Merge ~fnordahl/ubuntu/+source/ovn:bug/1914988-focal into ~ubuntu-server-dev/ubuntu/+source/ovn:ubuntu/focal
- Git
- lp:~fnordahl/ubuntu/+source/ovn
- bug/1914988-focal
- Merge into ubuntu/focal
Proposed by
Frode Nordahl
| Status: | Merged |
|---|---|
| Merged at revision: | 7a3378023cebe06914c840027fb630464e46ec09 |
| Proposed branch: | ~fnordahl/ubuntu/+source/ovn:bug/1914988-focal |
| Merge into: | ~ubuntu-server-dev/ubuntu/+source/ovn:ubuntu/focal |
| Diff against target: |
701 lines (+662/-1) 6 files modified
debian/changelog (+8/-0) debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch (+213/-0) debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch (+153/-0) debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch (+138/-0) debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch (+145/-0) debian/patches/series (+5/-1) |
| Related bugs: |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| James Page | Pending | ||
|
Review via email:
|
|||
Commit message
Description of the change
To post a comment you must log in.
Revision history for this message
| Frode Nordahl (fnordahl) wrote : | # |
Revision history for this message
| Erlon R. Cruz (sombrafam) wrote : | # |
Tested this on Focal and it does solve the problem!
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
| 1 | diff --git a/debian/changelog b/debian/changelog |
| 2 | index 3a96e4b..92f56a2 100644 |
| 3 | --- a/debian/changelog |
| 4 | +++ b/debian/changelog |
| 5 | @@ -1,3 +1,11 @@ |
| 6 | +ovn (20.03.2-0ubuntu0.20.04.3) focal; urgency=medium |
| 7 | + |
| 8 | + * d/p/lp-1914988-tests-*: Backport test cases for SSL+RBAC (LP: #1914988). |
| 9 | + * d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch: |
| 10 | + Do not forward traffic from localport to localnet ports (LP: #1943266). |
| 11 | + |
| 12 | + -- Frode Nordahl <frode.nordahl@canonical.com> Fri, 01 Oct 2021 09:42:00 +0200 |
| 13 | + |
| 14 | ovn (20.03.2-0ubuntu0.20.04.2) focal; urgency=medium |
| 15 | |
| 16 | * d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch: |
| 17 | diff --git a/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch b/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch |
| 18 | new file mode 100644 |
| 19 | index 0000000..073b2cb |
| 20 | --- /dev/null |
| 21 | +++ b/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch |
| 22 | @@ -0,0 +1,213 @@ |
| 23 | +Origin: backport, https://github.com/ovn-org/ovn/commit/2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7 |
| 24 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 |
| 25 | +Last-Update: 2021-10-01 |
| 26 | + |
| 27 | +From b05ce42d1a6c4ca468b6a5fd1a16a0f6a5867663 Mon Sep 17 00:00:00 2001 |
| 28 | +From: Frode Nordahl <frode.nordahl@canonical.com> |
| 29 | +Date: Fri, 5 Mar 2021 13:16:30 +0100 |
| 30 | +Subject: [PATCH 2/3] tests: Make certificate generation extendable |
| 31 | + |
| 32 | +In preparation for enabling testing with SSL and RBAC enabled by |
| 33 | +default, rework the certificate generation so that we can easily |
| 34 | +add generation of more certificates/CN on demand. |
| 35 | + |
| 36 | +A side erffect of the change is a more generic naming scheme for |
| 37 | +the certificate files so the patch also contains an update to |
| 38 | +existing tests so that they use the new filenames. |
| 39 | + |
| 40 | +Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> |
| 41 | +Acked-by: Mark Michelson <mmichels@redhat.com> |
| 42 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
| 43 | +(cherry picked from commit 2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7) |
| 44 | +--- |
| 45 | + tests/automake.mk | 48 ++++++++++++++++++++++------------------------- |
| 46 | + tests/ovn.at | 48 +++++++++++++++++++++++------------------------ |
| 47 | + 2 files changed, 46 insertions(+), 50 deletions(-) |
| 48 | + |
| 49 | +diff --git a/tests/automake.mk b/tests/automake.mk |
| 50 | +index 9740f085a..6eabb97e6 100644 |
| 51 | +--- a/tests/automake.mk |
| 52 | ++++ b/tests/automake.mk |
| 53 | +@@ -215,39 +215,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage |
| 54 | + FLAKE8_PYFILES += $(CHECK_PYFILES) |
| 55 | + |
| 56 | + if HAVE_OPENSSL |
| 57 | +-TESTPKI_FILES = \ |
| 58 | +- tests/testpki-cacert.pem \ |
| 59 | +- tests/testpki-cert.pem \ |
| 60 | +- tests/testpki-privkey.pem \ |
| 61 | +- tests/testpki-req.pem \ |
| 62 | +- tests/testpki-cert2.pem \ |
| 63 | +- tests/testpki-privkey2.pem \ |
| 64 | +- tests/testpki-req2.pem |
| 65 | ++OVS_PKI_DIR = $(CURDIR)/tests/pki |
| 66 | ++TESTPKI_CNS = test test2 |
| 67 | ++TESTPKI_FILES = $(shell \ |
| 68 | ++ for cn in $(TESTPKI_CNS); do \ |
| 69 | ++ echo tests/testpki-$$cn-cert.pem ; \ |
| 70 | ++ echo tests/testpki-$$cn-privkey.pem ; \ |
| 71 | ++ echo tests/testpki-$$cn-req.pem ; \ |
| 72 | ++ done) |
| 73 | ++ |
| 74 | ++tests/testpki-cacert.pem: tests/pki/stamp |
| 75 | ++ $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@ |
| 76 | ++ |
| 77 | ++$(TESTPKI_FILES): tests/pki/stamp |
| 78 | ++ $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@ |
| 79 | ++ |
| 80 | ++check_DATA += tests/testpki-cacert.pem |
| 81 | + check_DATA += $(TESTPKI_FILES) |
| 82 | ++CLEANFILES += tests/testpki-cacert.pem |
| 83 | + CLEANFILES += $(TESTPKI_FILES) |
| 84 | + |
| 85 | +-tests/testpki-cacert.pem: tests/pki/stamp |
| 86 | +- $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@ |
| 87 | +-tests/testpki-cert.pem: tests/pki/stamp |
| 88 | +- $(AM_V_GEN)cp tests/pki/test-cert.pem $@ |
| 89 | +-tests/testpki-req.pem: tests/pki/stamp |
| 90 | +- $(AM_V_GEN)cp tests/pki/test-req.pem $@ |
| 91 | +-tests/testpki-privkey.pem: tests/pki/stamp |
| 92 | +- $(AM_V_GEN)cp tests/pki/test-privkey.pem $@ |
| 93 | +-tests/testpki-cert2.pem: tests/pki/stamp |
| 94 | +- $(AM_V_GEN)cp tests/pki/test2-cert.pem $@ |
| 95 | +-tests/testpki-req2.pem: tests/pki/stamp |
| 96 | +- $(AM_V_GEN)cp tests/pki/test2-req.pem $@ |
| 97 | +-tests/testpki-privkey2.pem: tests/pki/stamp |
| 98 | +- $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@ |
| 99 | +- |
| 100 | +-OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log |
| 101 | ++ |
| 102 | ++OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log |
| 103 | + tests/pki/stamp: |
| 104 | + $(AM_V_at)rm -f tests/pki/stamp |
| 105 | + $(AM_V_at)rm -rf tests/pki |
| 106 | + $(AM_V_GEN)$(OVS_PKI) init && \ |
| 107 | +- $(OVS_PKI) req+sign tests/pki/test && \ |
| 108 | +- $(OVS_PKI) req+sign tests/pki/test2 && \ |
| 109 | ++ for cn in $(TESTPKI_CNS); do \ |
| 110 | ++ $(OVS_PKI) req+sign tests/pki/$$cn; \ |
| 111 | ++ done && \ |
| 112 | + : > tests/pki/stamp |
| 113 | + CLEANFILES += tests/ovs-pki.log |
| 114 | + |
| 115 | +diff --git a/tests/ovn.at b/tests/ovn.at |
| 116 | +index 4d9ee1256..6de5a6d3f 100644 |
| 117 | +--- a/tests/ovn.at |
| 118 | ++++ b/tests/ovn.at |
| 119 | +@@ -7701,8 +7701,8 @@ AT_CHECK( |
| 120 | + |
| 121 | + start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ |
| 122 | + --remote=db:OVN_Southbound,SB_Global,connections \ |
| 123 | +- --private-key="$PKIDIR/testpki-privkey2.pem" \ |
| 124 | +- --certificate="$PKIDIR/testpki-cert2.pem" \ |
| 125 | ++ --private-key="$PKIDIR/testpki-test2-privkey.pem" \ |
| 126 | ++ --certificate="$PKIDIR/testpki-test2-cert.pem" \ |
| 127 | + --ca-cert="$PKIDIR/testpki-cacert.pem" \ |
| 128 | + ovn-sb.db |
| 129 | + |
| 130 | +@@ -7710,20 +7710,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) |
| 131 | + |
| 132 | + # read-only accesses should succeed |
| 133 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 134 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 135 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 136 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 137 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 138 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 139 | + list SB_Global], [0], [stdout], [ignore]) |
| 140 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 141 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 142 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 143 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 144 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 145 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 146 | + list Connection], [0], [stdout], [ignore]) |
| 147 | + |
| 148 | + # write access should fail |
| 149 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 150 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 151 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 152 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 153 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 154 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 155 | + chassis-add ch vxlan 1.2.4.8], [1], [ignore], |
| 156 | + [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} |
| 157 | +@@ -7751,8 +7751,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ |
| 158 | + |
| 159 | + # Populate SSL configuration entries in nb db |
| 160 | + AT_CHECK( |
| 161 | +- [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \ |
| 162 | +- $PKIDIR/testpki-cert.pem \ |
| 163 | ++ [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ |
| 164 | ++ $PKIDIR/testpki-test-cert.pem \ |
| 165 | + $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) |
| 166 | + |
| 167 | + # Populate a passive SSL connection in nb db |
| 168 | +@@ -7762,20 +7762,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) |
| 169 | + |
| 170 | + # Verify SSL connetivity to nb db server |
| 171 | + AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 172 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 173 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 174 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 175 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 176 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 177 | + list NB_Global], |
| 178 | + [0], [stdout], [ignore]) |
| 179 | + AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 180 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 181 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 182 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 183 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 184 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 185 | + list Connection], |
| 186 | + [0], [stdout], [ignore]) |
| 187 | + AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 188 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 189 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 190 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 191 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 192 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 193 | + get-connection], |
| 194 | + [0], [stdout], [ignore]) |
| 195 | +@@ -7802,8 +7802,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ |
| 196 | + |
| 197 | + # Populate SSL configuration entries in sb db |
| 198 | + AT_CHECK( |
| 199 | +- [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \ |
| 200 | +- $PKIDIR/testpki-cert.pem \ |
| 201 | ++ [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ |
| 202 | ++ $PKIDIR/testpki-test-cert.pem \ |
| 203 | + $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) |
| 204 | + |
| 205 | + # Populate a passive SSL connection in sb db |
| 206 | +@@ -7813,20 +7813,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) |
| 207 | + |
| 208 | + # Verify SSL connetivity to sb db server |
| 209 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 210 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 211 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 212 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 213 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 214 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 215 | + list SB_Global], |
| 216 | + [0], [stdout], [ignore]) |
| 217 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 218 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 219 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 220 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 221 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 222 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 223 | + list Connection], |
| 224 | + [0], [stdout], [ignore]) |
| 225 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 226 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 227 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 228 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 229 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 230 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 231 | + get-connection], |
| 232 | + [0], [stdout], [ignore]) |
| 233 | +-- |
| 234 | +2.32.0 |
| 235 | + |
| 236 | diff --git a/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch b/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch |
| 237 | new file mode 100644 |
| 238 | index 0000000..3336825 |
| 239 | --- /dev/null |
| 240 | +++ b/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch |
| 241 | @@ -0,0 +1,153 @@ |
| 242 | +Origin: backport, https://github.com/ovn-org/ovn/commit/c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4 |
| 243 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 |
| 244 | +Last-Update: 2021-10-01 |
| 245 | + |
| 246 | +From d2a358676e6d7260f44baa7ab2c23065c23f5968 Mon Sep 17 00:00:00 2001 |
| 247 | +From: Frode Nordahl <frode.nordahl@canonical.com> |
| 248 | +Date: Fri, 5 Mar 2021 13:16:31 +0100 |
| 249 | +Subject: [PATCH 3/3] tests: Test with SSL and RBAC for controller by default |
| 250 | + |
| 251 | +To help ourself to not forget updating RBAC rules when we land |
| 252 | +changes to existing functionality and new features we must enable |
| 253 | +SSL+RBAC on the `ovn-controller` <-> SB DB connection for builds |
| 254 | +with OpenSSL enabled. |
| 255 | + |
| 256 | +Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> |
| 257 | +Acked-by: Mark Michelson <mmichels@redhat.com> |
| 258 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
| 259 | +(cherry picked from commit c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4) |
| 260 | +--- |
| 261 | + tests/automake.mk | 9 +++++++-- |
| 262 | + tests/ofproto-macros.at | 12 ++++++++++++ |
| 263 | + tests/ovn-macros.at | 38 ++++++++++++++++++++++++++++++++++++-- |
| 264 | + 3 files changed, 55 insertions(+), 4 deletions(-) |
| 265 | + |
| 266 | +diff --git a/tests/automake.mk b/tests/automake.mk |
| 267 | +index 6eabb97e6..2df1e7a4f 100644 |
| 268 | +--- a/tests/automake.mk |
| 269 | ++++ b/tests/automake.mk |
| 270 | +@@ -216,7 +216,10 @@ FLAKE8_PYFILES += $(CHECK_PYFILES) |
| 271 | + |
| 272 | + if HAVE_OPENSSL |
| 273 | + OVS_PKI_DIR = $(CURDIR)/tests/pki |
| 274 | +-TESTPKI_CNS = test test2 |
| 275 | ++# NOTE: Certificate generation has to be done serially, and each one adds a few |
| 276 | ++# seconds to the test run. Please try to re-use one of the many CNs already |
| 277 | ++# used in the existing tests. |
| 278 | ++TESTPKI_CNS = test test2 main hv hv-foo hv1 hv2 hv3 hv4 hv5 hv6 hv7 hv8 hv9 hv10 hv-1 hv-2 hv-10-1 hv-10-2 hv-20-1 hv-20-2 vtep hv_gw pbr-hv gw1 gw2 gw3 gw4 gw5 ext1 |
| 279 | + TESTPKI_FILES = $(shell \ |
| 280 | + for cn in $(TESTPKI_CNS); do \ |
| 281 | + echo tests/testpki-$$cn-cert.pem ; \ |
| 282 | +@@ -241,9 +244,11 @@ tests/pki/stamp: |
| 283 | + $(AM_V_at)rm -f tests/pki/stamp |
| 284 | + $(AM_V_at)rm -rf tests/pki |
| 285 | + $(AM_V_GEN)$(OVS_PKI) init && \ |
| 286 | ++ cd tests/pki && \ |
| 287 | + for cn in $(TESTPKI_CNS); do \ |
| 288 | +- $(OVS_PKI) req+sign tests/pki/$$cn; \ |
| 289 | ++ $(OVS_PKI) -u req+sign $$cn; \ |
| 290 | + done && \ |
| 291 | ++ cd ../../ && \ |
| 292 | + : > tests/pki/stamp |
| 293 | + CLEANFILES += tests/ovs-pki.log |
| 294 | + |
| 295 | +diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at |
| 296 | +index 22999c1ca..502313083 100644 |
| 297 | +--- a/tests/ofproto-macros.at |
| 298 | ++++ b/tests/ofproto-macros.at |
| 299 | +@@ -99,6 +99,7 @@ start_daemon () { |
| 300 | + # |
| 301 | + # sim_add hv0 |
| 302 | + # as hv0 ovs-vsctl add-br br0 |
| 303 | ++PKIDIR="$(cd $abs_top_builddir/tests && pwd)" |
| 304 | + sims= |
| 305 | + sim_add () { |
| 306 | + echo "adding simulator '$1'" |
| 307 | +@@ -120,6 +121,17 @@ sim_add () { |
| 308 | + |
| 309 | + # Start ovs-vswitchd |
| 310 | + as $1 start_daemon ovs-vswitchd --enable-dummy=system -vvconn -vofproto_dpif -vunixctl |
| 311 | ++ if test X$HAVE_OPENSSL = Xyes; then |
| 312 | ++ if test -f $PKIDIR/testpki-$1-privkey.pem; then |
| 313 | ++ as $1 ovs-vsctl set-ssl \ |
| 314 | ++ $PKIDIR/testpki-$1-privkey.pem \ |
| 315 | ++ $PKIDIR/testpki-$1-cert.pem \ |
| 316 | ++ $PKIDIR/testpki-cacert.pem \ |
| 317 | ++ || return 1 |
| 318 | ++ else |
| 319 | ++ echo "WARNING: No certificate created for sim '$1', check TESTPKI_CNS variable in tests/automake.mk" |
| 320 | ++ fi |
| 321 | ++ fi |
| 322 | + } |
| 323 | + |
| 324 | + # "as $1" sets the OVS_*DIR environment variables to point to $ovs_base/$1. |
| 325 | +diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at |
| 326 | +index 6089ccf67..6ac23c51e 100644 |
| 327 | +--- a/tests/ovn-macros.at |
| 328 | ++++ b/tests/ovn-macros.at |
| 329 | +@@ -108,7 +108,18 @@ ovn_init_db () { |
| 330 | + mkdir "$d" || return 1 |
| 331 | + : > "$d"/.$1.db.~lock~ |
| 332 | + as $as_d ovsdb-tool create "$d"/$1.db "$abs_top_srcdir"/$1.ovsschema |
| 333 | +- as $as_d start_daemon ovsdb-server --remote=punix:"$d"/$1.sock "$d"/$1.db |
| 334 | ++ |
| 335 | ++ local remote_in_db= |
| 336 | ++ if test X$HAVE_OPENSSL = Xyes -a X"$1" = X"ovn-sb"; then |
| 337 | ++ remote_in_db="--remote=db:OVN_Southbound,SB_Global,connections --private-key=$PKIDIR/testpki-test-privkey.pem --certificate=$PKIDIR/testpki-test-cert.pem --ca-cert=$PKIDIR/testpki-cacert.pem" |
| 338 | ++ fi |
| 339 | ++ |
| 340 | ++ as $as_d start_daemon ovsdb-server \ |
| 341 | ++ -vjsonrpc \ |
| 342 | ++ --remote=punix:"$d"/$1.sock \ |
| 343 | ++ $remote_in_db \ |
| 344 | ++ "$d"/$1.db |
| 345 | ++ |
| 346 | + local var=`echo $1_db | tr a-z- A-Z_` |
| 347 | + AS_VAR_SET([$var], [unix:"$d"/$1.sock]); export $var |
| 348 | + } |
| 349 | +@@ -161,6 +172,24 @@ ovn_start () { |
| 350 | + --ovnnb-db=$ovn_nb_db \ |
| 351 | + --ovnsb-db=$ovn_sb_db |
| 352 | + |
| 353 | ++ if test X$HAVE_OPENSSL = Xyes; then |
| 354 | ++ # Create the SB DB pssl+RBAC connection. Ideally we could pre-create |
| 355 | ++ # SB_Global and Connection with ovsdb-tool transact at DB creation |
| 356 | ++ # time, but unfortunately that does not work, northd-ddlog will replace |
| 357 | ++ # the SB_Global record on startup. |
| 358 | ++ ovn-sbctl \ |
| 359 | ++ -- --id=@c create connection \ |
| 360 | ++ target=\"pssl:0:127.0.0.1\" role=ovn-controller \ |
| 361 | ++ -- add SB_Global . connections @c |
| 362 | ++ local d=$ovs_base |
| 363 | ++ if test -n "$1"; then |
| 364 | ++ d=$d/$1 |
| 365 | ++ fi |
| 366 | ++ PARSE_LISTENING_PORT([$d/ovn-sb/ovsdb-server.log], [TCP_PORT]) |
| 367 | ++ var="SSL_OVN_SB_DB" |
| 368 | ++ AS_VAR_SET([$var], [ssl:127.0.0.1:$TCP_PORT]); export $var |
| 369 | ++ fi |
| 370 | ++ |
| 371 | + if test -n "$1"; then |
| 372 | + as_d=$1/ic |
| 373 | + echo "starting ovn-ic" |
| 374 | +@@ -225,11 +254,16 @@ ovn_az_attach() { |
| 375 | + |
| 376 | + local ovn_remote |
| 377 | + if test X"$az" = XNONE; then |
| 378 | +- ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock |
| 379 | ++ if test X$HAVE_OPENSSL = Xyes; then |
| 380 | ++ ovn_remote=$SSL_OVN_SB_DB |
| 381 | ++ else |
| 382 | ++ ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock |
| 383 | ++ fi |
| 384 | + else |
| 385 | + ovn_remote=unix:$ovs_base/$az/ovn-sb/ovn-sb.sock |
| 386 | + fi |
| 387 | + ovs-vsctl \ |
| 388 | ++ -- set Open_vSwitch . external-ids:hostname=$sandbox \ |
| 389 | + -- set Open_vSwitch . external-ids:system-id=$sandbox \ |
| 390 | + -- set Open_vSwitch . external-ids:ovn-remote=$ovn_remote \ |
| 391 | + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve,vxlan \ |
| 392 | +-- |
| 393 | +2.32.0 |
| 394 | + |
| 395 | diff --git a/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch b/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch |
| 396 | new file mode 100644 |
| 397 | index 0000000..d6751dc |
| 398 | --- /dev/null |
| 399 | +++ b/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch |
| 400 | @@ -0,0 +1,138 @@ |
| 401 | +Origin: backport, https://github.com/ovn-org/ovn/commit/020dab90f725b548a6131c988bd52e96623d3b8f |
| 402 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 |
| 403 | +Last-Update: 2021-10-01 |
| 404 | + |
| 405 | +From fecda75d32d187cab785089d3435915a9582de35 Mon Sep 17 00:00:00 2001 |
| 406 | +From: Frode Nordahl <frode.nordahl@canonical.com> |
| 407 | +Date: Fri, 5 Mar 2021 13:16:29 +0100 |
| 408 | +Subject: [PATCH 1/3] tests: Use ovn_start in tests/ovn-controller.at |
| 409 | + |
| 410 | +The current version of the tests only initializes the SB DB and |
| 411 | +instruments it directly. This does not work with SSL+RBAC as |
| 412 | +northd must run to program the RBAC rules into the SB DB. |
| 413 | + |
| 414 | +Run tests both for C and ddlog version of northd. |
| 415 | + |
| 416 | +Add workaround for ovn-controller not re-reading certificates to |
| 417 | +'ovn-controller - Chassis other_config' test. |
| 418 | + |
| 419 | +Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> |
| 420 | +Acked-by: Mark Michelson <mmichels@redhat.com> |
| 421 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
| 422 | +(cherry picked from commit 020dab90f725b548a6131c988bd52e96623d3b8f) |
| 423 | +--- |
| 424 | + tests/ovn-controller.at | 38 ++++++++++++++++++++++++++++++++------ |
| 425 | + 1 file changed, 32 insertions(+), 6 deletions(-) |
| 426 | + |
| 427 | +diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at |
| 428 | +index b9d8c3f36..44a449403 100644 |
| 429 | +--- a/tests/ovn-controller.at |
| 430 | ++++ b/tests/ovn-controller.at |
| 431 | +@@ -2,7 +2,7 @@ AT_BANNER([ovn-controller]) |
| 432 | + |
| 433 | + AT_SETUP([ovn-controller - ovn-bridge-mappings]) |
| 434 | + AT_KEYWORDS([ovn]) |
| 435 | +-ovn_init_db ovn-sb |
| 436 | ++ovn_start |
| 437 | + net_add n1 |
| 438 | + sim_add hv |
| 439 | + as hv |
| 440 | +@@ -54,6 +54,14 @@ check_bridge_mappings () { |
| 441 | + OVS_WAIT_UNTIL([test x"${local_mappings}" = x$(ovn-sbctl get Chassis ${sysid} external_ids:ovn-bridge-mappings | sed -e 's/\"//g')]) |
| 442 | + } |
| 443 | + |
| 444 | ++# NOTE: This test originally ran with only the SB-DB and no northd. For the |
| 445 | ++# test to be successfull with SSL+RBAC we need to initially run northd to get |
| 446 | ++# the RBAC rules programmed into the SB-DB. The test instruments the SB-DB |
| 447 | ++# directly and we need to stop northd to avoid overwriting the instrumentation. |
| 448 | ++kill `cat northd/ovn-northd.pid` |
| 449 | ++kill `cat northd-backup/ovn-northd.pid` |
| 450 | ++kill `cat ovn-nb/ovsdb-server.pid` |
| 451 | ++ |
| 452 | + # Initially there should be no patch ports. |
| 453 | + check_patches |
| 454 | + |
| 455 | +@@ -116,12 +124,13 @@ as ovn-sb |
| 456 | + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) |
| 457 | + |
| 458 | + AT_CLEANUP |
| 459 | ++]) |
| 460 | + |
| 461 | + # Checks that ovn-controller populates datapath-type and iface-types |
| 462 | + # correctly in the Chassis external-ids column. |
| 463 | + AT_SETUP([ovn-controller - Chassis external_ids]) |
| 464 | + AT_KEYWORDS([ovn]) |
| 465 | +-ovn_init_db ovn-sb |
| 466 | ++ovn_start |
| 467 | + |
| 468 | + net_add n1 |
| 469 | + sim_add hv |
| 470 | +@@ -192,7 +201,21 @@ OVS_WAIT_UNTIL([ |
| 471 | + # Until that happens ovn-controller fails to create the records due to |
| 472 | + # constraint violation on the Encap table. |
| 473 | + sysid=${sysid}-foo |
| 474 | +-ovs-vsctl set Open_vSwitch . external-ids:system-id="${sysid}" |
| 475 | ++current_remote=`ovs-vsctl get Open_vSwitch . external-ids:ovn-remote` |
| 476 | ++if test X$HAVE_OPENSSL = Xyes; then |
| 477 | ++ # To change chassis name we need to change certificate with matching CN |
| 478 | ++ ovs-vsctl set-ssl \ |
| 479 | ++ $PKIDIR/testpki-${sysid}-privkey.pem \ |
| 480 | ++ $PKIDIR/testpki-${sysid}-cert.pem \ |
| 481 | ++ $PKIDIR/testpki-cacert.pem |
| 482 | ++ # force reconnect which makes OVN controller read the new certificates |
| 483 | ++ # TODO implement check for change of certificates in ovn-controller |
| 484 | ++ # and remove this workaround. |
| 485 | ++ ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=unix:/dev/null |
| 486 | ++fi |
| 487 | ++ovs-vsctl -- set Open_vSwitch . external-ids:hostname="${sysid}" \ |
| 488 | ++ -- set Open_vSwitch . external-ids:system-id="${sysid}" \ |
| 489 | ++ -- set Open_vSwitch . external-ids:ovn-remote="${current_remote}" |
| 490 | + |
| 491 | + OVS_WAIT_UNTIL([ |
| 492 | + grep -q 'Transaction causes multiple rows in \\"Encap\\" table to have identical values (geneve and \\"192.168.0.1\\") for index on columns \\"type\\" and \\"ip\\".' hv/ovn-controller.log |
| 493 | +@@ -217,12 +240,13 @@ as ovn-sb |
| 494 | + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) |
| 495 | + |
| 496 | + AT_CLEANUP |
| 497 | ++]) |
| 498 | + |
| 499 | + # Checks that ovn-controller correctly maintains the mapping from the Encap |
| 500 | + # table in the Southbound database to OVS in the face of changes on both sides |
| 501 | + AT_SETUP([ovn-controller - change Encap properties]) |
| 502 | + AT_KEYWORDS([ovn]) |
| 503 | +-ovn_init_db ovn-sb |
| 504 | ++ovn_start |
| 505 | + |
| 506 | + net_add n1 |
| 507 | + sim_add hv |
| 508 | +@@ -272,11 +296,12 @@ as ovn-sb |
| 509 | + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) |
| 510 | + |
| 511 | + AT_CLEANUP |
| 512 | ++]) |
| 513 | + |
| 514 | + # Check ovn-controller connection status to Southbound database |
| 515 | + AT_SETUP([ovn-controller - check sbdb connection]) |
| 516 | + AT_KEYWORDS([ovn]) |
| 517 | +-ovn_init_db ovn-sb |
| 518 | ++ovn_start |
| 519 | + |
| 520 | + net_add n1 |
| 521 | + sim_add hv |
| 522 | +@@ -306,11 +331,12 @@ as ovn-sb |
| 523 | + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) |
| 524 | + |
| 525 | + AT_CLEANUP |
| 526 | ++]) |
| 527 | + |
| 528 | + # Checks that ovn-controller recreates its chassis record when deleted externally. |
| 529 | + AT_SETUP([ovn-controller - Chassis self record]) |
| 530 | + AT_KEYWORDS([ovn]) |
| 531 | +-ovn_init_db ovn-sb |
| 532 | ++ovn_start |
| 533 | + |
| 534 | + net_add n1 |
| 535 | + sim_add hv |
| 536 | +-- |
| 537 | +2.32.0 |
| 538 | + |
| 539 | diff --git a/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch b/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch |
| 540 | new file mode 100644 |
| 541 | index 0000000..8e24101 |
| 542 | --- /dev/null |
| 543 | +++ b/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch |
| 544 | @@ -0,0 +1,145 @@ |
| 545 | +From 10ade706b64a9752e4fc75838b0eddb1bad7e9ec Mon Sep 17 00:00:00 2001 |
| 546 | +From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> |
| 547 | +Date: Tue, 4 May 2021 19:59:00 +0200 |
| 548 | +Subject: [PATCH] physical: do not forward traffic from localport to a localnet |
| 549 | + one |
| 550 | + |
| 551 | +Since the localnet port is available on each hv, do not forward traffic |
| 552 | +to the localnet port if it is present in order to avoid switch fdb |
| 553 | +misconfiguration. |
| 554 | +Related bz: https://bugzilla.redhat.com/show_bug.cgi?id=1942877 |
| 555 | + |
| 556 | +Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> |
| 557 | +Acked-by: Mark Michelson |
| 558 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
| 559 | +(cherry picked from commit 96959e56d634c8d888af9e3ee340602593c7e4fa) |
| 560 | +--- |
| 561 | + controller/physical.c | 23 +++++++++++++++++++++++ |
| 562 | + include/ovn/logical-fields.h | 16 ++++++++++++++++ |
| 563 | + tests/ovn.at | 17 +++++++++++++++++ |
| 564 | + 3 files changed, 56 insertions(+) |
| 565 | + |
| 566 | +diff --git a/controller/physical.c b/controller/physical.c |
| 567 | +index 3c5bbe027..87a0cff72 100644 |
| 568 | +--- a/controller/physical.c |
| 569 | ++++ b/controller/physical.c |
| 570 | +@@ -1137,6 +1137,11 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name, |
| 571 | + |
| 572 | + load_logical_ingress_metadata(binding, &zone_ids, ofpacts_p); |
| 573 | + |
| 574 | ++ if (!strcmp(binding->type, "localport")) { |
| 575 | ++ /* mark the packet as incoming from a localport */ |
| 576 | ++ put_load(1, MFF_LOG_FLAGS, MLF_LOCALPORT_BIT, 1, ofpacts_p); |
| 577 | ++ } |
| 578 | ++ |
| 579 | + /* Resubmit to first logical ingress pipeline table. */ |
| 580 | + put_resubmit(OFTABLE_LOG_INGRESS_PIPELINE, ofpacts_p); |
| 581 | + ofctrl_add_flow(flow_table, OFTABLE_PHY_TO_LOG, |
| 582 | +@@ -1196,6 +1201,24 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name, |
| 583 | + ofport, flow_table); |
| 584 | + } |
| 585 | + |
| 586 | ++ /* Table 39, priority 160. |
| 587 | ++ * ======================= |
| 588 | ++ * |
| 589 | ++ * Do not forward local traffic from a localport to a localnet port. |
| 590 | ++ */ |
| 591 | ++ if (!strcmp(binding->type, "localnet")) { |
| 592 | ++ /* do not forward traffic from localport to localnet port */ |
| 593 | ++ match_init_catchall(&match); |
| 594 | ++ ofpbuf_clear(ofpacts_p); |
| 595 | ++ match_set_metadata(&match, htonll(dp_key)); |
| 596 | ++ match_set_reg(&match, MFF_LOG_OUTPORT - MFF_REG0, port_key); |
| 597 | ++ match_set_reg_masked(&match, MFF_LOG_FLAGS - MFF_REG0, |
| 598 | ++ MLF_LOCALPORT, MLF_LOCALPORT); |
| 599 | ++ ofctrl_add_flow(flow_table, OFTABLE_CHECK_LOOPBACK, 160, |
| 600 | ++ binding->header_.uuid.parts[0], &match, |
| 601 | ++ ofpacts_p, &binding->header_.uuid); |
| 602 | ++ } |
| 603 | ++ |
| 604 | + } else if (!tun && !is_ha_remote) { |
| 605 | + /* Remote port connected by localnet port */ |
| 606 | + /* Table 33, priority 100. |
| 607 | +diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h |
| 608 | +index c7bd2dba9..b7e0affe9 100644 |
| 609 | +--- a/include/ovn/logical-fields.h |
| 610 | ++++ b/include/ovn/logical-fields.h |
| 611 | +@@ -57,6 +57,10 @@ enum mff_log_flags_bits { |
| 612 | + MLF_LOCAL_ONLY_BIT = 4, |
| 613 | + MLF_NESTED_CONTAINER_BIT = 5, |
| 614 | + MLF_LOOKUP_MAC_BIT = 6, |
| 615 | ++ MLF_LOOKUP_LB_HAIRPIN_BIT = 7, |
| 616 | ++ MLF_LOOKUP_FDB_BIT = 8, |
| 617 | ++ MLF_SKIP_SNAT_FOR_LB_BIT = 9, |
| 618 | ++ MLF_LOCALPORT_BIT = 10, |
| 619 | + }; |
| 620 | + |
| 621 | + /* MFF_LOG_FLAGS_REG flag assignments */ |
| 622 | +@@ -88,6 +92,18 @@ enum mff_log_flags { |
| 623 | + |
| 624 | + /* Indicate that the lookup in the mac binding table was successful. */ |
| 625 | + MLF_LOOKUP_MAC = (1 << MLF_LOOKUP_MAC_BIT), |
| 626 | ++ |
| 627 | ++ MLF_LOOKUP_LB_HAIRPIN = (1 << MLF_LOOKUP_LB_HAIRPIN_BIT), |
| 628 | ++ |
| 629 | ++ /* Indicate that the lookup in the fdb table was successful. */ |
| 630 | ++ MLF_LOOKUP_FDB = (1 << MLF_LOOKUP_FDB_BIT), |
| 631 | ++ |
| 632 | ++ /* Indicate that a packet must not SNAT in the gateway router when |
| 633 | ++ * load-balancing has taken place. */ |
| 634 | ++ MLF_SKIP_SNAT_FOR_LB = (1 << MLF_SKIP_SNAT_FOR_LB_BIT), |
| 635 | ++ |
| 636 | ++ /* Indicate the packet has been received from a localport */ |
| 637 | ++ MLF_LOCALPORT = (1 << MLF_LOCALPORT_BIT), |
| 638 | + }; |
| 639 | + |
| 640 | + /* OVN logical fields |
| 641 | +diff --git a/tests/ovn.at b/tests/ovn.at |
| 642 | +index 6de5a6d3f..4ad5e5809 100644 |
| 643 | +--- a/tests/ovn.at |
| 644 | ++++ b/tests/ovn.at |
| 645 | +@@ -10348,10 +10348,17 @@ AT_CLEANUP |
| 646 | + AT_SETUP([ovn -- localport suppress gARP]) |
| 647 | + ovn_start |
| 648 | + |
| 649 | ++send_garp() { |
| 650 | ++ local inport=$1 eth_src=$2 eth_dst=$3 spa=$4 tpa=$5 |
| 651 | ++ local request=${eth_dst}${eth_src}08060001080006040001${eth_src}${spa}${eth_dst}${tpa} |
| 652 | ++ as hv1 ovs-appctl netdev-dummy/receive vif$inport $request |
| 653 | ++} |
| 654 | ++ |
| 655 | + net_add n1 |
| 656 | + sim_add hv1 |
| 657 | + as hv1 |
| 658 | + check ovs-vsctl add-br br-phys |
| 659 | ++ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys |
| 660 | + ovn_attach n1 br-phys 192.168.0.1 |
| 661 | + |
| 662 | + check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys |
| 663 | +@@ -10362,6 +10369,7 @@ check ovn-nbctl ls-add ls \ |
| 664 | + -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \ |
| 665 | + -- lsp-add ls ln \ |
| 666 | + -- lsp-set-type ln localnet \ |
| 667 | ++ -- lsp-set-addresses ln unknown \ |
| 668 | + -- lsp-set-options ln network_name=phys \ |
| 669 | + -- lsp-add ls lsp \ |
| 670 | + -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2" |
| 671 | +@@ -10395,6 +10403,15 @@ AT_CHECK([ |
| 672 | + test 0 -eq $pkts |
| 673 | + ]) |
| 674 | + |
| 675 | ++spa=$(ip_to_hex 10 0 0 1) |
| 676 | ++tpa=$(ip_to_hex 10 0 0 100) |
| 677 | ++send_garp 1 000000000001 ffffffffffff $spa $tpa |
| 678 | ++ |
| 679 | ++dnl traffic from localport should not be sent to localnet |
| 680 | ++AT_CHECK([tcpdump -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl |
| 681 | ++0 |
| 682 | ++],[ignore]) |
| 683 | ++ |
| 684 | + OVN_CLEANUP([hv1]) |
| 685 | + AT_CLEANUP |
| 686 | + |
| 687 | +-- |
| 688 | +2.32.0 |
| 689 | + |
| 690 | diff --git a/debian/patches/series b/debian/patches/series |
| 691 | index 9afd08f..fbe5db9 100644 |
| 692 | --- a/debian/patches/series |
| 693 | +++ b/debian/patches/series |
| 694 | @@ -1,2 +1,6 @@ |
| 695 | -lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch |
| 696 | lp-1937075-ovn-ctl-Fix-stucked-while-do-cluster-db-init.patch |
| 697 | +lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch |
| 698 | +lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch |
| 699 | +lp-1914988-tests-Make-certificate-generation-extendable.patch |
| 700 | +lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch |
| 701 | +lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch |
Package building here: https:/