: Expected ; at end of declaration
/usr/include/stdlib.h:323:17: error: got strtof64_l
/usr/include/stdlib.h:337:18: error: Expected ; at end of declaration
/usr/include/stdlib.h:337:18: error: got strtof32x_l
Makefile:5288: recipe for target 'lib/aes128.lo' failed
make[2]: *** [lib/aes128.lo] Error 1
...
Tested on Jarvis: https://travis-ci.org/YiHungWei/ovs/builds/521979625
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Han Zhou [Fri, 19 Apr 2019 19:17:47 +0000 (12:17 -0700)]
ovsdb raft: Avoid unnecessary reconnecting during leader election.
If a server claims itself as "disconnected", all clients connected
to that server will try to reconnect to a new server in the cluster.
However, currently a server would claim itself as disconnected even
when itself is the candidate and try to become the new leader (most
likely it will be), and all its clients will reconnect to another
node.
During a leader fail-over (e.g. due to a leader failure), it is
expected that all clients of the old leader will have to reconnect
to other nodes in the cluster, but it is unnecessary for all the
clients of a healthy node to reconnect, which could cause more
disturbance in a large scale environment.
This patch fixes the problem by slightly change the condition that
a server regards itself as disconnected: if its role is candidate,
it is regarded as disconnected only if the election didn't succeed
at the first attempt. Related failure test cases are also unskipped
and all passed with this patch.
Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
In commit-2bcb3b70 (ovsdb raft: Move ovsdb cluster tests to separate
testsuite.) the "clustered transactions" tests were left unexecuted
because they depend on "EXECUTION_EXAMPLES", which is defined in
ovsdb-execution.at.
Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
ovn: Generate ICMPv4 packet in router pipeline for larger packets
This patch adds 2 stages in router pipeline after ARP_RESOLVE
and adds the logical flows to check the packet length and
generate ICMPv4 packet.
* S_ROUTER_IN_CHK_PKT_LEN - Which checks the packet length using
check_pkt_larger OVN action
* S_ROUTER_IN_LARGER_PKTS - Which generates icmp packet with
type 3 (Destination Unreachable),
code 4 (Frag Needed and DF was Set)
icmp4.frag_mtu = gw_mtu
In order to add these logical flows, CMS should set the
option 'gateway_mtu' for the distributed logical router port.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Acked-by: Mark Michelson <mmichels@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Previous commit added a new OVS action 'check_pkt_larger'. This
patch supports that action in OVN. The syntax to use this would be
reg0[0] = check_pkt_larger(LEN)
Upcoming commit will make use of this action in ovn-northd and
will generate an ICMPv4 packet if the packet length is greater than
the specified length.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Acked-by: Mark Michelson <mmichels@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
This action is similar to the existing 'icmp4' OVN action except that
that this action is expected to be used to generate an ICMPv4 packet
in response to an error in original IP packet. When this action
injects the icmpv4 packet, it also copies the original IP datagram
following the icmp4 header as per RFC 1122: 3.2.2
Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Acked-by: Mark Michelson <mmichels@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
In order to support OVN specific fields (which are not yet
supported in OpenvSwitch to set or modify values) a generic
OVN field support is added in this patch. These OVN fields
gets translated to controller actions.
This patch adds only one field for now - icmp4.frag_mtu.
It should be fairly straightforward to add similar fields in the
near future.
pinctrl module of ovn-controller will set the specified value
in the the low-order 16 bits of the ICMP4 header field that is
labelled "unused" in the ICMP specification as defined in the RFC 1191.
Upcoming patch will use it to send an icmp4 packet if the
source IPv4 packet destined to go via external gateway needs to
be fragmented.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Acked-by: Mark Michelson <mmichels@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
This patch adds a new action - 'check_pkt_len' which checks the
packet length and executes a set of actions if the packet
length is greater than the specified length or executes
another set of actions if the packet length is lesser or equal to.
This action takes below nlattrs
* OVS_CHECK_PKT_LEN_ATTR_PKT_LEN - 'pkt_len' to check for
* OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER - Nested actions
to apply if the packet length is greater than the specified 'pkt_len'
* OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL - Nested
actions to apply if the packet length is lesser or equal to the
specified 'pkt_len'.
The main use case for adding this action is to solve the packet
drops because of MTU mismatch in OVN virtual networking solution.
When a VM (which belongs to a logical switch of OVN) sends a packet
destined to go via the gateway router and if the nic which provides
external connectivity, has a lesser MTU, OVS drops the packet
if the packet length is greater than this MTU.
With the help of this action, OVN will check the packet length
and if it is greater than the MTU size, it will generate an
ICMP packet (type 3, code 4) and includes the next hop mtu in it
so that the sender can fragment the packets.
Reported-at:
https://mail.openvswitch.org/pipermail/ovs-discuss/2018-July/047039.html Suggested-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Numan Siddique <nusiddiq@redhat.com> CC: Gregory Rose <gvrose8192@gmail.com> CC: Pravin B Shelar <pshelar@ovn.org> Acked-by: Pravin B Shelar <pshelar@ovn.org> Tested-by: Greg Rose <gvrose8192@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Use of 'nla_parse_strict()' (in validate_and_copy_check_len()) is available
only in recent kernels. So changed it to 'nla_parse_nested()'.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Tested-by: Greg Rose <gvrose8192@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
This patch adds a new action 'check_pkt_larger' which checks if the
packet is larger than the given size and stores the result in the
destination register.
This patch makes use of the new datapath action - 'check_pkt_len'
which was recently added in the commit [1].
At the start of ovs-vswitchd, datapath is probed for this action.
If the datapath action is present, then 'check_pkt_larger'
makes use of this datapath action.
Datapath action 'check_pkt_len' takes these nlattrs
* OVS_CHECK_PKT_LEN_ATTR_PKT_LEN - 'pkt_len' to check for
* OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER (optional) - Nested actions
to apply if the packet length is greater than the specified 'pkt_len'
* OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL (optional) - Nested
actions to apply if the packet length is lesser or equal to the
specified 'pkt_len'.
Let's say we have these flows added to an OVS bridge br-int
Then the action 'check_pkt_larger' will be translated as
- check_pkt_len(size=100,gt(3),le(4))
datapath will check the packet length and if the packet length is greater than 100,
it will output to port 3, else it will output to port 4.
In case, datapath doesn't support 'check_pkt_len' action, the OVS action
'check_pkt_larger' sets SLOW_ACTION so that datapath flow is not added.
This OVS action is intended to be used by OVN to check the packet length
and generate an ICMP packet with type 3, code 4 and next hop mtu
in the logical router pipeline if the MTU of the physical interface
is lesser than the packet length. More information can be found here [2]
William Tu [Fri, 19 Apr 2019 22:26:41 +0000 (15:26 -0700)]
dpif-netdev: fix meter at high packet rate.
When testing packet rate around 1Mpps with meter enabled, the frequency
of hitting meter action becomes much higher, around 30us each time.
As a result, the meter's calculation of 'uint32_t delta_t' becomes
always 0 and meter action has no effect. This is due to the previous
commit 05f9e707e194 divides the delta by 1000, in order to convert to
msec granularity. The patch fixes it updating the time when across
millisecond boundary.
Fixes: 05f9e707e194 ("dpif-netdev: Use microsecond granularity.") Acked-by: Yi-Hung Wei <yihung.wei@gmail.com> Acked-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: William Tu <u9012063@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
dpif-netdev: Update comment about flow installation race.
Userspace datapath uses per-PMD flow tables/classifiers for a long
time. However, it was decided to keep this race window to not block
revalidators. Comment should be updated to reflect the current state.
Fixes: 1c1e46ed8457 ("dpif-netdev: Add per-pmd flow-table/classifier.") Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Commit bde94613e627 was aimed to slightly ( < 1%) increase performance
in the case where EMC disabled, but it avoids RSS hash calculation and
OVS has to calculate it while executing OVS_ACTION_ATTR_HASH in order
to handle balanced-tcp bonding. At the time of executing that action
there is no parsed flow, and OVS parses the packet for the second time
to calculate the hash. This happens for all packets received from the
virtual interfaces because they have no HW RSS.
Here is the example of 'perf' output for VM --> (bonded PHY) traffic:
We can see that packet parsed twice. First time by 'miniflow_extract'
right after receiving and the second time by 'flow_extract' while
executing actions.
In this particular case calculating RSS on receive saves > 7% of the
total CPU processing time. It varies from ~7 to ~10 % depending on
scenario/traffic types.
It's better to calculate hash each time because performance
improvements of avoiding are negligible in compare with performance
drop in case of sending packets to bonded interface.
Another solution could be to pass the parsed flow explicitly through
the datapath, but this will require big code changes and will have
additional overhead for metadata updating on packet changes.
Also, this change should have small impact since SMC works well in most
cases and will be enabled/recommended by default in the future.
CC: Antonio Fischetti <antonio.fischetti@intel.com> Fixes: bde94613e627 ("dpif-netdev: Avoid reading RSS hash when EMC is disabled.") Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ian Stokes <ian.stokes@intel.com>
ovn/utilities/ovn-nbctl.c: In function 'print_routing_policy':
ovn/utilities/ovn-nbctl.c:3620:23: error: format '%ld' expects argument
of type 'long int', but argument 3 has type 'int64_t'
policy->match, policy->action, next_hop);
^
ovn/utilities/ovn-nbctl.c:3624:23: error: format '%ld' expects argument
of type 'long int', but argument 3 has type 'int64_t'
policy->match, policy->action);
^
ovn/utilities/ovn-nbctl.c: In function 'cmd_ha_ch_grp_list':
ovn/utilities/ovn-nbctl.c:5056:27: error: format '%lu' expects argument
of type 'long unsigned int', but argument 10 has type 'int64_t'
ha_ch->priority);
^
cc1: all warnings being treated as errors
make[2]: *** [ovn/utilities/ovn-nbctl.o] Error 1
I confirmed that the dst entry also has dst->input set to
dst_md_discard, so it looks like it's an entry that's been
initialized via __metadata_dst_init alright.
I think the fix here is to use skb_valid_dst(skb) - it checks
for DST_METADATA also, and with that fix in place, the
problem - which was previously 100% reproducible - disappears.
The below patch resolves the panic and all bpf tunnel tests pass
without incident.
Fixes: c8b34e680a09 ("ip_tunnel: Add tnl_update_pmtu in ip_md_tunnel_xmit") Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org> Signed-off-by: Alan Maguire <alan.maguire@oracle.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Tested-by: Anders Roxell <anders.roxell@linaro.org> Reported-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Tested-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Fixed up for backward compatibility to our own compat layer ip_tunnel.c
module.
Cc: Alan Maguire <alan.maguire@oracle.com> Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
net: openvswitch: fix missing checks for nla_nest_start
nla_nest_start may fail and thus deserves a check.
The fix returns -EMSGSIZE when it fails.
Signed-off-by: Kangjie Lu <kjlu@umn.edu> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: Kangjie Lu <kjlu@umn.edu> Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
upcall is dereferenced even when genlmsg_put fails. The fix
goto out to avoid the NULL pointer dereference in this case.
Signed-off-by: Kangjie Lu <kjlu@umn.edu> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: Kangjie Lu <kjlu@umn.edu> Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Patch series "generic radix trees; drop flex arrays".
This patch (of 7):
There was no real need for this code to be using flexarrays, it's just
implementing a hash table - ideally it would be using rhashtables, but
that conversion would be significantly more complicated.
Link: http://lkml.kernel.org/r/20181217131929.11727-2-kent.overstreet@gmail.com Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com> Reviewed-by: Matthew Wilcox <willy@infradead.org> Cc: Pravin B Shelar <pshelar@ovn.org> Cc: Alexey Dobriyan <adobriyan@gmail.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Dave Hansen <dave.hansen@intel.com> Cc: Eric Paris <eparis@parisplace.org> Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Cc: Neil Horman <nhorman@tuxdriver.com> Cc: Paul Moore <paul@paul-moore.com> Cc: Shaohua Li <shli@kernel.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Kent Overstreet <kent.overstreet@gmail.com> Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
ovn-fedora spec generates the rpms - ovn, ovn-common, ovn-host etc
in which ovn is an empty package. The ovn fedora spec file here [1]
has moved all the ovn-common files to the 'ovn' package.
This patch does the same.
Flavio Leitner [Tue, 26 Mar 2019 17:15:00 +0000 (14:15 -0300)]
netlink linux: fix to append the netnsid netlink attr.
The attribute was being prepended to the netlink buffer, but
the function nl_sock_transact_multiple__() expects to find the
netlink header as first to update the length, seq and pid fields.
This patch fixes to append the attribute instead of prepending it.
Fixes: 756819ddd788 ("netdev-linux: use netlink to update netdev.") Acked-by: Aaron Conole <aconole@redhat.com> Signed-off-by: Flavio Leitner <fbl@sysclose.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
Flavio Leitner [Tue, 26 Mar 2019 17:14:59 +0000 (14:14 -0300)]
netlink linux: account for the netnsid netlink attr.
The buffer needs to be reallocated and data copied when
the netnsid netlink attribute is included, so avoid that
by accounting the attribute when the buffer is initially
allocated.
Fixes: 756819ddd788 ("netdev-linux: use netlink to update netdev.") Acked-by: Aaron Conole <aconole@redhat.com> Signed-off-by: Flavio Leitner <fbl@sysclose.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Thu, 21 Mar 2019 00:38:53 +0000 (17:38 -0700)]
stream-ssl: Add support for TLS SNI (Server Name Indication).
This TLS extension, introduced in RFC 3546, allows the server to know what
host the client believes it is contacting, the TLS equivalent of the Host:
header in HTTP.
Tested-by: Yifeng Sun <pkusunyifeng@gmail.com> Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com> Requested-by: Shivaram Mysore <smysore@servicefractal.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
openvswitch: meter: Use struct_size() in kzalloc()
One of the more common cases of allocation size calculations is finding the
size of a structure that has a zero-sized array at the end, along with
memory for some number of elements for that array. For example:
This code was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Use of struct_size() needed some compat layer adjustments to make use
of this new macro. This patch pulls in some of the needed support
from the linux mm.h and overflow.h header files. This new header
file support is also necessary for the following patch that converts
to use of kvmalloc().
Cc: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Lorenzo Bianconi [Fri, 29 Mar 2019 15:58:57 +0000 (16:58 +0100)]
OVN: add the possibility to configure a static IPv4/IPv6 address and dynamic MAC
Add the possibility to configure a static IPv4 and/or IPv6 address
and get MAC address dynamically allocated. This can be done using the
following commands:
Darrell Ball [Fri, 29 Mar 2019 16:50:47 +0000 (09:50 -0700)]
conntrack: Fix minimum connections to clean.
If there is low maximum connection count configuration and less than 10
connections in a bucket, the calculation of the maximum number of
connections to clean for the bucket could be zero, leading to these
connections not being cleaned until and if the connection count in the
bucket increases.
Fix this by checking for low maximum connection count configuration
and do this outside of the buckets loop, thereby simplifying the loop.
rhel: if rpms were built without libcapng then let processes to run as root
Otherwise, Open vSwitch will fail to start with the following
error "libcap-ng is not configured at compile time" when it
attempts to downgrade to Open vSwitch user.
Also, if packages were built in a way where processes are
supposed to be running only as root, then there is no point
in creating "openvswitch" user in the first place.
Signed-off-by: Ansis Atteka <aatteka@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
Han Zhou [Tue, 16 Apr 2019 18:42:04 +0000 (11:42 -0700)]
chassis.c: Return chassis record whenever available in chassis_run().
The ovn-controller main loop relies on the return value of chassis_run().
When ovnsb_idl_txn is NULL (i.e. there is a pending transaction for SB),
chasssis_run() returns NULL, which blocks functions to be executed in
the main loop unnecessarily. This patch updates chassis_run() so that
it returns chassis record whenever it is available.
This changes allows xxx_run() functions being executed whenever
br_int and chassis are not NULL. For functions that need to update
SB DB, there are already additional checks making sure ovnsb_idl_txn
is not NULL.
Acked-by: Numan Siddique <nusiddiq@redhat.com> Acked-by: Mark Michelson <mmichels@redhat.com> Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Han Zhou [Tue, 16 Apr 2019 18:42:03 +0000 (11:42 -0700)]
ovn-controller: Fix busy loop when sb disconnected.
In the main loop, if the SB DB is disconnected when there is a pending
transaction, there can be busy loop causing 100% CPU of ovn-controller,
until SB DB is connected again.
The root cause is that when a transaction is pending, ovsdb_idl_loop_run()
will return NULL for ovnsb_idl_txn, and chassis_run() returns NULL when
ovnsb_idl_txn is NULL, so the condition if (br_int && chassis) is not
satisfied and so ofctrl_run() is not executed in the main loop. If there
is any message pending from br-int.mgmt, such as OFPTYPE_BARRIER_REPLY or
OFPTYPE_ECHO_REQUEST, the main loop will be woken up again and again
because those messages are not processed because ofctrl_run() is not
invoked.
This patch fixes the problem by moving ofctrl_run() above and run it
whenever br_int is not NULL, and not care about chassis because this
function doesn't depend on it.
It also moves out sbrec_chassis_set_nb_cfg() from the "if (ovs_idl_txn)"
just to avoid adding more indentation of the whole block to avoid >79
line length.
Note: the changes of this patch is better to be shown with "-w" because
most of them are indent changes.
Acked-by: Numan Siddique <nusiddiq@redhat.com> Acked-by: Mark Michelson <mmichels@redhat.com> Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Mary Manohar [Wed, 3 Apr 2019 23:27:56 +0000 (23:27 +0000)]
Policy-based routing (PBR) in OVN.
PBR provides a mechanism to configure permit/deny and reroute policies on the
router. Permit/deny policies are similar to OVN ACLs, but exist on the
logical-router. Reroute policies are needed for service-insertion and
service-chaining. Currently, policies are stateless.
To achieve this, a new table is introduced in the ingress pipeline of the
Logical-router. The new table is between the ‘IP Routing’ and the ‘ARP/ND
resolution’ table. This way, PBR can override routing decisions and provide a
different next-hop.
This Patch:
a. Changes in OVN NB Schema to introduce a new table in the Logical
router.
b. Add commands to ovn-nbctl to add/delete/list routing policies.
c. Changes in ovn-northd to process routing-policy configurations.
A new table 'Logical_Router_Policy' has been added in the northbound schema.
The table has the following columns:
* priority: Rules with numerically higher priority take precedence over
those with lower.
* match: Uses the same expression language as the 'match' column of
'Logical_Flow' table in the OVN Southbound database.
* action: allow/drop/reroute nexthop: Nexthop IP address.
Each row in this table represents one routing policy for a logical router. The
'action' column for the highest priority matching row in this table determines a
packet's treatment. If no row matches, packets are allowed by default.
The new ovn-nbctl commands are as follows:
1. Add a new ovn-nbctl command to add a routing policy.
lr-policy-add ROUTER PRIORITY MATCH ACTION [NEXTHOP]
Nexthop is an optional parameter. It needs to be provided only when
'action' is 'reroute'. A policy is uniquely identified by priority and match.
Multiple policies can have the same priority.
2. Add a new ovn-nbctl command to delete a routing policy.
lr-policy-del ROUTER [PRIORITY [MATCH]]
Takes priority and match as optional parameters. If priority and match
are specified, the policy with the given priority and match is deleted. If
priority is specified and match is not specified, all rules with that priority
are deleted. If priority is not specified, all the rules would be deleted.
3. Add a new ovn-nbctl command to list routing-policies in the logical
router.
lr-policy-list ROUTER
ovn-northd changes are to get routing-policies from northbound database
and populate the same as logical flows in the southbound database. A new table
called 'POLICY' is introduced in the Logical router's ingress pipeline. Each
routing-policy configured in the northbound database translates into a single
logical flow in the new table.
The columns from the Logical_Router_Policy table are used as follows:
The priority column is used as priority in the logical-flow. The match column
is used as the 'match' string in the logical-flow. The action column is used to
determine the action of the logical-flow.
When the 'action' is reroute, if the nexthop ip-address is a connected
router port or the IP address of a logical port, the logical-flow is constructed
to route the packet to the nexthop ip-address.
Signed-off-by: Mary Manohar <mary.manohar@nutanix.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
When DVR is enabled FIP traffic need to be forwarded directly using
external connection to the underlay network and not be distributed
through geneve tunnels.
Fix this adding new logical flows to take care of distributed DNAT/SNAT
Acked-by: Mark Michelson <mmichels@redhat.com> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Numan Siddique [Thu, 28 Mar 2019 06:10:17 +0000 (11:40 +0530)]
ovn: Support a new Logical_Switch_Port.type - 'external'
In the case of OpenStack + OVN, when the VMs are booted on
hypervisors supporting SR-IOV nics, there are no OVS ports
for these VMs. When these VMs sends DHCPv4, DHPCv6 or IPv6
Router Solicitation requests, the local ovn-controller
cannot reply to these packets. OpenStack Neutron dhcp agent
service needs to be run to serve these requests.
With the new logical port type - 'external', OVN itself can
handle these requests avoiding the need to deploy any
external services like neutron dhcp agent.
To make use of this feature, CMS has to
- create a logical port for such VMs
- set the type to 'external'
- create an HA chassis group and associate the logical port
to it or associate an already existing HA chassis group.
- create a localnet port for the logical switch
- configure the ovn-bridge-mappings option in the OVS db.
HA chassis with the highest priority becomes the master of
the HA chassis group and the ovn-controller running in that
'chassis', claims the Port_Binding for that logical port
and it adds the necessary DHCPv4/v6 OF flows. Since the packet
enters the logical switch pipeline via the localnet port,
the inport register (reg14) is set
to the tunnel key of localnet port in the match conditions.
In case the chassis goes down for some reason, next higher
priority HA chassis becomes the master and claims the port.
When the VM with the external port, sends an ARP request for
the router ips, only the chassis which has claimed the port,
will reply to the ARP requests. Rest of the chassis on
receiving these packets drop them in the ingress switch
datapath stage - S_SWITCH_IN_EXTERNAL_PORT which is just
before S_SWITCH_IN_L2_LKUP.
This would guarantee that only the chassis which has claimed
the external ports will run the router datapath pipeline.
Acked-by: Mark Michelson <mmichels@redhat.com> Acked-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Numan Siddique [Thu, 28 Mar 2019 06:10:11 +0000 (11:40 +0530)]
ovn-northd: Delete the references to gateway_chasss in SB DB
Previous patch in the series added the support in ovn-controller
to use ha_chassis_group table in SB DB to support HA chassis
and establishing BFD tunnels instead of the gateway_chassis table.
There is no need for ovn-northd to create any gateway_chassis
rows in SB DB. This patch does that and deletes the code
which is not required anymore.
This patch also now supports 'ha_chassis_group' to be associated
with a distributed logical router port and ignores 'gateway_chassis'
and 'redirect-chassis' if set along with 'ha_chassis_group'.
Acked-by: Mark Michelson <mmichels@redhat.com> Acked-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Numan Siddique [Thu, 28 Mar 2019 06:10:03 +0000 (11:40 +0530)]
ovn-controller: Make use of ha_chassis_group table to bind the chassisredirect ports
This patch uses the newly added ha_chassis_group table in Southbound DB
- to bind the chassisredirect ports.
- to establish BFD sessions with the required chassis. The previous patch
in this series sets the list of chassis which references a ha chassis group
in the 'ref_chassis' column of 'ha_chassis_group' table (in ovn-northd).
This patch uses that information to establish BFD sessions with only the
required chassis. There is no need to traverse the local_datapath list
to determine if a local chasis has to establish a BFD session with another
chassis. For eg, if chassis - HV1, HV2 and HV3 are part of a chassis group
G1 and G1 is referenced by compute chassis - C1 and C2, the chassis C1
will establish BFD sessions with HV1, HV2 and HV3 since C1 references the
group G1. The ha chassis HV1, HV2 and HV3 also establish BFD sessions
amongst themselves and also with C1 and C2.
This patch also deletes the old code (which used gateway_chassis table)
to bind the chassisredirect port.
The rational behind the refactor is to make the ha chassis binding support
generic, so that logical ports of type 'external' (which will be
added in the upcoming patch) can also make use of it and to simplify
the gateway chassis support code in OVN. Functionally this new
approach is same as the older one.
Acked-by: Mark Michelson <mmichels@redhat.com> Acked-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Numan Siddique [Thu, 28 Mar 2019 06:09:54 +0000 (11:39 +0530)]
ovn: Add generic HA chassis group
This patch adds the tables - 'HA_Chassis_Group' and 'HA_Chassis' in
both OVN Northbound and Southbound DBs to support generic HA Chassis
groups in OVN. CMS can create a group of HA chassis with the priorities
assigned to each chassis in the group. An HA chassis group can be associated to
a distributed logical router port. An upcoming patch will make
use of it while supporting 'external'* logical ports.
HA chassis group is similar to the existing gateway chassis support in
OVN which is used by the distributed gateway router ports.
This patch tries to abstract this so that, the HA chassis support
can be leveraged by not just distributed gateway router ports.
If a logical router port has a set of gateway chassis associated to
it, ovn-northd will create HA chassis group in Southbound
DB and add these gateway chassis to this group. ovn-northd would still create
gateway chassis in Southbound DB as ovn-controller still doesn't support
using the HA chassis group.
Next patch in the series will add the support in ovn-controller to
make use of HA chassis group instead of gateway chassis. The patch following
that will delete creation of gateway chassis in Southbound DB.
HA_Chasss_Group table in Southbound DB has a column - 'ref_chassis'.
This column is used to store the list of chassis which references the
HA chassis group. This information will be used by ovn-controller in an
upcoming patch to establish BFD sessions with the required chassis.
Suppose if there is an HA chassis group - 'hagrp1' in the Southbound
DB and it has HA chasiss list - ha1, ha2 and ha3 and this HA chassis
group is used by a distributed logical router port, then ovn-northd
will update the 'ref_chassis' with the list of chassis which has claimed
all the logical switch ports which are connected to the logical router
which has this distributed logical router port.
Acked-by: Han Zhou <hzhou8@ebay.com> Acked-by: Mark Michelson <mmichels@redhat.com> Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Numan Siddique [Thu, 28 Mar 2019 06:09:48 +0000 (11:39 +0530)]
ovn-northd: Reuse the hmaps - datapaths and ports in ovnsb_db_run()
We can reuse the datapaths and ports built during ovnnb_db_run()
in ovnsb_db_run(). This way we avoid creating the logical ports hash nodes
during the ovnsb_db_run().
An upcoming patch will make further use of these hashmaps during ovnsb_db_run().
This patch refactors the code accordingly.
Acked-by: Mark Michelson <mmichels@redhat.com> Acked-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Revert "openvswitch: Fix template leak in error cases."
This reverts commit 90c7afc.
When the commit was merged, the code used nf_ct_put() to free
the entry, but later on commit 7664423 ("openvswitch: Free
tmpl with tmpl_free.") replaced that with nf_ct_tmpl_free which
is a more appropriate. Now the original problem is removed.
Then 44d6e2f ("net: Replace NF_CT_ASSERT() with WARN_ON().")
replaced a debug assert with a WARN_ON() which is trigged now.
Signed-off-by: Flavio Leitner <fbl@redhat.com> Acked-by: Joe Stringer <joe@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This patch backports this upstream patch to OVS.
Acked-by: Flavio Leitner <fbl@sysclose.org> Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Han Zhou [Fri, 12 Apr 2019 23:26:28 +0000 (16:26 -0700)]
ovsdb raft: Fix duplicated transaction execution when leader failover.
When a transaction is submitted from a client connected to a follower,
if leader crashes after receiving the execute_command_request from the
follower and sending out append request to the majority of followers,
but before sending execute_command_reply to the follower. The
transaction would finally got commited by the new leader. However,
with current implementation the transaction would be commited twice.
For the root cause, there are two cases:
Case 1, the connected follower becomes the new leader. In this case,
the pending command of the follower will be cancelled during its role
changing to leader, so the trigger for the transaction will be retried.
Case 2, another follower becomes the new leader. In this case, since
there is no execute_command_reply from the original leader (which has
crashed), the command will finally timed out, causing the trigger for
the transaction retried.
In both cases, the transaction will be retried by the server node's
trigger retrying logic. This patch fixes the problem by below changes:
1) A pending command can be completed not only by
execute_command_reply, but also when the eid is committed, if the
execute_command_reply never came.
2) Instead of cancelling all pending commands during role change, let
the commands continue waiting to be completed when the eid is
committed. The timer is increased to be twice the election base time,
so that it has the chance to be completed when leader crashes.
This patch fixes the two raft failure test cases previously disabled.
See the test case for details of how to reproduce the problem.
Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Han Zhou [Fri, 12 Apr 2019 23:26:26 +0000 (16:26 -0700)]
ovsdb raft: Test cases for cluster failures when there are pending transactions.
Implement test cases for the failure scenarios when there are pending
transactions from clients. This patch implements test cases for different
combinations of conditions with the help of previously added test
commands and options for cluster mode. The conditions include:
- Connected node from which client transaction is executed: leader, follower
- Crashed node: leader, follower that is connected, or the other follower
- Crash point:
- For leader:
- before/after receiving execute_command_request
- before/after sending append_request
- before/after sending execute_command_reply
- For follower:
- before/after sending execute_command_request
- after receiving append_request
There are 16 test cases in total, and 9 of them are skipped purposely
because of the bugs found by the test cases to avoid CI failure. They will
be enabled in coming patches when the corresponding bugs are fixed.
Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Han Zhou [Fri, 12 Apr 2019 23:26:25 +0000 (16:26 -0700)]
ovn-nbctl: Support --no-shuffle-remotes.
Support --no-shuffle-remotes option for ovn-nbctl, which is mainly for testing
purpose, so that we can specify the order that client will failover when the
connected node is down, to have more predictability in the test cases.
Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Han Zhou [Fri, 12 Apr 2019 23:26:24 +0000 (16:26 -0700)]
ovsdb-idl: Support optionally not shuffling multiple remotes.
This patch allows remotes not being shuffled if desired (mostly for
testing purpose, when we need the order of remotes during retrying
be predictable). By default it still shuffles as how it behaves today.
Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Han Zhou [Fri, 12 Apr 2019 23:26:23 +0000 (16:26 -0700)]
ovsdb raft: Support commands that are required for testing failure scenarios.
Added unix commands cluster/... for ovsdb raft, which will be used in a future
patch to test more fine-grained failure scenarios. The commands either causes
a node to crash at certain point, or manipulate the election timer so that
we can control the election process to elect a new leader we desired for the
test cases.
Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Han Zhou [Fri, 12 Apr 2019 23:26:22 +0000 (16:26 -0700)]
ovsdb raft: Sync commit index to followers without delay.
When update is requested from follower, the leader sends AppendRequest
to all followers and wait until AppendReply received from majority, and
then it will update commit index - the new entry is regarded as committed
in raft log. However, this commit will not be notified to followers
(including the one initiated the request) until next heartbeat (ping
timeout), if no other pending requests. This results in long latency
for updates made through followers, especially when a batch of updates
are requested through the same follower.
$ time for i in `seq 1 100`; do ovn-nbctl ls-add ls$i; done
real 0m34.154s
user 0m0.083s
sys 0m0.250s
This patch solves the problem by sending heartbeat as soon as the commit
index is updated in leader. It also avoids unnessary heartbeat by resetting
the ping timer whenever AppendRequest is broadcasted. With this patch
the performance is improved more than 50 times in same test:
$ time for i in `seq 1 100`; do ovn-nbctl ls-add ls$i; done
real 0m0.564s
user 0m0.080s
sys 0m0.199s
Torture test cases are also updated because otherwise the tests will
all be skipped because of the improved performance.
Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Han Zhou [Fri, 12 Apr 2019 23:26:21 +0000 (16:26 -0700)]
ovsdb raft: Move ovsdb cluster tests to separate testsuite.
Tests in ovsdb-cluster.at are relatively slow, especially torture
tests, and they will be changed in the future costing high CPU, to
make the tests more effective. So we move the tests to a separate
testsuite, so that we can execute them separately, probably with
lower parallelism to avoid exhausting system resources.
Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Fri, 12 Apr 2019 17:00:02 +0000 (10:00 -0700)]
debian: Remove Ben Pfaff from Uploaders field.
I don't want to claim to be in charge of upstream Debian packaging anymore. Reviewed-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Chris Mi [Sat, 13 Apr 2019 08:09:37 +0000 (16:09 +0800)]
netdev-vport: Use the dst_port in tunnel netdev name
If tunnel device dst_port is not the default one, "ovs-dpctl dump-flows"
will fail. The error message for vxlan is:
netdev_linux|INFO|ioctl(SIOCGIFINDEX) on vxlan_sys_4789 device failed: No such device
That's because when calling netdev_vport_construct() for netdev
vxlan_sys_xxxx, the default dst_port is used. Actually, the dst_port
value is in the netdev name. Use it to avoid the error.
Signed-off-by: Chris Mi <chrism@mellanox.com> Reviewed-by: Roi Dayan <roid@mellanox.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Unlike manual splitting, 'splitlines' correctly handles different
line endings. Without this change script fails to check files with
'\r\n' endings treating the whole patch as a header.
Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
LIU Yulong [Tue, 9 Apr 2019 07:48:08 +0000 (15:48 +0800)]
Docs: fix conntrack flow ct_state input
In the following envrionment:
ovs-vsctl (Open vSwitch) 2.11.0
DB Schema 7.16.1
we meet the following error during the tutorials
conntrack test:
"ovs-ofctl: field +est missing value"
"ovs-ofctl: field +trk missing value"
ovs-vsctl 2.9.0 has the same issue.
This patch gives the tutorials with right
conntrack input.