Merge ~fnordahl/ubuntu/+source/ovn:bug/1914988-hirsute into ~ubuntu-server-dev/ubuntu/+source/ovn:ubuntu/hirsute
Status: Needs review
Proposed branch: ~fnordahl/ubuntu/+source/ovn:bug/1914988-hirsute
Merge into: ~ubuntu-server-dev/ubuntu/+source/ovn:ubuntu/hirsute
Diff against target: 1036 lines (+972/-0), 10 files modified
- debian/changelog (+17/-0)
- debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch (+54/-0)
- debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch (+36/-0)
- debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch (+47/-0)
- debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch (+213/-0)
- debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch (+153/-0)
- debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch (+188/-0)
- debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch (+145/-0)
- debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch (+111/-0)
- debian/patches/series (+8/-0)
Related bugs:
Reviewer: James Page (status: Pending)
Review via email: mp+409496@code.launchpad.net
Commit message
Description of the change
Erlon R. Cruz (sombrafam) wrote:
I've tested the patches on hirsute and they fixed the ARP issues.
Unmerged commits
- 414d998... by Frode Nordahl

Backport fixes
* Backport rollup for SSL+RBAC (LP: #1914988):
  - d/p/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
  - d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
  - d/p/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
  - d/p/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
  - d/p/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
  - d/p/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
  - d/p/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
  - d/p/lp-1914988-tests-Make-certificate-generation-extendable.patch
  - d/p/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
* d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch:
  Do not forward traffic from localport to localnet ports (LP: #1943266).
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog | |||
2 | index e9b9bbf..95ec54f 100644 | |||
3 | --- a/debian/changelog | |||
4 | +++ b/debian/changelog | |||
5 | @@ -1,3 +1,20 @@ | |||
6 | 1 | ovn (20.12.0-0ubuntu4) hirsute; urgency=medium | ||
7 | 2 | |||
8 | 3 | * Backport rollup for SSL+RBAC (LP: #1914988): | ||
9 | 4 | - d/p/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch | ||
10 | 5 | - d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch | ||
11 | 6 | - d/p/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch | ||
12 | 7 | - d/p/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch | ||
13 | 8 | - d/p/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch | ||
14 | 9 | - d/p/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch | ||
15 | 10 | - d/p/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch | ||
16 | 11 | - d/p/lp-1914988-tests-Make-certificate-generation-extendable.patch | ||
17 | 12 | - d/p/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch | ||
18 | 13 | * d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch: | ||
19 | 14 | Do not forward traffic from localport to localnet ports (LP: #1943266). | ||
20 | 15 | |||
21 | 16 | -- Frode Nordahl <frode.nordahl@canonical.com> Fri, 01 Oct 2021 09:42:00 +0200 | ||
22 | 17 | |||
23 | 1 | ovn (20.12.0-0ubuntu3) hirsute; urgency=medium | 18 | ovn (20.12.0-0ubuntu3) hirsute; urgency=medium |
24 | 2 | 19 | ||
25 | 3 | * Cherry-pick fixes from upstream branch-20.12 | 20 | * Cherry-pick fixes from upstream branch-20.12 |
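Review bot: the changelog entry omits d/p/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch, which this merge adds (+111 lines in the file list) but neither bullet mentions; add a line for it under the LP: #1943266 bullet beside the physical-do-not-forward patch so the entry records every patch the upload ships. Conversely, the rollup bullet lists lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch, lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch and lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch, none of which is among the ten files this diff touches; if they already shipped in 20.12.0-0ubuntu3, move them out of the 0ubuntu4 entry or mark them as pre-existing so the entry reflects what actually changes in this upload.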
26 | diff --git a/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch b/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch | |||
27 | 4 | new file mode 100644 | 21 | new file mode 100644 |
28 | index 0000000..f406009 | |||
29 | --- /dev/null | |||
30 | +++ b/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch | |||
31 | @@ -0,0 +1,54 @@ | |||
32 | 1 | Origin: backport, https://github.com/ovn-org/ovn/commit/51f2629cda614d0712ca13f4b51e30c9c2290bc1 | ||
33 | 2 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 | ||
34 | 3 | Last-Update: 2021-10-01 | ||
35 | 4 | |||
36 | 5 | From 23f2c7a18ec1f7690c827ea2adbab00f855c456a Mon Sep 17 00:00:00 2001 | ||
37 | 6 | From: Frode Nordahl <frode.nordahl@canonical.com> | ||
38 | 7 | Date: Fri, 5 Mar 2021 13:16:26 +0100 | ||
39 | 8 | Subject: [PATCH 5/9] northd: Add Controller_Event RBAC rules | ||
40 | 9 | |||
41 | 10 | The use of the Controller_Event table does currently not work | ||
42 | 11 | when RBAC is enabled. | ||
43 | 12 | |||
44 | 13 | Fixes: be1eeb09d ("OVN: introduce Controller_Event table") | ||
45 | 14 | Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> | ||
46 | 15 | Signed-off-by: Numan Siddique <numans@ovn.org> | ||
47 | 16 | (cherry picked from commit 51f2629cda614d0712ca13f4b51e30c9c2290bc1) | ||
48 | 17 | --- | ||
49 | 18 | northd/ovn-northd.c | 14 ++++++++++++++ | ||
50 | 19 | 1 file changed, 14 insertions(+) | ||
51 | 20 | |||
52 | 21 | diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c | ||
53 | 22 | index ad84c52be..4abb0c7ab 100644 | ||
54 | 23 | --- a/northd/ovn-northd.c | ||
55 | 24 | +++ b/northd/ovn-northd.c | ||
56 | 25 | @@ -12687,6 +12687,12 @@ static const char *rbac_encap_auth[] = | ||
57 | 26 | static const char *rbac_encap_update[] = | ||
58 | 27 | {"type", "options", "ip"}; | ||
59 | 28 | |||
60 | 29 | +static const char *rbac_controller_event_auth[] = | ||
61 | 30 | + {""}; | ||
62 | 31 | +static const char *rbac_controller_event_update[] = | ||
63 | 32 | + {"chassis", "event_info", "event_type", "seq_num"}; | ||
64 | 33 | + | ||
65 | 34 | + | ||
66 | 35 | static const char *rbac_port_binding_auth[] = | ||
67 | 36 | {""}; | ||
68 | 37 | static const char *rbac_port_binding_update[] = | ||
69 | 38 | @@ -12731,6 +12737,14 @@ static struct rbac_perm_cfg { | ||
70 | 39 | .update = rbac_chassis_private_update, | ||
71 | 40 | .n_update = ARRAY_SIZE(rbac_chassis_private_update), | ||
72 | 41 | .row = NULL | ||
73 | 42 | + },{ | ||
74 | 43 | + .table = "Controller_Event", | ||
75 | 44 | + .auth = rbac_controller_event_auth, | ||
76 | 45 | + .n_auth = ARRAY_SIZE(rbac_controller_event_auth), | ||
77 | 46 | + .insdel = true, | ||
78 | 47 | + .update = rbac_controller_event_update, | ||
79 | 48 | + .n_update = ARRAY_SIZE(rbac_controller_event_update), | ||
80 | 49 | + .row = NULL | ||
81 | 50 | },{ | ||
82 | 51 | .table = "Encap", | ||
83 | 52 | .auth = rbac_encap_auth, | ||
84 | 53 | -- | ||
85 | 54 | 2.32.0 | ||
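Review bot: rbac_controller_event_auth is {""} and .insdel = true, so the new rule lets any client bound to the ovn-controller role insert, delete and update all four listed columns (chassis included) on every Controller_Event row, not only rows belonging to its own chassis; that is exactly what upstream commit 51f2629c grants and is right for a cherry-pick, but it is a broader grant than the Chassis rule (authorised on name), so a sentence in the merge description would keep readers from assuming per-chassis isolation for events. Minor: the two consecutive added blank lines before rbac_port_binding_auth[] leave a double blank; fine to keep so the patch stays byte-identical to upstream.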
86 | diff --git a/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch b/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch | |||
87 | 0 | new file mode 100644 | 55 | new file mode 100644 |
88 | index 0000000..74bd27a | |||
89 | --- /dev/null | |||
90 | +++ b/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch | |||
91 | @@ -0,0 +1,36 @@ | |||
92 | 1 | Origin: backport, https://github.com/ovn-org/ovn/commit/b865e502293b8504812b062321be442805f46d4a | ||
93 | 2 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 | ||
94 | 3 | Last-Update: 2021-10-01 | ||
95 | 4 | |||
96 | 5 | From 0b44305ea11f5ecf3a5ba43de5f62fd1dcc3f912 Mon Sep 17 00:00:00 2001 | ||
97 | 6 | From: Frode Nordahl <frode.nordahl@canonical.com> | ||
98 | 7 | Date: Fri, 5 Mar 2021 13:16:25 +0100 | ||
99 | 8 | Subject: [PATCH 4/8] northd: Amend Chassis RBAC rules | ||
100 | 9 | |||
101 | 10 | The Transport Zones support does currently not work when RBAC is | ||
102 | 11 | enabled. | ||
103 | 12 | |||
104 | 13 | Fixes: 07d0d258d ("OVN: Add support for Transport Zones") | ||
105 | 14 | Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> | ||
106 | 15 | Signed-off-by: Numan Siddique <numans@ovn.org> | ||
107 | 16 | (cherry picked from commit b865e502293b8504812b062321be442805f46d4a) | ||
108 | 17 | --- | ||
109 | 18 | northd/ovn-northd.c | 2 +- | ||
110 | 19 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
111 | 20 | |||
112 | 21 | diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c | ||
113 | 22 | index 718ed831a..ad84c52be 100644 | ||
114 | 23 | --- a/northd/ovn-northd.c | ||
115 | 24 | +++ b/northd/ovn-northd.c | ||
116 | 25 | @@ -12675,7 +12675,7 @@ static const char *rbac_chassis_auth[] = | ||
117 | 26 | {"name"}; | ||
118 | 27 | static const char *rbac_chassis_update[] = | ||
119 | 28 | {"nb_cfg", "external_ids", "encaps", "vtep_logical_switches", | ||
120 | 29 | - "other_config"}; | ||
121 | 30 | + "other_config", "transport_zones"}; | ||
122 | 31 | |||
123 | 32 | static const char *rbac_chassis_private_auth[] = | ||
124 | 33 | {"name"}; | ||
125 | 34 | -- | ||
126 | 35 | 2.32.0 | ||
127 | 36 | |||
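Review bot: the index line 718ed831a..ad84c52be means this patch must be applied before lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch (index ad84c52be..4abb0c7ab), since it produces the base the other one expects; the changelog already lists them in that order, so please confirm debian/patches/series (+8 lines in this merge, not shown in the preview) keeps the same ordering, otherwise the later patch's hunk at @@ -12687 will not apply cleanly.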
128 | diff --git a/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch b/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch | |||
129 | 0 | new file mode 100644 | 37 | new file mode 100644 |
130 | index 0000000..27cadef | |||
131 | --- /dev/null | |||
132 | +++ b/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch | |||
133 | @@ -0,0 +1,47 @@ | |||
134 | 1 | Origin: backport, https://github.com/ovn-org/ovn/commit/a6008b68bb70e99a9191eb9c6c98532816fa4307 | ||
135 | 2 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 | ||
136 | 3 | Last-Update: 2021-10-01 | ||
137 | 4 | |||
138 | 5 | From d6e9c4f2b74ead49b65a4aedb464a87631d9d329 Mon Sep 17 00:00:00 2001 | ||
139 | 6 | From: Frode Nordahl <frode.nordahl@canonical.com> | ||
140 | 7 | Date: Fri, 5 Mar 2021 13:16:28 +0100 | ||
141 | 8 | Subject: [PATCH 5/8] tests: Amend release stale port binding test for RBAC | ||
142 | 9 | |||
143 | 10 | The current version of the test attempts to simulate chassis | ||
144 | 11 | registration prior to starting `ovn-controller`, however it does | ||
145 | 12 | not set the `hostname` field. | ||
146 | 13 | |||
147 | 14 | The RBAC role for `ovn-controller` does not allow for a chassis to | ||
148 | 15 | change its own name or hostname, which makes sense as this is used | ||
149 | 16 | for authentication. | ||
150 | 17 | |||
151 | 18 | Update the test to set the `hostname` field when simulating chassis | ||
152 | 19 | registration so that `ovn-controller` does not attempt to update it | ||
153 | 20 | and subsequently make the test fail. | ||
154 | 21 | |||
155 | 22 | Fixes b6b3823d4 ("ovn-controller: Fix I-P for SB Port_Binding and OVS Interface") | ||
156 | 23 | |||
157 | 24 | Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> | ||
158 | 25 | Acked-by: Mark Michelson <mmichels@redhat.com> | ||
159 | 26 | Signed-off-by: Numan Siddique <numans@ovn.org> | ||
160 | 27 | (cherry picked from commit b92823f0e94e760c3e4b60ef132b513c3411ed2d) | ||
161 | 28 | --- | ||
162 | 29 | tests/ovn.at | 2 +- | ||
163 | 30 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
164 | 31 | |||
165 | 32 | diff --git a/tests/ovn.at b/tests/ovn.at | ||
166 | 33 | index 2e0bc9c53..aae4c06be 100644 | ||
167 | 34 | --- a/tests/ovn.at | ||
168 | 35 | +++ b/tests/ovn.at | ||
169 | 36 | @@ -20871,7 +20871,7 @@ ovn-nbctl --wait=sb lsp-add ls1 lsp1 | ||
170 | 37 | |||
171 | 38 | # Simulate the fact that lsp1 had been previously bound on hv1. | ||
172 | 39 | ovn-sbctl --id=@e create encap chassis_name=hv1 ip="192.168.0.1" type="geneve" \ | ||
173 | 40 | - -- --id=@c create chassis name=hv1 encaps=@e \ | ||
174 | 41 | + -- --id=@c create chassis hostname=hv1 name=hv1 encaps=@e \ | ||
175 | 42 | -- set Port_Binding lsp1 chassis=@c | ||
176 | 43 | |||
177 | 44 | as hv1 | ||
178 | 45 | -- | ||
179 | 46 | 2.32.0 | ||
180 | 47 | |||
181 | diff --git a/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch b/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch | |||
182 | 0 | new file mode 100644 | 48 | new file mode 100644 |
183 | index 0000000..073b2cb | |||
184 | --- /dev/null | |||
185 | +++ b/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch | |||
186 | @@ -0,0 +1,213 @@ | |||
187 | 1 | Origin: backport, https://github.com/ovn-org/ovn/commit/2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7 | ||
188 | 2 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 | ||
189 | 3 | Last-Update: 2021-10-01 | ||
190 | 4 | |||
191 | 5 | From b05ce42d1a6c4ca468b6a5fd1a16a0f6a5867663 Mon Sep 17 00:00:00 2001 | ||
192 | 6 | From: Frode Nordahl <frode.nordahl@canonical.com> | ||
193 | 7 | Date: Fri, 5 Mar 2021 13:16:30 +0100 | ||
194 | 8 | Subject: [PATCH 2/3] tests: Make certificate generation extendable | ||
195 | 9 | |||
196 | 10 | In preparation for enabling testing with SSL and RBAC enabled by | ||
197 | 11 | default, rework the certificate generation so that we can easily | ||
198 | 12 | add generation of more certificates/CN on demand. | ||
199 | 13 | |||
200 | 14 | A side erffect of the change is a more generic naming scheme for | ||
201 | 15 | the certificate files so the patch also contains an update to | ||
202 | 16 | existing tests so that they use the new filenames. | ||
203 | 17 | |||
204 | 18 | Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> | ||
205 | 19 | Acked-by: Mark Michelson <mmichels@redhat.com> | ||
206 | 20 | Signed-off-by: Numan Siddique <numans@ovn.org> | ||
207 | 21 | (cherry picked from commit 2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7) | ||
208 | 22 | --- | ||
209 | 23 | tests/automake.mk | 48 ++++++++++++++++++++++------------------------- | ||
210 | 24 | tests/ovn.at | 48 +++++++++++++++++++++++------------------------ | ||
211 | 25 | 2 files changed, 46 insertions(+), 50 deletions(-) | ||
212 | 26 | |||
213 | 27 | diff --git a/tests/automake.mk b/tests/automake.mk | ||
214 | 28 | index 9740f085a..6eabb97e6 100644 | ||
215 | 29 | --- a/tests/automake.mk | ||
216 | 30 | +++ b/tests/automake.mk | ||
217 | 31 | @@ -215,39 +215,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage | ||
218 | 32 | FLAKE8_PYFILES += $(CHECK_PYFILES) | ||
219 | 33 | |||
220 | 34 | if HAVE_OPENSSL | ||
221 | 35 | -TESTPKI_FILES = \ | ||
222 | 36 | - tests/testpki-cacert.pem \ | ||
223 | 37 | - tests/testpki-cert.pem \ | ||
224 | 38 | - tests/testpki-privkey.pem \ | ||
225 | 39 | - tests/testpki-req.pem \ | ||
226 | 40 | - tests/testpki-cert2.pem \ | ||
227 | 41 | - tests/testpki-privkey2.pem \ | ||
228 | 42 | - tests/testpki-req2.pem | ||
229 | 43 | +OVS_PKI_DIR = $(CURDIR)/tests/pki | ||
230 | 44 | +TESTPKI_CNS = test test2 | ||
231 | 45 | +TESTPKI_FILES = $(shell \ | ||
232 | 46 | + for cn in $(TESTPKI_CNS); do \ | ||
233 | 47 | + echo tests/testpki-$$cn-cert.pem ; \ | ||
234 | 48 | + echo tests/testpki-$$cn-privkey.pem ; \ | ||
235 | 49 | + echo tests/testpki-$$cn-req.pem ; \ | ||
236 | 50 | + done) | ||
237 | 51 | + | ||
238 | 52 | +tests/testpki-cacert.pem: tests/pki/stamp | ||
239 | 53 | + $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@ | ||
240 | 54 | + | ||
241 | 55 | +$(TESTPKI_FILES): tests/pki/stamp | ||
242 | 56 | + $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@ | ||
243 | 57 | + | ||
244 | 58 | +check_DATA += tests/testpki-cacert.pem | ||
245 | 59 | check_DATA += $(TESTPKI_FILES) | ||
246 | 60 | +CLEANFILES += tests/testpki-cacert.pem | ||
247 | 61 | CLEANFILES += $(TESTPKI_FILES) | ||
248 | 62 | |||
249 | 63 | -tests/testpki-cacert.pem: tests/pki/stamp | ||
250 | 64 | - $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@ | ||
251 | 65 | -tests/testpki-cert.pem: tests/pki/stamp | ||
252 | 66 | - $(AM_V_GEN)cp tests/pki/test-cert.pem $@ | ||
253 | 67 | -tests/testpki-req.pem: tests/pki/stamp | ||
254 | 68 | - $(AM_V_GEN)cp tests/pki/test-req.pem $@ | ||
255 | 69 | -tests/testpki-privkey.pem: tests/pki/stamp | ||
256 | 70 | - $(AM_V_GEN)cp tests/pki/test-privkey.pem $@ | ||
257 | 71 | -tests/testpki-cert2.pem: tests/pki/stamp | ||
258 | 72 | - $(AM_V_GEN)cp tests/pki/test2-cert.pem $@ | ||
259 | 73 | -tests/testpki-req2.pem: tests/pki/stamp | ||
260 | 74 | - $(AM_V_GEN)cp tests/pki/test2-req.pem $@ | ||
261 | 75 | -tests/testpki-privkey2.pem: tests/pki/stamp | ||
262 | 76 | - $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@ | ||
263 | 77 | - | ||
264 | 78 | -OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log | ||
265 | 79 | + | ||
266 | 80 | +OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log | ||
267 | 81 | tests/pki/stamp: | ||
268 | 82 | $(AM_V_at)rm -f tests/pki/stamp | ||
269 | 83 | $(AM_V_at)rm -rf tests/pki | ||
270 | 84 | $(AM_V_GEN)$(OVS_PKI) init && \ | ||
271 | 85 | - $(OVS_PKI) req+sign tests/pki/test && \ | ||
272 | 86 | - $(OVS_PKI) req+sign tests/pki/test2 && \ | ||
273 | 87 | + for cn in $(TESTPKI_CNS); do \ | ||
274 | 88 | + $(OVS_PKI) req+sign tests/pki/$$cn; \ | ||
275 | 89 | + done && \ | ||
276 | 90 | : > tests/pki/stamp | ||
277 | 91 | CLEANFILES += tests/ovs-pki.log | ||
278 | 92 | |||
279 | 93 | diff --git a/tests/ovn.at b/tests/ovn.at | ||
280 | 94 | index 4d9ee1256..6de5a6d3f 100644 | ||
281 | 95 | --- a/tests/ovn.at | ||
282 | 96 | +++ b/tests/ovn.at | ||
283 | 97 | @@ -7701,8 +7701,8 @@ AT_CHECK( | ||
284 | 98 | |||
285 | 99 | start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ | ||
286 | 100 | --remote=db:OVN_Southbound,SB_Global,connections \ | ||
287 | 101 | - --private-key="$PKIDIR/testpki-privkey2.pem" \ | ||
288 | 102 | - --certificate="$PKIDIR/testpki-cert2.pem" \ | ||
289 | 103 | + --private-key="$PKIDIR/testpki-test2-privkey.pem" \ | ||
290 | 104 | + --certificate="$PKIDIR/testpki-test2-cert.pem" \ | ||
291 | 105 | --ca-cert="$PKIDIR/testpki-cacert.pem" \ | ||
292 | 106 | ovn-sb.db | ||
293 | 107 | |||
294 | 108 | @@ -7710,20 +7710,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) | ||
295 | 109 | |||
296 | 110 | # read-only accesses should succeed | ||
297 | 111 | AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ | ||
298 | 112 | - --private-key=$PKIDIR/testpki-privkey.pem \ | ||
299 | 113 | - --certificate=$PKIDIR/testpki-cert.pem \ | ||
300 | 114 | + --private-key=$PKIDIR/testpki-test-privkey.pem \ | ||
301 | 115 | + --certificate=$PKIDIR/testpki-test-cert.pem \ | ||
302 | 116 | --ca-cert=$PKIDIR/testpki-cacert.pem \ | ||
303 | 117 | list SB_Global], [0], [stdout], [ignore]) | ||
304 | 118 | AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ | ||
305 | 119 | - --private-key=$PKIDIR/testpki-privkey.pem \ | ||
306 | 120 | - --certificate=$PKIDIR/testpki-cert.pem \ | ||
307 | 121 | + --private-key=$PKIDIR/testpki-test-privkey.pem \ | ||
308 | 122 | + --certificate=$PKIDIR/testpki-test-cert.pem \ | ||
309 | 123 | --ca-cert=$PKIDIR/testpki-cacert.pem \ | ||
310 | 124 | list Connection], [0], [stdout], [ignore]) | ||
311 | 125 | |||
312 | 126 | # write access should fail | ||
313 | 127 | AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ | ||
314 | 128 | - --private-key=$PKIDIR/testpki-privkey.pem \ | ||
315 | 129 | - --certificate=$PKIDIR/testpki-cert.pem \ | ||
316 | 130 | + --private-key=$PKIDIR/testpki-test-privkey.pem \ | ||
317 | 131 | + --certificate=$PKIDIR/testpki-test-cert.pem \ | ||
318 | 132 | --ca-cert=$PKIDIR/testpki-cacert.pem \ | ||
319 | 133 | chassis-add ch vxlan 1.2.4.8], [1], [ignore], | ||
320 | 134 | [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} | ||
321 | 135 | @@ -7751,8 +7751,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ | ||
322 | 136 | |||
323 | 137 | # Populate SSL configuration entries in nb db | ||
324 | 138 | AT_CHECK( | ||
325 | 139 | - [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \ | ||
326 | 140 | - $PKIDIR/testpki-cert.pem \ | ||
327 | 141 | + [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ | ||
328 | 142 | + $PKIDIR/testpki-test-cert.pem \ | ||
329 | 143 | $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) | ||
330 | 144 | |||
331 | 145 | # Populate a passive SSL connection in nb db | ||
332 | 146 | @@ -7762,20 +7762,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) | ||
333 | 147 | |||
334 | 148 | # Verify SSL connetivity to nb db server | ||
335 | 149 | AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ | ||
336 | 150 | - --private-key=$PKIDIR/testpki-privkey.pem \ | ||
337 | 151 | - --certificate=$PKIDIR/testpki-cert.pem \ | ||
338 | 152 | + --private-key=$PKIDIR/testpki-test-privkey.pem \ | ||
339 | 153 | + --certificate=$PKIDIR/testpki-test-cert.pem \ | ||
340 | 154 | --ca-cert=$PKIDIR/testpki-cacert.pem \ | ||
341 | 155 | list NB_Global], | ||
342 | 156 | [0], [stdout], [ignore]) | ||
343 | 157 | AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ | ||
344 | 158 | - --private-key=$PKIDIR/testpki-privkey.pem \ | ||
345 | 159 | - --certificate=$PKIDIR/testpki-cert.pem \ | ||
346 | 160 | + --private-key=$PKIDIR/testpki-test-privkey.pem \ | ||
347 | 161 | + --certificate=$PKIDIR/testpki-test-cert.pem \ | ||
348 | 162 | --ca-cert=$PKIDIR/testpki-cacert.pem \ | ||
349 | 163 | list Connection], | ||
350 | 164 | [0], [stdout], [ignore]) | ||
351 | 165 | AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ | ||
352 | 166 | - --private-key=$PKIDIR/testpki-privkey.pem \ | ||
353 | 167 | - --certificate=$PKIDIR/testpki-cert.pem \ | ||
354 | 168 | + --private-key=$PKIDIR/testpki-test-privkey.pem \ | ||
355 | 169 | + --certificate=$PKIDIR/testpki-test-cert.pem \ | ||
356 | 170 | --ca-cert=$PKIDIR/testpki-cacert.pem \ | ||
357 | 171 | get-connection], | ||
358 | 172 | [0], [stdout], [ignore]) | ||
359 | 173 | @@ -7802,8 +7802,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ | ||
360 | 174 | |||
361 | 175 | # Populate SSL configuration entries in sb db | ||
362 | 176 | AT_CHECK( | ||
363 | 177 | - [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \ | ||
364 | 178 | - $PKIDIR/testpki-cert.pem \ | ||
365 | 179 | + [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ | ||
366 | 180 | + $PKIDIR/testpki-test-cert.pem \ | ||
367 | 181 | $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) | ||
368 | 182 | |||
369 | 183 | # Populate a passive SSL connection in sb db | ||
370 | 184 | @@ -7813,20 +7813,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) | ||
371 | 185 | |||
372 | 186 | # Verify SSL connetivity to sb db server | ||
373 | 187 | AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ | ||
374 | 188 | - --private-key=$PKIDIR/testpki-privkey.pem \ | ||
375 | 189 | - --certificate=$PKIDIR/testpki-cert.pem \ | ||
376 | 190 | + --private-key=$PKIDIR/testpki-test-privkey.pem \ | ||
377 | 191 | + --certificate=$PKIDIR/testpki-test-cert.pem \ | ||
378 | 192 | --ca-cert=$PKIDIR/testpki-cacert.pem \ | ||
379 | 193 | list SB_Global], | ||
380 | 194 | [0], [stdout], [ignore]) | ||
381 | 195 | AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ | ||
382 | 196 | - --private-key=$PKIDIR/testpki-privkey.pem \ | ||
383 | 197 | - --certificate=$PKIDIR/testpki-cert.pem \ | ||
384 | 198 | + --private-key=$PKIDIR/testpki-test-privkey.pem \ | ||
385 | 199 | + --certificate=$PKIDIR/testpki-test-cert.pem \ | ||
386 | 200 | --ca-cert=$PKIDIR/testpki-cacert.pem \ | ||
387 | 201 | list Connection], | ||
388 | 202 | [0], [stdout], [ignore]) | ||
389 | 203 | AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ | ||
390 | 204 | - --private-key=$PKIDIR/testpki-privkey.pem \ | ||
391 | 205 | - --certificate=$PKIDIR/testpki-cert.pem \ | ||
392 | 206 | + --private-key=$PKIDIR/testpki-test-privkey.pem \ | ||
393 | 207 | + --certificate=$PKIDIR/testpki-test-cert.pem \ | ||
394 | 208 | --ca-cert=$PKIDIR/testpki-cacert.pem \ | ||
395 | 209 | get-connection], | ||
396 | 210 | [0], [stdout], [ignore]) | ||
397 | 211 | -- | ||
398 | 212 | 2.32.0 | ||
399 | 213 | |||
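Review bot: the rewritten tests/pki/stamp rule masks certificate generation failures: `for cn in $(TESTPKI_CNS); do $(OVS_PKI) req+sign tests/pki/$$cn; done && : > tests/pki/stamp` only tests the exit status of the last iteration, whereas the removed lines chained each req+sign with &&, so a failed request for test followed by a successful one for test2 still writes the stamp and the suite fails later with a confusing missing-file error. Suggest `$(OVS_PKI) req+sign tests/pki/$$cn || exit 1; \` inside the loop; the next patch in this series keeps the same loop shape (`$(OVS_PKI) -u req+sign $$cn; \`) and would need the same change. The typos in the upstream message (erffect) and context (connetivity) are upstream text and should stay untouched in a backport.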
400 | diff --git a/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch b/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch | |||
401 | 0 | new file mode 100644 | 214 | new file mode 100644 |
402 | index 0000000..8044734 | |||
403 | --- /dev/null | |||
404 | +++ b/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch | |||
405 | @@ -0,0 +1,153 @@ | |||
406 | 1 | Origin: backport, https://github.com/ovn-org/ovn/commit/c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4 | ||
407 | 2 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 | ||
408 | 3 | Last-Update: 2021-10-01 | ||
409 | 4 | |||
410 | 5 | From ef220e364c01af319eb378a7b6b508cc1a49266a Mon Sep 17 00:00:00 2001 | ||
411 | 6 | From: Frode Nordahl <frode.nordahl@canonical.com> | ||
412 | 7 | Date: Fri, 5 Mar 2021 13:16:31 +0100 | ||
413 | 8 | Subject: [PATCH] tests: Test with SSL and RBAC for controller by default | ||
414 | 9 | |||
415 | 10 | To help ourself to not forget updating RBAC rules when we land | ||
416 | 11 | changes to existing functionality and new features we must enable | ||
417 | 12 | SSL+RBAC on the `ovn-controller` <-> SB DB connection for builds | ||
418 | 13 | with OpenSSL enabled. | ||
419 | 14 | |||
420 | 15 | Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> | ||
421 | 16 | Acked-by: Mark Michelson <mmichels@redhat.com> | ||
422 | 17 | Signed-off-by: Numan Siddique <numans@ovn.org> | ||
423 | 18 | (cherry picked from commit c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4) | ||
424 | 19 | --- | ||
425 | 20 | tests/automake.mk | 9 +++++++-- | ||
426 | 21 | tests/ofproto-macros.at | 12 ++++++++++++ | ||
427 | 22 | tests/ovn-macros.at | 38 ++++++++++++++++++++++++++++++++++++-- | ||
428 | 23 | 3 files changed, 55 insertions(+), 4 deletions(-) | ||
429 | 24 | |||
430 | 25 | diff --git a/tests/automake.mk b/tests/automake.mk | ||
431 | 26 | index 7fab972ab..785a6e5a6 100644 | ||
432 | 27 | --- a/tests/automake.mk | ||
433 | 28 | +++ b/tests/automake.mk | ||
434 | 29 | @@ -220,7 +220,10 @@ FLAKE8_PYFILES += $(CHECK_PYFILES) | ||
435 | 30 | |||
436 | 31 | if HAVE_OPENSSL | ||
437 | 32 | OVS_PKI_DIR = $(CURDIR)/tests/pki | ||
438 | 33 | -TESTPKI_CNS = test test2 | ||
439 | 34 | +# NOTE: Certificate generation has to be done serially, and each one adds a few | ||
440 | 35 | +# seconds to the test run. Please try to re-use one of the many CNs already | ||
441 | 36 | +# used in the existing tests. | ||
442 | 37 | +TESTPKI_CNS = test test2 main hv hv-foo hv1 hv2 hv3 hv4 hv5 hv6 hv7 hv8 hv9 hv10 hv-1 hv-2 hv-10-1 hv-10-2 hv-20-1 hv-20-2 vtep hv_gw pbr-hv gw1 gw2 gw3 gw4 gw5 ext1 | ||
443 | 38 | TESTPKI_FILES = $(shell \ | ||
444 | 39 | for cn in $(TESTPKI_CNS); do \ | ||
445 | 40 | echo tests/testpki-$$cn-cert.pem ; \ | ||
446 | 41 | @@ -245,9 +248,11 @@ tests/pki/stamp: | ||
447 | 42 | $(AM_V_at)rm -f tests/pki/stamp | ||
448 | 43 | $(AM_V_at)rm -rf tests/pki | ||
449 | 44 | $(AM_V_GEN)$(OVS_PKI) init && \ | ||
450 | 45 | + cd tests/pki && \ | ||
451 | 46 | for cn in $(TESTPKI_CNS); do \ | ||
452 | 47 | - $(OVS_PKI) req+sign tests/pki/$$cn; \ | ||
453 | 48 | + $(OVS_PKI) -u req+sign $$cn; \ | ||
454 | 49 | done && \ | ||
455 | 50 | + cd ../../ && \ | ||
456 | 51 | : > tests/pki/stamp | ||
457 | 52 | CLEANFILES += tests/ovs-pki.log | ||
458 | 53 | |||
459 | 54 | diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at | ||
460 | 55 | index dd5d3848d..9e8c4f051 100644 | ||
461 | 56 | --- a/tests/ofproto-macros.at | ||
462 | 57 | +++ b/tests/ofproto-macros.at | ||
463 | 58 | @@ -101,6 +101,7 @@ start_daemon () { | ||
464 | 59 | # | ||
465 | 60 | # sim_add hv0 | ||
466 | 61 | # as hv0 ovs-vsctl add-br br0 | ||
467 | 62 | +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" | ||
468 | 63 | sims= | ||
469 | 64 | sim_add () { | ||
470 | 65 | echo "adding simulator '$1'" | ||
471 | 66 | @@ -123,6 +124,17 @@ sim_add () { | ||
472 | 67 | # Start ovs-vswitchd | ||
473 | 68 | as $1 start_daemon ovs-vswitchd --enable-dummy=system -vvconn -vofproto_dpif -vunixctl | ||
474 | 69 | as $1 ovs-appctl vlog/disable-rate-limit vconn | ||
475 | 70 | + if test X$HAVE_OPENSSL = Xyes; then | ||
476 | 71 | + if test -f $PKIDIR/testpki-$1-privkey.pem; then | ||
477 | 72 | + as $1 ovs-vsctl set-ssl \ | ||
478 | 73 | + $PKIDIR/testpki-$1-privkey.pem \ | ||
479 | 74 | + $PKIDIR/testpki-$1-cert.pem \ | ||
480 | 75 | + $PKIDIR/testpki-cacert.pem \ | ||
481 | 76 | + || return 1 | ||
482 | 77 | + else | ||
483 | 78 | + echo "WARNING: No certificate created for sim '$1', check TESTPKI_CNS variable in tests/automake.mk" | ||
484 | 79 | + fi | ||
485 | 80 | + fi | ||
486 | 81 | } | ||
487 | 82 | |||
488 | 83 | # "as $1" sets the OVS_*DIR environment variables to point to $ovs_base/$1. | ||
489 | 84 | diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at | ||
490 | 85 | index ff71f02d0..902ff1115 100644 | ||
491 | 86 | --- a/tests/ovn-macros.at | ||
492 | 87 | +++ b/tests/ovn-macros.at | ||
493 | 88 | @@ -120,7 +120,18 @@ ovn_init_db () { | ||
494 | 89 | mkdir "$d" || return 1 | ||
495 | 90 | : > "$d"/.$1.db.~lock~ | ||
496 | 91 | as $as_d ovsdb-tool create "$d"/$1.db "$abs_top_srcdir"/$1.ovsschema | ||
497 | 92 | - as $as_d start_daemon ovsdb-server -vjsonrpc --remote=punix:"$d"/$1.sock "$d"/$1.db | ||
498 | 93 | + | ||
499 | 94 | + local remote_in_db= | ||
500 | 95 | + if test X$HAVE_OPENSSL = Xyes -a X"$1" = X"ovn-sb"; then | ||
501 | 96 | + remote_in_db="--remote=db:OVN_Southbound,SB_Global,connections --private-key=$PKIDIR/testpki-test-privkey.pem --certificate=$PKIDIR/testpki-test-cert.pem --ca-cert=$PKIDIR/testpki-cacert.pem" | ||
502 | 97 | + fi | ||
503 | 98 | + | ||
504 | 99 | + as $as_d start_daemon ovsdb-server \ | ||
505 | 100 | + -vjsonrpc \ | ||
506 | 101 | + --remote=punix:"$d"/$1.sock \ | ||
507 | 102 | + $remote_in_db \ | ||
508 | 103 | + "$d"/$1.db | ||
509 | 104 | + | ||
510 | 105 | local var=`echo $1_db | tr a-z- A-Z_` | ||
511 | 106 | AS_VAR_SET([$var], [unix:"$d"/$1.sock]); export $var | ||
512 | 107 | } | ||
513 | 108 | @@ -173,6 +184,24 @@ ovn_start () { | ||
514 | 109 | --ovnnb-db=$ovn_nb_db \ | ||
515 | 110 | --ovnsb-db=$ovn_sb_db | ||
516 | 111 | |||
517 | 112 | + if test X$HAVE_OPENSSL = Xyes; then | ||
518 | 113 | + # Create the SB DB pssl+RBAC connection. Ideally we could pre-create | ||
519 | 114 | + # SB_Global and Connection with ovsdb-tool transact at DB creation | ||
520 | 115 | + # time, but unfortunately that does not work, northd-ddlog will replace | ||
521 | 116 | + # the SB_Global record on startup. | ||
522 | 117 | + ovn-sbctl \ | ||
523 | 118 | + -- --id=@c create connection \ | ||
524 | 119 | + target=\"pssl:0:127.0.0.1\" role=ovn-controller \ | ||
525 | 120 | + -- add SB_Global . connections @c | ||
526 | 121 | + local d=$ovs_base | ||
527 | 122 | + if test -n "$1"; then | ||
528 | 123 | + d=$d/$1 | ||
529 | 124 | + fi | ||
530 | 125 | + PARSE_LISTENING_PORT([$d/ovn-sb/ovsdb-server.log], [TCP_PORT]) | ||
531 | 126 | + var="SSL_OVN_SB_DB" | ||
532 | 127 | + AS_VAR_SET([$var], [ssl:127.0.0.1:$TCP_PORT]); export $var | ||
533 | 128 | + fi | ||
534 | 129 | + | ||
535 | 130 | if test -n "$1"; then | ||
536 | 131 | as_d=$1/ic | ||
537 | 132 | echo "starting ovn-ic" | ||
538 | 133 | @@ -237,11 +266,16 @@ ovn_az_attach() { | ||
539 | 134 | |||
540 | 135 | local ovn_remote | ||
541 | 136 | if test X"$az" = XNONE; then | ||
542 | 137 | - ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock | ||
543 | 138 | + if test X$HAVE_OPENSSL = Xyes; then | ||
544 | 139 | + ovn_remote=$SSL_OVN_SB_DB | ||
545 | 140 | + else | ||
546 | 141 | + ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock | ||
547 | 142 | + fi | ||
548 | 143 | else | ||
549 | 144 | ovn_remote=unix:$ovs_base/$az/ovn-sb/ovn-sb.sock | ||
550 | 145 | fi | ||
551 | 146 | ovs-vsctl \ | ||
552 | 147 | + -- set Open_vSwitch . external-ids:hostname=$sandbox \ | ||
553 | 148 | -- set Open_vSwitch . external-ids:system-id=$sandbox \ | ||
554 | 149 | -- set Open_vSwitch . external-ids:ovn-remote=$ovn_remote \ | ||
555 | 150 | -- set Open_vSwitch . external-ids:ovn-encap-type=$encap \ | ||
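Review bot: only the `az = NONE` branch of ovn_az_attach switches to `$SSL_OVN_SB_DB`; the availability-zone branch keeps `ovn_remote=unix:$ovs_base/$az/ovn-sb/ovn-sb.sock`, so multi-AZ tests still bypass SSL and the ovn-controller RBAC role even with HAVE_OPENSSL=yes. Since `SSL_OVN_SB_DB` is a single exported variable overwritten by each ovn_start call, this may be deliberate, but then a comment next to the `else` should say that AZ tests run without RBAC; otherwise ovn_start should export a per-AZ variable and this branch should use it.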
556 | 151 | -- | ||
557 | 152 | 2.32.0 | ||
558 | 153 | |||
559 | diff --git a/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch b/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch | |||
560 | 0 | new file mode 100644 | 154 | new file mode 100644 |
561 | index 0000000..f57d9f6 | |||
562 | --- /dev/null | |||
563 | +++ b/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch | |||
564 | @@ -0,0 +1,188 @@ | |||
565 | 1 | Origin: backport, https://github.com/ovn-org/ovn/commit/020dab90f725b548a6131c988bd52e96623d3b8f | ||
566 | 2 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 | ||
567 | 3 | Last-Update: 2021-10-01 | ||
568 | 4 | |||
569 | 5 | From cb1560a02e968c84ef8ea1c90f894610f88db8df Mon Sep 17 00:00:00 2001 | ||
570 | 6 | From: Frode Nordahl <frode.nordahl@canonical.com> | ||
571 | 7 | Date: Fri, 5 Mar 2021 13:16:29 +0100 | ||
572 | 8 | Subject: [PATCH] tests: Use ovn_start in tests/ovn-controller.at | ||
573 | 9 | |||
574 | 10 | The current version of the tests only initializes the SB DB and | ||
575 | 11 | instruments it directly. This does not work with SSL+RBAC as | ||
576 | 12 | northd must run to program the RBAC rules into the SB DB. | ||
577 | 13 | |||
578 | 14 | Run tests both for C and ddlog version of northd. | ||
579 | 15 | |||
580 | 16 | Add workaround for ovn-controller not re-reading certificates to | ||
581 | 17 | 'ovn-controller - Chassis other_config' test. | ||
582 | 18 | |||
583 | 19 | Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> | ||
584 | 20 | Acked-by: Mark Michelson <mmichels@redhat.com> | ||
585 | 21 | Signed-off-by: Numan Siddique <numans@ovn.org> | ||
586 | 22 | (cherry picked from commit 020dab90f725b548a6131c988bd52e96623d3b8f) | ||
587 | 23 | --- | ||
588 | 24 | tests/ovn-controller.at | 67 +++++++++++++++++++++++++++++++++++++---- | ||
589 | 25 | 1 file changed, 61 insertions(+), 6 deletions(-) | ||
590 | 26 | |||
591 | 27 | diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at | ||
592 | 28 | index 1b4679963..3e06032ca 100644 | ||
593 | 29 | --- a/tests/ovn-controller.at | ||
594 | 30 | +++ b/tests/ovn-controller.at | ||
595 | 31 | @@ -1,8 +1,9 @@ | ||
596 | 32 | AT_BANNER([ovn-controller]) | ||
597 | 33 | |||
598 | 34 | +OVN_FOR_EACH_NORTHD([ | ||
599 | 35 | AT_SETUP([ovn-controller - ovn-bridge-mappings]) | ||
600 | 36 | AT_KEYWORDS([ovn]) | ||
601 | 37 | -ovn_init_db ovn-sb | ||
602 | 38 | +ovn_start | ||
603 | 39 | net_add n1 | ||
604 | 40 | sim_add hv | ||
605 | 41 | as hv | ||
606 | 42 | @@ -54,6 +55,14 @@ check_bridge_mappings () { | ||
607 | 43 | OVS_WAIT_UNTIL([test x"${local_mappings}" = x$(ovn-sbctl get Chassis ${sysid} other_config:ovn-bridge-mappings | sed -e 's/\"//g')]) | ||
608 | 44 | } | ||
609 | 45 | |||
610 | 46 | +# NOTE: This test originally ran with only the SB-DB and no northd. For the | ||
611 | 47 | +# test to be successfull with SSL+RBAC we need to initially run northd to get | ||
612 | 48 | +# the RBAC rules programmed into the SB-DB. The test instruments the SB-DB | ||
613 | 49 | +# directly and we need to stop northd to avoid overwriting the instrumentation. | ||
614 | 50 | +kill `cat northd/ovn-northd.pid` | ||
615 | 51 | +kill `cat northd-backup/ovn-northd.pid` | ||
616 | 52 | +kill `cat ovn-nb/ovsdb-server.pid` | ||
617 | 53 | + | ||
618 | 54 | # Initially there should be no patch ports. | ||
619 | 55 | check_patches | ||
620 | 56 | |||
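Review bot: the three `kill \`cat .../*.pid\`` lines send SIGTERM and continue immediately, so northd may still be mid-transaction on the SB DB while the test starts instrumenting it, which is exactly the overwrite the comment says it wants to avoid. Wait for the daemons to exit (the same `OVS_APP_EXIT_AND_WAIT` used at the end of this test, or an OVS_WAIT_WHILE on `kill -0`), and run the commands under `check` so a missing pid file fails the test instead of being silently ignored. Minor: "successfull" in the comment should be "successful".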
621 | 57 | @@ -116,12 +125,14 @@ as ovn-sb | ||
622 | 58 | OVS_APP_EXIT_AND_WAIT([ovsdb-server]) | ||
623 | 59 | |||
624 | 60 | AT_CLEANUP | ||
625 | 61 | +]) | ||
626 | 62 | |||
627 | 63 | # Checks that ovn-controller populates datapath-type and iface-types | ||
628 | 64 | # correctly in the Chassis other_config column. | ||
629 | 65 | +OVN_FOR_EACH_NORTHD([ | ||
630 | 66 | AT_SETUP([ovn-controller - Chassis other_config]) | ||
631 | 67 | AT_KEYWORDS([ovn]) | ||
632 | 68 | -ovn_init_db ovn-sb | ||
633 | 69 | +ovn_start | ||
634 | 70 | |||
635 | 71 | net_add n1 | ||
636 | 72 | sim_add hv | ||
637 | 73 | @@ -192,7 +203,21 @@ OVS_WAIT_UNTIL([ | ||
638 | 74 | # chassis_private records. Until that happens ovn-controller fails to | ||
639 | 75 | # create the records due to constraint violation on the Encap table. | ||
640 | 76 | sysid=${sysid}-foo | ||
641 | 77 | -ovs-vsctl set Open_vSwitch . external-ids:system-id="${sysid}" | ||
642 | 78 | +current_remote=`ovs-vsctl get Open_vSwitch . external-ids:ovn-remote` | ||
643 | 79 | +if test X$HAVE_OPENSSL = Xyes; then | ||
644 | 80 | + # To change chassis name we need to change certificate with matching CN | ||
645 | 81 | + ovs-vsctl set-ssl \ | ||
646 | 82 | + $PKIDIR/testpki-${sysid}-privkey.pem \ | ||
647 | 83 | + $PKIDIR/testpki-${sysid}-cert.pem \ | ||
648 | 84 | + $PKIDIR/testpki-cacert.pem | ||
649 | 85 | + # force reconnect which makes OVN controller read the new certificates | ||
650 | 86 | + # TODO implement check for change of certificates in ovn-controller | ||
651 | 87 | + # and remove this workaround. | ||
652 | 88 | + ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=unix:/dev/null | ||
653 | 89 | +fi | ||
654 | 90 | +ovs-vsctl -- set Open_vSwitch . external-ids:hostname="${sysid}" \ | ||
655 | 91 | + -- set Open_vSwitch . external-ids:system-id="${sysid}" \ | ||
656 | 92 | + -- set Open_vSwitch . external-ids:ovn-remote="${current_remote}" | ||
657 | 93 | |||
658 | 94 | OVS_WAIT_UNTIL([ | ||
659 | 95 | grep -q 'Transaction causes multiple rows in \\"Encap\\" table to have identical values (geneve and \\"192.168.0.1\\") for index on columns \\"type\\" and \\"ip\\".' hv/ovn-controller.log | ||
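Review bot: the `ovs-vsctl set-ssl` in the HAVE_OPENSSL branch is not run under `check`, and it assumes `$PKIDIR/testpki-${sysid}-privkey.pem` and `-cert.pem` already exist for the renamed chassis `${sysid}-foo`; if the certificate is missing the command fails silently and the test only dies much later in the OVS_WAIT_UNTIL timeout with no hint of the cause. Use `check ovs-vsctl set-ssl ...` (or an explicit `test -f` on the key and cert first). The `ovn-remote=unix:/dev/null` reconnect trick is acknowledged by the TODO, which is fine for a backport; just make sure the TODO carries a reference to the upstream issue so it does not outlive the fix.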
660 | 96 | @@ -216,12 +241,14 @@ as ovn-sb | ||
661 | 97 | OVS_APP_EXIT_AND_WAIT([ovsdb-server]) | ||
662 | 98 | |||
663 | 99 | AT_CLEANUP | ||
664 | 100 | +]) | ||
665 | 101 | |||
666 | 102 | # Checks that ovn-controller correctly maintains the mapping from the Encap | ||
667 | 103 | # table in the Southbound database to OVS in the face of changes on both sides | ||
668 | 104 | +OVN_FOR_EACH_NORTHD([ | ||
669 | 105 | AT_SETUP([ovn-controller - change Encap properties]) | ||
670 | 106 | AT_KEYWORDS([ovn]) | ||
671 | 107 | -ovn_init_db ovn-sb | ||
672 | 108 | +ovn_start | ||
673 | 109 | |||
674 | 110 | net_add n1 | ||
675 | 111 | sim_add hv | ||
676 | 112 | @@ -271,11 +298,13 @@ as ovn-sb | ||
677 | 113 | OVS_APP_EXIT_AND_WAIT([ovsdb-server]) | ||
678 | 114 | |||
679 | 115 | AT_CLEANUP | ||
680 | 116 | +]) | ||
681 | 117 | |||
682 | 118 | # Check ovn-controller connection status to Southbound database | ||
683 | 119 | +OVN_FOR_EACH_NORTHD([ | ||
684 | 120 | AT_SETUP([ovn-controller - check sbdb connection]) | ||
685 | 121 | AT_KEYWORDS([ovn]) | ||
686 | 122 | -ovn_init_db ovn-sb | ||
687 | 123 | +ovn_start | ||
688 | 124 | |||
689 | 125 | net_add n1 | ||
690 | 126 | sim_add hv | ||
691 | 127 | @@ -305,11 +334,13 @@ as ovn-sb | ||
692 | 128 | OVS_APP_EXIT_AND_WAIT([ovsdb-server]) | ||
693 | 129 | |||
694 | 130 | AT_CLEANUP | ||
695 | 131 | +]) | ||
696 | 132 | |||
697 | 133 | # Checks that ovn-controller recreates its chassis record when deleted externally. | ||
698 | 134 | +OVN_FOR_EACH_NORTHD([ | ||
699 | 135 | AT_SETUP([ovn-controller - Chassis self record]) | ||
700 | 136 | AT_KEYWORDS([ovn]) | ||
701 | 137 | -ovn_init_db ovn-sb | ||
702 | 138 | +ovn_start | ||
703 | 139 | |||
704 | 140 | net_add n1 | ||
705 | 141 | sim_add hv | ||
706 | 142 | @@ -360,8 +391,10 @@ OVS_WAIT_UNTIL([test x0 = x`ovn-sbctl --columns nb_cfg --bare find chassis`]) | ||
707 | 143 | |||
708 | 144 | OVN_CLEANUP([hv]) | ||
709 | 145 | AT_CLEANUP | ||
710 | 146 | +]) | ||
711 | 147 | |||
712 | 148 | # Test unix command: debug/delay-nb-cfg-report | ||
713 | 149 | +OVN_FOR_EACH_NORTHD([ | ||
714 | 150 | AT_SETUP([ovn-controller - debug/delay-nb-cfg-report]) | ||
715 | 151 | AT_KEYWORDS([ovn]) | ||
716 | 152 | ovn_start | ||
717 | 153 | @@ -393,7 +426,9 @@ AT_CHECK([ovn-nbctl --timeout=1 --wait=hv sync]) | ||
718 | 154 | |||
719 | 155 | OVN_CLEANUP([hv]) | ||
720 | 156 | AT_CLEANUP | ||
721 | 157 | +]) | ||
722 | 158 | |||
723 | 159 | +OVN_FOR_EACH_NORTHD([ | ||
724 | 160 | AT_SETUP([ovn -- nb_cfg sync to OVS]) | ||
725 | 161 | ovn_start | ||
726 | 162 | |||
727 | 163 | @@ -414,3 +449,23 @@ OVS_WAIT_UNTIL([ovs-vsctl get Bridge br-int external_ids:ovn-nb-cfg], [0], [1]) | ||
728 | 164 | |||
729 | 165 | OVN_CLEANUP([hv1]) | ||
730 | 166 | AT_CLEANUP | ||
731 | 167 | +]) | ||
732 | 168 | + | ||
733 | 169 | +OVN_FOR_EACH_NORTHD([ | ||
734 | 170 | +AT_SETUP([ovn -- features]) | ||
735 | 171 | +AT_KEYWORDS([features]) | ||
736 | 172 | +ovn_start | ||
737 | 173 | + | ||
738 | 174 | +net_add n1 | ||
739 | 175 | +sim_add hv1 | ||
740 | 176 | +ovs-vsctl add-br br-phys | ||
741 | 177 | +ovn_attach n1 br-phys 192.168.0.1 | ||
742 | 178 | + | ||
743 | 179 | +# Wait for ovn-controller to register in the SB. | ||
744 | 180 | +OVS_WAIT_UNTIL([ | ||
745 | 181 | + test "$(ovn-sbctl get chassis hv1 other_config:port-up-notif)" = '"true"' | ||
746 | 182 | +]) | ||
747 | 183 | + | ||
748 | 184 | +OVN_CLEANUP([hv1]) | ||
749 | 185 | +AT_CLEANUP | ||
750 | 186 | +]) | ||
751 | 187 | -- | ||
752 | 188 | 2.32.0 | ||
753 | diff --git a/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch b/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch | |||
754 | 0 | new file mode 100644 | 189 | new file mode 100644 |
755 | index 0000000..42632d1 | |||
756 | --- /dev/null | |||
757 | +++ b/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch | |||
758 | @@ -0,0 +1,145 @@ | |||
759 | 1 | Origin: backport, https://github.com/ovn-org/ovn/commit/96959e56d634c8d888af9e3ee340602593c7e4fa | ||
760 | 2 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1943266 | ||
761 | 3 | Last-Update: 2021-10-01 | ||
762 | 4 | |||
763 | 5 | From 1cdc8ce5b4373b2169129f53e4a060b75522b286 Mon Sep 17 00:00:00 2001 | ||
764 | 6 | From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> | ||
765 | 7 | Date: Tue, 4 May 2021 19:59:00 +0200 | ||
766 | 8 | Subject: [PATCH 2/2] physical: do not forward traffic from localport to a | ||
767 | 9 | localnet one | ||
768 | 10 | |||
769 | 11 | Since the localnet port is available on each hv, do not forward traffic | ||
770 | 12 | to the localnet port if it is present in order to avoid switch fdb | ||
771 | 13 | misconfiguration. | ||
772 | 14 | Related bz: https://bugzilla.redhat.com/show_bug.cgi?id=1942877 | ||
773 | 15 | |||
774 | 16 | Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> | ||
775 | 17 | Acked-by: Mark Michelson | ||
776 | 18 | Signed-off-by: Numan Siddique <numans@ovn.org> | ||
777 | 19 | (cherry picked from commit 96959e56d634c8d888af9e3ee340602593c7e4fa) | ||
778 | 20 | --- | ||
779 | 21 | controller/physical.c | 23 +++++++++++++++++++++++ | ||
780 | 22 | include/ovn/logical-fields.h | 13 +++++++++++++ | ||
781 | 23 | tests/ovn.at | 17 +++++++++++++++++ | ||
782 | 24 | 3 files changed, 53 insertions(+) | ||
783 | 25 | |||
784 | 26 | diff --git a/controller/physical.c b/controller/physical.c | ||
785 | 27 | index fa5d0d692..f41010a2b 100644 | ||
786 | 28 | --- a/controller/physical.c | ||
787 | 29 | +++ b/controller/physical.c | ||
788 | 30 | @@ -1160,6 +1160,11 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name, | ||
789 | 31 | |||
790 | 32 | load_logical_ingress_metadata(binding, &zone_ids, ofpacts_p); | ||
791 | 33 | |||
792 | 34 | + if (!strcmp(binding->type, "localport")) { | ||
793 | 35 | + /* mark the packet as incoming from a localport */ | ||
794 | 36 | + put_load(1, MFF_LOG_FLAGS, MLF_LOCALPORT_BIT, 1, ofpacts_p); | ||
795 | 37 | + } | ||
796 | 38 | + | ||
797 | 39 | /* Resubmit to first logical ingress pipeline table. */ | ||
798 | 40 | put_resubmit(OFTABLE_LOG_INGRESS_PIPELINE, ofpacts_p); | ||
799 | 41 | ofctrl_add_flow(flow_table, OFTABLE_PHY_TO_LOG, | ||
800 | 42 | @@ -1219,6 +1224,24 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name, | ||
801 | 43 | ofport, flow_table); | ||
802 | 44 | } | ||
803 | 45 | |||
804 | 46 | + /* Table 39, priority 160. | ||
805 | 47 | + * ======================= | ||
806 | 48 | + * | ||
807 | 49 | + * Do not forward local traffic from a localport to a localnet port. | ||
808 | 50 | + */ | ||
809 | 51 | + if (!strcmp(binding->type, "localnet")) { | ||
810 | 52 | + /* do not forward traffic from localport to localnet port */ | ||
811 | 53 | + match_init_catchall(&match); | ||
812 | 54 | + ofpbuf_clear(ofpacts_p); | ||
813 | 55 | + match_set_metadata(&match, htonll(dp_key)); | ||
814 | 56 | + match_set_reg(&match, MFF_LOG_OUTPORT - MFF_REG0, port_key); | ||
815 | 57 | + match_set_reg_masked(&match, MFF_LOG_FLAGS - MFF_REG0, | ||
816 | 58 | + MLF_LOCALPORT, MLF_LOCALPORT); | ||
817 | 59 | + ofctrl_add_flow(flow_table, OFTABLE_CHECK_LOOPBACK, 160, | ||
818 | 60 | + binding->header_.uuid.parts[0], &match, | ||
819 | 61 | + ofpacts_p, &binding->header_.uuid); | ||
820 | 62 | + } | ||
821 | 63 | + | ||
822 | 64 | } else if (!tun && !is_ha_remote) { | ||
823 | 65 | /* Remote port connected by localnet port */ | ||
824 | 66 | /* Table 33, priority 100. | ||
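Review bot: the new comment says "Table 39, priority 160" while the flow is installed in OFTABLE_CHECK_LOOPBACK and the unchanged context immediately below describes local output as "Table 33", i.e. the older table numbering; check the number against the OFTABLE_* values in this tree before merging, since the upstream commit was written against a renumbered table layout and a wrong table number in a comment misleads anyone debugging flows. Also worth a comment: the flow matches `MFF_LOG_OUTPORT == port_key` plus the MLF_LOCALPORT flag and installs an empty action list, so it is a drop, and it applies to all localport-originated traffic bound for the localnet port, including traffic to remote ports that are only reachable via localnet (the `!tun && !is_ha_remote` case right below), which is what the commit message intends but is broader than "local traffic" suggests.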
825 | 67 | diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h | ||
826 | 68 | index aee474856..ebc4d82e3 100644 | ||
827 | 69 | --- a/include/ovn/logical-fields.h | ||
828 | 70 | +++ b/include/ovn/logical-fields.h | ||
829 | 71 | @@ -59,6 +59,9 @@ enum mff_log_flags_bits { | ||
830 | 72 | MLF_NESTED_CONTAINER_BIT = 5, | ||
831 | 73 | MLF_LOOKUP_MAC_BIT = 6, | ||
832 | 74 | MLF_LOOKUP_LB_HAIRPIN_BIT = 7, | ||
833 | 75 | + MLF_LOOKUP_FDB_BIT = 8, | ||
834 | 76 | + MLF_SKIP_SNAT_FOR_LB_BIT = 9, | ||
835 | 77 | + MLF_LOCALPORT_BIT = 10, | ||
836 | 78 | }; | ||
837 | 79 | |||
838 | 80 | /* MFF_LOG_FLAGS_REG flag assignments */ | ||
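Review bot: MLF_LOOKUP_FDB_BIT (8) and MLF_SKIP_SNAT_FOR_LB_BIT (9) are introduced here only so that MLF_LOCALPORT_BIT lands on bit 10 as it does upstream; nothing in this patch uses the FDB or SKIP_SNAT_FOR_LB flags. Keeping the flag register layout aligned with upstream is reasonable for future backports, but it should be stated in the patch header, and the reviewer should confirm that bits 8 and 9 are not already assigned to something else in this tree's logical-fields.h, since a silent collision would make two unrelated flags share a bit.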
839 | 81 | @@ -92,6 +95,16 @@ enum mff_log_flags { | ||
840 | 82 | MLF_LOOKUP_MAC = (1 << MLF_LOOKUP_MAC_BIT), | ||
841 | 83 | |||
842 | 84 | MLF_LOOKUP_LB_HAIRPIN = (1 << MLF_LOOKUP_LB_HAIRPIN_BIT), | ||
843 | 85 | + | ||
844 | 86 | + /* Indicate that the lookup in the fdb table was successful. */ | ||
845 | 87 | + MLF_LOOKUP_FDB = (1 << MLF_LOOKUP_FDB_BIT), | ||
846 | 88 | + | ||
847 | 89 | + /* Indicate that a packet must not SNAT in the gateway router when | ||
848 | 90 | + * load-balancing has taken place. */ | ||
849 | 91 | + MLF_SKIP_SNAT_FOR_LB = (1 << MLF_SKIP_SNAT_FOR_LB_BIT), | ||
850 | 92 | + | ||
851 | 93 | + /* Indicate the packet has been received from a localport */ | ||
852 | 94 | + MLF_LOCALPORT = (1 << MLF_LOCALPORT_BIT), | ||
853 | 95 | }; | ||
854 | 96 | |||
855 | 97 | /* OVN logical fields | ||
856 | 98 | diff --git a/tests/ovn.at b/tests/ovn.at | ||
857 | 99 | index ce5e9fded..914f9b949 100644 | ||
858 | 100 | --- a/tests/ovn.at | ||
859 | 101 | +++ b/tests/ovn.at | ||
860 | 102 | @@ -11490,10 +11490,17 @@ AT_CLEANUP | ||
861 | 103 | AT_SETUP([ovn -- localport suppress gARP]) | ||
862 | 104 | ovn_start | ||
863 | 105 | |||
864 | 106 | +send_garp() { | ||
865 | 107 | + local inport=$1 eth_src=$2 eth_dst=$3 spa=$4 tpa=$5 | ||
866 | 108 | + local request=${eth_dst}${eth_src}08060001080006040001${eth_src}${spa}${eth_dst}${tpa} | ||
867 | 109 | + as hv1 ovs-appctl netdev-dummy/receive vif$inport $request | ||
868 | 110 | +} | ||
869 | 111 | + | ||
870 | 112 | net_add n1 | ||
871 | 113 | sim_add hv1 | ||
872 | 114 | as hv1 | ||
873 | 115 | check ovs-vsctl add-br br-phys | ||
874 | 116 | +ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys | ||
875 | 117 | ovn_attach n1 br-phys 192.168.0.1 | ||
876 | 118 | |||
877 | 119 | check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys | ||
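Review bot: the added unchecked `ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys` before `ovn_attach` duplicates the `check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys` that already follows it. If the mapping has to exist before ovn_attach, move the `check` to the earlier line and delete the later one; keeping both leaves one unverified command and two places to update.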
878 | 120 | @@ -11504,6 +11511,7 @@ check ovn-nbctl ls-add ls \ | ||
879 | 121 | -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \ | ||
880 | 122 | -- lsp-add ls ln \ | ||
881 | 123 | -- lsp-set-type ln localnet \ | ||
882 | 124 | + -- lsp-set-addresses ln unknown \ | ||
883 | 125 | -- lsp-set-options ln network_name=phys \ | ||
884 | 126 | -- lsp-add ls lsp \ | ||
885 | 127 | -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2" | ||
886 | 128 | @@ -11537,6 +11545,15 @@ AT_CHECK([ | ||
887 | 129 | test 0 -eq $pkts | ||
888 | 130 | ]) | ||
889 | 131 | |||
890 | 132 | +spa=$(ip_to_hex 10 0 0 1) | ||
891 | 133 | +tpa=$(ip_to_hex 10 0 0 100) | ||
892 | 134 | +send_garp 1 000000000001 ffffffffffff $spa $tpa | ||
893 | 135 | + | ||
894 | 136 | +dnl traffic from localport should not be sent to localnet | ||
895 | 137 | +AT_CHECK([tcpdump -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl | ||
896 | 138 | +0 | ||
897 | 139 | +],[ignore]) | ||
898 | 140 | + | ||
899 | 141 | OVN_CLEANUP([hv1]) | ||
900 | 142 | AT_CLEANUP | ||
901 | 143 | |||
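Review bot: the negative check `tcpdump -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l` also prints 0 when tcpdump is not installed or the pcap does not exist, because stderr is `ignore`d, so the assertion can pass vacuously. Add a positive control (confirm with the same tool that the packet injected by `send_garp` is seen where it should be) or reuse the `$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in"` approach already used earlier in this test so the check does not depend on an external binary. Minor: `send_garp` runs `ovs-appctl netdev-dummy/receive` without `check`.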
902 | 144 | -- | ||
903 | 145 | 2.32.0 | ||
904 | diff --git a/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch b/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch | |||
905 | 0 | new file mode 100644 | 146 | new file mode 100644 |
906 | index 0000000..8a2de0a | |||
907 | --- /dev/null | |||
908 | +++ b/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch | |||
909 | @@ -0,0 +1,111 @@ | |||
910 | 1 | Origin: backport, https://github.com/ovn-org/ovn/commit/578238b36073256c524a4c2b6ed7521f73aa0019 | ||
911 | 2 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1943266 | ||
912 | 3 | Last-Update: 2021-10-01 | ||
913 | 4 | |||
914 | 5 | From aefe7053eb3d9750d552eb342caed9faaaf9365a Mon Sep 17 00:00:00 2001 | ||
915 | 6 | From: Daniel Alvarez Sanchez <dalvarez@redhat.com> | ||
916 | 7 | Date: Wed, 24 Mar 2021 18:23:47 +0100 | ||
917 | 8 | Subject: [PATCH 1/2] pinctrl: Don't send gARPs for localports | ||
918 | 9 | |||
919 | 10 | Ports of type 'localport' are present on every hypervisor and | ||
920 | 11 | ovn-controller is sending gARPs for them which makes upstream | ||
921 | 12 | switches to see its MAC address flapping. | ||
922 | 13 | |||
923 | 14 | In order to avoid this behavior, the current patch is skipping | ||
924 | 15 | localports when sending gARP/RARP packets. | ||
925 | 16 | |||
926 | 17 | Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1939470 | ||
927 | 18 | |||
928 | 19 | Signed-off-by: Daniel Alvarez Sanchez <dalvarez@redhat.com> | ||
929 | 20 | Co-authored-by: Dumitru Ceara <dceara@redhat.com> | ||
930 | 21 | Signed-off-by: Dumitru Ceara <dceara@redhat.com> | ||
931 | 22 | Signed-off-by: Numan Siddique <numans@ovn.org> | ||
932 | 23 | (cherry picked from commit 578238b36073256c524a4c2b6ed7521f73aa0019) | ||
933 | 24 | --- | ||
934 | 25 | controller/pinctrl.c | 6 +++++ | ||
935 | 26 | tests/ovn.at | 53 ++++++++++++++++++++++++++++++++++++++++++++ | ||
936 | 27 | 2 files changed, 59 insertions(+) | ||
937 | 28 | |||
938 | 29 | diff --git a/controller/pinctrl.c b/controller/pinctrl.c | ||
939 | 30 | index 7e3abf0a4..f20c24f0e 100644 | ||
940 | 31 | --- a/controller/pinctrl.c | ||
941 | 32 | +++ b/controller/pinctrl.c | ||
942 | 33 | @@ -4102,6 +4102,12 @@ send_garp_rarp_update(struct ovsdb_idl_txn *ovnsb_idl_txn, | ||
943 | 34 | struct shash *nat_addresses) | ||
944 | 35 | { | ||
945 | 36 | volatile struct garp_rarp_data *garp_rarp = NULL; | ||
946 | 37 | + | ||
947 | 38 | + /* Skip localports as they don't need to be announced */ | ||
948 | 39 | + if (!strcmp(binding_rec->type, "localport")) { | ||
949 | 40 | + return; | ||
950 | 41 | + } | ||
951 | 42 | + | ||
952 | 43 | /* Update GARP for NAT IP if it exists. Consider port bindings with type | ||
953 | 44 | * "l3gateway" for logical switch ports attached to gateway routers, and | ||
954 | 45 | * port bindings with type "patch" for logical switch ports attached to | ||
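Review bot: the early `return` for `localport` in send_garp_rarp_update happens before any lookup of existing garp/rarp state, so if a port binding's type changes to localport at runtime an entry already registered for it is not touched here; confirm that the stale-entry cleanup elsewhere in pinctrl removes it, otherwise the controller keeps announcing a MAC it now intends to suppress. The comment could also say why localports need no announcement (they exist on every hypervisor, per the commit message), so the intent is clear at the code rather than only in the log.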
955 | 46 | diff --git a/tests/ovn.at b/tests/ovn.at | ||
956 | 47 | index 9dcb0772e..ce5e9fded 100644 | ||
957 | 48 | --- a/tests/ovn.at | ||
958 | 49 | +++ b/tests/ovn.at | ||
959 | 50 | @@ -11487,6 +11487,59 @@ OVN_CLEANUP([hv1],[hv2]) | ||
960 | 51 | |||
961 | 52 | AT_CLEANUP | ||
962 | 53 | |||
963 | 54 | +AT_SETUP([ovn -- localport suppress gARP]) | ||
964 | 55 | +ovn_start | ||
965 | 56 | + | ||
966 | 57 | +net_add n1 | ||
967 | 58 | +sim_add hv1 | ||
968 | 59 | +as hv1 | ||
969 | 60 | +check ovs-vsctl add-br br-phys | ||
970 | 61 | +ovn_attach n1 br-phys 192.168.0.1 | ||
971 | 62 | + | ||
972 | 63 | +check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys | ||
973 | 64 | + | ||
974 | 65 | +check ovn-nbctl ls-add ls \ | ||
975 | 66 | + -- lsp-add ls lp \ | ||
976 | 67 | + -- lsp-set-type lp localport \ | ||
977 | 68 | + -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \ | ||
978 | 69 | + -- lsp-add ls ln \ | ||
979 | 70 | + -- lsp-set-type ln localnet \ | ||
980 | 71 | + -- lsp-set-options ln network_name=phys \ | ||
981 | 72 | + -- lsp-add ls lsp \ | ||
982 | 73 | + -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2" | ||
983 | 74 | + | ||
984 | 75 | +dnl First bind the localport. | ||
985 | 76 | +check ovs-vsctl add-port br-int vif1 \ | ||
986 | 77 | + -- set Interface vif1 external-ids:iface-id=lp | ||
987 | 78 | +check ovn-nbctl --wait=hv sync | ||
988 | 79 | + | ||
989 | 80 | +dnl Then bind the regular vif. | ||
990 | 81 | +check ovs-vsctl add-port br-int vif2 \ | ||
991 | 82 | + -- set Interface vif2 external-ids:iface-id=lsp \ | ||
992 | 83 | + options:tx_pcap=hv1/vif2-tx.pcap \ | ||
993 | 84 | + options:rxq_pcap=hv1/vif2-rx.pcap | ||
994 | 85 | + | ||
995 | 86 | +wait_row_count nb:Logical_Switch_Port 1 name=lsp up=true | ||
996 | 87 | +check ovn-nbctl --wait=hv sync | ||
997 | 88 | + | ||
998 | 89 | +dnl Wait for at least two gARPs from lsp (10.0.0.2). | ||
999 | 90 | +lsp_garp=ffffffffffff000000000002080600010800060400010000000000020a0000020000000000000a000002 | ||
1000 | 91 | +OVS_WAIT_UNTIL([ | ||
1001 | 92 | + garps=`$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv1/br-phys-tx.pcap | grep ${lsp_garp} -c` | ||
1002 | 93 | + test $garps -ge 2 | ||
1003 | 94 | +]) | ||
1004 | 95 | + | ||
1005 | 96 | +dnl At this point it's safe to assume that ovn-controller skipped sending gARP | ||
1006 | 97 | +dnl for the localport. Check that there are no other packets than the gARPs | ||
1007 | 98 | +dnl for the regular vif. | ||
1008 | 99 | +AT_CHECK([ | ||
1009 | 100 | + pkts=`$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv1/br-phys-tx.pcap | grep -v ${lsp_garp} -c` | ||
1010 | 101 | + test 0 -eq $pkts | ||
1011 | 102 | +]) | ||
1012 | 103 | + | ||
1013 | 104 | +OVN_CLEANUP([hv1]) | ||
1014 | 105 | +AT_CLEANUP | ||
1015 | 106 | + | ||
1016 | 107 | AT_SETUP([ovn -- 1 LR with HA distributed router gateway port]) | ||
1017 | 108 | ovn_start | ||
1018 | 109 | |||
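Review bot: `lsp_garp` is a hard-coded hex packet whose fields (dst ff:ff:ff:ff:ff:ff, src 00:00:00:00:00:02, ARP request, sender and target IP 10.0.0.2) mirror the `lsp-set-addresses lsp` line above; a dnl comment decoding it, or a small helper that builds it from the MAC and IP, would keep the test readable and make the localport variant easy to add later. Note also that `grep -v ${lsp_garp} -c` fails the test on any other packet seen on br-phys-tx.pcap, which is the strictness the comment intends, but it should be stated explicitly so a future unrelated packet is not mistaken for a regression of this fix.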
1019 | 110 | -- | ||
1020 | 111 | 2.32.0 | ||
1021 | diff --git a/debian/patches/series b/debian/patches/series | |||
1022 | index c004be5..de78d99 100644 | |||
1023 | --- a/debian/patches/series | |||
1024 | +++ b/debian/patches/series | |||
1025 | @@ -1,3 +1,11 @@ | |||
1026 | 1 | lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch | 1 | lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch |
1027 | 2 | lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch | 2 | lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch |
1028 | 3 | lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch | 3 | lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch |
1029 | 4 | lp-1914988-northd-Amend-Chassis-RBAC-rules.patch | ||
1030 | 5 | lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch | ||
1031 | 6 | lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch | ||
1032 | 7 | lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch | ||
1033 | 8 | lp-1914988-tests-Make-certificate-generation-extendable.patch | ||
1034 | 9 | lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch | ||
1035 | 10 | lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch | ||
1036 | 11 | lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch |
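Review bot: `lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch` is listed before `lp-1914988-tests-Make-certificate-generation-extendable.patch`, yet its HAVE_OPENSSL branch relies on per-chassis `$PKIDIR/testpki-${sysid}-*.pem` certificates for a renamed chassis, which is what the certificate-generation patch provides, and the SSL-by-default patch that creates the pssl+RBAC connection is listed last. Reorder the three test patches to follow the upstream commit order so that every intermediate state of the quilt series has the pieces its tests depend on; `quilt push -a` succeeds either way, but bisecting the series would not.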
Package building here: https://launchpad.net/~fnordahl/+archive/ubuntu/hirsute-rbac-fixes/+packages