Merge ~fnordahl/ubuntu/+source/ovn:bug/1914988-focal into ~ubuntu-server-dev/ubuntu/+source/ovn:ubuntu/focal
Proposed by
Frode Nordahl
Status: | Merged |
---|---|
Merged at revision: | 7a3378023cebe06914c840027fb630464e46ec09 |
Proposed branch: | ~fnordahl/ubuntu/+source/ovn:bug/1914988-focal |
Merge into: | ~ubuntu-server-dev/ubuntu/+source/ovn:ubuntu/focal |
Diff against target: |
701 lines (+662/-1) 6 files modified
debian/changelog (+8/-0) debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch (+213/-0) debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch (+153/-0) debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch (+138/-0) debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch (+145/-0) debian/patches/series (+5/-1) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
James Page | Pending | ||
Review via email: mp+409495@code.launchpad.net |
Commit message
Description of the change
Frode Nordahl (fnordahl) wrote : | # |
Erlon R. Cruz (sombrafam) wrote : | # |
Tested this on Focal and it does solve the problem!
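diff --git a/debian/changelog b/debian/changelog
index 3a96e4b..92f56a2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ovn (20.03.2-0ubuntu0.20.04.3) focal; urgency=medium
+
+ * d/p/lp-1914988-tests-*: Backport test cases for SSL+RBAC (LP: #1914988).
+ * d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch:
+ Do not forward traffic from localport to localnet ports (LP: #1943266).
+
+ -- Frode Nordahl <frode.nordahl@canonical.com> Fri, 01 Oct 2021 09:42:00 +0200
+
 ovn (20.03.2-0ubuntu0.20.04.2) focal; urgency=medium
 
 * d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch: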
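diff --git a/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch b/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch
new file mode 100644
index 0000000..073b2cb
--- /dev/null
+++ b/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch
@@ -0,0 +1,213 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From b05ce42d1a6c4ca468b6a5fd1a16a0f6a5867663 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl <frode.nordahl@canonical.com>
+Date: Fri, 5 Mar 2021 13:16:30 +0100
+Subject: [PATCH 2/3] tests: Make certificate generation extendable
+
+In preparation for enabling testing with SSL and RBAC enabled by
+default, rework the certificate generation so that we can easily
+add generation of more certificates/CN on demand.
+
+A side erffect of the change is a more generic naming scheme for
+the certificate files so the patch also contains an update to
+existing tests so that they use the new filenames.
+
+Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
+Acked-by: Mark Michelson <mmichels@redhat.com>
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit 2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7)
+---
+ tests/automake.mk | 48 ++++++++++++++++++++++------------------------
+ tests/ovn.at | 48 +++++++++++++++++++++++------------------------
+ 2 files changed, 46 insertions(+), 50 deletions(-)
+
+diff --git a/tests/automake.mk b/tests/automake.mk
+index 9740f085a..6eabb97e6 100644
+--- a/tests/automake.mk
++++ b/tests/automake.mk
+@@ -215,39 +215,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage
+ FLAKE8_PYFILES += $(CHECK_PYFILES)
+
+ if HAVE_OPENSSL
+-TESTPKI_FILES = \
+- tests/testpki-cacert.pem \
+- tests/testpki-cert.pem \
+- tests/testpki-privkey.pem \
+- tests/testpki-req.pem \
+- tests/testpki-cert2.pem \
+- tests/testpki-privkey2.pem \
+- tests/testpki-req2.pem
++OVS_PKI_DIR = $(CURDIR)/tests/pki
++TESTPKI_CNS = test test2
++TESTPKI_FILES = $(shell \
++ for cn in $(TESTPKI_CNS); do \
++ echo tests/testpki-$$cn-cert.pem ; \
++ echo tests/testpki-$$cn-privkey.pem ; \
++ echo tests/testpki-$$cn-req.pem ; \
++ done)
++
++tests/testpki-cacert.pem: tests/pki/stamp
++ $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@
++
++$(TESTPKI_FILES): tests/pki/stamp
++ $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@
++
++check_DATA += tests/testpki-cacert.pem
+ check_DATA += $(TESTPKI_FILES)
++CLEANFILES += tests/testpki-cacert.pem
+ CLEANFILES += $(TESTPKI_FILES)
+
+-tests/testpki-cacert.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@
+-tests/testpki-cert.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test-cert.pem $@
+-tests/testpki-req.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test-req.pem $@
+-tests/testpki-privkey.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test-privkey.pem $@
+-tests/testpki-cert2.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test2-cert.pem $@
+-tests/testpki-req2.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test2-req.pem $@
+-tests/testpki-privkey2.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@
+-
+-OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log
++
++OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log
+ tests/pki/stamp:
+ $(AM_V_at)rm -f tests/pki/stamp
+ $(AM_V_at)rm -rf tests/pki
+ $(AM_V_GEN)$(OVS_PKI) init && \
+- $(OVS_PKI) req+sign tests/pki/test && \
+- $(OVS_PKI) req+sign tests/pki/test2 && \
++ for cn in $(TESTPKI_CNS); do \
++ $(OVS_PKI) req+sign tests/pki/$$cn; \
++ done && \
+ : > tests/pki/stamp
+ CLEANFILES += tests/ovs-pki.log
+
+diff --git a/tests/ovn.at b/tests/ovn.at
+index 4d9ee1256..6de5a6d3f 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -7701,8 +7701,8 @@ AT_CHECK(
+
+ start_daemon ovsdb-server --remote=punix:ovn-sb.sock \
+ --remote=db:OVN_Southbound,SB_Global,connections \
+- --private-key="$PKIDIR/testpki-privkey2.pem" \
+- --certificate="$PKIDIR/testpki-cert2.pem" \
++ --private-key="$PKIDIR/testpki-test2-privkey.pem" \
++ --certificate="$PKIDIR/testpki-test2-cert.pem" \
+ --ca-cert="$PKIDIR/testpki-cacert.pem" \
+ ovn-sb.db
+
+@@ -7710,20 +7710,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+ # read-only accesses should succeed
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list SB_Global], [0], [stdout], [ignore])
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list Connection], [0], [stdout], [ignore])
+
+ # write access should fail
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ chassis-add ch vxlan 1.2.4.8], [1], [ignore],
+ [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"}
+@@ -7751,8 +7751,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \
+
+ # Populate SSL configuration entries in nb db
+ AT_CHECK(
+- [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \
+- $PKIDIR/testpki-cert.pem \
++ [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
++ $PKIDIR/testpki-test-cert.pem \
+ $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
+
+ # Populate a passive SSL connection in nb db
+@@ -7762,20 +7762,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+ # Verify SSL connetivity to nb db server
+ AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list NB_Global],
+ [0], [stdout], [ignore])
+ AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list Connection],
+ [0], [stdout], [ignore])
+ AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ get-connection],
+ [0], [stdout], [ignore])
+@@ -7802,8 +7802,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \
+
+ # Populate SSL configuration entries in sb db
+ AT_CHECK(
+- [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \
+- $PKIDIR/testpki-cert.pem \
++ [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
++ $PKIDIR/testpki-test-cert.pem \
+ $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
+
+ # Populate a passive SSL connection in sb db
+@@ -7813,20 +7813,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+ # Verify SSL connetivity to sb db server
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list SB_Global],
+ [0], [stdout], [ignore])
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list Connection],
+ [0], [stdout], [ignore])
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ get-connection],
+ [0], [stdout], [ignore])
+--
+2.32.0
+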
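diff --git a/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch b/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
new file mode 100644
index 0000000..3336825
--- /dev/null
+++ b/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
@@ -0,0 +1,153 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From d2a358676e6d7260f44baa7ab2c23065c23f5968 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl <frode.nordahl@canonical.com>
+Date: Fri, 5 Mar 2021 13:16:31 +0100
+Subject: [PATCH 3/3] tests: Test with SSL and RBAC for controller by default
+
+To help ourself to not forget updating RBAC rules when we land
+changes to existing functionality and new features we must enable
+SSL+RBAC on the `ovn-controller` <-> SB DB connection for builds
+with OpenSSL enabled.
+
+Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
+Acked-by: Mark Michelson <mmichels@redhat.com>
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4)
+---
+ tests/automake.mk | 9 +++++++--
+ tests/ofproto-macros.at | 12 ++++++++++++
+ tests/ovn-macros.at | 38 ++++++++++++++++++++++++++++++++++++--
+ 3 files changed, 55 insertions(+), 4 deletions(-)
+
+diff --git a/tests/automake.mk b/tests/automake.mk
+index 6eabb97e6..2df1e7a4f 100644
+--- a/tests/automake.mk
++++ b/tests/automake.mk
+@@ -216,7 +216,10 @@ FLAKE8_PYFILES += $(CHECK_PYFILES)
+
+ if HAVE_OPENSSL
+ OVS_PKI_DIR = $(CURDIR)/tests/pki
+-TESTPKI_CNS = test test2
++# NOTE: Certificate generation has to be done serially, and each one adds a few
++# seconds to the test run. Please try to re-use one of the many CNs already
++# used in the existing tests.
++TESTPKI_CNS = test test2 main hv hv-foo hv1 hv2 hv3 hv4 hv5 hv6 hv7 hv8 hv9 hv10 hv-1 hv-2 hv-10-1 hv-10-2 hv-20-1 hv-20-2 vtep hv_gw pbr-hv gw1 gw2 gw3 gw4 gw5 ext1
+ TESTPKI_FILES = $(shell \
+ for cn in $(TESTPKI_CNS); do \
+ echo tests/testpki-$$cn-cert.pem ; \
+@@ -241,9 +244,11 @@ tests/pki/stamp:
+ $(AM_V_at)rm -f tests/pki/stamp
+ $(AM_V_at)rm -rf tests/pki
+ $(AM_V_GEN)$(OVS_PKI) init && \
++ cd tests/pki && \
+ for cn in $(TESTPKI_CNS); do \
+- $(OVS_PKI) req+sign tests/pki/$$cn; \
++ $(OVS_PKI) -u req+sign $$cn; \
+ done && \
++ cd ../../ && \
+ : > tests/pki/stamp
+ CLEANFILES += tests/ovs-pki.log
+
+diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
+index 22999c1ca..502313083 100644
+--- a/tests/ofproto-macros.at
++++ b/tests/ofproto-macros.at
+@@ -99,6 +99,7 @@ start_daemon () {
+ #
+ # sim_add hv0
+ # as hv0 ovs-vsctl add-br br0
++PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+ sims=
+ sim_add () {
+ echo "adding simulator '$1'"
+@@ -120,6 +121,17 @@ sim_add () {
+
+ # Start ovs-vswitchd
+ as $1 start_daemon ovs-vswitchd --enable-dummy=system -vvconn -vofproto_dpif -vunixctl
++ if test X$HAVE_OPENSSL = Xyes; then
++ if test -f $PKIDIR/testpki-$1-privkey.pem; then
++ as $1 ovs-vsctl set-ssl \
++ $PKIDIR/testpki-$1-privkey.pem \
++ $PKIDIR/testpki-$1-cert.pem \
++ $PKIDIR/testpki-cacert.pem \
++ || return 1
++ else
++ echo "WARNING: No certificate created for sim '$1', check TESTPKI_CNS variable in tests/automake.mk"
++ fi
++ fi
+ }
+
+ # "as $1" sets the OVS_*DIR environment variables to point to $ovs_base/$1.
+diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at
+index 6089ccf67..6ac23c51e 100644
+--- a/tests/ovn-macros.at
++++ b/tests/ovn-macros.at
+@@ -108,7 +108,18 @@ ovn_init_db () {
+ mkdir "$d" || return 1
+ : > "$d"/.$1.db.~lock~
+ as $as_d ovsdb-tool create "$d"/$1.db "$abs_top_srcdir"/$1.ovsschema
+- as $as_d start_daemon ovsdb-server --remote=punix:"$d"/$1.sock "$d"/$1.db
++
++ local remote_in_db=
++ if test X$HAVE_OPENSSL = Xyes -a X"$1" = X"ovn-sb"; then
++ remote_in_db="--remote=db:OVN_Southbound,SB_Global,connections --private-key=$PKIDIR/testpki-test-privkey.pem --certificate=$PKIDIR/testpki-test-cert.pem --ca-cert=$PKIDIR/testpki-cacert.pem"
++ fi
++
++ as $as_d start_daemon ovsdb-server \
++ -vjsonrpc \
++ --remote=punix:"$d"/$1.sock \
++ $remote_in_db \
++ "$d"/$1.db
++
+ local var=`echo $1_db | tr a-z- A-Z_`
+ AS_VAR_SET([$var], [unix:"$d"/$1.sock]); export $var
+ }
+@@ -161,6 +172,24 @@ ovn_start () {
+ --ovnnb-db=$ovn_nb_db \
+ --ovnsb-db=$ovn_sb_db
+
++ if test X$HAVE_OPENSSL = Xyes; then
++ # Create the SB DB pssl+RBAC connection. Ideally we could pre-create
++ # SB_Global and Connection with ovsdb-tool transact at DB creation
++ # time, but unfortunately that does not work, northd-ddlog will replace
++ # the SB_Global record on startup.
++ ovn-sbctl \
++ -- --id=@c create connection \
++ target=\"pssl:0:127.0.0.1\" role=ovn-controller \
++ -- add SB_Global . connections @c
++ local d=$ovs_base
++ if test -n "$1"; then
++ d=$d/$1
++ fi
++ PARSE_LISTENING_PORT([$d/ovn-sb/ovsdb-server.log], [TCP_PORT])
++ var="SSL_OVN_SB_DB"
++ AS_VAR_SET([$var], [ssl:127.0.0.1:$TCP_PORT]); export $var
++ fi
++
+ if test -n "$1"; then
+ as_d=$1/ic
+ echo "starting ovn-ic"
+@@ -225,11 +254,16 @@ ovn_az_attach() {
+
+ local ovn_remote
+ if test X"$az" = XNONE; then
+- ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock
++ if test X$HAVE_OPENSSL = Xyes; then
++ ovn_remote=$SSL_OVN_SB_DB
++ else
++ ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock
++ fi
+ else
+ ovn_remote=unix:$ovs_base/$az/ovn-sb/ovn-sb.sock
+ fi
+ ovs-vsctl \
++ -- set Open_vSwitch . external-ids:hostname=$sandbox \
+ -- set Open_vSwitch . external-ids:system-id=$sandbox \
+ -- set Open_vSwitch . external-ids:ovn-remote=$ovn_remote \
+ -- set Open_vSwitch . external-ids:ovn-encap-type=geneve,vxlan \
+--
+2.32.0
+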
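Review bot: In the `tests/pki/stamp` rule the certificate loop now runs after `cd tests/pki`, but the `OVS_PKI` command it invokes is unchanged and still passes the relative `--log=tests/ovs-pki.log` (and `$(ovs_srcdir)`, should that ever be relative), so inside the loop the log path resolves under `tests/pki/` and `CLEANFILES += tests/ovs-pki.log` would not cover the file actually written. Worth confirming on a Focal build that `tests/ovs-pki.log` lands in `tests/`; if it does not, `--log=$(CURDIR)/tests/ovs-pki.log` next to the already-absolute `--dir=$(OVS_PKI_DIR)` fixes it. The trailing `cd ../../ && \` only exists so that the final `: > tests/pki/stamp` resolves again; writing `: > $(OVS_PKI_DIR)/stamp` would remove the need for it. The enclosing `if HAVE_OPENSSL` conditional starts and ends outside this hunk.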
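diff --git a/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch b/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
new file mode 100644
index 0000000..d6751dc
--- /dev/null
+++ b/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
@@ -0,0 +1,138 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/020dab90f725b548a6131c988bd52e96623d3b8f
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From fecda75d32d187cab785089d3435915a9582de35 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl <frode.nordahl@canonical.com>
+Date: Fri, 5 Mar 2021 13:16:29 +0100
+Subject: [PATCH 1/3] tests: Use ovn_start in tests/ovn-controller.at
+
+The current version of the tests only initializes the SB DB and
+instruments it directly. This does not work with SSL+RBAC as
+northd must run to program the RBAC rules into the SB DB.
+
+Run tests both for C and ddlog version of northd.
+
+Add workaround for ovn-controller not re-reading certificates to
+'ovn-controller - Chassis other_config' test.
+
+Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
+Acked-by: Mark Michelson <mmichels@redhat.com>
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit 020dab90f725b548a6131c988bd52e96623d3b8f)
+---
+ tests/ovn-controller.at | 38 ++++++++++++++++++++++++++++++++------
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+
+diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
+index b9d8c3f36..44a449403 100644
+--- a/tests/ovn-controller.at
++++ b/tests/ovn-controller.at
+@@ -2,7 +2,7 @@ AT_BANNER([ovn-controller])
+
+ AT_SETUP([ovn-controller - ovn-bridge-mappings])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+ net_add n1
+ sim_add hv
+ as hv
+@@ -54,6 +54,14 @@ check_bridge_mappings () {
+ OVS_WAIT_UNTIL([test x"${local_mappings}" = x$(ovn-sbctl get Chassis ${sysid} external_ids:ovn-bridge-mappings | sed -e 's/\"//g')])
+ }
+
++# NOTE: This test originally ran with only the SB-DB and no northd. For the
++# test to be successfull with SSL+RBAC we need to initially run northd to get
++# the RBAC rules programmed into the SB-DB. The test instruments the SB-DB
++# directly and we need to stop northd to avoid overwriting the instrumentation.
++kill `cat northd/ovn-northd.pid`
++kill `cat northd-backup/ovn-northd.pid`
++kill `cat ovn-nb/ovsdb-server.pid`
++
+ # Initially there should be no patch ports.
+ check_patches
+
+@@ -116,12 +124,13 @@ as ovn-sb
+ OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+ AT_CLEANUP
++])
+
+ # Checks that ovn-controller populates datapath-type and iface-types
+ # correctly in the Chassis external-ids column.
+ AT_SETUP([ovn-controller - Chassis external_ids])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+
+ net_add n1
+ sim_add hv
+@@ -192,7 +201,21 @@ OVS_WAIT_UNTIL([
+ # Until that happens ovn-controller fails to create the records due to
+ # constraint violation on the Encap table.
+ sysid=${sysid}-foo
+-ovs-vsctl set Open_vSwitch . external-ids:system-id="${sysid}"
++current_remote=`ovs-vsctl get Open_vSwitch . external-ids:ovn-remote`
++if test X$HAVE_OPENSSL = Xyes; then
++ # To change chassis name we need to change certificate with matching CN
++ ovs-vsctl set-ssl \
++ $PKIDIR/testpki-${sysid}-privkey.pem \
++ $PKIDIR/testpki-${sysid}-cert.pem \
++ $PKIDIR/testpki-cacert.pem
++ # force reconnect which makes OVN controller read the new certificates
++ # TODO implement check for change of certificates in ovn-controller
++ # and remove this workaround.
++ ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=unix:/dev/null
++fi
++ovs-vsctl -- set Open_vSwitch . external-ids:hostname="${sysid}" \
++ -- set Open_vSwitch . external-ids:system-id="${sysid}" \
++ -- set Open_vSwitch . external-ids:ovn-remote="${current_remote}"
+
+ OVS_WAIT_UNTIL([
+ grep -q 'Transaction causes multiple rows in \\"Encap\\" table to have identical values (geneve and \\"192.168.0.1\\") for index on columns \\"type\\" and \\"ip\\".' hv/ovn-controller.log
+@@ -217,12 +240,13 @@ as ovn-sb
+ OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+ AT_CLEANUP
++])
+
+ # Checks that ovn-controller correctly maintains the mapping from the Encap
+ # table in the Southbound database to OVS in the face of changes on both sides
+ AT_SETUP([ovn-controller - change Encap properties])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+
+ net_add n1
+ sim_add hv
+@@ -272,11 +296,12 @@ as ovn-sb
+ OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+ AT_CLEANUP
++])
+
+ # Check ovn-controller connection status to Southbound database
+ AT_SETUP([ovn-controller - check sbdb connection])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+
+ net_add n1
+ sim_add hv
+@@ -306,11 +331,12 @@ as ovn-sb
+ OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+ AT_CLEANUP
++])
+
+ # Checks that ovn-controller recreates its chassis record when deleted externally.
+ AT_SETUP([ovn-controller - Chassis self record])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+
+ net_add n1
+ sim_add hv
+--
+2.32.0
+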
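Review bot: The `+])` lines inserted after `AT_CLEANUP` in the hunks at old lines 116, 217, 272 and 306 close an m4 macro call whose opening is not added anywhere in this backport: the first hunk only replaces `ovn_init_db ovn-sb` with `ovn_start` right after `AT_KEYWORDS`, with nothing such as `OVN_FOR_EACH_NORTHD([` in front of `AT_SETUP`, which suggests the per-northd wrappers the commit message describes ("Run tests both for C and ddlog version of northd") were dropped for 20.03 while their closings stayed. Unless the 20.03 file already opens such a quote, the stray `])` will most likely break the generated testsuite, so please confirm by building and running the `ovn-controller` tests on Focal rather than only the runtime fix. Separately, `kill \`cat northd/ovn-northd.pid\`` returns before northd has exited, so a transaction already in flight can still overwrite the SB DB instrumentation the comment above it wants to protect; waiting for the process to go away, e.g. `OVS_WAIT_WHILE([kill -0 $(cat northd/ovn-northd.pid)])` before the next `kill`, would make the comment hold. The `northd-backup` pid file also assumes that `ovn_start` in this release launches a backup northd, which the hunk cannot show.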
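diff --git a/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch b/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch
new file mode 100644
index 0000000..8e24101
--- /dev/null
+++ b/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch
@@ -0,0 +1,145 @@
+From 10ade706b64a9752e4fc75838b0eddb1bad7e9ec Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Tue, 4 May 2021 19:59:00 +0200
+Subject: [PATCH] physical: do not forward traffic from localport to a localnet
+ one
+
+Since the localnet port is available on each hv, do not forward traffic
+to the localnet port if it is present in order to avoid switch fdb
+misconfiguration.
+Related bz: https://bugzilla.redhat.com/show_bug.cgi?id=1942877
+
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Acked-by: Mark Michelson
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit 96959e56d634c8d888af9e3ee340602593c7e4fa)
+---
+ controller/physical.c | 23 +++++++++++++++++++++++
+ include/ovn/logical-fields.h | 16 ++++++++++++++++
+ tests/ovn.at | 17 +++++++++++++++++
+ 3 files changed, 56 insertions(+)
+
+diff --git a/controller/physical.c b/controller/physical.c
+index 3c5bbe027..87a0cff72 100644
+--- a/controller/physical.c
++++ b/controller/physical.c
+@@ -1137,6 +1137,11 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name,
+
+ load_logical_ingress_metadata(binding, &zone_ids, ofpacts_p);
+
++ if (!strcmp(binding->type, "localport")) {
++ /* mark the packet as incoming from a localport */
++ put_load(1, MFF_LOG_FLAGS, MLF_LOCALPORT_BIT, 1, ofpacts_p);
++ }
++
+ /* Resubmit to first logical ingress pipeline table. */
+ put_resubmit(OFTABLE_LOG_INGRESS_PIPELINE, ofpacts_p);
+ ofctrl_add_flow(flow_table, OFTABLE_PHY_TO_LOG,
+@@ -1196,6 +1201,24 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name,
+ ofport, flow_table);
+ }
+
++ /* Table 39, priority 160.
++ * =======================
++ *
++ * Do not forward local traffic from a localport to a localnet port.
++ */
++ if (!strcmp(binding->type, "localnet")) {
++ /* do not forward traffic from localport to localnet port */
++ match_init_catchall(&match);
++ ofpbuf_clear(ofpacts_p);
++ match_set_metadata(&match, htonll(dp_key));
++ match_set_reg(&match, MFF_LOG_OUTPORT - MFF_REG0, port_key);
++ match_set_reg_masked(&match, MFF_LOG_FLAGS - MFF_REG0,
++ MLF_LOCALPORT, MLF_LOCALPORT);
++ ofctrl_add_flow(flow_table, OFTABLE_CHECK_LOOPBACK, 160,
++ binding->header_.uuid.parts[0], &match,
++ ofpacts_p, &binding->header_.uuid);
++ }
++
+ } else if (!tun && !is_ha_remote) {
+ /* Remote port connected by localnet port */
+ /* Table 33, priority 100.
+diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h
+index c7bd2dba9..b7e0affe9 100644
+--- a/include/ovn/logical-fields.h
++++ b/include/ovn/logical-fields.h
+@@ -57,6 +57,10 @@ enum mff_log_flags_bits {
+ MLF_LOCAL_ONLY_BIT = 4,
+ MLF_NESTED_CONTAINER_BIT = 5,
+ MLF_LOOKUP_MAC_BIT = 6,
++ MLF_LOOKUP_LB_HAIRPIN_BIT = 7,
++ MLF_LOOKUP_FDB_BIT = 8,
++ MLF_SKIP_SNAT_FOR_LB_BIT = 9,
++ MLF_LOCALPORT_BIT = 10,
+ };
+
+ /* MFF_LOG_FLAGS_REG flag assignments */
+@@ -88,6 +92,18 @@ enum mff_log_flags {
+
+ /* Indicate that the lookup in the mac binding table was successful. */
+ MLF_LOOKUP_MAC = (1 << MLF_LOOKUP_MAC_BIT),
++
++ MLF_LOOKUP_LB_HAIRPIN = (1 << MLF_LOOKUP_LB_HAIRPIN_BIT),
++
++ /* Indicate that the lookup in the fdb table was successful. */
++ MLF_LOOKUP_FDB = (1 << MLF_LOOKUP_FDB_BIT),
++
++ /* Indicate that a packet must not SNAT in the gateway router when
++ * load-balancing has taken place. */
++ MLF_SKIP_SNAT_FOR_LB = (1 << MLF_SKIP_SNAT_FOR_LB_BIT),
++
++ /* Indicate the packet has been received from a localport */
++ MLF_LOCALPORT = (1 << MLF_LOCALPORT_BIT),
+ };
+
+ /* OVN logical fields
+diff --git a/tests/ovn.at b/tests/ovn.at
+index 6de5a6d3f..4ad5e5809 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -10348,10 +10348,17 @@ AT_CLEANUP
+ AT_SETUP([ovn -- localport suppress gARP])
+ ovn_start
+
++send_garp() {
++ local inport=$1 eth_src=$2 eth_dst=$3 spa=$4 tpa=$5
++ local request=${eth_dst}${eth_src}08060001080006040001${eth_src}${spa}${eth_dst}${tpa}
++ as hv1 ovs-appctl netdev-dummy/receive vif$inport $request
++}
++
+ net_add n1
+ sim_add hv1
+ as hv1
+ check ovs-vsctl add-br br-phys
++ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
+ ovn_attach n1 br-phys 192.168.0.1
+
+ check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
+@@ -10362,6 +10369,7 @@ check ovn-nbctl ls-add ls \
+ -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \
+ -- lsp-add ls ln \
+ -- lsp-set-type ln localnet \
++ -- lsp-set-addresses ln unknown \
+ -- lsp-set-options ln network_name=phys \
+ -- lsp-add ls lsp \
+ -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2"
+@@ -10395,6 +10403,15 @@ AT_CHECK([
+ test 0 -eq $pkts
+ ])
+
++spa=$(ip_to_hex 10 0 0 1)
++tpa=$(ip_to_hex 10 0 0 100)
++send_garp 1 000000000001 ffffffffffff $spa $tpa
++
++dnl traffic from localport should not be sent to localnet
++AT_CHECK([tcpdump -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl
++0
++],[ignore])
++
+ OVN_CLEANUP([hv1])
+ AT_CLEANUP
+
+--
+2.32.0
+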
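Review bot: The `logical-fields.h` hunk defines `MLF_LOOKUP_LB_HAIRPIN_BIT`, `MLF_LOOKUP_FDB_BIT` and `MLF_SKIP_SNAT_FOR_LB_BIT` (bits 7–9) and their `enum mff_log_flags` masks although nothing in this backport uses them; they look carried over from the upstream header so that `MLF_LOCALPORT_BIT` keeps its value 10. Keeping that value but replacing the three unused entries with a comment such as `/* Bits 7-9 are assigned by newer upstream releases; left free for parity. */` would stop the 20.03 header from advertising LB-hairpin, FDB-lookup and skip-SNAT flags it does not implement. Unlike the three `lp-1914988-*` patches, this file carries no DEP-3 `Origin:`, `Bug-Ubuntu:` or `Last-Update:` header, so the link to LP: #1943266 exists only in the changelog. In the `tests/ovn.at` hunk the added `ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys` duplicates the `check ovs-vsctl set ...` line two lines below it, so one of the two can go. The `consider_port_binding` hunks in `physical.c` begin and end outside the function's visible bounds.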
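diff --git a/debian/patches/series b/debian/patches/series
index 9afd08f..fbe5db9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,6 @@
-lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
 lp-1937075-ovn-ctl-Fix-stucked-while-do-cluster-db-init.patch
+lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
+lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
+lp-1914988-tests-Make-certificate-generation-extendable.patch
+lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
+lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch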
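Review bot: Moving `lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch` below `lp-1937075-ovn-ctl-Fix-stucked-while-do-cluster-db-init.patch` changes the apply order of two patches that already shipped in 20.03.2-0ubuntu0.20.04.2, and neither the changelog entry nor the (empty) description says why. A one-line changelog note, e.g. `* d/p/series: Group the lp-1914988 patches together ahead of the new test backports.`, would let the next uploader tell a deliberate reorder from an accidental one. The four new entries follow upstream's PATCH 1/3, 2/3, 3/3 numbering, which is the order their hunks require (the SSL-by-default patch edits the `TESTPKI_CNS` list and `tests/pki/stamp` rule introduced by the certificate-generation patch).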
Package building here: https://launchpad.net/~fnordahl/+archive/ubuntu/lp1914988