Merge ~fnordahl/ubuntu/+source/ovn:bug/1914988-hirsute into ~ubuntu-server-dev/ubuntu/+source/ovn:ubuntu/hirsute

Proposed by Frode Nordahl
Status: Merged
Merged at revision: 36b37fa493fdd844fbd80b41821fa8e0701fdaee
Proposed branch: ~fnordahl/ubuntu/+source/ovn:bug/1914988-hirsute
Merge into: ~ubuntu-server-dev/ubuntu/+source/ovn:ubuntu/hirsute
Diff against target: 237 lines (+205/-0)
5 files modified
debian/changelog (+12/-0)
debian/patches/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch (+42/-0)
debian/patches/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch (+100/-0)
debian/patches/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch (+48/-0)
debian/patches/series (+3/-0)
Reviewer                  Review Type   Date Requested   Status
James Page                                               Pending
Ubuntu Server Developers                                 Pending
Review via email: mp+409046@code.launchpad.net
Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 3b332a3..e9b9bbf 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,15 @@
6+ovn (20.12.0-0ubuntu3) hirsute; urgency=medium
7+
8+ * Cherry-pick fixes from upstream branch-20.12
9+ - d/p/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
10+ Update RBAC rules for Chassis_Private table (LP: #1913024).
11+ - d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
12+ Add RBAC rules for IGMP_Group table (LP: #1914988).
13+ - d/p/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
14+ Update RBAC rules for Port_Binding table (LP: #1917475).
15+
16+ -- Frode Nordahl <frode.nordahl@canonical.com> Thu, 23 Sep 2021 10:59:00 +0200
17+
18 ovn (20.12.0-0ubuntu2) hirsute; urgency=medium
19
20 * d/rules: Disable test 168 on arm architectures.
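Review bot: the three bullets describe the patches only as "Update/Add RBAC rules", but each one widens what a client holding the `ovn-controller` RBAC role may write in the Southbound database (one more column on Chassis_Private, insert/delete plus four columns on IGMP_Group, two more columns on Port_Binding). For an upload to a released series, say so in the entry so the SRU reviewer sees a permission change rather than a generic bug fix, e.g. "Grant the ovn-controller RBAC role insert/delete/update access to the IGMP_Group table (LP: #1914988)". The "Cherry-pick fixes from upstream branch-20.12" line is consistent with the patch headers below: every Origin commit hash differs from the master commit named in that patch's "(cherry-picked from master commit ...)" line, which is what a branch-20.12 backport looks like.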
21diff --git a/debian/patches/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch b/debian/patches/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
22new file mode 100644
23index 0000000..a2533f8
24--- /dev/null
25+++ b/debian/patches/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
26@@ -0,0 +1,42 @@
27+Origin: upstream, https://github.com/ovn-org/ovn/commit/f653d627100c91fb169009de44add746beb23769
28+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1913024
29+Last-Update: 2021-09-23
30+
31+From f653d627100c91fb169009de44add746beb23769 Mon Sep 17 00:00:00 2001
32+From: Frode Nordahl <frode.nordahl@canonical.com>
33+Date: Mon, 25 Jan 2021 21:34:04 +0100
34+Subject: [PATCH] northd: Add Chassis_Private "external_ids" column to RBAC
35+
36+After introduction of the Chassis_Private table in OVN 20.09, CMS'es do
37+expect data plane components that may be subject to the
38+`ovn-controller` RBAC role to be able to write to the external_ids
39+column. An example being the OpenStack metadata agent [0].
40+
41+[0]: https://github.com/openstack/neutron/blob/master/neutron/agent/ovn/metadata/agent.py#L175-L191
42+Reported-at: https://bugs.launchpad.net/bugs/1913024
43+Fixes: 4adc10f58127 ("Avoid nb_cfg update notification flooding")
44+Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
45+Acked-by: Dumitru Ceara <dceara@redhat.com>
46+Signed-off-by: Numan Siddique <numans@ovn.org>
47+
48+(cherry-picked from master commit a798e2cfb6dd97c1603b7b758464afb8b897c9ed)
49+---
50+ northd/ovn-northd.c | 2 +-
51+ 1 file changed, 1 insertion(+), 1 deletion(-)
52+
53+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
54+index 7ead3f6b8..89f7dc362 100644
55+--- a/northd/ovn-northd.c
56++++ b/northd/ovn-northd.c
57+@@ -12729,7 +12729,7 @@ static const char *rbac_chassis_update[] =
58+ static const char *rbac_chassis_private_auth[] =
59+ {"name"};
60+ static const char *rbac_chassis_private_update[] =
61+- {"nb_cfg", "nb_cfg_timestamp", "chassis"};
62++ {"nb_cfg", "nb_cfg_timestamp", "chassis", "external_ids"};
63+
64+ static const char *rbac_encap_auth[] =
65+ {"chassis_name"};
66+--
67+2.32.0
68+
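Review bot: this patch touches only `rbac_chassis_private_update` in northd/ovn-northd.c (1 file changed), so the RBAC table documented in ovn-architecture.7.xml still lists Chassis_Private without `external_ids`; the IGMP_Group patch that follows does update that document, and Chassis_Private deserves the same upstream follow-up. The widening itself stays bounded because `rbac_chassis_private_auth` remains `{"name"}`, so a chassis can only write `external_ids` on the Chassis_Private row whose name matches its own identity; note, though, that `external_ids` is a free-form map, so anything a data-plane agent stores there (the metadata agent case cited in the commit message) is attacker-controlled from the point of view of a compromised hypervisor and must not be trusted by control-plane consumers without validation.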
69diff --git a/debian/patches/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch b/debian/patches/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
70new file mode 100644
71index 0000000..52365a4
72--- /dev/null
73+++ b/debian/patches/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
74@@ -0,0 +1,100 @@
75+Origin: upstream, https://github.com/ovn-org/ovn/commit/6aab727db39dcdcfd859aa617e0d9f1ab0bcac98
76+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
77+Last-Update: 2021-09-23
78+
79+From 6aab727db39dcdcfd859aa617e0d9f1ab0bcac98 Mon Sep 17 00:00:00 2001
80+From: Pedro Guimaraes <pedro.guimaraes@canonical.com>
81+Date: Sun, 7 Feb 2021 16:07:08 +0100
82+Subject: [PATCH] Add IGMP_Group to ovn-controller RBAC
83+
84+If RBAC and IGMP snooping are enabled, ovn-controllers need to
85+be able to register new entries to table IGMP_Group as requests
86+are detected.
87+
88+For that, ovn-controllers need to have read/write access to
89+IGMP_Group table.
90+
91+Signed-off-by: Pedro Guimaraes <pedro.guimaraes@canonical.com>
92+Reported-at: https://github.com/ovn-org/ovn/issues/77
93+Acked-by: Frode Nordahl <frode.nordahl@canonical.com>
94+Signed-off-by: Numan Siddique <numans@ovn.org>
95+
96+(cherry-picked from master commit e92d8cb838d407aac7d44c9d27f862df42fbb8d2)
97+---
98+ AUTHORS.rst | 1 +
99+ northd/ovn-northd.c | 12 ++++++++++++
100+ ovn-architecture.7.xml | 16 ++++++++++++++++
101+ 3 files changed, 29 insertions(+)
102+
103+diff --git a/AUTHORS.rst b/AUTHORS.rst
104+index 5d926c11f..ba0a4eb1e 100644
105+--- a/AUTHORS.rst
106++++ b/AUTHORS.rst
107+@@ -290,6 +290,7 @@ Paul Fazzone pfazzone@vmware.com
108+ Paul Ingram
109+ Paul-Emmanuel Raoul skyper@skyplabs.net
110+ Pavithra Ramesh paramesh@vmware.com
111++Pedro Guimaraes pedro.guimaraes@canonical.com
112+ Peter Downs padowns@gmail.com
113+ Philippe Jung phil.jung@free.fr
114+ Pim van den Berg pim@nethuis.nl
115+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
116+index 89f7dc362..cb6bbb74d 100644
117+--- a/northd/ovn-northd.c
118++++ b/northd/ovn-northd.c
119+@@ -12750,6 +12750,10 @@ static const char *rbac_svc_monitor_auth[] =
120+ {""};
121+ static const char *rbac_svc_monitor_auth_update[] =
122+ {"status"};
123++static const char *rbac_igmp_group_auth[] =
124++ {""};
125++static const char *rbac_igmp_group_update[] =
126++ {"address", "chassis", "datapath", "ports"};
127+
128+ static struct rbac_perm_cfg {
129+ const char *table;
130+@@ -12808,6 +12812,14 @@ static struct rbac_perm_cfg {
131+ .update = rbac_svc_monitor_auth_update,
132+ .n_update = ARRAY_SIZE(rbac_svc_monitor_auth_update),
133+ .row = NULL
134++ },{
135++ .table = "IGMP_Group",
136++ .auth = rbac_igmp_group_auth,
137++ .n_auth = ARRAY_SIZE(rbac_igmp_group_auth),
138++ .insdel = true,
139++ .update = rbac_igmp_group_update,
140++ .n_update = ARRAY_SIZE(rbac_igmp_group_update),
141++ .row = NULL
142+ },{
143+ .table = NULL,
144+ .auth = NULL,
145+diff --git a/ovn-architecture.7.xml b/ovn-architecture.7.xml
146+index d00af36b4..e5b70ca20 100644
147+--- a/ovn-architecture.7.xml
148++++ b/ovn-architecture.7.xml
149+@@ -2597,6 +2597,22 @@
150+ modified by ovn-controller.
151+ </p>
152+ </dd>
153++
154++ <dt><code>IGMP_Group</code></dt>
155++ <dd>
156++ <p>
157++ <code>Authorization</code>: disabled (all clients are considered
158++ to be authorized).
159++ </p>
160++ <p>
161++ <code>Insert/Delete</code>: row insertion/deletion are permitted.
162++ </p>
163++ <p>
164++ <code>Update</code>: The columns <code>address</code>,
165++ <code>chassis</code>, <code>datapath</code>, and
166++ <code>ports</code> may be modified by ovn-controller.
167++ </p>
168++ </dd>
169+ </dl>
170+
171+ <p>
172+--
173+2.32.0
174+
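Review bot: in the northd/ovn-northd.c hunk the new entry sets `rbac_igmp_group_auth` to `{""}` (authorization disabled) while `.insdel = true` and the update list contains `chassis` and `datapath`, so any client holding the ovn-controller role may create, modify or delete IGMP_Group rows for any chassis and any datapath, not only its own. That matches the existing Port_Binding and MAC_Binding entries, whose auth arrays are also `{""}` in the visible context, but it is weaker than Chassis_Private, which authorizes on `name`; the ovn-architecture.7.xml hunk states this plainly ("all clients are considered to be authorized"), and the commit message should carry the same sentence so the trade-off is visible in `git log`. As a DEP-3 nit, the commit's `Reported-at: https://github.com/ovn-org/ovn/issues/77` could be surfaced as a `Bug:` header alongside `Bug-Ubuntu:` at the top of the file.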
175diff --git a/debian/patches/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch b/debian/patches/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
176new file mode 100644
177index 0000000..1968bc4
178--- /dev/null
179+++ b/debian/patches/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
180@@ -0,0 +1,48 @@
181+Origin: upstream, https://github.com/ovn-org/ovn/commit/291d88b787a66741810950a5b1b74f82e53ec9a4
182+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475
183+Last-Update: 2021-09-23
184+
185+From 291d88b787a66741810950a5b1b74f82e53ec9a4 Mon Sep 17 00:00:00 2001
186+From: Frode Nordahl <frode.nordahl@canonical.com>
187+Date: Fri, 5 Mar 2021 13:16:23 +0100
188+Subject: [PATCH] northd: Amend RBAC rules for Port_Binding table
189+
190+When `ovn-controller` claims a virtual lport it will update the
191+Port_Binding table with which chassis currently has claimed the
192+port as well as recording information about the virtual parent
193+lport [0].
194+
195+When `ovn-controller` claims a lport it will also update the
196+encap field of the Port_Binding table if set and an update is
197+needed.
198+
199+The current RBAC rules does not allow for these updates.
200+
201+0: https://github.com/ovn-org/ovn/blob/b7b0fbdab03ce8b39d5bdc114876e6b0d0683892/controller/pinctrl.c#L6150
202+Fixes: 054f4c85c ("Add a new logical switch port type - 'virtual'")
203+Fixes: 6c8b9a132 (" ovn-controller: Store the local port bindings in the runtime data I-P state")
204+Reported-At: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475
205+Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
206+Signed-off-by: Numan Siddique <numans@ovn.org>
207+
208+(cherry-picked from master commit 525d78946e6db29430fc2f946b9348eda6356fc6)
209+---
210+ northd/ovn-northd.c | 2 +-
211+ 1 file changed, 1 insertion(+), 1 deletion(-)
212+
213+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
214+index 13288a31c..893b55bed 100644
215+--- a/northd/ovn-northd.c
216++++ b/northd/ovn-northd.c
217+@@ -12745,7 +12745,7 @@ static const char *rbac_encap_update[] =
218+ static const char *rbac_port_binding_auth[] =
219+ {""};
220+ static const char *rbac_port_binding_update[] =
221+- {"chassis"};
222++ {"chassis", "encap", "virtual_parent"};
223+
224+ static const char *rbac_mac_binding_auth[] =
225+ {""};
226+--
227+2.32.0
228+
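Review bot: `rbac_port_binding_auth` is `{""}` in the hunk context, so adding `encap` and `virtual_parent` to `rbac_port_binding_update` lets any ovn-controller-role client rewrite the tunnel endpoint and the virtual parent of any logical port binding, not only of ports bound to its own chassis; the same already held for `chassis`, so this is a widening of an already per-table (not per-chassis) permission rather than a new class of access. It is what the claim path in the commit message needs, but it merits a sentence in the ovn-architecture.7.xml Port_Binding entry, which this patch leaves untouched (1 file changed, northd/ovn-northd.c only).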
229diff --git a/debian/patches/series b/debian/patches/series
230new file mode 100644
231index 0000000..c004be5
232--- /dev/null
233+++ b/debian/patches/series
234@@ -0,0 +1,3 @@
235+lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
236+lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
237+lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
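Review bot: debian/patches/series is a new file, so these are the first quilt patches carried by the hirsute package and the stack should be exercised before upload. The `index` lines show the second patch was generated on top of the first (`89f7dc362` is the post-image of patch one and the pre-image of patch two), but the third patch's pre-image `13288a31c` is not the post-image `cb6bbb74d` of the second, so patch three relies on context matching with a line offset. Run `quilt push -a` (or let `dpkg-source -b` apply the series) and confirm there is no fuzz; then, on a built package with ovn-northd running against the Southbound DB, `ovn-sbctl find RBAC_Permission table=IGMP_Group` should show `insert_delete: true` and the four update columns, and the Port_Binding and Chassis_Private rows should list the newly added columns.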
