Merge ~fnordahl/ubuntu/+source/ovn:bug/1914988-hirsute into ~ubuntu-server-dev/ubuntu/+source/ovn:ubuntu/hirsute

Proposed by Frode Nordahl
Status: Needs review
Proposed branch: ~fnordahl/ubuntu/+source/ovn:bug/1914988-hirsute
Merge into: ~ubuntu-server-dev/ubuntu/+source/ovn:ubuntu/hirsute
Diff against target: 1036 lines (+972/-0)
10 files modified
debian/changelog (+17/-0)
debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch (+54/-0)
debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch (+36/-0)
debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch (+47/-0)
debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch (+213/-0)
debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch (+153/-0)
debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch (+188/-0)
debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch (+145/-0)
debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch (+111/-0)
debian/patches/series (+8/-0)
Reviewer Review Type Date Requested Status
James Page Pending
Review via email: mp+409496@code.launchpad.net
Frode Nordahl (fnordahl) wrote :
Erlon R. Cruz (sombrafam) wrote :

I've tested the patches on hirsute and they fixed the ARP issues.

Unmerged commits

414d998... by Frode Nordahl

Backport fixes

* Backport rollup for SSL+RBAC (LP: #1914988):
    - d/p/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
    - d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
    - d/p/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
    - d/p/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
    - d/p/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
    - d/p/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
    - d/p/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
    - d/p/lp-1914988-tests-Make-certificate-generation-extendable.patch
    - d/p/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
  * d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch:
    Do not forward traffic from localport to localnet ports (LP: #1943266).

Preview Diff

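--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+ovn (20.12.0-0ubuntu4) hirsute; urgency=medium
+
+ * Backport rollup for SSL+RBAC (LP: #1914988):
+ - d/p/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
+ - d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
+ - d/p/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
+ - d/p/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
+ - d/p/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
+ - d/p/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
+ - d/p/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
+ - d/p/lp-1914988-tests-Make-certificate-generation-extendable.patch
+ - d/p/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
+ * d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch:
+ Do not forward traffic from localport to localnet ports (LP: #1943266).
+
+ -- Frode Nordahl <frode.nordahl@canonical.com> Fri, 01 Oct 2021 09:42:00 +0200
+
 ovn (20.12.0-0ubuntu3) hirsute; urgency=medium
 
 * Cherry-pick fixes from upstream branch-20.12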
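--- /dev/null
+++ b/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
@@ -0,0 +1,54 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/51f2629cda614d0712ca13f4b51e30c9c2290bc1
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From 23f2c7a18ec1f7690c827ea2adbab00f855c456a Mon Sep 17 00:00:00 2001
+From: Frode Nordahl <frode.nordahl@canonical.com>
+Date: Fri, 5 Mar 2021 13:16:26 +0100
+Subject: [PATCH 5/9] northd: Add Controller_Event RBAC rules
+
+The use of the Controller_Event table does currently not work
+when RBAC is enabled.
+
+Fixes: be1eeb09d ("OVN: introduce Controller_Event table")
+Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit 51f2629cda614d0712ca13f4b51e30c9c2290bc1)
+---
+ northd/ovn-northd.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index ad84c52be..4abb0c7ab 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -12687,6 +12687,12 @@ static const char *rbac_encap_auth[] =
+ static const char *rbac_encap_update[] =
+ {"type", "options", "ip"};
+
++static const char *rbac_controller_event_auth[] =
++ {""};
++static const char *rbac_controller_event_update[] =
++ {"chassis", "event_info", "event_type", "seq_num"};
++
++
+ static const char *rbac_port_binding_auth[] =
+ {""};
+ static const char *rbac_port_binding_update[] =
+@@ -12731,6 +12737,14 @@ static struct rbac_perm_cfg {
+ .update = rbac_chassis_private_update,
+ .n_update = ARRAY_SIZE(rbac_chassis_private_update),
+ .row = NULL
++ },{
++ .table = "Controller_Event",
++ .auth = rbac_controller_event_auth,
++ .n_auth = ARRAY_SIZE(rbac_controller_event_auth),
++ .insdel = true,
++ .update = rbac_controller_event_update,
++ .n_update = ARRAY_SIZE(rbac_controller_event_update),
++ .row = NULL
+ },{
+ .table = "Encap",
+ .auth = rbac_encap_auth,
+--
+2.32.0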
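Review bot: `rbac_controller_event_auth` is `{""}` and the new `rbac_perm_cfg` entry sets `.insdel = true`, so a client presenting any certificate accepted for the `ovn-controller` role can insert, delete or update every Controller_Event row, including rows whose `chassis` column names a different chassis; nothing binds a row to the presenting chassis. That mirrors the neighbouring `rbac_port_binding_auth` entry and is presumably forced by `chassis` being a row reference rather than a name that RBAC can match against the certificate CN, but the patch does not say so. A comment above the array, e.g. `/* No auth column: Controller_Event.chassis is a reference, not a CN-matchable name, so any controller may write any row. */`, would record this as a known limitation rather than an omission. The `rbac_perm_cfg` array this hunk extends starts and ends outside the hunk.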
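--- /dev/null
+++ b/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
@@ -0,0 +1,36 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/b865e502293b8504812b062321be442805f46d4a
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From 0b44305ea11f5ecf3a5ba43de5f62fd1dcc3f912 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl <frode.nordahl@canonical.com>
+Date: Fri, 5 Mar 2021 13:16:25 +0100
+Subject: [PATCH 4/8] northd: Amend Chassis RBAC rules
+
+The Transport Zones support does currently not work when RBAC is
+enabled.
+
+Fixes: 07d0d258d ("OVN: Add support for Transport Zones")
+Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit b865e502293b8504812b062321be442805f46d4a)
+---
+ northd/ovn-northd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index 718ed831a..ad84c52be 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -12675,7 +12675,7 @@ static const char *rbac_chassis_auth[] =
+ {"name"};
+ static const char *rbac_chassis_update[] =
+ {"nb_cfg", "external_ids", "encaps", "vtep_logical_switches",
+- "other_config"};
++ "other_config", "transport_zones"};
+
+ static const char *rbac_chassis_private_auth[] =
+ {"name"};
+--
+2.32.0
+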
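--- /dev/null
+++ b/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
@@ -0,0 +1,47 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/a6008b68bb70e99a9191eb9c6c98532816fa4307
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From d6e9c4f2b74ead49b65a4aedb464a87631d9d329 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl <frode.nordahl@canonical.com>
+Date: Fri, 5 Mar 2021 13:16:28 +0100
+Subject: [PATCH 5/8] tests: Amend release stale port binding test for RBAC
+
+The current version of the test attempts to simulate chassis
+registration prior to starting `ovn-controller`, however it does
+not set the `hostname` field.
+
+The RBAC role for `ovn-controller` does not allow for a chassis to
+change its own name or hostname, which makes sense as this is used
+for authentication.
+
+Update the test to set the `hostname` field when simulating chassis
+registration so that `ovn-controller` does not attempt to update it
+and subsequently make the test fail.
+
+Fixes b6b3823d4 ("ovn-controller: Fix I-P for SB Port_Binding and OVS Interface")
+
+Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
+Acked-by: Mark Michelson <mmichels@redhat.com>
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit b92823f0e94e760c3e4b60ef132b513c3411ed2d)
+---
+ tests/ovn.at | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/ovn.at b/tests/ovn.at
+index 2e0bc9c53..aae4c06be 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -20871,7 +20871,7 @@ ovn-nbctl --wait=sb lsp-add ls1 lsp1
+
+ # Simulate the fact that lsp1 had been previously bound on hv1.
+ ovn-sbctl --id=@e create encap chassis_name=hv1 ip="192.168.0.1" type="geneve" \
+- -- --id=@c create chassis name=hv1 encaps=@e \
++ -- --id=@c create chassis hostname=hv1 name=hv1 encaps=@e \
+ -- set Port_Binding lsp1 chassis=@c
+
+ as hv1
+--
+2.32.0
+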
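Review bot: The DEP-3 `Origin:` header of this patch points at commit a6008b68bb70e99a9191eb9c6c98532816fa4307 while the embedded trailer reads `(cherry picked from commit b92823f0e94e760c3e4b60ef132b513c3411ed2d)`; every other lp-1914988 patch in this merge uses the same hash in both places. If a6008b68 is the branch-20.12 backport of b92823f0 that is fine, but the header should say so, e.g. `Origin: backport, https://github.com/ovn-org/ovn/commit/a6008b68bb70e99a9191eb9c6c98532816fa4307 (branch-20.12 backport of b92823f0e94e760c3e4b60ef132b513c3411ed2d)`; otherwise one of the two hashes is wrong and the provenance of the patch cannot be checked.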
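--- /dev/null
+++ b/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch
@@ -0,0 +1,213 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From b05ce42d1a6c4ca468b6a5fd1a16a0f6a5867663 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl <frode.nordahl@canonical.com>
+Date: Fri, 5 Mar 2021 13:16:30 +0100
+Subject: [PATCH 2/3] tests: Make certificate generation extendable
+
+In preparation for enabling testing with SSL and RBAC enabled by
+default, rework the certificate generation so that we can easily
+add generation of more certificates/CN on demand.
+
+A side erffect of the change is a more generic naming scheme for
+the certificate files so the patch also contains an update to
+existing tests so that they use the new filenames.
+
+Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
+Acked-by: Mark Michelson <mmichels@redhat.com>
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit 2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7)
+---
+ tests/automake.mk | 48 ++++++++++++++++++++++-------------------------
+ tests/ovn.at | 48 +++++++++++++++++++++++------------------------
+ 2 files changed, 46 insertions(+), 50 deletions(-)
+
+diff --git a/tests/automake.mk b/tests/automake.mk
+index 9740f085a..6eabb97e6 100644
+--- a/tests/automake.mk
++++ b/tests/automake.mk
+@@ -215,39 +215,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage
+ FLAKE8_PYFILES += $(CHECK_PYFILES)
+
+ if HAVE_OPENSSL
+-TESTPKI_FILES = \
+- tests/testpki-cacert.pem \
+- tests/testpki-cert.pem \
+- tests/testpki-privkey.pem \
+- tests/testpki-req.pem \
+- tests/testpki-cert2.pem \
+- tests/testpki-privkey2.pem \
+- tests/testpki-req2.pem
++OVS_PKI_DIR = $(CURDIR)/tests/pki
++TESTPKI_CNS = test test2
++TESTPKI_FILES = $(shell \
++ for cn in $(TESTPKI_CNS); do \
++ echo tests/testpki-$$cn-cert.pem ; \
++ echo tests/testpki-$$cn-privkey.pem ; \
++ echo tests/testpki-$$cn-req.pem ; \
++ done)
++
++tests/testpki-cacert.pem: tests/pki/stamp
++ $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@
++
++$(TESTPKI_FILES): tests/pki/stamp
++ $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@
++
++check_DATA += tests/testpki-cacert.pem
+ check_DATA += $(TESTPKI_FILES)
++CLEANFILES += tests/testpki-cacert.pem
+ CLEANFILES += $(TESTPKI_FILES)
+
+-tests/testpki-cacert.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@
+-tests/testpki-cert.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test-cert.pem $@
+-tests/testpki-req.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test-req.pem $@
+-tests/testpki-privkey.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test-privkey.pem $@
+-tests/testpki-cert2.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test2-cert.pem $@
+-tests/testpki-req2.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test2-req.pem $@
+-tests/testpki-privkey2.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@
+-
+-OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log
++
++OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log
+ tests/pki/stamp:
+ $(AM_V_at)rm -f tests/pki/stamp
+ $(AM_V_at)rm -rf tests/pki
+ $(AM_V_GEN)$(OVS_PKI) init && \
+- $(OVS_PKI) req+sign tests/pki/test && \
+- $(OVS_PKI) req+sign tests/pki/test2 && \
++ for cn in $(TESTPKI_CNS); do \
++ $(OVS_PKI) req+sign tests/pki/$$cn; \
++ done && \
+ : > tests/pki/stamp
+ CLEANFILES += tests/ovs-pki.log
+
+diff --git a/tests/ovn.at b/tests/ovn.at
+index 4d9ee1256..6de5a6d3f 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -7701,8 +7701,8 @@ AT_CHECK(
+
+ start_daemon ovsdb-server --remote=punix:ovn-sb.sock \
+ --remote=db:OVN_Southbound,SB_Global,connections \
+- --private-key="$PKIDIR/testpki-privkey2.pem" \
+- --certificate="$PKIDIR/testpki-cert2.pem" \
++ --private-key="$PKIDIR/testpki-test2-privkey.pem" \
++ --certificate="$PKIDIR/testpki-test2-cert.pem" \
+ --ca-cert="$PKIDIR/testpki-cacert.pem" \
+ ovn-sb.db
+
+@@ -7710,20 +7710,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+ # read-only accesses should succeed
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list SB_Global], [0], [stdout], [ignore])
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list Connection], [0], [stdout], [ignore])
+
+ # write access should fail
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ chassis-add ch vxlan 1.2.4.8], [1], [ignore],
+ [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"}
+@@ -7751,8 +7751,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \
+
+ # Populate SSL configuration entries in nb db
+ AT_CHECK(
+- [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \
+- $PKIDIR/testpki-cert.pem \
++ [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
++ $PKIDIR/testpki-test-cert.pem \
+ $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
+
+ # Populate a passive SSL connection in nb db
+@@ -7762,20 +7762,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+ # Verify SSL connetivity to nb db server
+ AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list NB_Global],
+ [0], [stdout], [ignore])
+ AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list Connection],
+ [0], [stdout], [ignore])
+ AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ get-connection],
+ [0], [stdout], [ignore])
+@@ -7802,8 +7802,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \
+
+ # Populate SSL configuration entries in sb db
+ AT_CHECK(
+- [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \
+- $PKIDIR/testpki-cert.pem \
++ [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
++ $PKIDIR/testpki-test-cert.pem \
+ $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
+
+ # Populate a passive SSL connection in sb db
+@@ -7813,20 +7813,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+ # Verify SSL connetivity to sb db server
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list SB_Global],
+ [0], [stdout], [ignore])
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list Connection],
+ [0], [stdout], [ignore])
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ get-connection],
+ [0], [stdout], [ignore])
+--
+2.32.0
+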
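Review bot: In the `tests/pki/stamp` rule, the new `for cn in $(TESTPKI_CNS); do $(OVS_PKI) req+sign tests/pki/$$cn; done && : > tests/pki/stamp` only propagates the exit status of the last iteration, so a failed `req+sign` for an earlier CN still produces the stamp file and the missing key/certificate surfaces later as an unrelated `cp` failure in the `$(TESTPKI_FILES)` rule. The two replaced lines chained each `req+sign` with `&&`; `$(OVS_PKI) req+sign tests/pki/$$cn || exit 1; \` inside the loop keeps that fail-fast behaviour. The same loop shape is carried into `lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch` (`$(OVS_PKI) -u req+sign $$cn;`), where the CN list grows to about thirty entries and a silent partial failure is more likely.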
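--- /dev/null
+++ b/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
@@ -0,0 +1,153 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From ef220e364c01af319eb378a7b6b508cc1a49266a Mon Sep 17 00:00:00 2001
+From: Frode Nordahl <frode.nordahl@canonical.com>
+Date: Fri, 5 Mar 2021 13:16:31 +0100
+Subject: [PATCH] tests: Test with SSL and RBAC for controller by default
+
+To help ourself to not forget updating RBAC rules when we land
+changes to existing functionality and new features we must enable
+SSL+RBAC on the `ovn-controller` <-> SB DB connection for builds
+with OpenSSL enabled.
+
+Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
+Acked-by: Mark Michelson <mmichels@redhat.com>
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4)
+---
+ tests/automake.mk | 9 +++++++--
+ tests/ofproto-macros.at | 12 ++++++++++++
+ tests/ovn-macros.at | 38 ++++++++++++++++++++++++++++++++++++--
+ 3 files changed, 55 insertions(+), 4 deletions(-)
+
+diff --git a/tests/automake.mk b/tests/automake.mk
+index 7fab972ab..785a6e5a6 100644
+--- a/tests/automake.mk
++++ b/tests/automake.mk
+@@ -220,7 +220,10 @@ FLAKE8_PYFILES += $(CHECK_PYFILES)
+
+ if HAVE_OPENSSL
+ OVS_PKI_DIR = $(CURDIR)/tests/pki
+-TESTPKI_CNS = test test2
++# NOTE: Certificate generation has to be done serially, and each one adds a few
++# seconds to the test run. Please try to re-use one of the many CNs already
++# used in the existing tests.
++TESTPKI_CNS = test test2 main hv hv-foo hv1 hv2 hv3 hv4 hv5 hv6 hv7 hv8 hv9 hv10 hv-1 hv-2 hv-10-1 hv-10-2 hv-20-1 hv-20-2 vtep hv_gw pbr-hv gw1 gw2 gw3 gw4 gw5 ext1
+ TESTPKI_FILES = $(shell \
+ for cn in $(TESTPKI_CNS); do \
+ echo tests/testpki-$$cn-cert.pem ; \
+@@ -245,9 +248,11 @@ tests/pki/stamp:
+ $(AM_V_at)rm -f tests/pki/stamp
+ $(AM_V_at)rm -rf tests/pki
+ $(AM_V_GEN)$(OVS_PKI) init && \
++ cd tests/pki && \
+ for cn in $(TESTPKI_CNS); do \
+- $(OVS_PKI) req+sign tests/pki/$$cn; \
++ $(OVS_PKI) -u req+sign $$cn; \
+ done && \
++ cd ../../ && \
+ : > tests/pki/stamp
+ CLEANFILES += tests/ovs-pki.log
+
+diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
+index dd5d3848d..9e8c4f051 100644
+--- a/tests/ofproto-macros.at
++++ b/tests/ofproto-macros.at
+@@ -101,6 +101,7 @@ start_daemon () {
+ #
+ # sim_add hv0
+ # as hv0 ovs-vsctl add-br br0
++PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+ sims=
+ sim_add () {
+ echo "adding simulator '$1'"
+@@ -123,6 +124,17 @@ sim_add () {
+ # Start ovs-vswitchd
+ as $1 start_daemon ovs-vswitchd --enable-dummy=system -vvconn -vofproto_dpif -vunixctl
+ as $1 ovs-appctl vlog/disable-rate-limit vconn
++ if test X$HAVE_OPENSSL = Xyes; then
++ if test -f $PKIDIR/testpki-$1-privkey.pem; then
++ as $1 ovs-vsctl set-ssl \
++ $PKIDIR/testpki-$1-privkey.pem \
++ $PKIDIR/testpki-$1-cert.pem \
++ $PKIDIR/testpki-cacert.pem \
++ || return 1
++ else
++ echo "WARNING: No certificate created for sim '$1', check TESTPKI_CNS variable in tests/automake.mk"
++ fi
++ fi
+ }
+
+ # "as $1" sets the OVS_*DIR environment variables to point to $ovs_base/$1.
+diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at
+index ff71f02d0..902ff1115 100644
+--- a/tests/ovn-macros.at
++++ b/tests/ovn-macros.at
+@@ -120,7 +120,18 @@ ovn_init_db () {
+ mkdir "$d" || return 1
+ : > "$d"/.$1.db.~lock~
+ as $as_d ovsdb-tool create "$d"/$1.db "$abs_top_srcdir"/$1.ovsschema
+- as $as_d start_daemon ovsdb-server -vjsonrpc --remote=punix:"$d"/$1.sock "$d"/$1.db
++
++ local remote_in_db=
++ if test X$HAVE_OPENSSL = Xyes -a X"$1" = X"ovn-sb"; then
++ remote_in_db="--remote=db:OVN_Southbound,SB_Global,connections --private-key=$PKIDIR/testpki-test-privkey.pem --certificate=$PKIDIR/testpki-test-cert.pem --ca-cert=$PKIDIR/testpki-cacert.pem"
++ fi
++
++ as $as_d start_daemon ovsdb-server \
++ -vjsonrpc \
++ --remote=punix:"$d"/$1.sock \
++ $remote_in_db \
++ "$d"/$1.db
++
+ local var=`echo $1_db | tr a-z- A-Z_`
+ AS_VAR_SET([$var], [unix:"$d"/$1.sock]); export $var
+ }
+@@ -173,6 +184,24 @@ ovn_start () {
+ --ovnnb-db=$ovn_nb_db \
+ --ovnsb-db=$ovn_sb_db
+
++ if test X$HAVE_OPENSSL = Xyes; then
++ # Create the SB DB pssl+RBAC connection. Ideally we could pre-create
++ # SB_Global and Connection with ovsdb-tool transact at DB creation
++ # time, but unfortunately that does not work, northd-ddlog will replace
++ # the SB_Global record on startup.
++ ovn-sbctl \
++ -- --id=@c create connection \
++ target=\"pssl:0:127.0.0.1\" role=ovn-controller \
++ -- add SB_Global . connections @c
++ local d=$ovs_base
++ if test -n "$1"; then
++ d=$d/$1
++ fi
++ PARSE_LISTENING_PORT([$d/ovn-sb/ovsdb-server.log], [TCP_PORT])
++ var="SSL_OVN_SB_DB"
++ AS_VAR_SET([$var], [ssl:127.0.0.1:$TCP_PORT]); export $var
++ fi
++
+ if test -n "$1"; then
+ as_d=$1/ic
+ echo "starting ovn-ic"
+@@ -237,11 +266,16 @@ ovn_az_attach() {
+
+ local ovn_remote
+ if test X"$az" = XNONE; then
+- ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock
++ if test X$HAVE_OPENSSL = Xyes; then
++ ovn_remote=$SSL_OVN_SB_DB
++ else
++ ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock
++ fi
+ else
+ ovn_remote=unix:$ovs_base/$az/ovn-sb/ovn-sb.sock
+ fi
+ ovs-vsctl \
++ -- set Open_vSwitch . external-ids:hostname=$sandbox \
+ -- set Open_vSwitch . external-ids:system-id=$sandbox \
+ -- set Open_vSwitch . external-ids:ovn-remote=$ovn_remote \
+ -- set Open_vSwitch . external-ids:ovn-encap-type=$encap \
+--
+2.32.0
+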
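Review bot: In the `sim_add` hunk of `tests/ofproto-macros.at`, a sim whose name is missing from `TESTPKI_CNS` only gets the `WARNING: No certificate created ...` echo and `sim_add` still returns success, so under SSL+RBAC that sim's ovn-controller runs without a client certificate and the test fails later on the SB connection with a far less direct message. The `set-ssl` branch right above already uses `|| return 1`, so the else branch should fail the same way, e.g. `echo "ERROR: No certificate created for sim '$1', check TESTPKI_CNS variable in tests/automake.mk" >&2; return 1` — unless some sims are meant never to reach the SB DB, in which case a comment saying so belongs there. Minor: `PKIDIR="$(cd $abs_top_builddir/tests && pwd)"` leaves `$abs_top_builddir` unquoted while `ovn_init_db` in the same patch quotes `"$abs_top_srcdir"`; `"$abs_top_builddir"` keeps the two consistent. `sim_add` and `ovn_az_attach` both start and end outside their hunks.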
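--- /dev/null
+++ b/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
@@ -0,0 +1,188 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/020dab90f725b548a6131c988bd52e96623d3b8f
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From cb1560a02e968c84ef8ea1c90f894610f88db8df Mon Sep 17 00:00:00 2001
+From: Frode Nordahl <frode.nordahl@canonical.com>
+Date: Fri, 5 Mar 2021 13:16:29 +0100
+Subject: [PATCH] tests: Use ovn_start in tests/ovn-controller.at
+
+The current version of the tests only initializes the SB DB and
+instruments it directly. This does not work with SSL+RBAC as
+northd must run to program the RBAC rules into the SB DB.
+
+Run tests both for C and ddlog version of northd.
+
+Add workaround for ovn-controller not re-reading certificates to
+'ovn-controller - Chassis other_config' test.
+
+Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
+Acked-by: Mark Michelson <mmichels@redhat.com>
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit 020dab90f725b548a6131c988bd52e96623d3b8f)
+---
+ tests/ovn-controller.at | 67 +++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 61 insertions(+), 6 deletions(-)
+
+diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
+index 1b4679963..3e06032ca 100644
+--- a/tests/ovn-controller.at
++++ b/tests/ovn-controller.at
+@@ -1,8 +1,9 @@
+ AT_BANNER([ovn-controller])
+
++OVN_FOR_EACH_NORTHD([
+ AT_SETUP([ovn-controller - ovn-bridge-mappings])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+ net_add n1
+ sim_add hv
+ as hv
+@@ -54,6 +55,14 @@ check_bridge_mappings () {
+ OVS_WAIT_UNTIL([test x"${local_mappings}" = x$(ovn-sbctl get Chassis ${sysid} other_config:ovn-bridge-mappings | sed -e 's/\"//g')])
+ }
+
++# NOTE: This test originally ran with only the SB-DB and no northd. For the
++# test to be successfull with SSL+RBAC we need to initially run northd to get
++# the RBAC rules programmed into the SB-DB. The test instruments the SB-DB
++# directly and we need to stop northd to avoid overwriting the instrumentation.
++kill `cat northd/ovn-northd.pid`
++kill `cat northd-backup/ovn-northd.pid`
++kill `cat ovn-nb/ovsdb-server.pid`
++
+ # Initially there should be no patch ports.
+ check_patches
+
+@@ -116,12 +125,14 @@ as ovn-sb
+ OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+ AT_CLEANUP
++])
+
+ # Checks that ovn-controller populates datapath-type and iface-types
+ # correctly in the Chassis other_config column.
++OVN_FOR_EACH_NORTHD([
+ AT_SETUP([ovn-controller - Chassis other_config])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+
+ net_add n1
+ sim_add hv
+@@ -192,7 +203,21 @@ OVS_WAIT_UNTIL([
+ # chassis_private records. Until that happens ovn-controller fails to
+ # create the records due to constraint violation on the Encap table.
+ sysid=${sysid}-foo
+-ovs-vsctl set Open_vSwitch . external-ids:system-id="${sysid}"
++current_remote=`ovs-vsctl get Open_vSwitch . external-ids:ovn-remote`
++if test X$HAVE_OPENSSL = Xyes; then
++ # To change chassis name we need to change certificate with matching CN
++ ovs-vsctl set-ssl \
++ $PKIDIR/testpki-${sysid}-privkey.pem \
++ $PKIDIR/testpki-${sysid}-cert.pem \
++ $PKIDIR/testpki-cacert.pem
++ # force reconnect which makes OVN controller read the new certificates
++ # TODO implement check for change of certificates in ovn-controller
++ # and remove this workaround.
++ ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=unix:/dev/null
++fi
++ovs-vsctl -- set Open_vSwitch . external-ids:hostname="${sysid}" \
++ -- set Open_vSwitch . external-ids:system-id="${sysid}" \
++ -- set Open_vSwitch . external-ids:ovn-remote="${current_remote}"
+
+ OVS_WAIT_UNTIL([
+ grep -q 'Transaction causes multiple rows in \\"Encap\\" table to have identical values (geneve and \\"192.168.0.1\\") for index on columns \\"type\\" and \\"ip\\".' hv/ovn-controller.log
+@@ -216,12 +241,14 @@ as ovn-sb
+ OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+ AT_CLEANUP
++])
+
+ # Checks that ovn-controller correctly maintains the mapping from the Encap
+ # table in the Southbound database to OVS in the face of changes on both sides
++OVN_FOR_EACH_NORTHD([
+ AT_SETUP([ovn-controller - change Encap properties])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+
+ net_add n1
+ sim_add hv
+@@ -271,11 +298,13 @@ as ovn-sb
+ OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+ AT_CLEANUP
++])
+
+ # Check ovn-controller connection status to Southbound database
++OVN_FOR_EACH_NORTHD([
+ AT_SETUP([ovn-controller - check sbdb connection])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+
+ net_add n1
+ sim_add hv
+@@ -305,11 +334,13 @@ as ovn-sb
+ OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+ AT_CLEANUP
++])
+
+ # Checks that ovn-controller recreates its chassis record when deleted externally.
++OVN_FOR_EACH_NORTHD([
+ AT_SETUP([ovn-controller - Chassis self record])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+
+ net_add n1
+ sim_add hv
+@@ -360,8 +391,10 @@ OVS_WAIT_UNTIL([test x0 = x`ovn-sbctl --columns nb_cfg --bare find chassis`])
+
+ OVN_CLEANUP([hv])
+ AT_CLEANUP
++])
+
+ # Test unix command: debug/delay-nb-cfg-report
++OVN_FOR_EACH_NORTHD([
+ AT_SETUP([ovn-controller - debug/delay-nb-cfg-report])
+ AT_KEYWORDS([ovn])
+ ovn_start
+@@ -393,7 +426,9 @@ AT_CHECK([ovn-nbctl --timeout=1 --wait=hv sync])
+
+ OVN_CLEANUP([hv])
+ AT_CLEANUP
++])
+
++OVN_FOR_EACH_NORTHD([
+ AT_SETUP([ovn -- nb_cfg sync to OVS])
+ ovn_start
+
+@@ -414,3 +449,23 @@ OVS_WAIT_UNTIL([ovs-vsctl get Bridge br-int external_ids:ovn-nb-cfg], [0], [1])
+
+ OVN_CLEANUP([hv1])
+ AT_CLEANUP
++])
++
++OVN_FOR_EACH_NORTHD([
++AT_SETUP([ovn -- features])
++AT_KEYWORDS([features])
++ovn_start
++
++net_add n1
++sim_add hv1
++ovs-vsctl add-br br-phys
++ovn_attach n1 br-phys 192.168.0.1
++
++# Wait for ovn-controller to register in the SB.
++OVS_WAIT_UNTIL([
++ test "$(ovn-sbctl get chassis hv1 other_config:port-up-notif)" = '"true"'
++])
++
++OVN_CLEANUP([hv1])
++AT_CLEANUP
++])
+--
+2.32.0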
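Review bot: The `ovn -- features` test added at the end of `tests/ovn-controller.at` is wholly new to this tree and its success condition, `test "$(ovn-sbctl get chassis hv1 other_config:port-up-notif)" = '"true"'`, only holds if the 20.12 ovn-controller in this package advertises `port-up-notif` in its Chassis `other_config`; if it does not, the `OVS_WAIT_UNTIL` simply times out, so please confirm the feature exists in this branch before landing (the other hunks only wrap existing tests in `OVN_FOR_EACH_NORTHD`). The same test also runs `ovs-vsctl add-br br-phys` straight after `sim_add hv1` with no `as hv1`, whereas every existing test in the hunks above follows `sim_add hv` with `as hv`; unless `sim_add` switches the sandbox itself (its body is not in this patch), the bridge is created in the wrong sandbox and `ovn_attach` presumably fails. Adding `as hv1` between those two lines would match the surrounding tests.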
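--- /dev/null
+++ b/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch
@@ -0,0 +1,145 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/96959e56d634c8d888af9e3ee340602593c7e4fa
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1943266
+Last-Update: 2021-10-01
+
+From 1cdc8ce5b4373b2169129f53e4a060b75522b286 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Tue, 4 May 2021 19:59:00 +0200
+Subject: [PATCH 2/2] physical: do not forward traffic from localport to a
+ localnet one
+
+Since the localnet port is available on each hv, do not forward traffic
+to the localnet port if it is present in order to avoid switch fdb
+misconfiguration.
+Related bz: https://bugzilla.redhat.com/show_bug.cgi?id=1942877
+
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Acked-by: Mark Michelson
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit 96959e56d634c8d888af9e3ee340602593c7e4fa)
+---
+ controller/physical.c | 23 +++++++++++++++++++++++
+ include/ovn/logical-fields.h | 13 +++++++++++++
+ tests/ovn.at | 17 +++++++++++++++++
+ 3 files changed, 53 insertions(+)
+
+diff --git a/controller/physical.c b/controller/physical.c
+index fa5d0d692..f41010a2b 100644
+--- a/controller/physical.c
++++ b/controller/physical.c
+@@ -1160,6 +1160,11 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name,
+
+ load_logical_ingress_metadata(binding, &zone_ids, ofpacts_p);
+
++ if (!strcmp(binding->type, "localport")) {
++ /* mark the packet as incoming from a localport */
++ put_load(1, MFF_LOG_FLAGS, MLF_LOCALPORT_BIT, 1, ofpacts_p);
++ }
++
+ /* Resubmit to first logical ingress pipeline table. */
+ put_resubmit(OFTABLE_LOG_INGRESS_PIPELINE, ofpacts_p);
+ ofctrl_add_flow(flow_table, OFTABLE_PHY_TO_LOG,
+@@ -1219,6 +1224,24 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name,
+ ofport, flow_table);
+ }
+
++ /* Table 39, priority 160.
++ * =======================
++ *
++ * Do not forward local traffic from a localport to a localnet port.
++ */
++ if (!strcmp(binding->type, "localnet")) {
++ /* do not forward traffic from localport to localnet port */
++ match_init_catchall(&match);
++ ofpbuf_clear(ofpacts_p);
++ match_set_metadata(&match, htonll(dp_key));
++ match_set_reg(&match, MFF_LOG_OUTPORT - MFF_REG0, port_key);
++ match_set_reg_masked(&match, MFF_LOG_FLAGS - MFF_REG0,
++ MLF_LOCALPORT, MLF_LOCALPORT);
++ ofctrl_add_flow(flow_table, OFTABLE_CHECK_LOOPBACK, 160,
++ binding->header_.uuid.parts[0], &match,
++ ofpacts_p, &binding->header_.uuid);
++ }
++
+ } else if (!tun && !is_ha_remote) {
+ /* Remote port connected by localnet port */
+ /* Table 33, priority 100.
+diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h
+index aee474856..ebc4d82e3 100644
+--- a/include/ovn/logical-fields.h
++++ b/include/ovn/logical-fields.h
+@@ -59,6 +59,9 @@ enum mff_log_flags_bits {
+ MLF_NESTED_CONTAINER_BIT = 5,
+ MLF_LOOKUP_MAC_BIT = 6,
+ MLF_LOOKUP_LB_HAIRPIN_BIT = 7,
++ MLF_LOOKUP_FDB_BIT = 8,
++ MLF_SKIP_SNAT_FOR_LB_BIT = 9,
++ MLF_LOCALPORT_BIT = 10,
+ };
+
+ /* MFF_LOG_FLAGS_REG flag assignments */
+@@ -92,6 +95,16 @@ enum mff_log_flags {
+ MLF_LOOKUP_MAC = (1 << MLF_LOOKUP_MAC_BIT),
+
+ MLF_LOOKUP_LB_HAIRPIN = (1 << MLF_LOOKUP_LB_HAIRPIN_BIT),
++
++ /* Indicate that the lookup in the fdb table was successful. */
++ MLF_LOOKUP_FDB = (1 << MLF_LOOKUP_FDB_BIT),
++
++ /* Indicate that a packet must not SNAT in the gateway router when
++ * load-balancing has taken place. */
++ MLF_SKIP_SNAT_FOR_LB = (1 << MLF_SKIP_SNAT_FOR_LB_BIT),
++
++ /* Indicate the packet has been received from a localport */
++ MLF_LOCALPORT = (1 << MLF_LOCALPORT_BIT),
+ };
+
+ /* OVN logical fields
+diff --git a/tests/ovn.at b/tests/ovn.at
+index ce5e9fded..914f9b949 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -11490,10 +11490,17 @@ AT_CLEANUP
+ AT_SETUP([ovn -- localport suppress gARP])
+ ovn_start
+
++send_garp() {
++ local inport=$1 eth_src=$2 eth_dst=$3 spa=$4 tpa=$5
++ local request=${eth_dst}${eth_src}08060001080006040001${eth_src}${spa}${eth_dst}${tpa}
++ as hv1 ovs-appctl netdev-dummy/receive vif$inport $request
++}
++
+ net_add n1
+ sim_add hv1
+ as hv1
+ check ovs-vsctl add-br br-phys
++ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
+ ovn_attach n1 br-phys 192.168.0.1
+
+ check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
+@@ -11504,6 +11511,7 @@ check ovn-nbctl ls-add ls \
+ -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \
+ -- lsp-add ls ln \
+ -- lsp-set-type ln localnet \
++ -- lsp-set-addresses ln unknown \
+ -- lsp-set-options ln network_name=phys \
+ -- lsp-add ls lsp \
+ -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2"
+@@ -11537,6 +11545,15 @@ AT_CHECK([
+ test 0 -eq $pkts
+ ])
+
++spa=$(ip_to_hex 10 0 0 1)
++tpa=$(ip_to_hex 10 0 0 100)
++send_garp 1 000000000001 ffffffffffff $spa $tpa
++
++dnl traffic from localport should not be sent to localnet
++AT_CHECK([tcpdump -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl
++0
++],[ignore])
++
+ OVN_CLEANUP([hv1])
+ AT_CLEANUP
+
+--
+2.32.0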
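Review bot: The include/ovn/logical-fields.h hunk carries more than this fix: MLF_LOOKUP_FDB_BIT = 8 and MLF_SKIP_SNAT_FOR_LB_BIT = 9, with their MLF_LOOKUP_FDB and MLF_SKIP_SNAT_FOR_LB masks, are added next to MLF_LOCALPORT_BIT = 10, and because the patch itself introduces them nothing in the target tree can reference them, so they appear to be dead definitions kept only so that MLF_LOCALPORT_BIT retains upstream's bit value (both enums start outside the hunk). Keeping the upstream value is defensible, since a flag bit that differs from upstream makes flow dumps harder to compare and later backports more error-prone, but the deviation from a plain cherry-pick should be stated in the DEP-3 header rather than left for the next maintainer to rediscover, e.g. a line after `Last-Update:` such as `Also carries MLF_LOOKUP_FDB_BIT/MLF_SKIP_SNAT_FOR_LB_BIT (unused here) so MLF_LOCALPORT_BIT keeps upstream's value 10.`. Separately, the tests/ovn.at hunk adds an unchecked `ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys` before ovn_attach while the existing checked `check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys` two lines below is kept, so the mapping is set twice; if the earlier placement is what ovn_attach needs, the surviving line should be the early one and should use `check`.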
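--- /dev/null
+++ b/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch
@@ -0,0 +1,111 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/578238b36073256c524a4c2b6ed7521f73aa0019
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1943266
+Last-Update: 2021-10-01
+
+From aefe7053eb3d9750d552eb342caed9faaaf9365a Mon Sep 17 00:00:00 2001
+From: Daniel Alvarez Sanchez <dalvarez@redhat.com>
+Date: Wed, 24 Mar 2021 18:23:47 +0100
+Subject: [PATCH 1/2] pinctrl: Don't send gARPs for localports
+
+Ports of type 'localport' are present on every hypervisor and
+ovn-controller is sending gARPs for them which makes upstream
+switches to see its MAC address flapping.
+
+In order to avoid this behavior, the current patch is skipping
+localports when sending gARP/RARP packets.
+
+Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1939470
+
+Signed-off-by: Daniel Alvarez Sanchez <dalvarez@redhat.com>
+Co-authored-by: Dumitru Ceara <dceara@redhat.com>
+Signed-off-by: Dumitru Ceara <dceara@redhat.com>
+Signed-off-by: Numan Siddique <numans@ovn.org>
+(cherry picked from commit 578238b36073256c524a4c2b6ed7521f73aa0019)
+---
+ controller/pinctrl.c | 6 +++++
+ tests/ovn.at | 53 ++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+)
+
+diff --git a/controller/pinctrl.c b/controller/pinctrl.c
+index 7e3abf0a4..f20c24f0e 100644
+--- a/controller/pinctrl.c
++++ b/controller/pinctrl.c
+@@ -4102,6 +4102,12 @@ send_garp_rarp_update(struct ovsdb_idl_txn *ovnsb_idl_txn,
+ struct shash *nat_addresses)
+ {
+ volatile struct garp_rarp_data *garp_rarp = NULL;
++
++ /* Skip localports as they don't need to be announced */
++ if (!strcmp(binding_rec->type, "localport")) {
++ return;
++ }
++
+ /* Update GARP for NAT IP if it exists. Consider port bindings with type
+ * "l3gateway" for logical switch ports attached to gateway routers, and
+ * port bindings with type "patch" for logical switch ports attached to
+diff --git a/tests/ovn.at b/tests/ovn.at
+index 9dcb0772e..ce5e9fded 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -11487,6 +11487,59 @@ OVN_CLEANUP([hv1],[hv2])
+
+ AT_CLEANUP
+
++AT_SETUP([ovn -- localport suppress gARP])
++ovn_start
++
++net_add n1
++sim_add hv1
++as hv1
++check ovs-vsctl add-br br-phys
++ovn_attach n1 br-phys 192.168.0.1
++
++check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
++
++check ovn-nbctl ls-add ls \
++ -- lsp-add ls lp \
++ -- lsp-set-type lp localport \
++ -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \
++ -- lsp-add ls ln \
++ -- lsp-set-type ln localnet \
++ -- lsp-set-options ln network_name=phys \
++ -- lsp-add ls lsp \
++ -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2"
++
++dnl First bind the localport.
++check ovs-vsctl add-port br-int vif1 \
++ -- set Interface vif1 external-ids:iface-id=lp
++check ovn-nbctl --wait=hv sync
++
++dnl Then bind the regular vif.
++check ovs-vsctl add-port br-int vif2 \
++ -- set Interface vif2 external-ids:iface-id=lsp \
++ options:tx_pcap=hv1/vif2-tx.pcap \
++ options:rxq_pcap=hv1/vif2-rx.pcap
++
++wait_row_count nb:Logical_Switch_Port 1 name=lsp up=true
++check ovn-nbctl --wait=hv sync
++
++dnl Wait for at least two gARPs from lsp (10.0.0.2).
++lsp_garp=ffffffffffff000000000002080600010800060400010000000000020a0000020000000000000a000002
++OVS_WAIT_UNTIL([
++ garps=`$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv1/br-phys-tx.pcap | grep ${lsp_garp} -c`
++ test $garps -ge 2
++])
++
++dnl At this point it's safe to assume that ovn-controller skipped sending gARP
++dnl for the localport. Check that there are no other packets than the gARPs
++dnl for the regular vif.
++AT_CHECK([
++ pkts=`$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv1/br-phys-tx.pcap | grep -v ${lsp_garp} -c`
++ test 0 -eq $pkts
++])
++
++OVN_CLEANUP([hv1])
++AT_CLEANUP
++
+ AT_SETUP([ovn -- 1 LR with HA distributed router gateway port])
+ ovn_start
+
+--
+2.32.0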
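--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,11 @@
 lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
 lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
 lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
+lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
+lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
+lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
+lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
+lp-1914988-tests-Make-certificate-generation-extendable.patch
+lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
+lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch
+lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch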
