Merge ~fnordahl/ubuntu/+source/ovn:bug/1914988-hirsute into ~ubuntu-server-dev/ubuntu/+source/ovn:ubuntu/hirsute
Status: | Needs review |
---|---|
Proposed branch: | ~fnordahl/ubuntu/+source/ovn:bug/1914988-hirsute |
Merge into: | ~ubuntu-server-dev/ubuntu/+source/ovn:ubuntu/hirsute |
Diff against target: |
1036 lines (+972/-0) 10 files modified
debian/changelog (+17/-0) debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch (+54/-0) debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch (+36/-0) debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch (+47/-0) debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch (+213/-0) debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch (+153/-0) debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch (+188/-0) debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch (+145/-0) debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch (+111/-0) debian/patches/series (+8/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
James Page | Pending | ||
Erlon R. Cruz (sombrafam) wrote : | # |
I've tested the patches on hirsute and they fixed the ARP issues.
Unmerged commits
- 414d998... by Frode Nordahl
Backport fixes
* Backport rollup for SSL+RBAC (LP: #1914988):
- d/p/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
- d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
- d/p/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
- d/p/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
- d/p/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
- d/p/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
- d/p/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
- d/p/lp-1914988-tests-Make-certificate-generation-extendable.patch
- d/p/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
* d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch:
Do not forward traffic from localport to localnet ports (LP: #1943266).
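diff --git a/debian/changelog b/debian/changelog
index e9b9bbf..95ec54f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+ovn (20.12.0-0ubuntu4) hirsute; urgency=medium
+
+ * Backport rollup for SSL+RBAC (LP: #1914988):
+ - d/p/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
+ - d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
+ - d/p/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
+ - d/p/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
+ - d/p/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
+ - d/p/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
+ - d/p/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
+ - d/p/lp-1914988-tests-Make-certificate-generation-extendable.patch
+ - d/p/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
+ * d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch:
+ Do not forward traffic from localport to localnet ports (LP: #1943266).
+
+ -- Frode Nordahl <frode.nordahl@canonical.com> Fri, 01 Oct 2021 09:42:00 +0200
+
 ovn (20.12.0-0ubuntu3) hirsute; urgency=medium
 
 * Cherry-pick fixes from upstream branch-20.12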
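diff --git a/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch b/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
new file mode 100644
index 0000000..f406009
--- /dev/null
+++ b/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
@@ -0,0 +1,54 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/51f2629cda614d0712ca13f4b51e30c9c2290bc1
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From 23f2c7a18ec1f7690c827ea2adbab00f855c456a Mon Sep 17 00:00:00 2001
+From: Frode Nordahl <frode.nordahl@canonical.com>
+Date: Fri, 5 Mar 2021 13:16:26 +0100
+Subject: [PATCH 5/9] northd: Add Controller_Event RBAC rules
+
+The use of the Controller_Event table does currently not work
+when RBAC is enabled.
+
+Fixes: be1eeb09d ("OVN: introduce Controller_Event table")
+Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit 51f2629cda614d0712ca13f4b51e30c9c2290bc1)
+---
+ northd/ovn-northd.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index ad84c52be..4abb0c7ab 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -12687,6 +12687,12 @@ static const char *rbac_encap_auth[] =
+ static const char *rbac_encap_update[] =
+ {"type", "options", "ip"};
+
++static const char *rbac_controller_event_auth[] =
++ {""};
++static const char *rbac_controller_event_update[] =
++ {"chassis", "event_info", "event_type", "seq_num"};
++
++
+ static const char *rbac_port_binding_auth[] =
+ {""};
+ static const char *rbac_port_binding_update[] =
+@@ -12731,6 +12737,14 @@ static struct rbac_perm_cfg {
+ .update = rbac_chassis_private_update,
+ .n_update = ARRAY_SIZE(rbac_chassis_private_update),
+ .row = NULL
++ },{
++ .table = "Controller_Event",
++ .auth = rbac_controller_event_auth,
++ .n_auth = ARRAY_SIZE(rbac_controller_event_auth),
++ .insdel = true,
++ .update = rbac_controller_event_update,
++ .n_update = ARRAY_SIZE(rbac_controller_event_update),
++ .row = NULL
+ },{
+ .table = "Encap",
+ .auth = rbac_encap_auth,
+--
+2.32.0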
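Review bot: The new `rbac_controller_event_auth[] = {""}` entry, wired into `rbac_perm_cfg` with `.insdel = true`, places no row-ownership constraint on Controller_Event, so any client presenting an ovn-controller role certificate can insert, delete or update any row in that table, including rows whose `chassis` column points at a different chassis. This follows the model the existing Port_Binding entry uses, and presumably Controller_Event has no string column carrying the certificate CN to authorize on, but neither the patch header nor the code records that; a comment such as `/* No CN-bearing column to match: any ovn-controller may modify any row. */` above the array would make the trust decision visible to the next reviewer. The double blank line after `rbac_controller_event_update` is also one more than the neighbouring array pairs use.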
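diff --git a/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch b/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
new file mode 100644
index 0000000..74bd27a
--- /dev/null
+++ b/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
@@ -0,0 +1,36 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/b865e502293b8504812b062321be442805f46d4a
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From 0b44305ea11f5ecf3a5ba43de5f62fd1dcc3f912 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl <frode.nordahl@canonical.com>
+Date: Fri, 5 Mar 2021 13:16:25 +0100
+Subject: [PATCH 4/8] northd: Amend Chassis RBAC rules
+
+The Transport Zones support does currently not work when RBAC is
+enabled.
+
+Fixes: 07d0d258d ("OVN: Add support for Transport Zones")
+Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit b865e502293b8504812b062321be442805f46d4a)
+---
+ northd/ovn-northd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index 718ed831a..ad84c52be 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -12675,7 +12675,7 @@ static const char *rbac_chassis_auth[] =
+ {"name"};
+ static const char *rbac_chassis_update[] =
+ {"nb_cfg", "external_ids", "encaps", "vtep_logical_switches",
+- "other_config"};
++ "other_config", "transport_zones"};
+
+ static const char *rbac_chassis_private_auth[] =
+ {"name"};
+--
+2.32.0
+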
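diff --git a/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch b/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
new file mode 100644
index 0000000..27cadef
--- /dev/null
+++ b/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
@@ -0,0 +1,47 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/a6008b68bb70e99a9191eb9c6c98532816fa4307
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From d6e9c4f2b74ead49b65a4aedb464a87631d9d329 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl <frode.nordahl@canonical.com>
+Date: Fri, 5 Mar 2021 13:16:28 +0100
+Subject: [PATCH 5/8] tests: Amend release stale port binding test for RBAC
+
+The current version of the test attempts to simulate chassis
+registration prior to starting `ovn-controller`, however it does
+not set the `hostname` field.
+
+The RBAC role for `ovn-controller` does not allow for a chassis to
+change its own name or hostname, which makes sense as this is used
+for authentication.
+
+Update the test to set the `hostname` field when simulating chassis
+registration so that `ovn-controller` does not attempt to update it
+and subsequently make the test fail.
+
+Fixes b6b3823d4 ("ovn-controller: Fix I-P for SB Port_Binding and OVS Interface")
+
+Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
+Acked-by: Mark Michelson <mmichels@redhat.com>
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit b92823f0e94e760c3e4b60ef132b513c3411ed2d)
+---
+ tests/ovn.at | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/ovn.at b/tests/ovn.at
+index 2e0bc9c53..aae4c06be 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -20871,7 +20871,7 @@ ovn-nbctl --wait=sb lsp-add ls1 lsp1
+
+ # Simulate the fact that lsp1 had been previously bound on hv1.
+ ovn-sbctl --id=@e create encap chassis_name=hv1 ip="192.168.0.1" type="geneve" \
+- -- --id=@c create chassis name=hv1 encaps=@e \
++ -- --id=@c create chassis hostname=hv1 name=hv1 encaps=@e \
+ -- set Port_Binding lsp1 chassis=@c
+
+ as hv1
+--
+2.32.0
+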
181 | diff --git a/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch b/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch |
182 | new file mode 100644 |
183 | index 0000000..073b2cb |
184 | --- /dev/null |
185 | +++ b/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch |
186 | @@ -0,0 +1,213 @@ |
187 | +Origin: backport, https://github.com/ovn-org/ovn/commit/2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7 |
188 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 |
189 | +Last-Update: 2021-10-01 |
190 | + |
191 | +From b05ce42d1a6c4ca468b6a5fd1a16a0f6a5867663 Mon Sep 17 00:00:00 2001 |
192 | +From: Frode Nordahl <frode.nordahl@canonical.com> |
193 | +Date: Fri, 5 Mar 2021 13:16:30 +0100 |
194 | +Subject: [PATCH 2/3] tests: Make certificate generation extendable |
195 | + |
196 | +In preparation for enabling testing with SSL and RBAC enabled by |
197 | +default, rework the certificate generation so that we can easily |
198 | +add generation of more certificates/CN on demand. |
199 | + |
200 | +A side erffect of the change is a more generic naming scheme for |
201 | +the certificate files so the patch also contains an update to |
202 | +existing tests so that they use the new filenames. |
203 | + |
204 | +Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> |
205 | +Acked-by: Mark Michelson <mmichels@redhat.com> |
206 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
207 | +(cherry picked from commit 2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7) |
208 | +--- |
209 | + tests/automake.mk | 48 ++++++++++++++++++++++------------------------- |
210 | + tests/ovn.at | 48 +++++++++++++++++++++++------------------------ |
211 | + 2 files changed, 46 insertions(+), 50 deletions(-) |
212 | + |
213 | +diff --git a/tests/automake.mk b/tests/automake.mk |
214 | +index 9740f085a..6eabb97e6 100644 |
215 | +--- a/tests/automake.mk |
216 | ++++ b/tests/automake.mk |
217 | +@@ -215,39 +215,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage |
218 | + FLAKE8_PYFILES += $(CHECK_PYFILES) |
219 | + |
220 | + if HAVE_OPENSSL |
221 | +-TESTPKI_FILES = \ |
222 | +- tests/testpki-cacert.pem \ |
223 | +- tests/testpki-cert.pem \ |
224 | +- tests/testpki-privkey.pem \ |
225 | +- tests/testpki-req.pem \ |
226 | +- tests/testpki-cert2.pem \ |
227 | +- tests/testpki-privkey2.pem \ |
228 | +- tests/testpki-req2.pem |
229 | ++OVS_PKI_DIR = $(CURDIR)/tests/pki |
230 | ++TESTPKI_CNS = test test2 |
231 | ++TESTPKI_FILES = $(shell \ |
232 | ++ for cn in $(TESTPKI_CNS); do \ |
233 | ++ echo tests/testpki-$$cn-cert.pem ; \ |
234 | ++ echo tests/testpki-$$cn-privkey.pem ; \ |
235 | ++ echo tests/testpki-$$cn-req.pem ; \ |
236 | ++ done) |
237 | ++ |
238 | ++tests/testpki-cacert.pem: tests/pki/stamp |
239 | ++ $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@ |
240 | ++ |
241 | ++$(TESTPKI_FILES): tests/pki/stamp |
242 | ++ $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@ |
243 | ++ |
244 | ++check_DATA += tests/testpki-cacert.pem |
245 | + check_DATA += $(TESTPKI_FILES) |
246 | ++CLEANFILES += tests/testpki-cacert.pem |
247 | + CLEANFILES += $(TESTPKI_FILES) |
248 | + |
249 | +-tests/testpki-cacert.pem: tests/pki/stamp |
250 | +- $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@ |
251 | +-tests/testpki-cert.pem: tests/pki/stamp |
252 | +- $(AM_V_GEN)cp tests/pki/test-cert.pem $@ |
253 | +-tests/testpki-req.pem: tests/pki/stamp |
254 | +- $(AM_V_GEN)cp tests/pki/test-req.pem $@ |
255 | +-tests/testpki-privkey.pem: tests/pki/stamp |
256 | +- $(AM_V_GEN)cp tests/pki/test-privkey.pem $@ |
257 | +-tests/testpki-cert2.pem: tests/pki/stamp |
258 | +- $(AM_V_GEN)cp tests/pki/test2-cert.pem $@ |
259 | +-tests/testpki-req2.pem: tests/pki/stamp |
260 | +- $(AM_V_GEN)cp tests/pki/test2-req.pem $@ |
261 | +-tests/testpki-privkey2.pem: tests/pki/stamp |
262 | +- $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@ |
263 | +- |
264 | +-OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log |
265 | ++ |
266 | ++OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log |
267 | + tests/pki/stamp: |
268 | + $(AM_V_at)rm -f tests/pki/stamp |
269 | + $(AM_V_at)rm -rf tests/pki |
270 | + $(AM_V_GEN)$(OVS_PKI) init && \ |
271 | +- $(OVS_PKI) req+sign tests/pki/test && \ |
272 | +- $(OVS_PKI) req+sign tests/pki/test2 && \ |
273 | ++ for cn in $(TESTPKI_CNS); do \ |
274 | ++ $(OVS_PKI) req+sign tests/pki/$$cn; \ |
275 | ++ done && \ |
276 | + : > tests/pki/stamp |
277 | + CLEANFILES += tests/ovs-pki.log |
278 | + |
279 | +diff --git a/tests/ovn.at b/tests/ovn.at |
280 | +index 4d9ee1256..6de5a6d3f 100644 |
281 | +--- a/tests/ovn.at |
282 | ++++ b/tests/ovn.at |
283 | +@@ -7701,8 +7701,8 @@ AT_CHECK( |
284 | + |
285 | + start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ |
286 | + --remote=db:OVN_Southbound,SB_Global,connections \ |
287 | +- --private-key="$PKIDIR/testpki-privkey2.pem" \ |
288 | +- --certificate="$PKIDIR/testpki-cert2.pem" \ |
289 | ++ --private-key="$PKIDIR/testpki-test2-privkey.pem" \ |
290 | ++ --certificate="$PKIDIR/testpki-test2-cert.pem" \ |
291 | + --ca-cert="$PKIDIR/testpki-cacert.pem" \ |
292 | + ovn-sb.db |
293 | + |
294 | +@@ -7710,20 +7710,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) |
295 | + |
296 | + # read-only accesses should succeed |
297 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
298 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
299 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
300 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
301 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
302 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
303 | + list SB_Global], [0], [stdout], [ignore]) |
304 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
305 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
306 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
307 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
308 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
309 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
310 | + list Connection], [0], [stdout], [ignore]) |
311 | + |
312 | + # write access should fail |
313 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
314 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
315 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
316 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
317 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
318 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
319 | + chassis-add ch vxlan 1.2.4.8], [1], [ignore], |
320 | + [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} |
321 | +@@ -7751,8 +7751,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ |
322 | + |
323 | + # Populate SSL configuration entries in nb db |
324 | + AT_CHECK( |
325 | +- [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \ |
326 | +- $PKIDIR/testpki-cert.pem \ |
327 | ++ [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ |
328 | ++ $PKIDIR/testpki-test-cert.pem \ |
329 | + $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) |
330 | + |
331 | + # Populate a passive SSL connection in nb db |
332 | +@@ -7762,20 +7762,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) |
333 | + |
334 | + # Verify SSL connetivity to nb db server |
335 | + AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
336 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
337 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
338 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
339 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
340 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
341 | + list NB_Global], |
342 | + [0], [stdout], [ignore]) |
343 | + AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
344 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
345 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
346 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
347 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
348 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
349 | + list Connection], |
350 | + [0], [stdout], [ignore]) |
351 | + AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
352 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
353 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
354 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
355 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
356 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
357 | + get-connection], |
358 | + [0], [stdout], [ignore]) |
359 | +@@ -7802,8 +7802,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ |
360 | + |
361 | + # Populate SSL configuration entries in sb db |
362 | + AT_CHECK( |
363 | +- [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \ |
364 | +- $PKIDIR/testpki-cert.pem \ |
365 | ++ [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ |
366 | ++ $PKIDIR/testpki-test-cert.pem \ |
367 | + $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) |
368 | + |
369 | + # Populate a passive SSL connection in sb db |
370 | +@@ -7813,20 +7813,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) |
371 | + |
372 | + # Verify SSL connetivity to sb db server |
373 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
374 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
375 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
376 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
377 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
378 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
379 | + list SB_Global], |
380 | + [0], [stdout], [ignore]) |
381 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
382 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
383 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
384 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
385 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
386 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
387 | + list Connection], |
388 | + [0], [stdout], [ignore]) |
389 | + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ |
390 | +- --private-key=$PKIDIR/testpki-privkey.pem \ |
391 | +- --certificate=$PKIDIR/testpki-cert.pem \ |
392 | ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ |
393 | ++ --certificate=$PKIDIR/testpki-test-cert.pem \ |
394 | + --ca-cert=$PKIDIR/testpki-cacert.pem \ |
395 | + get-connection], |
396 | + [0], [stdout], [ignore]) |
397 | +-- |
398 | +2.32.0 |
399 | + |
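Review bot: In the rewritten `tests/pki/stamp` recipe, `for cn in $(TESTPKI_CNS); do $(OVS_PKI) req+sign tests/pki/$$cn; done && : > tests/pki/stamp` only propagates the exit status of the loop's last iteration, so a failed `req+sign` for any earlier CN is masked and the stamp file is still written, leaving `check_DATA` to fail later on a missing `testpki-*-cert.pem`; the `&&`-chained commands this replaces did not have that gap. Adding `|| exit 1` inside the loop body, `$(OVS_PKI) req+sign tests/pki/$$cn || exit 1; \`, restores fail-fast behaviour. The same loop shape recurs in lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch, where it is additionally wrapped in `cd tests/pki && ... cd ../../`, so the fix belongs in both.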
400 | diff --git a/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch b/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch |
401 | new file mode 100644 |
402 | index 0000000..8044734 |
403 | --- /dev/null |
404 | +++ b/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch |
405 | @@ -0,0 +1,153 @@ |
406 | +Origin: backport, https://github.com/ovn-org/ovn/commit/c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4 |
407 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 |
408 | +Last-Update: 2021-10-01 |
409 | + |
410 | +From ef220e364c01af319eb378a7b6b508cc1a49266a Mon Sep 17 00:00:00 2001 |
411 | +From: Frode Nordahl <frode.nordahl@canonical.com> |
412 | +Date: Fri, 5 Mar 2021 13:16:31 +0100 |
413 | +Subject: [PATCH] tests: Test with SSL and RBAC for controller by default |
414 | + |
415 | +To help ourself to not forget updating RBAC rules when we land |
416 | +changes to existing functionality and new features we must enable |
417 | +SSL+RBAC on the `ovn-controller` <-> SB DB connection for builds |
418 | +with OpenSSL enabled. |
419 | + |
420 | +Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> |
421 | +Acked-by: Mark Michelson <mmichels@redhat.com> |
422 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
423 | +(cherry picked from commit c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4) |
424 | +--- |
425 | + tests/automake.mk | 9 +++++++-- |
426 | + tests/ofproto-macros.at | 12 ++++++++++++ |
427 | + tests/ovn-macros.at | 38 ++++++++++++++++++++++++++++++++++++-- |
428 | + 3 files changed, 55 insertions(+), 4 deletions(-) |
429 | + |
430 | +diff --git a/tests/automake.mk b/tests/automake.mk |
431 | +index 7fab972ab..785a6e5a6 100644 |
432 | +--- a/tests/automake.mk |
433 | ++++ b/tests/automake.mk |
434 | +@@ -220,7 +220,10 @@ FLAKE8_PYFILES += $(CHECK_PYFILES) |
435 | + |
436 | + if HAVE_OPENSSL |
437 | + OVS_PKI_DIR = $(CURDIR)/tests/pki |
438 | +-TESTPKI_CNS = test test2 |
439 | ++# NOTE: Certificate generation has to be done serially, and each one adds a few |
440 | ++# seconds to the test run. Please try to re-use one of the many CNs already |
441 | ++# used in the existing tests. |
442 | ++TESTPKI_CNS = test test2 main hv hv-foo hv1 hv2 hv3 hv4 hv5 hv6 hv7 hv8 hv9 hv10 hv-1 hv-2 hv-10-1 hv-10-2 hv-20-1 hv-20-2 vtep hv_gw pbr-hv gw1 gw2 gw3 gw4 gw5 ext1 |
443 | + TESTPKI_FILES = $(shell \ |
444 | + for cn in $(TESTPKI_CNS); do \ |
445 | + echo tests/testpki-$$cn-cert.pem ; \ |
446 | +@@ -245,9 +248,11 @@ tests/pki/stamp: |
447 | + $(AM_V_at)rm -f tests/pki/stamp |
448 | + $(AM_V_at)rm -rf tests/pki |
449 | + $(AM_V_GEN)$(OVS_PKI) init && \ |
450 | ++ cd tests/pki && \ |
451 | + for cn in $(TESTPKI_CNS); do \ |
452 | +- $(OVS_PKI) req+sign tests/pki/$$cn; \ |
453 | ++ $(OVS_PKI) -u req+sign $$cn; \ |
454 | + done && \ |
455 | ++ cd ../../ && \ |
456 | + : > tests/pki/stamp |
457 | + CLEANFILES += tests/ovs-pki.log |
458 | + |
459 | +diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at |
460 | +index dd5d3848d..9e8c4f051 100644 |
461 | +--- a/tests/ofproto-macros.at |
462 | ++++ b/tests/ofproto-macros.at |
463 | +@@ -101,6 +101,7 @@ start_daemon () { |
464 | + # |
465 | + # sim_add hv0 |
466 | + # as hv0 ovs-vsctl add-br br0 |
467 | ++PKIDIR="$(cd $abs_top_builddir/tests && pwd)" |
468 | + sims= |
469 | + sim_add () { |
470 | + echo "adding simulator '$1'" |
471 | +@@ -123,6 +124,17 @@ sim_add () { |
472 | + # Start ovs-vswitchd |
473 | + as $1 start_daemon ovs-vswitchd --enable-dummy=system -vvconn -vofproto_dpif -vunixctl |
474 | + as $1 ovs-appctl vlog/disable-rate-limit vconn |
475 | ++ if test X$HAVE_OPENSSL = Xyes; then |
476 | ++ if test -f $PKIDIR/testpki-$1-privkey.pem; then |
477 | ++ as $1 ovs-vsctl set-ssl \ |
478 | ++ $PKIDIR/testpki-$1-privkey.pem \ |
479 | ++ $PKIDIR/testpki-$1-cert.pem \ |
480 | ++ $PKIDIR/testpki-cacert.pem \ |
481 | ++ || return 1 |
482 | ++ else |
483 | ++ echo "WARNING: No certificate created for sim '$1', check TESTPKI_CNS variable in tests/automake.mk" |
484 | ++ fi |
485 | ++ fi |
486 | + } |
487 | + |
488 | + # "as $1" sets the OVS_*DIR environment variables to point to $ovs_base/$1. |
489 | +diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at |
490 | +index ff71f02d0..902ff1115 100644 |
491 | +--- a/tests/ovn-macros.at |
492 | ++++ b/tests/ovn-macros.at |
493 | +@@ -120,7 +120,18 @@ ovn_init_db () { |
494 | + mkdir "$d" || return 1 |
495 | + : > "$d"/.$1.db.~lock~ |
496 | + as $as_d ovsdb-tool create "$d"/$1.db "$abs_top_srcdir"/$1.ovsschema |
497 | +- as $as_d start_daemon ovsdb-server -vjsonrpc --remote=punix:"$d"/$1.sock "$d"/$1.db |
498 | ++ |
499 | ++ local remote_in_db= |
500 | ++ if test X$HAVE_OPENSSL = Xyes -a X"$1" = X"ovn-sb"; then |
501 | ++ remote_in_db="--remote=db:OVN_Southbound,SB_Global,connections --private-key=$PKIDIR/testpki-test-privkey.pem --certificate=$PKIDIR/testpki-test-cert.pem --ca-cert=$PKIDIR/testpki-cacert.pem" |
502 | ++ fi |
503 | ++ |
504 | ++ as $as_d start_daemon ovsdb-server \ |
505 | ++ -vjsonrpc \ |
506 | ++ --remote=punix:"$d"/$1.sock \ |
507 | ++ $remote_in_db \ |
508 | ++ "$d"/$1.db |
509 | ++ |
510 | + local var=`echo $1_db | tr a-z- A-Z_` |
511 | + AS_VAR_SET([$var], [unix:"$d"/$1.sock]); export $var |
512 | + } |
513 | +@@ -173,6 +184,24 @@ ovn_start () { |
514 | + --ovnnb-db=$ovn_nb_db \ |
515 | + --ovnsb-db=$ovn_sb_db |
516 | + |
517 | ++ if test X$HAVE_OPENSSL = Xyes; then |
518 | ++ # Create the SB DB pssl+RBAC connection. Ideally we could pre-create |
519 | ++ # SB_Global and Connection with ovsdb-tool transact at DB creation |
520 | ++ # time, but unfortunately that does not work, northd-ddlog will replace |
521 | ++ # the SB_Global record on startup. |
522 | ++ ovn-sbctl \ |
523 | ++ -- --id=@c create connection \ |
524 | ++ target=\"pssl:0:127.0.0.1\" role=ovn-controller \ |
525 | ++ -- add SB_Global . connections @c |
526 | ++ local d=$ovs_base |
527 | ++ if test -n "$1"; then |
528 | ++ d=$d/$1 |
529 | ++ fi |
530 | ++ PARSE_LISTENING_PORT([$d/ovn-sb/ovsdb-server.log], [TCP_PORT]) |
531 | ++ var="SSL_OVN_SB_DB" |
532 | ++ AS_VAR_SET([$var], [ssl:127.0.0.1:$TCP_PORT]); export $var |
533 | ++ fi |
534 | ++ |
535 | + if test -n "$1"; then |
536 | + as_d=$1/ic |
537 | + echo "starting ovn-ic" |
538 | +@@ -237,11 +266,16 @@ ovn_az_attach() { |
539 | + |
540 | + local ovn_remote |
541 | + if test X"$az" = XNONE; then |
542 | +- ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock |
543 | ++ if test X$HAVE_OPENSSL = Xyes; then |
544 | ++ ovn_remote=$SSL_OVN_SB_DB |
545 | ++ else |
546 | ++ ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock |
547 | ++ fi |
548 | + else |
549 | + ovn_remote=unix:$ovs_base/$az/ovn-sb/ovn-sb.sock |
550 | + fi |
551 | + ovs-vsctl \ |
552 | ++ -- set Open_vSwitch . external-ids:hostname=$sandbox \ |
553 | + -- set Open_vSwitch . external-ids:system-id=$sandbox \ |
554 | + -- set Open_vSwitch . external-ids:ovn-remote=$ovn_remote \ |
555 | + -- set Open_vSwitch . external-ids:ovn-encap-type=$encap \ |
556 | +-- |
557 | +2.32.0 |
558 | + |
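Review bot: In the `sim_add` addition to tests/ofproto-macros.at, a simulator whose name is not in `TESTPKI_CNS` only gets the `echo "WARNING: No certificate created ..."` and `sim_add` still returns 0, yet `ovn_az_attach` unconditionally points that same simulator at `$SSL_OVN_SB_DB` when `HAVE_OPENSSL=yes`, so the test fails later on an SSL connection error far from the cause. If every sim in these suites is expected to attach to OVN, a `return 1` after the warning would surface the missing CN where it is detected; if some sims are intentionally OVS-only, a comment saying so next to the warning would explain the lenient path. In `ovn_start`, `var="SSL_OVN_SB_DB"` is not declared `local` unlike `d` two lines above and `local var=` in `ovn_init_db`, so it leaks into the caller's shell; `local var="SSL_OVN_SB_DB"` matches the existing style. The RBAC listener is created as `pssl:0:127.0.0.1` with `role=ovn-controller`, which keeps the test server on loopback with an ephemeral port.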
559 | diff --git a/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch b/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch |
560 | new file mode 100644 |
561 | index 0000000..f57d9f6 |
562 | --- /dev/null |
563 | +++ b/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch |
564 | @@ -0,0 +1,188 @@ |
565 | +Origin: backport, https://github.com/ovn-org/ovn/commit/020dab90f725b548a6131c988bd52e96623d3b8f |
566 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 |
567 | +Last-Update: 2021-10-01 |
568 | + |
569 | +From cb1560a02e968c84ef8ea1c90f894610f88db8df Mon Sep 17 00:00:00 2001 |
570 | +From: Frode Nordahl <frode.nordahl@canonical.com> |
571 | +Date: Fri, 5 Mar 2021 13:16:29 +0100 |
572 | +Subject: [PATCH] tests: Use ovn_start in tests/ovn-controller.at |
573 | + |
574 | +The current version of the tests only initializes the SB DB and |
575 | +instruments it directly. This does not work with SSL+RBAC as |
576 | +northd must run to program the RBAC rules into the SB DB. |
577 | + |
578 | +Run tests both for C and ddlog version of northd. |
579 | + |
580 | +Add workaround for ovn-controller not re-reading certificates to |
581 | +'ovn-controller - Chassis other_config' test. |
582 | + |
583 | +Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> |
584 | +Acked-by: Mark Michelson <mmichels@redhat.com> |
585 | +Signed-off-by: Numan Siddique <numans@ovn.org> |
586 | +(cherry picked from commit 020dab90f725b548a6131c988bd52e96623d3b8f) |
587 | +--- |
588 | + tests/ovn-controller.at | 67 +++++++++++++++++++++++++++++++++++++---- |
589 | + 1 file changed, 61 insertions(+), 6 deletions(-) |
590 | + |
591 | +diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at |
592 | +index 1b4679963..3e06032ca 100644 |
593 | +--- a/tests/ovn-controller.at |
594 | ++++ b/tests/ovn-controller.at |
595 | +@@ -1,8 +1,9 @@ |
596 | + AT_BANNER([ovn-controller]) |
597 | + |
598 | ++OVN_FOR_EACH_NORTHD([ |
599 | + AT_SETUP([ovn-controller - ovn-bridge-mappings]) |
600 | + AT_KEYWORDS([ovn]) |
601 | +-ovn_init_db ovn-sb |
602 | ++ovn_start |
603 | + net_add n1 |
604 | + sim_add hv |
605 | + as hv |
606 | +@@ -54,6 +55,14 @@ check_bridge_mappings () { |
607 | + OVS_WAIT_UNTIL([test x"${local_mappings}" = x$(ovn-sbctl get Chassis ${sysid} other_config:ovn-bridge-mappings | sed -e 's/\"//g')]) |
608 | + } |
609 | + |
610 | ++# NOTE: This test originally ran with only the SB-DB and no northd. For the |
611 | ++# test to be successfull with SSL+RBAC we need to initially run northd to get |
612 | ++# the RBAC rules programmed into the SB-DB. The test instruments the SB-DB |
613 | ++# directly and we need to stop northd to avoid overwriting the instrumentation. |
614 | ++kill `cat northd/ovn-northd.pid` |
615 | ++kill `cat northd-backup/ovn-northd.pid` |
616 | ++kill `cat ovn-nb/ovsdb-server.pid` |
617 | ++ |
618 | + # Initially there should be no patch ports. |
619 | + check_patches |
620 | + |
621 | +@@ -116,12 +125,14 @@ as ovn-sb |
622 | + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) |
623 | + |
624 | + AT_CLEANUP |
625 | ++]) |
626 | + |
627 | + # Checks that ovn-controller populates datapath-type and iface-types |
628 | + # correctly in the Chassis other_config column. |
629 | ++OVN_FOR_EACH_NORTHD([ |
630 | + AT_SETUP([ovn-controller - Chassis other_config]) |
631 | + AT_KEYWORDS([ovn]) |
632 | +-ovn_init_db ovn-sb |
633 | ++ovn_start |
634 | + |
635 | + net_add n1 |
636 | + sim_add hv |
637 | +@@ -192,7 +203,21 @@ OVS_WAIT_UNTIL([ |
638 | + # chassis_private records. Until that happens ovn-controller fails to |
639 | + # create the records due to constraint violation on the Encap table. |
640 | + sysid=${sysid}-foo |
641 | +-ovs-vsctl set Open_vSwitch . external-ids:system-id="${sysid}" |
642 | ++current_remote=`ovs-vsctl get Open_vSwitch . external-ids:ovn-remote` |
643 | ++if test X$HAVE_OPENSSL = Xyes; then |
644 | ++ # To change chassis name we need to change certificate with matching CN |
645 | ++ ovs-vsctl set-ssl \ |
646 | ++ $PKIDIR/testpki-${sysid}-privkey.pem \ |
647 | ++ $PKIDIR/testpki-${sysid}-cert.pem \ |
648 | ++ $PKIDIR/testpki-cacert.pem |
649 | ++ # force reconnect which makes OVN controller read the new certificates |
650 | ++ # TODO implement check for change of certificates in ovn-controller |
651 | ++ # and remove this workaround. |
652 | ++ ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=unix:/dev/null |
653 | ++fi |
654 | ++ovs-vsctl -- set Open_vSwitch . external-ids:hostname="${sysid}" \ |
655 | ++ -- set Open_vSwitch . external-ids:system-id="${sysid}" \ |
656 | ++ -- set Open_vSwitch . external-ids:ovn-remote="${current_remote}" |
657 | + |
658 | + OVS_WAIT_UNTIL([ |
659 | + grep -q 'Transaction causes multiple rows in \\"Encap\\" table to have identical values (geneve and \\"192.168.0.1\\") for index on columns \\"type\\" and \\"ip\\".' hv/ovn-controller.log |
660 | +@@ -216,12 +241,14 @@ as ovn-sb |
661 | + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) |
662 | + |
663 | + AT_CLEANUP |
664 | ++]) |
665 | + |
666 | + # Checks that ovn-controller correctly maintains the mapping from the Encap |
667 | + # table in the Southbound database to OVS in the face of changes on both sides |
668 | ++OVN_FOR_EACH_NORTHD([ |
669 | + AT_SETUP([ovn-controller - change Encap properties]) |
670 | + AT_KEYWORDS([ovn]) |
671 | +-ovn_init_db ovn-sb |
672 | ++ovn_start |
673 | + |
674 | + net_add n1 |
675 | + sim_add hv |
676 | +@@ -271,11 +298,13 @@ as ovn-sb |
677 | + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) |
678 | + |
679 | + AT_CLEANUP |
680 | ++]) |
681 | + |
682 | + # Check ovn-controller connection status to Southbound database |
683 | ++OVN_FOR_EACH_NORTHD([ |
684 | + AT_SETUP([ovn-controller - check sbdb connection]) |
685 | + AT_KEYWORDS([ovn]) |
686 | +-ovn_init_db ovn-sb |
687 | ++ovn_start |
688 | + |
689 | + net_add n1 |
690 | + sim_add hv |
691 | +@@ -305,11 +334,13 @@ as ovn-sb |
692 | + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) |
693 | + |
694 | + AT_CLEANUP |
695 | ++]) |
696 | + |
697 | + # Checks that ovn-controller recreates its chassis record when deleted externally. |
698 | ++OVN_FOR_EACH_NORTHD([ |
699 | + AT_SETUP([ovn-controller - Chassis self record]) |
700 | + AT_KEYWORDS([ovn]) |
701 | +-ovn_init_db ovn-sb |
702 | ++ovn_start |
703 | + |
704 | + net_add n1 |
705 | + sim_add hv |
706 | +@@ -360,8 +391,10 @@ OVS_WAIT_UNTIL([test x0 = x`ovn-sbctl --columns nb_cfg --bare find chassis`]) |
707 | + |
708 | + OVN_CLEANUP([hv]) |
709 | + AT_CLEANUP |
710 | ++]) |
711 | + |
712 | + # Test unix command: debug/delay-nb-cfg-report |
713 | ++OVN_FOR_EACH_NORTHD([ |
714 | + AT_SETUP([ovn-controller - debug/delay-nb-cfg-report]) |
715 | + AT_KEYWORDS([ovn]) |
716 | + ovn_start |
717 | +@@ -393,7 +426,9 @@ AT_CHECK([ovn-nbctl --timeout=1 --wait=hv sync]) |
718 | + |
719 | + OVN_CLEANUP([hv]) |
720 | + AT_CLEANUP |
721 | ++]) |
722 | + |
723 | ++OVN_FOR_EACH_NORTHD([ |
724 | + AT_SETUP([ovn -- nb_cfg sync to OVS]) |
725 | + ovn_start |
726 | + |
727 | +@@ -414,3 +449,23 @@ OVS_WAIT_UNTIL([ovs-vsctl get Bridge br-int external_ids:ovn-nb-cfg], [0], [1]) |
728 | + |
729 | + OVN_CLEANUP([hv1]) |
730 | + AT_CLEANUP |
731 | ++]) |
732 | ++ |
733 | ++OVN_FOR_EACH_NORTHD([ |
734 | ++AT_SETUP([ovn -- features]) |
735 | ++AT_KEYWORDS([features]) |
736 | ++ovn_start |
737 | ++ |
738 | ++net_add n1 |
739 | ++sim_add hv1 |
740 | ++ovs-vsctl add-br br-phys |
741 | ++ovn_attach n1 br-phys 192.168.0.1 |
742 | ++ |
743 | ++# Wait for ovn-controller to register in the SB. |
744 | ++OVS_WAIT_UNTIL([ |
745 | ++ test "$(ovn-sbctl get chassis hv1 other_config:port-up-notif)" = '"true"' |
746 | ++]) |
747 | ++ |
748 | ++OVN_CLEANUP([hv1]) |
749 | ++AT_CLEANUP |
750 | ++]) |
751 | +-- |
752 | +2.32.0 |
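--- a/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch
+++ b/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch
@@ -0,0 +1,145 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/96959e56d634c8d888af9e3ee340602593c7e4fa
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1943266
+Last-Update: 2021-10-01
+
+From 1cdc8ce5b4373b2169129f53e4a060b75522b286 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Tue, 4 May 2021 19:59:00 +0200
+Subject: [PATCH 2/2] physical: do not forward traffic from localport to a
+ localnet one
+
+Since the localnet port is available on each hv, do not forward traffic
+to the localnet port if it is present in order to avoid switch fdb
+misconfiguration.
+Related bz: https://bugzilla.redhat.com/show_bug.cgi?id=1942877
+
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Acked-by: Mark Michelson
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit 96959e56d634c8d888af9e3ee340602593c7e4fa)
+---
+ controller/physical.c | 23 +++++++++++++++++++++++
+ include/ovn/logical-fields.h | 13 +++++++++++++
+ tests/ovn.at | 17 +++++++++++++++++
+ 3 files changed, 53 insertions(+)
+
+diff --git a/controller/physical.c b/controller/physical.c
+index fa5d0d692..f41010a2b 100644
+--- a/controller/physical.c
++++ b/controller/physical.c
+@@ -1160,6 +1160,11 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name,
+
+ load_logical_ingress_metadata(binding, &zone_ids, ofpacts_p);
+
++ if (!strcmp(binding->type, "localport")) {
++ /* mark the packet as incoming from a localport */
++ put_load(1, MFF_LOG_FLAGS, MLF_LOCALPORT_BIT, 1, ofpacts_p);
++ }
++
+ /* Resubmit to first logical ingress pipeline table. */
+ put_resubmit(OFTABLE_LOG_INGRESS_PIPELINE, ofpacts_p);
+ ofctrl_add_flow(flow_table, OFTABLE_PHY_TO_LOG,
+@@ -1219,6 +1224,24 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name,
+ ofport, flow_table);
+ }
+
++ /* Table 39, priority 160.
++ * =======================
++ *
++ * Do not forward local traffic from a localport to a localnet port.
++ */
++ if (!strcmp(binding->type, "localnet")) {
++ /* do not forward traffic from localport to localnet port */
++ match_init_catchall(&match);
++ ofpbuf_clear(ofpacts_p);
++ match_set_metadata(&match, htonll(dp_key));
++ match_set_reg(&match, MFF_LOG_OUTPORT - MFF_REG0, port_key);
++ match_set_reg_masked(&match, MFF_LOG_FLAGS - MFF_REG0,
++ MLF_LOCALPORT, MLF_LOCALPORT);
++ ofctrl_add_flow(flow_table, OFTABLE_CHECK_LOOPBACK, 160,
++ binding->header_.uuid.parts[0], &match,
++ ofpacts_p, &binding->header_.uuid);
++ }
++
+ } else if (!tun && !is_ha_remote) {
+ /* Remote port connected by localnet port */
+ /* Table 33, priority 100.
+diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h
+index aee474856..ebc4d82e3 100644
+--- a/include/ovn/logical-fields.h
++++ b/include/ovn/logical-fields.h
+@@ -59,6 +59,9 @@ enum mff_log_flags_bits {
+ MLF_NESTED_CONTAINER_BIT = 5,
+ MLF_LOOKUP_MAC_BIT = 6,
+ MLF_LOOKUP_LB_HAIRPIN_BIT = 7,
++ MLF_LOOKUP_FDB_BIT = 8,
++ MLF_SKIP_SNAT_FOR_LB_BIT = 9,
++ MLF_LOCALPORT_BIT = 10,
+ };
+
+ /* MFF_LOG_FLAGS_REG flag assignments */
+@@ -92,6 +95,16 @@ enum mff_log_flags {
+ MLF_LOOKUP_MAC = (1 << MLF_LOOKUP_MAC_BIT),
+
+ MLF_LOOKUP_LB_HAIRPIN = (1 << MLF_LOOKUP_LB_HAIRPIN_BIT),
++
++ /* Indicate that the lookup in the fdb table was successful. */
++ MLF_LOOKUP_FDB = (1 << MLF_LOOKUP_FDB_BIT),
++
++ /* Indicate that a packet must not SNAT in the gateway router when
++ * load-balancing has taken place. */
++ MLF_SKIP_SNAT_FOR_LB = (1 << MLF_SKIP_SNAT_FOR_LB_BIT),
++
++ /* Indicate the packet has been received from a localport */
++ MLF_LOCALPORT = (1 << MLF_LOCALPORT_BIT),
+ };
+
+ /* OVN logical fields
+diff --git a/tests/ovn.at b/tests/ovn.at
+index ce5e9fded..914f9b949 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -11490,10 +11490,17 @@ AT_CLEANUP
+ AT_SETUP([ovn -- localport suppress gARP])
+ ovn_start
+
++send_garp() {
++ local inport=$1 eth_src=$2 eth_dst=$3 spa=$4 tpa=$5
++ local request=${eth_dst}${eth_src}08060001080006040001${eth_src}${spa}${eth_dst}${tpa}
++ as hv1 ovs-appctl netdev-dummy/receive vif$inport $request
++}
++
+ net_add n1
+ sim_add hv1
+ as hv1
+ check ovs-vsctl add-br br-phys
++ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
+ ovn_attach n1 br-phys 192.168.0.1
+
+ check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
+@@ -11504,6 +11511,7 @@ check ovn-nbctl ls-add ls \
+ -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \
+ -- lsp-add ls ln \
+ -- lsp-set-type ln localnet \
++ -- lsp-set-addresses ln unknown \
+ -- lsp-set-options ln network_name=phys \
+ -- lsp-add ls lsp \
+ -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2"
+@@ -11537,6 +11545,15 @@ AT_CHECK([
+ test 0 -eq $pkts
+ ])
+
++spa=$(ip_to_hex 10 0 0 1)
++tpa=$(ip_to_hex 10 0 0 100)
++send_garp 1 000000000001 ffffffffffff $spa $tpa
++
++dnl traffic from localport should not be sent to localnet
++AT_CHECK([tcpdump -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl
++0
++],[ignore])
++
+ OVN_CLEANUP([hv1])
+ AT_CLEANUP
+
+--
+2.32.0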
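Review bot: The logical-fields.h hunk adds MLF_LOOKUP_FDB_BIT, MLF_SKIP_SNAT_FOR_LB_BIT and their MLF_LOOKUP_FDB / MLF_SKIP_SNAT_FOR_LB flags, but nothing else in this patch sets, matches or tests them; presumably they are placeholders so that MLF_LOCALPORT_BIT keeps upstream's bit position 10 (the context lines show the target tree ends at bit 7), yet the patch header records none of this. The Origin/Bug-Ubuntu header should carry a line such as `Comment: MLF_LOOKUP_FDB_BIT and MLF_SKIP_SNAT_FOR_LB_BIT are added unused so MLF_LOCALPORT_BIT stays at bit 10 as upstream.` so the next rebase knows they are intentional and not a missing backport. As a minor point of style, the tests/ovn.at hunk inserts `ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys` before ovn_attach without `check`, while the same command already follows it with `check`; keeping both looks accidental and the second one is the checked form.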
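--- a/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch
+++ b/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch
@@ -0,0 +1,111 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/578238b36073256c524a4c2b6ed7521f73aa0019
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1943266
+Last-Update: 2021-10-01
+
+From aefe7053eb3d9750d552eb342caed9faaaf9365a Mon Sep 17 00:00:00 2001
+From: Daniel Alvarez Sanchez <dalvarez@redhat.com>
+Date: Wed, 24 Mar 2021 18:23:47 +0100
+Subject: [PATCH 1/2] pinctrl: Don't send gARPs for localports
+
+Ports of type 'localport' are present on every hypervisor and
+ovn-controller is sending gARPs for them which makes upstream
+switches to see its MAC address flapping.
+
+In order to avoid this behavior, the current patch is skipping
+localports when sending gARP/RARP packets.
+
+Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1939470
+
+Signed-off-by: Daniel Alvarez Sanchez <dalvarez@redhat.com>
+Co-authored-by: Dumitru Ceara <dceara@redhat.com>
+Signed-off-by: Dumitru Ceara <dceara@redhat.com>
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit 578238b36073256c524a4c2b6ed7521f73aa0019)
+---
+ controller/pinctrl.c | 6 +++++
+ tests/ovn.at | 53 ++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+)
+
+diff --git a/controller/pinctrl.c b/controller/pinctrl.c
+index 7e3abf0a4..f20c24f0e 100644
+--- a/controller/pinctrl.c
++++ b/controller/pinctrl.c
+@@ -4102,6 +4102,12 @@ send_garp_rarp_update(struct ovsdb_idl_txn *ovnsb_idl_txn,
+ struct shash *nat_addresses)
+ {
+ volatile struct garp_rarp_data *garp_rarp = NULL;
++
++ /* Skip localports as they don't need to be announced */
++ if (!strcmp(binding_rec->type, "localport")) {
++ return;
++ }
++
+ /* Update GARP for NAT IP if it exists. Consider port bindings with type
+ * "l3gateway" for logical switch ports attached to gateway routers, and
+ * port bindings with type "patch" for logical switch ports attached to
+diff --git a/tests/ovn.at b/tests/ovn.at
+index 9dcb0772e..ce5e9fded 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -11487,6 +11487,59 @@ OVN_CLEANUP([hv1],[hv2])
+
+ AT_CLEANUP
+
++AT_SETUP([ovn -- localport suppress gARP])
++ovn_start
++
++net_add n1
++sim_add hv1
++as hv1
++check ovs-vsctl add-br br-phys
++ovn_attach n1 br-phys 192.168.0.1
++
++check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
++
++check ovn-nbctl ls-add ls \
++ -- lsp-add ls lp \
++ -- lsp-set-type lp localport \
++ -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \
++ -- lsp-add ls ln \
++ -- lsp-set-type ln localnet \
++ -- lsp-set-options ln network_name=phys \
++ -- lsp-add ls lsp \
++ -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2"
++
++dnl First bind the localport.
++check ovs-vsctl add-port br-int vif1 \
++ -- set Interface vif1 external-ids:iface-id=lp
++check ovn-nbctl --wait=hv sync
++
++dnl Then bind the regular vif.
++check ovs-vsctl add-port br-int vif2 \
++ -- set Interface vif2 external-ids:iface-id=lsp \
++ options:tx_pcap=hv1/vif2-tx.pcap \
++ options:rxq_pcap=hv1/vif2-rx.pcap
++
++wait_row_count nb:Logical_Switch_Port 1 name=lsp up=true
++check ovn-nbctl --wait=hv sync
++
++dnl Wait for at least two gARPs from lsp (10.0.0.2).
++lsp_garp=ffffffffffff000000000002080600010800060400010000000000020a0000020000000000000a000002
++OVS_WAIT_UNTIL([
++ garps=`$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv1/br-phys-tx.pcap | grep ${lsp_garp} -c`
++ test $garps -ge 2
++])
++
++dnl At this point it's safe to assume that ovn-controller skipped sending gARP
++dnl for the localport. Check that there are no other packets than the gARPs
++dnl for the regular vif.
++AT_CHECK([
++ pkts=`$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv1/br-phys-tx.pcap | grep -v ${lsp_garp} -c`
++ test 0 -eq $pkts
++])
++
++OVN_CLEANUP([hv1])
++AT_CLEANUP
++
+ AT_SETUP([ovn -- 1 LR with HA distributed router gateway port])
+ ovn_start
+
+--
+2.32.0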
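Review bot: The early return added at the top of send_garp_rarp_update() says only that localports "don't need to be announced"; the reason that matters operationally is in the commit message, not in the code, so the comment should carry it: `/* Skip localports: they are bound on every hypervisor, so announcing them would make upstream switches see the same MAC flap between ports. */`. The return is placed before any of the existing garp_rarp bookkeeping, so if a Port_Binding changes type to localport while an entry for it already exists, this function no longer touches that entry; the rest of the function and whatever reaps stale entries are outside the hunk, so I cannot confirm from here whether another path removes it, but it is worth checking before merging. The autotest only covers the fresh-bind case (vif1 is bound as a localport from the start), so a type-change case would not be caught by it.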
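--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,11 @@
 lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
 lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
 lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
+lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
+lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
+lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
+lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
+lp-1914988-tests-Make-certificate-generation-extendable.patch
+lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
+lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch
+lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch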
Package building here: https://launchpad.net/~fnordahl/+archive/ubuntu/hirsute-rbac-fixes/+packages