Merge ~fnordahl/ubuntu/+source/ovn:bug/1914988-hirsute into ~ubuntu-server-dev/ubuntu/+source/ovn:ubuntu/hirsute
- Git
- lp:~fnordahl/ubuntu/+source/ovn
- bug/1914988-hirsute
- Merge into ubuntu/hirsute
Proposed by
Frode Nordahl
| Status: | Needs review |
|---|---|
| Proposed branch: | ~fnordahl/ubuntu/+source/ovn:bug/1914988-hirsute |
| Merge into: | ~ubuntu-server-dev/ubuntu/+source/ovn:ubuntu/hirsute |
| Diff against target: |
1036 lines (+972/-0) 10 files modified
debian/changelog (+17/-0) debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch (+54/-0) debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch (+36/-0) debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch (+47/-0) debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch (+213/-0) debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch (+153/-0) debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch (+188/-0) debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch (+145/-0) debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch (+111/-0) debian/patches/series (+8/-0) |
| Related bugs: |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| James Page | Pending | ||
|
Review via email:
|
|||
Commit message
Description of the change
To post a comment you must log in.
Revision history for this message
| Erlon R. Cruz (sombrafam) wrote : | # |
I've tested the patches on hirsute and they fixed the ARP issues.
Unmerged commits
- 414d998... by Frode Nordahl
-
Backport fixes
* Backport rollup for SSL+RBAC (LP: #1914988):
- d/p/lp-1913024- northd- Add-Chassis_ Private- external_ ids-column- to-RB.patch
- d/p/lp-1914988- Add-IGMP_ Group-to- ovn-controller- RBAC.patch
- d/p/lp-1917475- northd- Amend-RBAC- rules-for- Port_Binding- table.patch
- d/p/lp-1914988- northd- Amend-Chassis- RBAC-rules. patch
- d/p/lp-1914988- northd- Add-Controller_ Event-RBAC- rules.patch
- d/p/lp-1914988- tests-Amend- release- stale-port- binding- test-for- RBAC.patch
- d/p/lp-1914988- tests-Use- ovn_start- in-tests- ovn-controller. at.patch
- d/p/lp-1914988- tests-Make- certificate- generation- extendable. patch
- d/p/lp-1914988- tests-Test- with-SSL- and-RBAC- for-controller- by-defau. patch
* d/p/lp-1943266- physical- do-not- forward- traffic- from-localport- to-a-.patch:
Do not forward traffic from localport to localnet ports (LP: #1943266).
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
| 1 | diff --git a/debian/changelog b/debian/changelog |
| 2 | index e9b9bbf..95ec54f 100644 |
| 3 | --- a/debian/changelog |
| 4 | +++ b/debian/changelog |
| 5 | @@ -1,3 +1,20 @@ |
| 6 | +ovn (20.12.0-0ubuntu4) hirsute; urgency=medium |
| 7 | + |
| 8 | + * Backport rollup for SSL+RBAC (LP: #1914988): |
| 9 | + - d/p/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch |
| 10 | + - d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch |
| 11 | + - d/p/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch |
| 12 | + - d/p/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch |
| 13 | + - d/p/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch |
| 14 | + - d/p/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch |
| 15 | + - d/p/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch |
| 16 | + - d/p/lp-1914988-tests-Make-certificate-generation-extendable.patch |
| 17 | + - d/p/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch |
| 18 | + * d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch: |
| 19 | + Do not forward traffic from localport to localnet ports (LP: #1943266). |
| 20 | + |
| 21 | + -- Frode Nordahl <frode.nordahl@canonical.com> Fri, 01 Oct 2021 09:42:00 +0200 |
| 22 | + |
| 23 | ovn (20.12.0-0ubuntu3) hirsute; urgency=medium |
| 24 | |
| 25 | * Cherry-pick fixes from upstream branch-20.12 |
| 26 | diff --git a/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch b/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch |
| 27 | new file mode 100644 |
| 28 | index 0000000..f406009 |
| 29 | --- /dev/null |
| 30 | +++ b/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch |
| 31 | @@ -0,0 +1,54 @@ |
| 32 | +Origin: backport, https://github.com/ovn-org/ovn/commit/51f2629cda614d0712ca13f4b51e30c9c2290bc1 |
| 33 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 |
| 34 | +Last-Update: 2021-10-01 |
| 35 | + |
| 36 | +From 23f2c7a18ec1f7690c827ea2adbab00f855c456a Mon Sep 17 00:00:00 2001 |
| 37 | +From: Frode Nordahl <frode.nordahl@canonical.com> |
| 38 | +Date: Fri, 5 Mar 2021 13:16:26 +0100 |
| 39 | +Subject: [PATCH 5/9] northd: Add Controller_Event RBAC rules |
| 40 | + |
| 41 | +The use of the Controller_Event table does currently not work |
| 42 | +when RBAC is enabled. |
| 43 | + |
| 44 | +Fixes: be1eeb09d ("OVN: introduce Controller_Event table") |
| 45 | +Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> |
| 46 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
| 47 | +(cherry picked from commit 51f2629cda614d0712ca13f4b51e30c9c2290bc1) |
| 48 | +--- |
| 49 | + northd/ovn-northd.c | 14 ++++++++++++++ |
| 50 | + 1 file changed, 14 insertions(+) |
| 51 | + |
| 52 | +diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c |
| 53 | +index ad84c52be..4abb0c7ab 100644 |
| 54 | +--- a/northd/ovn-northd.c |
| 55 | ++++ b/northd/ovn-northd.c |
| 56 | +@@ -12687,6 +12687,12 @@ static const char *rbac_encap_auth[] = |
| 57 | + static const char *rbac_encap_update[] = |
| 58 | + {"type", "options", "ip"}; |
| 59 | + |
| 60 | ++static const char *rbac_controller_event_auth[] = |
| 61 | ++ {""}; |
| 62 | ++static const char *rbac_controller_event_update[] = |
| 63 | ++ {"chassis", "event_info", "event_type", "seq_num"}; |
| 64 | ++ |
| 65 | ++ |
| 66 | + static const char *rbac_port_binding_auth[] = |
| 67 | + {""}; |
| 68 | + static const char *rbac_port_binding_update[] = |
| 69 | +@@ -12731,6 +12737,14 @@ static struct rbac_perm_cfg { |
| 70 | + .update = rbac_chassis_private_update, |
| 71 | + .n_update = ARRAY_SIZE(rbac_chassis_private_update), |
| 72 | + .row = NULL |
| 73 | ++ },{ |
| 74 | ++ .table = "Controller_Event", |
| 75 | ++ .auth = rbac_controller_event_auth, |
| 76 | ++ .n_auth = ARRAY_SIZE(rbac_controller_event_auth), |
| 77 | ++ .insdel = true, |
| 78 | ++ .update = rbac_controller_event_update, |
| 79 | ++ .n_update = ARRAY_SIZE(rbac_controller_event_update), |
| 80 | ++ .row = NULL |
| 81 | + },{ |
| 82 | + .table = "Encap", |
| 83 | + .auth = rbac_encap_auth, |
| 84 | +-- |
| 85 | +2.32.0 |
| 86 | diff --git a/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch b/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch |
| 87 | new file mode 100644 |
| 88 | index 0000000..74bd27a |
| 89 | --- /dev/null |
| 90 | +++ b/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch |
| 91 | @@ -0,0 +1,36 @@ |
| 92 | +Origin: backport, https://github.com/ovn-org/ovn/commit/b865e502293b8504812b062321be442805f46d4a |
| 93 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 |
| 94 | +Last-Update: 2021-10-01 |
| 95 | + |
| 96 | +From 0b44305ea11f5ecf3a5ba43de5f62fd1dcc3f912 Mon Sep 17 00:00:00 2001 |
| 97 | +From: Frode Nordahl <frode.nordahl@canonical.com> |
| 98 | +Date: Fri, 5 Mar 2021 13:16:25 +0100 |
| 99 | +Subject: [PATCH 4/8] northd: Amend Chassis RBAC rules |
| 100 | + |
| 101 | +The Transport Zones support does currently not work when RBAC is |
| 102 | +enabled. |
| 103 | + |
| 104 | +Fixes: 07d0d258d ("OVN: Add support for Transport Zones") |
| 105 | +Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> |
| 106 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
| 107 | +(cherry picked from commit b865e502293b8504812b062321be442805f46d4a) |
| 108 | +--- |
| 109 | + northd/ovn-northd.c | 2 +- |
| 110 | + 1 file changed, 1 insertion(+), 1 deletion(-) |
| 111 | + |
| 112 | +diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c |
| 113 | +index 718ed831a..ad84c52be 100644 |
| 114 | +--- a/northd/ovn-northd.c |
| 115 | ++++ b/northd/ovn-northd.c |
| 116 | +@@ -12675,7 +12675,7 @@ static const char *rbac_chassis_auth[] = |
| 117 | + {"name"}; |
| 118 | + static const char *rbac_chassis_update[] = |
| 119 | + {"nb_cfg", "external_ids", "encaps", "vtep_logical_switches", |
| 120 | +- "other_config"}; |
| 121 | ++ "other_config", "transport_zones"}; |
| 122 | + |
| 123 | + static const char *rbac_chassis_private_auth[] = |
| 124 | + {"name"}; |
| 125 | +-- |
| 126 | +2.32.0 |
| 127 | + |
| 128 | diff --git a/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch b/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch |
| 129 | new file mode 100644 |
| 130 | index 0000000..27cadef |
| 131 | --- /dev/null |
| 132 | +++ b/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch |
| 133 | @@ -0,0 +1,47 @@ |
| 134 | +Origin: backport, https://github.com/ovn-org/ovn/commit/a6008b68bb70e99a9191eb9c6c98532816fa4307 |
| 135 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 |
| 136 | +Last-Update: 2021-10-01 |
| 137 | + |
| 138 | +From d6e9c4f2b74ead49b65a4aedb464a87631d9d329 Mon Sep 17 00:00:00 2001 |
| 139 | +From: Frode Nordahl <frode.nordahl@canonical.com> |
| 140 | +Date: Fri, 5 Mar 2021 13:16:28 +0100 |
| 141 | +Subject: [PATCH 5/8] tests: Amend release stale port binding test for RBAC |
| 142 | + |
| 143 | +The current version of the test attempts to simulate chassis |
| 144 | +registration prior to starting `ovn-controller`, however it does |
| 145 | +not set the `hostname` field. |
| 146 | + |
| 147 | +The RBAC role for `ovn-controller` does not allow for a chassis to |
| 148 | +change its own name or hostname, which makes sense as this is used |
| 149 | +for authentication. |
| 150 | + |
| 151 | +Update the test to set the `hostname` field when simulating chassis |
| 152 | +registration so that `ovn-controller` does not attempt to update it |
| 153 | +and subsequently make the test fail. |
| 154 | + |
| 155 | +Fixes b6b3823d4 ("ovn-controller: Fix I-P for SB Port_Binding and OVS Interface") |
| 156 | + |
| 157 | +Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> |
| 158 | +Acked-by: Mark Michelson <mmichels@redhat.com> |
| 159 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
| 160 | +(cherry picked from commit b92823f0e94e760c3e4b60ef132b513c3411ed2d) |
| 161 | +--- |
| 162 | + tests/ovn.at | 2 +- |
| 163 | + 1 file changed, 1 insertion(+), 1 deletion(-) |
| 164 | + |
| 165 | +diff --git a/tests/ovn.at b/tests/ovn.at |
| 166 | +index 2e0bc9c53..aae4c06be 100644 |
| 167 | +--- a/tests/ovn.at |
| 168 | ++++ b/tests/ovn.at |
| 169 | +@@ -20871,7 +20871,7 @@ ovn-nbctl --wait=sb lsp-add ls1 lsp1 |
| 170 | + |
| 171 | + # Simulate the fact that lsp1 had been previously bound on hv1. |
| 172 | + ovn-sbctl --id=@e create encap chassis_name=hv1 ip="192.168.0.1" type="geneve" \ |
| 173 | +- -- --id=@c create chassis name=hv1 encaps=@e \ |
| 174 | ++ -- --id=@c create chassis hostname=hv1 name=hv1 encaps=@e \ |
| 175 | + -- set Port_Binding lsp1 chassis=@c |
| 176 | + |
| 177 | + as hv1 |
| 178 | +-- |
| 179 | +2.32.0 |
| 180 | + |
| 181 | diff --git a/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch b/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch |
| 182 | new file mode 100644 |
| 183 | index 0000000..073b2cb |
| 184 | --- /dev/null |
| 185 | +++ b/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch |
| 186 | @@ -0,0 +1,213 @@ |
| 187 | +Origin: backport, https://github.com/ovn-org/ovn/commit/2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7 |
| 188 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 |
| 189 | +Last-Update: 2021-10-01 |
| 190 | + |
| 191 | +From b05ce42d1a6c4ca468b6a5fd1a16a0f6a5867663 Mon Sep 17 00:00:00 2001 |
| 192 | +From: Frode Nordahl <frode.nordahl@canonical.com> |
| 193 | +Date: Fri, 5 Mar 2021 13:16:30 +0100 |
| 194 | +Subject: [PATCH 2/3] tests: Make certificate generation extendable |
| 195 | + |
| 196 | +In preparation for enabling testing with SSL and RBAC enabled by |
| 197 | +default, rework the certificate generation so that we can easily |
| 198 | +add generation of more certificates/CN on demand. |
| 199 | + |
| 200 | +A side erffect of the change is a more generic naming scheme for |
| 201 | +the certificate files so the patch also contains an update to |
| 202 | +existing tests so that they use the new filenames. |
| 203 | + |
| 204 | +Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> |
| 205 | +Acked-by: Mark Michelson <mmichels@redhat.com> |
| 206 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
| 207 | +(cherry picked from commit 2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7) |
| 208 | +--- |
| 209 | + tests/automake.mk | 48 ++++++++++++++++++++++------------------------- |
| 210 | + tests/ovn.at | 48 +++++++++++++++++++++++------------------------ |
| 211 | + 2 files changed, 46 insertions(+), 50 deletions(-) |
| 212 | + |
| 213 | +diff --git a/tests/automake.mk b/tests/automake.mk |
| 214 | +index 9740f085a..6eabb97e6 100644 |
| 215 | +--- a/tests/automake.mk |
| 216 | ++++ b/tests/automake.mk |
| 217 | +@@ -215,39 +215,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage |
| 218 | + FLAKE8_PYFILES += $(CHECK_PYFILES) |
| 219 | + |
| 220 | + if HAVE_OPENSSL |
| 221 | +-TESTPKI_FILES = \ |
| 222 | +- tests/testpki-cacert.pem \ |
| 223 | +- tests/testpki-cert.pem \ |
| 224 | +- tests/testpki-privkey.pem \ |
| 225 | +- tests/testpki-req.pem \ |
| 226 | +- tests/testpki-cert2.pem \ |
| 227 | +- tests/testpki-privkey2.pem \ |
| 228 | +- tests/testpki-req2.pem |
| 229 | ++OVS_PKI_DIR = $(CURDIR)/tests/pki |
| 230 | ++TESTPKI_CNS = test test2 |
| 231 | ++TESTPKI_FILES = $(shell \ |
| 232 | ++ for cn in $(TESTPKI_CNS); do \ |
| 233 | ++ echo tests/testpki-$$cn-cert.pem ; \ |
| 234 | ++ echo tests/testpki-$$cn-privkey.pem ; \ |
| 235 | ++ echo tests/testpki-$$cn-req.pem ; \ |
| 236 | ++ done) |
| 237 | ++ |
| 238 | ++tests/testpki-cacert.pem: tests/pki/stamp |
| 239 | ++ $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@ |
| 240 | ++ |
| 241 | ++$(TESTPKI_FILES): tests/pki/stamp |
| 242 | ++ $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@ |
| 243 | ++ |
| 244 | ++check_DATA += tests/testpki-cacert.pem |
| 245 | + check_DATA += $(TESTPKI_FILES) |
| 246 | ++CLEANFILES += tests/testpki-cacert.pem |
| 247 | + CLEANFILES += $(TESTPKI_FILES) |
| 248 | + |
| 249 | +-tests/testpki-cacert.pem: tests/pki/stamp |
| 250 | +- $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@ |
| 251 | +-tests/testpki-cert.pem: tests/pki/stamp |
| 252 | +- $(AM_V_GEN)cp tests/pki/test-cert.pem $@ |
| 253 | +-tests/testpki-req.pem: tests/pki/stamp |
| 254 | +- $(AM_V_GEN)cp tests/pki/test-req.pem $@ |
| 255 | +-tests/testpki-privkey.pem: tests/pki/stamp |
| 256 | +- $(AM_V_GEN)cp tests/pki/test-privkey.pem $@ |
| 257 | +-tests/testpki-cert2.pem: tests/pki/stamp |
| 258 | +- $(AM_V_GEN)cp tests/pki/test2-cert.pem $@ |
| 259 | +-tests/testpki-req2.pem: tests/pki/stamp |
| 260 | +- $(AM_V_GEN)cp tests/pki/test2-req.pem $@ |
| 261 | +-tests/testpki-privkey2.pem: tests/pki/stamp |
| 262 | +- $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@ |
| 263 | +- |
| 264 | +-OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log |
| 265 | ++ |
| 266 | ++OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log |
| 267 | + tests/pki/stamp: |
| 268 | + $(AM_V_at)rm -f tests/pki/stamp |
| 269 | + $(AM_V_at)rm -rf tests/pki |
| 270 | + $(AM_V_GEN)$(OVS_PKI) init && \ |
| 271 | +- $(OVS_PKI) req+sign tests/pki/test && \ |
| 272 | +- $(OVS_PKI) req+sign tests/pki/test2 && \ |
| 273 | ++ for cn in $(TESTPKI_CNS); do \ |
| 274 | ++ $(OVS_PKI) req+sign tests/pki/$$cn; \ |
| 275 | ++ done && \ |
| 276 | + : > tests/pki/stamp |
| 277 | + CLEANFILES += tests/ovs-pki.log |
| 278 | + |
| 279 | +diff --git a/tests/ovn.at b/tests/ovn.at |
| 280 | +index 4d9ee1256..6de5a6d3f 100644 |
| 281 | +--- a/tests/ovn.at |
| 282 | ++++ b/tests/ovn.at |
| 283 | +@@ -7701,8 +7701,8 @@ AT_CHECK( |
| 284 | + |
| 285 | + start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ |
| 286 | + --remote=db:OVN_Southbound,SB_Global,connections \ |
| 287 | +- --private-key="$PKIDIR/testpki-privkey2.pem" \ |
| 288 | +- --certificate="$PKIDIR/testpki-cert2.pem" \ |
| 289 | ++ --private-key="$PKIDIR/testpki-test2-privkey.pem" \ |
| 290 | ++ --certificate="$PKIDIR/testpki-test2-cert.pem" \ |
| 291 | + --ca-cert="$PKIDIR/testpki-cacert.pem" \ |
| 292 | + ovn-sb.db |
| 293 | + |
| 294 | +@@ -7710,20 +7710,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) |
| 295 | + |
| 296 | + # read-only accesses should succeed |
| 297 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 298 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 299 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 300 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 301 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 302 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 303 | + list SB_Global], [0], [stdout], [ignore]) |
| 304 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 305 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 306 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 307 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 308 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 309 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 310 | + list Connection], [0], [stdout], [ignore]) |
| 311 | + |
| 312 | + # write access should fail |
| 313 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 314 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 315 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 316 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 317 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 318 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 319 | + chassis-add ch vxlan 1.2.4.8], [1], [ignore], |
| 320 | + [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} |
| 321 | +@@ -7751,8 +7751,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ |
| 322 | + |
| 323 | + # Populate SSL configuration entries in nb db |
| 324 | + AT_CHECK( |
| 325 | +- [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \ |
| 326 | +- $PKIDIR/testpki-cert.pem \ |
| 327 | ++ [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ |
| 328 | ++ $PKIDIR/testpki-test-cert.pem \ |
| 329 | + $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) |
| 330 | + |
| 331 | + # Populate a passive SSL connection in nb db |
| 332 | +@@ -7762,20 +7762,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) |
| 333 | + |
| 334 | + # Verify SSL connetivity to nb db server |
| 335 | + AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 336 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 337 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 338 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 339 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 340 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 341 | + list NB_Global], |
| 342 | + [0], [stdout], [ignore]) |
| 343 | + AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 344 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 345 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 346 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 347 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 348 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 349 | + list Connection], |
| 350 | + [0], [stdout], [ignore]) |
| 351 | + AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 352 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 353 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 354 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 355 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 356 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 357 | + get-connection], |
| 358 | + [0], [stdout], [ignore]) |
| 359 | +@@ -7802,8 +7802,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ |
| 360 | + |
| 361 | + # Populate SSL configuration entries in sb db |
| 362 | + AT_CHECK( |
| 363 | +- [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \ |
| 364 | +- $PKIDIR/testpki-cert.pem \ |
| 365 | ++ [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ |
| 366 | ++ $PKIDIR/testpki-test-cert.pem \ |
| 367 | + $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) |
| 368 | + |
| 369 | + # Populate a passive SSL connection in sb db |
| 370 | +@@ -7813,20 +7813,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) |
| 371 | + |
| 372 | + # Verify SSL connetivity to sb db server |
| 373 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 374 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 375 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 376 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 377 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 378 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 379 | + list SB_Global], |
| 380 | + [0], [stdout], [ignore]) |
| 381 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 382 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 383 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 384 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 385 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 386 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 387 | + list Connection], |
| 388 | + [0], [stdout], [ignore]) |
| 389 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
| 390 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
| 391 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
| 392 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
| 393 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
| 394 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
| 395 | + get-connection], |
| 396 | + [0], [stdout], [ignore]) |
| 397 | +-- |
| 398 | +2.32.0 |
| 399 | + |
| 400 | diff --git a/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch b/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch |
| 401 | new file mode 100644 |
| 402 | index 0000000..8044734 |
| 403 | --- /dev/null |
| 404 | +++ b/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch |
| 405 | @@ -0,0 +1,153 @@ |
| 406 | +Origin: backport, https://github.com/ovn-org/ovn/commit/c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4 |
| 407 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 |
| 408 | +Last-Update: 2021-10-01 |
| 409 | + |
| 410 | +From ef220e364c01af319eb378a7b6b508cc1a49266a Mon Sep 17 00:00:00 2001 |
| 411 | +From: Frode Nordahl <frode.nordahl@canonical.com> |
| 412 | +Date: Fri, 5 Mar 2021 13:16:31 +0100 |
| 413 | +Subject: [PATCH] tests: Test with SSL and RBAC for controller by default |
| 414 | + |
| 415 | +To help ourself to not forget updating RBAC rules when we land |
| 416 | +changes to existing functionality and new features we must enable |
| 417 | +SSL+RBAC on the `ovn-controller` <-> SB DB connection for builds |
| 418 | +with OpenSSL enabled. |
| 419 | + |
| 420 | +Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> |
| 421 | +Acked-by: Mark Michelson <mmichels@redhat.com> |
| 422 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
| 423 | +(cherry picked from commit c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4) |
| 424 | +--- |
| 425 | + tests/automake.mk | 9 +++++++-- |
| 426 | + tests/ofproto-macros.at | 12 ++++++++++++ |
| 427 | + tests/ovn-macros.at | 38 ++++++++++++++++++++++++++++++++++++-- |
| 428 | + 3 files changed, 55 insertions(+), 4 deletions(-) |
| 429 | + |
| 430 | +diff --git a/tests/automake.mk b/tests/automake.mk |
| 431 | +index 7fab972ab..785a6e5a6 100644 |
| 432 | +--- a/tests/automake.mk |
| 433 | ++++ b/tests/automake.mk |
| 434 | +@@ -220,7 +220,10 @@ FLAKE8_PYFILES += $(CHECK_PYFILES) |
| 435 | + |
| 436 | + if HAVE_OPENSSL |
| 437 | + OVS_PKI_DIR = $(CURDIR)/tests/pki |
| 438 | +-TESTPKI_CNS = test test2 |
| 439 | ++# NOTE: Certificate generation has to be done serially, and each one adds a few |
| 440 | ++# seconds to the test run. Please try to re-use one of the many CNs already |
| 441 | ++# used in the existing tests. |
| 442 | ++TESTPKI_CNS = test test2 main hv hv-foo hv1 hv2 hv3 hv4 hv5 hv6 hv7 hv8 hv9 hv10 hv-1 hv-2 hv-10-1 hv-10-2 hv-20-1 hv-20-2 vtep hv_gw pbr-hv gw1 gw2 gw3 gw4 gw5 ext1 |
| 443 | + TESTPKI_FILES = $(shell \ |
| 444 | + for cn in $(TESTPKI_CNS); do \ |
| 445 | + echo tests/testpki-$$cn-cert.pem ; \ |
| 446 | +@@ -245,9 +248,11 @@ tests/pki/stamp: |
| 447 | + $(AM_V_at)rm -f tests/pki/stamp |
| 448 | + $(AM_V_at)rm -rf tests/pki |
| 449 | + $(AM_V_GEN)$(OVS_PKI) init && \ |
| 450 | ++ cd tests/pki && \ |
| 451 | + for cn in $(TESTPKI_CNS); do \ |
| 452 | +- $(OVS_PKI) req+sign tests/pki/$$cn; \ |
| 453 | ++ $(OVS_PKI) -u req+sign $$cn; \ |
| 454 | + done && \ |
| 455 | ++ cd ../../ && \ |
| 456 | + : > tests/pki/stamp |
| 457 | + CLEANFILES += tests/ovs-pki.log |
| 458 | + |
| 459 | +diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at |
| 460 | +index dd5d3848d..9e8c4f051 100644 |
| 461 | +--- a/tests/ofproto-macros.at |
| 462 | ++++ b/tests/ofproto-macros.at |
| 463 | +@@ -101,6 +101,7 @@ start_daemon () { |
| 464 | + # |
| 465 | + # sim_add hv0 |
| 466 | + # as hv0 ovs-vsctl add-br br0 |
| 467 | ++PKIDIR="$(cd $abs_top_builddir/tests && pwd)" |
| 468 | + sims= |
| 469 | + sim_add () { |
| 470 | + echo "adding simulator '$1'" |
| 471 | +@@ -123,6 +124,17 @@ sim_add () { |
| 472 | + # Start ovs-vswitchd |
| 473 | + as $1 start_daemon ovs-vswitchd --enable-dummy=system -vvconn -vofproto_dpif -vunixctl |
| 474 | + as $1 ovs-appctl vlog/disable-rate-limit vconn |
| 475 | ++ if test X$HAVE_OPENSSL = Xyes; then |
| 476 | ++ if test -f $PKIDIR/testpki-$1-privkey.pem; then |
| 477 | ++ as $1 ovs-vsctl set-ssl \ |
| 478 | ++ $PKIDIR/testpki-$1-privkey.pem \ |
| 479 | ++ $PKIDIR/testpki-$1-cert.pem \ |
| 480 | ++ $PKIDIR/testpki-cacert.pem \ |
| 481 | ++ || return 1 |
| 482 | ++ else |
| 483 | ++ echo "WARNING: No certificate created for sim '$1', check TESTPKI_CNS variable in tests/automake.mk" |
| 484 | ++ fi |
| 485 | ++ fi |
| 486 | + } |
| 487 | + |
| 488 | + # "as $1" sets the OVS_*DIR environment variables to point to $ovs_base/$1. |
| 489 | +diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at |
| 490 | +index ff71f02d0..902ff1115 100644 |
| 491 | +--- a/tests/ovn-macros.at |
| 492 | ++++ b/tests/ovn-macros.at |
| 493 | +@@ -120,7 +120,18 @@ ovn_init_db () { |
| 494 | + mkdir "$d" || return 1 |
| 495 | + : > "$d"/.$1.db.~lock~ |
| 496 | + as $as_d ovsdb-tool create "$d"/$1.db "$abs_top_srcdir"/$1.ovsschema |
| 497 | +- as $as_d start_daemon ovsdb-server -vjsonrpc --remote=punix:"$d"/$1.sock "$d"/$1.db |
| 498 | ++ |
| 499 | ++ local remote_in_db= |
| 500 | ++ if test X$HAVE_OPENSSL = Xyes -a X"$1" = X"ovn-sb"; then |
| 501 | ++ remote_in_db="--remote=db:OVN_Southbound,SB_Global,connections --private-key=$PKIDIR/testpki-test-privkey.pem --certificate=$PKIDIR/testpki-test-cert.pem --ca-cert=$PKIDIR/testpki-cacert.pem" |
| 502 | ++ fi |
| 503 | ++ |
| 504 | ++ as $as_d start_daemon ovsdb-server \ |
| 505 | ++ -vjsonrpc \ |
| 506 | ++ --remote=punix:"$d"/$1.sock \ |
| 507 | ++ $remote_in_db \ |
| 508 | ++ "$d"/$1.db |
| 509 | ++ |
| 510 | + local var=`echo $1_db | tr a-z- A-Z_` |
| 511 | + AS_VAR_SET([$var], [unix:"$d"/$1.sock]); export $var |
| 512 | + } |
| 513 | +@@ -173,6 +184,24 @@ ovn_start () { |
| 514 | + --ovnnb-db=$ovn_nb_db \ |
| 515 | + --ovnsb-db=$ovn_sb_db |
| 516 | + |
| 517 | ++ if test X$HAVE_OPENSSL = Xyes; then |
| 518 | ++ # Create the SB DB pssl+RBAC connection. Ideally we could pre-create |
| 519 | ++ # SB_Global and Connection with ovsdb-tool transact at DB creation |
| 520 | ++ # time, but unfortunately that does not work, northd-ddlog will replace |
| 521 | ++ # the SB_Global record on startup. |
| 522 | ++ ovn-sbctl \ |
| 523 | ++ -- --id=@c create connection \ |
| 524 | ++ target=\"pssl:0:127.0.0.1\" role=ovn-controller \ |
| 525 | ++ -- add SB_Global . connections @c |
| 526 | ++ local d=$ovs_base |
| 527 | ++ if test -n "$1"; then |
| 528 | ++ d=$d/$1 |
| 529 | ++ fi |
| 530 | ++ PARSE_LISTENING_PORT([$d/ovn-sb/ovsdb-server.log], [TCP_PORT]) |
| 531 | ++ var="SSL_OVN_SB_DB" |
| 532 | ++ AS_VAR_SET([$var], [ssl:127.0.0.1:$TCP_PORT]); export $var |
| 533 | ++ fi |
| 534 | ++ |
| 535 | + if test -n "$1"; then |
| 536 | + as_d=$1/ic |
| 537 | + echo "starting ovn-ic" |
| 538 | +@@ -237,11 +266,16 @@ ovn_az_attach() { |
| 539 | + |
| 540 | + local ovn_remote |
| 541 | + if test X"$az" = XNONE; then |
| 542 | +- ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock |
| 543 | ++ if test X$HAVE_OPENSSL = Xyes; then |
| 544 | ++ ovn_remote=$SSL_OVN_SB_DB |
| 545 | ++ else |
| 546 | ++ ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock |
| 547 | ++ fi |
| 548 | + else |
| 549 | + ovn_remote=unix:$ovs_base/$az/ovn-sb/ovn-sb.sock |
| 550 | + fi |
| 551 | + ovs-vsctl \ |
| 552 | ++ -- set Open_vSwitch . external-ids:hostname=$sandbox \ |
| 553 | + -- set Open_vSwitch . external-ids:system-id=$sandbox \ |
| 554 | + -- set Open_vSwitch . external-ids:ovn-remote=$ovn_remote \ |
| 555 | + -- set Open_vSwitch . external-ids:ovn-encap-type=$encap \ |
| 556 | +-- |
| 557 | +2.32.0 |
| 558 | + |
| 559 | diff --git a/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch b/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch |
| 560 | new file mode 100644 |
| 561 | index 0000000..f57d9f6 |
| 562 | --- /dev/null |
| 563 | +++ b/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch |
| 564 | @@ -0,0 +1,188 @@ |
| 565 | +Origin: backport, https://github.com/ovn-org/ovn/commit/020dab90f725b548a6131c988bd52e96623d3b8f |
| 566 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 |
| 567 | +Last-Update: 2021-10-01 |
| 568 | + |
| 569 | +From cb1560a02e968c84ef8ea1c90f894610f88db8df Mon Sep 17 00:00:00 2001 |
| 570 | +From: Frode Nordahl <frode.nordahl@canonical.com> |
| 571 | +Date: Fri, 5 Mar 2021 13:16:29 +0100 |
| 572 | +Subject: [PATCH] tests: Use ovn_start in tests/ovn-controller.at |
| 573 | + |
| 574 | +The current version of the tests only initializes the SB DB and |
| 575 | +instruments it directly. This does not work with SSL+RBAC as |
| 576 | +northd must run to program the RBAC rules into the SB DB. |
| 577 | + |
| 578 | +Run tests both for C and ddlog version of northd. |
| 579 | + |
| 580 | +Add workaround for ovn-controller not re-reading certificates to |
| 581 | +'ovn-controller - Chassis other_config' test. |
| 582 | + |
| 583 | +Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> |
| 584 | +Acked-by: Mark Michelson <mmichels@redhat.com> |
| 585 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
| 586 | +(cherry picked from commit 020dab90f725b548a6131c988bd52e96623d3b8f) |
| 587 | +--- |
| 588 | + tests/ovn-controller.at | 67 +++++++++++++++++++++++++++++++++++++---- |
| 589 | + 1 file changed, 61 insertions(+), 6 deletions(-) |
| 590 | + |
| 591 | +diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at |
| 592 | +index 1b4679963..3e06032ca 100644 |
| 593 | +--- a/tests/ovn-controller.at |
| 594 | ++++ b/tests/ovn-controller.at |
| 595 | +@@ -1,8 +1,9 @@ |
| 596 | + AT_BANNER([ovn-controller]) |
| 597 | + |
| 598 | ++OVN_FOR_EACH_NORTHD([ |
| 599 | + AT_SETUP([ovn-controller - ovn-bridge-mappings]) |
| 600 | + AT_KEYWORDS([ovn]) |
| 601 | +-ovn_init_db ovn-sb |
| 602 | ++ovn_start |
| 603 | + net_add n1 |
| 604 | + sim_add hv |
| 605 | + as hv |
| 606 | +@@ -54,6 +55,14 @@ check_bridge_mappings () { |
| 607 | + OVS_WAIT_UNTIL([test x"${local_mappings}" = x$(ovn-sbctl get Chassis ${sysid} other_config:ovn-bridge-mappings | sed -e 's/\"//g')]) |
| 608 | + } |
| 609 | + |
| 610 | ++# NOTE: This test originally ran with only the SB-DB and no northd. For the |
| 611 | ++# test to be successfull with SSL+RBAC we need to initially run northd to get |
| 612 | ++# the RBAC rules programmed into the SB-DB. The test instruments the SB-DB |
| 613 | ++# directly and we need to stop northd to avoid overwriting the instrumentation. |
| 614 | ++kill `cat northd/ovn-northd.pid` |
| 615 | ++kill `cat northd-backup/ovn-northd.pid` |
| 616 | ++kill `cat ovn-nb/ovsdb-server.pid` |
| 617 | ++ |
| 618 | + # Initially there should be no patch ports. |
| 619 | + check_patches |
| 620 | + |
| 621 | +@@ -116,12 +125,14 @@ as ovn-sb |
| 622 | + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) |
| 623 | + |
| 624 | + AT_CLEANUP |
| 625 | ++]) |
| 626 | + |
| 627 | + # Checks that ovn-controller populates datapath-type and iface-types |
| 628 | + # correctly in the Chassis other_config column. |
| 629 | ++OVN_FOR_EACH_NORTHD([ |
| 630 | + AT_SETUP([ovn-controller - Chassis other_config]) |
| 631 | + AT_KEYWORDS([ovn]) |
| 632 | +-ovn_init_db ovn-sb |
| 633 | ++ovn_start |
| 634 | + |
| 635 | + net_add n1 |
| 636 | + sim_add hv |
| 637 | +@@ -192,7 +203,21 @@ OVS_WAIT_UNTIL([ |
| 638 | + # chassis_private records. Until that happens ovn-controller fails to |
| 639 | + # create the records due to constraint violation on the Encap table. |
| 640 | + sysid=${sysid}-foo |
| 641 | +-ovs-vsctl set Open_vSwitch . external-ids:system-id="${sysid}" |
| 642 | ++current_remote=`ovs-vsctl get Open_vSwitch . external-ids:ovn-remote` |
| 643 | ++if test X$HAVE_OPENSSL = Xyes; then |
| 644 | ++ # To change chassis name we need to change certificate with matching CN |
| 645 | ++ ovs-vsctl set-ssl \ |
| 646 | ++ $PKIDIR/testpki-${sysid}-privkey.pem \ |
| 647 | ++ $PKIDIR/testpki-${sysid}-cert.pem \ |
| 648 | ++ $PKIDIR/testpki-cacert.pem |
| 649 | ++ # force reconnect which makes OVN controller read the new certificates |
| 650 | ++ # TODO implement check for change of certificates in ovn-controller |
| 651 | ++ # and remove this workaround. |
| 652 | ++ ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=unix:/dev/null |
| 653 | ++fi |
| 654 | ++ovs-vsctl -- set Open_vSwitch . external-ids:hostname="${sysid}" \ |
| 655 | ++ -- set Open_vSwitch . external-ids:system-id="${sysid}" \ |
| 656 | ++ -- set Open_vSwitch . external-ids:ovn-remote="${current_remote}" |
| 657 | + |
| 658 | + OVS_WAIT_UNTIL([ |
| 659 | + grep -q 'Transaction causes multiple rows in \\"Encap\\" table to have identical values (geneve and \\"192.168.0.1\\") for index on columns \\"type\\" and \\"ip\\".' hv/ovn-controller.log |
| 660 | +@@ -216,12 +241,14 @@ as ovn-sb |
| 661 | + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) |
| 662 | + |
| 663 | + AT_CLEANUP |
| 664 | ++]) |
| 665 | + |
| 666 | + # Checks that ovn-controller correctly maintains the mapping from the Encap |
| 667 | + # table in the Southbound database to OVS in the face of changes on both sides |
| 668 | ++OVN_FOR_EACH_NORTHD([ |
| 669 | + AT_SETUP([ovn-controller - change Encap properties]) |
| 670 | + AT_KEYWORDS([ovn]) |
| 671 | +-ovn_init_db ovn-sb |
| 672 | ++ovn_start |
| 673 | + |
| 674 | + net_add n1 |
| 675 | + sim_add hv |
| 676 | +@@ -271,11 +298,13 @@ as ovn-sb |
| 677 | + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) |
| 678 | + |
| 679 | + AT_CLEANUP |
| 680 | ++]) |
| 681 | + |
| 682 | + # Check ovn-controller connection status to Southbound database |
| 683 | ++OVN_FOR_EACH_NORTHD([ |
| 684 | + AT_SETUP([ovn-controller - check sbdb connection]) |
| 685 | + AT_KEYWORDS([ovn]) |
| 686 | +-ovn_init_db ovn-sb |
| 687 | ++ovn_start |
| 688 | + |
| 689 | + net_add n1 |
| 690 | + sim_add hv |
| 691 | +@@ -305,11 +334,13 @@ as ovn-sb |
| 692 | + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) |
| 693 | + |
| 694 | + AT_CLEANUP |
| 695 | ++]) |
| 696 | + |
| 697 | + # Checks that ovn-controller recreates its chassis record when deleted externally. |
| 698 | ++OVN_FOR_EACH_NORTHD([ |
| 699 | + AT_SETUP([ovn-controller - Chassis self record]) |
| 700 | + AT_KEYWORDS([ovn]) |
| 701 | +-ovn_init_db ovn-sb |
| 702 | ++ovn_start |
| 703 | + |
| 704 | + net_add n1 |
| 705 | + sim_add hv |
| 706 | +@@ -360,8 +391,10 @@ OVS_WAIT_UNTIL([test x0 = x`ovn-sbctl --columns nb_cfg --bare find chassis`]) |
| 707 | + |
| 708 | + OVN_CLEANUP([hv]) |
| 709 | + AT_CLEANUP |
| 710 | ++]) |
| 711 | + |
| 712 | + # Test unix command: debug/delay-nb-cfg-report |
| 713 | ++OVN_FOR_EACH_NORTHD([ |
| 714 | + AT_SETUP([ovn-controller - debug/delay-nb-cfg-report]) |
| 715 | + AT_KEYWORDS([ovn]) |
| 716 | + ovn_start |
| 717 | +@@ -393,7 +426,9 @@ AT_CHECK([ovn-nbctl --timeout=1 --wait=hv sync]) |
| 718 | + |
| 719 | + OVN_CLEANUP([hv]) |
| 720 | + AT_CLEANUP |
| 721 | ++]) |
| 722 | + |
| 723 | ++OVN_FOR_EACH_NORTHD([ |
| 724 | + AT_SETUP([ovn -- nb_cfg sync to OVS]) |
| 725 | + ovn_start |
| 726 | + |
| 727 | +@@ -414,3 +449,23 @@ OVS_WAIT_UNTIL([ovs-vsctl get Bridge br-int external_ids:ovn-nb-cfg], [0], [1]) |
| 728 | + |
| 729 | + OVN_CLEANUP([hv1]) |
| 730 | + AT_CLEANUP |
| 731 | ++]) |
| 732 | ++ |
| 733 | ++OVN_FOR_EACH_NORTHD([ |
| 734 | ++AT_SETUP([ovn -- features]) |
| 735 | ++AT_KEYWORDS([features]) |
| 736 | ++ovn_start |
| 737 | ++ |
| 738 | ++net_add n1 |
| 739 | ++sim_add hv1 |
| 740 | ++ovs-vsctl add-br br-phys |
| 741 | ++ovn_attach n1 br-phys 192.168.0.1 |
| 742 | ++ |
| 743 | ++# Wait for ovn-controller to register in the SB. |
| 744 | ++OVS_WAIT_UNTIL([ |
| 745 | ++ test "$(ovn-sbctl get chassis hv1 other_config:port-up-notif)" = '"true"' |
| 746 | ++]) |
| 747 | ++ |
| 748 | ++OVN_CLEANUP([hv1]) |
| 749 | ++AT_CLEANUP |
| 750 | ++]) |
| 751 | +-- |
| 752 | +2.32.0 |
| 753 | diff --git a/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch b/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch |
| 754 | new file mode 100644 |
| 755 | index 0000000..42632d1 |
| 756 | --- /dev/null |
| 757 | +++ b/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch |
| 758 | @@ -0,0 +1,145 @@ |
| 759 | +Origin: backport, https://github.com/ovn-org/ovn/commit/96959e56d634c8d888af9e3ee340602593c7e4fa |
| 760 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1943266 |
| 761 | +Last-Update: 2021-10-01 |
| 762 | + |
| 763 | +From 1cdc8ce5b4373b2169129f53e4a060b75522b286 Mon Sep 17 00:00:00 2001 |
| 764 | +From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> |
| 765 | +Date: Tue, 4 May 2021 19:59:00 +0200 |
| 766 | +Subject: [PATCH 2/2] physical: do not forward traffic from localport to a |
| 767 | + localnet one |
| 768 | + |
| 769 | +Since the localnet port is available on each hv, do not forward traffic |
| 770 | +to the localnet port if it is present in order to avoid switch fdb |
| 771 | +misconfiguration. |
| 772 | +Related bz: https://bugzilla.redhat.com/show_bug.cgi?id=1942877 |
| 773 | + |
| 774 | +Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> |
| 775 | +Acked-by: Mark Michelson |
| 776 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
| 777 | +(cherry picked from commit 96959e56d634c8d888af9e3ee340602593c7e4fa) |
| 778 | +--- |
| 779 | + controller/physical.c | 23 +++++++++++++++++++++++ |
| 780 | + include/ovn/logical-fields.h | 13 +++++++++++++ |
| 781 | + tests/ovn.at | 17 +++++++++++++++++ |
| 782 | + 3 files changed, 53 insertions(+) |
| 783 | + |
| 784 | +diff --git a/controller/physical.c b/controller/physical.c |
| 785 | +index fa5d0d692..f41010a2b 100644 |
| 786 | +--- a/controller/physical.c |
| 787 | ++++ b/controller/physical.c |
| 788 | +@@ -1160,6 +1160,11 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name, |
| 789 | + |
| 790 | + load_logical_ingress_metadata(binding, &zone_ids, ofpacts_p); |
| 791 | + |
| 792 | ++ if (!strcmp(binding->type, "localport")) { |
| 793 | ++ /* mark the packet as incoming from a localport */ |
| 794 | ++ put_load(1, MFF_LOG_FLAGS, MLF_LOCALPORT_BIT, 1, ofpacts_p); |
| 795 | ++ } |
| 796 | ++ |
| 797 | + /* Resubmit to first logical ingress pipeline table. */ |
| 798 | + put_resubmit(OFTABLE_LOG_INGRESS_PIPELINE, ofpacts_p); |
| 799 | + ofctrl_add_flow(flow_table, OFTABLE_PHY_TO_LOG, |
| 800 | +@@ -1219,6 +1224,24 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name, |
| 801 | + ofport, flow_table); |
| 802 | + } |
| 803 | + |
| 804 | ++ /* Table 39, priority 160. |
| 805 | ++ * ======================= |
| 806 | ++ * |
| 807 | ++ * Do not forward local traffic from a localport to a localnet port. |
| 808 | ++ */ |
| 809 | ++ if (!strcmp(binding->type, "localnet")) { |
| 810 | ++ /* do not forward traffic from localport to localnet port */ |
| 811 | ++ match_init_catchall(&match); |
| 812 | ++ ofpbuf_clear(ofpacts_p); |
| 813 | ++ match_set_metadata(&match, htonll(dp_key)); |
| 814 | ++ match_set_reg(&match, MFF_LOG_OUTPORT - MFF_REG0, port_key); |
| 815 | ++ match_set_reg_masked(&match, MFF_LOG_FLAGS - MFF_REG0, |
| 816 | ++ MLF_LOCALPORT, MLF_LOCALPORT); |
| 817 | ++ ofctrl_add_flow(flow_table, OFTABLE_CHECK_LOOPBACK, 160, |
| 818 | ++ binding->header_.uuid.parts[0], &match, |
| 819 | ++ ofpacts_p, &binding->header_.uuid); |
| 820 | ++ } |
| 821 | ++ |
| 822 | + } else if (!tun && !is_ha_remote) { |
| 823 | + /* Remote port connected by localnet port */ |
| 824 | + /* Table 33, priority 100. |
| 825 | +diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h |
| 826 | +index aee474856..ebc4d82e3 100644 |
| 827 | +--- a/include/ovn/logical-fields.h |
| 828 | ++++ b/include/ovn/logical-fields.h |
| 829 | +@@ -59,6 +59,9 @@ enum mff_log_flags_bits { |
| 830 | + MLF_NESTED_CONTAINER_BIT = 5, |
| 831 | + MLF_LOOKUP_MAC_BIT = 6, |
| 832 | + MLF_LOOKUP_LB_HAIRPIN_BIT = 7, |
| 833 | ++ MLF_LOOKUP_FDB_BIT = 8, |
| 834 | ++ MLF_SKIP_SNAT_FOR_LB_BIT = 9, |
| 835 | ++ MLF_LOCALPORT_BIT = 10, |
| 836 | + }; |
| 837 | + |
| 838 | + /* MFF_LOG_FLAGS_REG flag assignments */ |
| 839 | +@@ -92,6 +95,16 @@ enum mff_log_flags { |
| 840 | + MLF_LOOKUP_MAC = (1 << MLF_LOOKUP_MAC_BIT), |
| 841 | + |
| 842 | + MLF_LOOKUP_LB_HAIRPIN = (1 << MLF_LOOKUP_LB_HAIRPIN_BIT), |
| 843 | ++ |
| 844 | ++ /* Indicate that the lookup in the fdb table was successful. */ |
| 845 | ++ MLF_LOOKUP_FDB = (1 << MLF_LOOKUP_FDB_BIT), |
| 846 | ++ |
| 847 | ++ /* Indicate that a packet must not SNAT in the gateway router when |
| 848 | ++ * load-balancing has taken place. */ |
| 849 | ++ MLF_SKIP_SNAT_FOR_LB = (1 << MLF_SKIP_SNAT_FOR_LB_BIT), |
| 850 | ++ |
| 851 | ++ /* Indicate the packet has been received from a localport */ |
| 852 | ++ MLF_LOCALPORT = (1 << MLF_LOCALPORT_BIT), |
| 853 | + }; |
| 854 | + |
| 855 | + /* OVN logical fields |
| 856 | +diff --git a/tests/ovn.at b/tests/ovn.at |
| 857 | +index ce5e9fded..914f9b949 100644 |
| 858 | +--- a/tests/ovn.at |
| 859 | ++++ b/tests/ovn.at |
| 860 | +@@ -11490,10 +11490,17 @@ AT_CLEANUP |
| 861 | + AT_SETUP([ovn -- localport suppress gARP]) |
| 862 | + ovn_start |
| 863 | + |
| 864 | ++send_garp() { |
| 865 | ++ local inport=$1 eth_src=$2 eth_dst=$3 spa=$4 tpa=$5 |
| 866 | ++ local request=${eth_dst}${eth_src}08060001080006040001${eth_src}${spa}${eth_dst}${tpa} |
| 867 | ++ as hv1 ovs-appctl netdev-dummy/receive vif$inport $request |
| 868 | ++} |
| 869 | ++ |
| 870 | + net_add n1 |
| 871 | + sim_add hv1 |
| 872 | + as hv1 |
| 873 | + check ovs-vsctl add-br br-phys |
| 874 | ++ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys |
| 875 | + ovn_attach n1 br-phys 192.168.0.1 |
| 876 | + |
| 877 | + check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys |
| 878 | +@@ -11504,6 +11511,7 @@ check ovn-nbctl ls-add ls \ |
| 879 | + -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \ |
| 880 | + -- lsp-add ls ln \ |
| 881 | + -- lsp-set-type ln localnet \ |
| 882 | ++ -- lsp-set-addresses ln unknown \ |
| 883 | + -- lsp-set-options ln network_name=phys \ |
| 884 | + -- lsp-add ls lsp \ |
| 885 | + -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2" |
| 886 | +@@ -11537,6 +11545,15 @@ AT_CHECK([ |
| 887 | + test 0 -eq $pkts |
| 888 | + ]) |
| 889 | + |
| 890 | ++spa=$(ip_to_hex 10 0 0 1) |
| 891 | ++tpa=$(ip_to_hex 10 0 0 100) |
| 892 | ++send_garp 1 000000000001 ffffffffffff $spa $tpa |
| 893 | ++ |
| 894 | ++dnl traffic from localport should not be sent to localnet |
| 895 | ++AT_CHECK([tcpdump -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl |
| 896 | ++0 |
| 897 | ++],[ignore]) |
| 898 | ++ |
| 899 | + OVN_CLEANUP([hv1]) |
| 900 | + AT_CLEANUP |
| 901 | + |
| 902 | +-- |
| 903 | +2.32.0 |
| 904 | diff --git a/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch b/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch |
| 905 | new file mode 100644 |
| 906 | index 0000000..8a2de0a |
| 907 | --- /dev/null |
| 908 | +++ b/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch |
| 909 | @@ -0,0 +1,111 @@ |
| 910 | +Origin: backport, https://github.com/ovn-org/ovn/commit/578238b36073256c524a4c2b6ed7521f73aa0019 |
| 911 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1943266 |
| 912 | +Last-Update: 2021-10-01 |
| 913 | + |
| 914 | +From aefe7053eb3d9750d552eb342caed9faaaf9365a Mon Sep 17 00:00:00 2001 |
| 915 | +From: Daniel Alvarez Sanchez <dalvarez@redhat.com> |
| 916 | +Date: Wed, 24 Mar 2021 18:23:47 +0100 |
| 917 | +Subject: [PATCH 1/2] pinctrl: Don't send gARPs for localports |
| 918 | + |
| 919 | +Ports of type 'localport' are present on every hypervisor and |
| 920 | +ovn-controller is sending gARPs for them which makes upstream |
| 921 | +switches to see its MAC address flapping. |
| 922 | + |
| 923 | +In order to avoid this behavior, the current patch is skipping |
| 924 | +localports when sending gARP/RARP packets. |
| 925 | + |
| 926 | +Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1939470 |
| 927 | + |
| 928 | +Signed-off-by: Daniel Alvarez Sanchez <dalvarez@redhat.com> |
| 929 | +Co-authored-by: Dumitru Ceara <dceara@redhat.com> |
| 930 | +Signed-off-by: Dumitru Ceara <dceara@redhat.com> |
| 931 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
| 932 | +(cherry picked from commit 578238b36073256c524a4c2b6ed7521f73aa0019) |
| 933 | +--- |
| 934 | + controller/pinctrl.c | 6 +++++ |
| 935 | + tests/ovn.at | 53 ++++++++++++++++++++++++++++++++++++++++++++ |
| 936 | + 2 files changed, 59 insertions(+) |
| 937 | + |
| 938 | +diff --git a/controller/pinctrl.c b/controller/pinctrl.c |
| 939 | +index 7e3abf0a4..f20c24f0e 100644 |
| 940 | +--- a/controller/pinctrl.c |
| 941 | ++++ b/controller/pinctrl.c |
| 942 | +@@ -4102,6 +4102,12 @@ send_garp_rarp_update(struct ovsdb_idl_txn *ovnsb_idl_txn, |
| 943 | + struct shash *nat_addresses) |
| 944 | + { |
| 945 | + volatile struct garp_rarp_data *garp_rarp = NULL; |
| 946 | ++ |
| 947 | ++ /* Skip localports as they don't need to be announced */ |
| 948 | ++ if (!strcmp(binding_rec->type, "localport")) { |
| 949 | ++ return; |
| 950 | ++ } |
| 951 | ++ |
| 952 | + /* Update GARP for NAT IP if it exists. Consider port bindings with type |
| 953 | + * "l3gateway" for logical switch ports attached to gateway routers, and |
| 954 | + * port bindings with type "patch" for logical switch ports attached to |
| 955 | +diff --git a/tests/ovn.at b/tests/ovn.at |
| 956 | +index 9dcb0772e..ce5e9fded 100644 |
| 957 | +--- a/tests/ovn.at |
| 958 | ++++ b/tests/ovn.at |
| 959 | +@@ -11487,6 +11487,59 @@ OVN_CLEANUP([hv1],[hv2]) |
| 960 | + |
| 961 | + AT_CLEANUP |
| 962 | + |
| 963 | ++AT_SETUP([ovn -- localport suppress gARP]) |
| 964 | ++ovn_start |
| 965 | ++ |
| 966 | ++net_add n1 |
| 967 | ++sim_add hv1 |
| 968 | ++as hv1 |
| 969 | ++check ovs-vsctl add-br br-phys |
| 970 | ++ovn_attach n1 br-phys 192.168.0.1 |
| 971 | ++ |
| 972 | ++check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys |
| 973 | ++ |
| 974 | ++check ovn-nbctl ls-add ls \ |
| 975 | ++ -- lsp-add ls lp \ |
| 976 | ++ -- lsp-set-type lp localport \ |
| 977 | ++ -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \ |
| 978 | ++ -- lsp-add ls ln \ |
| 979 | ++ -- lsp-set-type ln localnet \ |
| 980 | ++ -- lsp-set-options ln network_name=phys \ |
| 981 | ++ -- lsp-add ls lsp \ |
| 982 | ++ -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2" |
| 983 | ++ |
| 984 | ++dnl First bind the localport. |
| 985 | ++check ovs-vsctl add-port br-int vif1 \ |
| 986 | ++ -- set Interface vif1 external-ids:iface-id=lp |
| 987 | ++check ovn-nbctl --wait=hv sync |
| 988 | ++ |
| 989 | ++dnl Then bind the regular vif. |
| 990 | ++check ovs-vsctl add-port br-int vif2 \ |
| 991 | ++ -- set Interface vif2 external-ids:iface-id=lsp \ |
| 992 | ++ options:tx_pcap=hv1/vif2-tx.pcap \ |
| 993 | ++ options:rxq_pcap=hv1/vif2-rx.pcap |
| 994 | ++ |
| 995 | ++wait_row_count nb:Logical_Switch_Port 1 name=lsp up=true |
| 996 | ++check ovn-nbctl --wait=hv sync |
| 997 | ++ |
| 998 | ++dnl Wait for at least two gARPs from lsp (10.0.0.2). |
| 999 | ++lsp_garp=ffffffffffff000000000002080600010800060400010000000000020a0000020000000000000a000002 |
| 1000 | ++OVS_WAIT_UNTIL([ |
| 1001 | ++ garps=`$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv1/br-phys-tx.pcap | grep ${lsp_garp} -c` |
| 1002 | ++ test $garps -ge 2 |
| 1003 | ++]) |
| 1004 | ++ |
| 1005 | ++dnl At this point it's safe to assume that ovn-controller skipped sending gARP |
| 1006 | ++dnl for the localport. Check that there are no other packets than the gARPs |
| 1007 | ++dnl for the regular vif. |
| 1008 | ++AT_CHECK([ |
| 1009 | ++ pkts=`$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv1/br-phys-tx.pcap | grep -v ${lsp_garp} -c` |
| 1010 | ++ test 0 -eq $pkts |
| 1011 | ++]) |
| 1012 | ++ |
| 1013 | ++OVN_CLEANUP([hv1]) |
| 1014 | ++AT_CLEANUP |
| 1015 | ++ |
| 1016 | + AT_SETUP([ovn -- 1 LR with HA distributed router gateway port]) |
| 1017 | + ovn_start |
| 1018 | + |
| 1019 | +-- |
| 1020 | +2.32.0 |
| 1021 | diff --git a/debian/patches/series b/debian/patches/series |
| 1022 | index c004be5..de78d99 100644 |
| 1023 | --- a/debian/patches/series |
| 1024 | +++ b/debian/patches/series |
| 1025 | @@ -1,3 +1,11 @@ |
| 1026 | lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch |
| 1027 | lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch |
| 1028 | lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch |
| 1029 | +lp-1914988-northd-Amend-Chassis-RBAC-rules.patch |
| 1030 | +lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch |
| 1031 | +lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch |
| 1032 | +lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch |
| 1033 | +lp-1914988-tests-Make-certificate-generation-extendable.patch |
| 1034 | +lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch |
| 1035 | +lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch |
| 1036 | +lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch |
Package building here: https:/