On 24/03/2021 11:12, Numan Siddique wrote:
> On Tue, Mar 16, 2021 at 2:32 AM Mark Michelson <[email protected]> wrote:
>>
>> LGTM
>>
>> Acked-by: Mark Michelson <[email protected]>
>
> Thank you Mark G (and Mark M for the reviews).
>
> I applied this patch to master.
>
> Numan
>

Thanks everyone.
>>
>> On 2/16/21 6:55 AM, Mark Gray wrote:
>>> If a chassis has multiple interfaces, 'ovn-encap-ip' can be used
>>> to specify the IP address of the interface that is used for tunnel
>>> traffic. OVN uses that IP address to configure the 'remote_ip' of
>>> a tunnel port. OVS tunnel ports also accept 'options:local_ip', which,
>>> according to the OVS documentation, specifies "the tunnel destination
>>> IP that received packets must match. Default is to match all addresses".
>>> OVN does not set 'local_ip'.
>>>
>>> 'ovs-monitor-ipsec' is an OVS daemon that is used to configure an IPsec
>>> IKE daemon on the host. In order to correctly specify an IPsec
>>> connection, it requires the source and destination IP address of
>>> that connection. In the OVN case, as 'local_ip' is not specified, it
>>> is unable to infer the IP address of both sides of a tunnel and, therefore,
>>> cannot set up an IPsec connection.
>>>
>>> This patch configures 'local_ip' on tunnel ports when IPsec has
>>> been enabled. This allows for OVS/OVN IPsec to work when 'ovn-encap-ip'
>>> is not specified as the chassis default gateway interface.
>>>
>>> This patch also adds some unit tests. The OVS daemon 'ovs-monitor-ipsec'
>>> requires a number of options to be configured on OVS tunnel ports in order
>>> to function correctly. These unit tests ensure that these options are
>>> configured correctly when IPsec has been enabled through the northbound
>>> database.
>>>
>>> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1924041
>>> Signed-off-by: Mark Gray <[email protected]>
>>> ---
>>>
>>> v2: Updated topic filter to "PATCH ovn"
>>> v3: Rebased due to 0-day bot warning
>>>
>>>  controller/chassis.c |   5 +++
>>>  controller/encaps.c  |  26 ++++++++++-
>>>  tests/automake.mk    |   3 +-
>>>  tests/ovn-ipsec.at   | 104 +++++++++++++++++++++++++++++++++++++++++++
>>>  tests/testsuite.at   |   1 +
>>>  5 files changed, 137 insertions(+), 2 deletions(-)
>>>  create mode 100644 tests/ovn-ipsec.at
>>> >>> diff --git a/controller/chassis.c b/controller/chassis.c >>> index 310132d09d2e..9b0a36cf076f 100644 >>> --- a/controller/chassis.c >>> +++ b/controller/chassis.c >>> @@ -279,6 +279,11 @@ chassis_parse_ovs_config(const struct >>> ovsrec_open_vswitch_table *ovs_table, >>> return false; >>> } >>> >>> + /* 'ovn-encap-ip' can accept a comma-delimited list of IP addresses >>> instead >>> + * of a single IP address. Although this is undocumented, it can be >>> used >>> + * to enable certain hardware-offloaded use cases in which a host has >>> + * multiple NICs and is assigning SR-IOV VFs to a guest (as logical >>> ports). >>> + */ >>> if (!chassis_parse_ovs_encap_ip(encap_ips, &ovs_cfg->encap_ip_set)) { >>> sset_destroy(&ovs_cfg->encap_type_set); >>> return false; >>> diff --git a/controller/encaps.c b/controller/encaps.c >>> index 7eac4bb064ac..fc93bf1eeb87 100644 >>> --- a/controller/encaps.c >>> +++ b/controller/encaps.c >>> @@ -59,6 +59,7 @@ struct tunnel_ctx { >>> >>> struct ovsdb_idl_txn *ovs_txn; >>> const struct ovsrec_bridge *br_int; >>> + const struct sbrec_chassis *this_chassis; >>> }; >>> >>> struct chassis_node { 
>>> @@ -176,6 +177,28 @@ tunnel_add(struct tunnel_ctx *tc, const struct >>> sbrec_sb_global *sbg, >>> >>> /* Add auth info if ipsec is enabled. */ >>> if (sbg->ipsec) { >>> + const struct sbrec_chassis *this_chassis = tc->this_chassis; >>> + const char *local_ip = NULL; >>> + >>> + /* Determine 'ovn-encap-ip' of the local chassis as this will be >>> the >>> + * tunnel port's 'local_ip'. We do not support the case in which >>> + * 'ovn-encap-ip' holds multiple comma-delimited IP addresses. >>> + */ >>> + for (int i = 0; i < this_chassis->n_encaps; i++) { >>> + if (local_ip && strcmp(local_ip, this_chassis->encaps[i]->ip)) >>> { >>> + VLOG_ERR("ovn-encap-ip has been configured as a list. This >>> " >>> + "is unsupported for IPsec."); >>> + /* No need to loop further as we know this condition has >>> been >>> + * hit */ >>> + break; >>> + } else { >>> + local_ip = this_chassis->encaps[i]->ip; >>> + } >>> + } >>> + >>> + if (local_ip) { >>> + smap_add(&options, "local_ip", local_ip); >>> + } >>> smap_add(&options, "remote_name", new_chassis_id); >>> } >>> >>> @@ -310,7 +333,8 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, >>> struct tunnel_ctx tc = { >>> .chassis = SHASH_INITIALIZER(&tc.chassis), >>> .port_names = SSET_INITIALIZER(&tc.port_names), >>> - .br_int = br_int >>> + .br_int = br_int, >>> + .this_chassis = this_chassis >>> }; >>> >>> tc.ovs_txn = ovs_idl_txn; >>> diff --git a/tests/automake.mk b/tests/automake.mk >>> index df6d0a2a9074..bef40bde07bb 100644 >>> --- a/tests/automake.mk >>> +++ b/tests/automake.mk >>> @@ -34,7 +34,8 @@ TESTSUITE_AT = \ >>> tests/ovn-performance.at \ >>> tests/ovn-ofctrl-seqno.at \ >>> tests/ovn-ipam.at \ >>> - tests/ovn-lflow-cache.at >>> + tests/ovn-lflow-cache.at \ >>> + tests/ovn-ipsec.at >>> >>> SYSTEM_KMOD_TESTSUITE_AT = \ >>> tests/system-common-macros.at \ >>> diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at >>> new file mode 100644 >>> index 000000000000..887281d5be0e >>> --- /dev/null >>> +++ b/tests/ovn-ipsec.at 
>>> @@ -0,0 +1,104 @@ >>> +AT_BANNER([OVN - IPsec]) >>> + >>> +AT_SETUP([ovn -- ipsec -- basic configuration]) >>> +ovn_start >>> + >>> +# Configure the Northbound database >>> +ovn-nbctl ls-add lsw0 >>> + >>> +ovn-nbctl lsp-add lsw0 lp1 >>> +ovn-nbctl lsp-set-addresses lp1 "f0:00:00:00:00:01 10.1.1.1" >>> + >>> +ovn-nbctl lsp-add lsw0 lp2 >>> +ovn-nbctl lsp-set-addresses lp2 "f0:00:00:00:00:02 10.1.1.2" >>> + >>> +net_add n1 # Network to connect hv1 and hv2 >>> + >>> +# Enable IPsec >>> +ovn-nbctl set nb_global . ipsec=true >>> + >>> +# Create hypervisor hv1 connected to n1 >>> +sim_add hv1 >>> +as hv1 >>> +ovs-vsctl add-br br-phys >>> +ovn_attach n1 br-phys 192.168.0.1 >>> +ovs-vsctl add-port br-int vif1 -- set Interface vif1 >>> external-ids:iface-id=lp1 >>> +ovs-vsctl \ >>> + -- set Open_vSwitch . external-ids:system-id=hv1 \ >>> + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ >>> + -- set Open_vSwitch . external-ids:ovn-encap-ip=192.168.0.1 \ >>> + -- set Open_vSwitch . other_config:certificate=dummy-cert.pem \ >>> + -- set Open_vSwitch . other_config:private_key=dummy-privkey.pem \ >>> + -- set Open_vSwitch . other_config:ca_cert=dummy-cacert.pem >>> + >>> +# Create hypervisor hv2 connected to n1 >>> +sim_add hv2 >>> +as hv2 >>> +ovs-vsctl add-br br-phys >>> +ovn_attach n1 br-phys 192.168.0.2 >>> +ovs-vsctl add-port br-int vif2 -- set Interface vif2 >>> external-ids:iface-id=lp2 >>> +ovs-vsctl \ >>> + -- set Open_vSwitch . external-ids:system-id=hv2 \ >>> + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ >>> + -- set Open_vSwitch . external-ids:ovn-encap-ip=192.168.0.2 \ >>> + -- set Open_vSwitch . other_config:certificate=dummy-cert.pem \ >>> + -- set Open_vSwitch . other_config:private_key=dummy-privkey.pem \ >>> + -- set Open_vSwitch . 
other_config:ca_cert=dummy-cacert.pem >>> + >>> +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_ip | tr >>> -d '"\n'], [0], [192.168.0.1]) >>> +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr >>> -d '"\n'], [0], [192.168.0.2]) >>> +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | >>> tr -d '\n'], [0], [hv1]) >>> +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr >>> -d '"\n'], [0], [192.168.0.2]) >>> +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr >>> -d '"\n'], [0], [192.168.0.1]) >>> +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | >>> tr -d '\n'], [0], [hv2]) >>> + >>> +AT_CLEANUP >>> + >>> +AT_SETUP([ovn -- ipsec -- unsupported multiple ovn-encap-ip values]) >>> +ovn_start >>> + >>> +# Configure the Northbound database >>> +ovn-nbctl ls-add lsw0 >>> + >>> +ovn-nbctl lsp-add lsw0 lp1 >>> +ovn-nbctl lsp-set-addresses lp1 "f0:00:00:00:00:01 10.1.1.1" >>> + >>> +ovn-nbctl lsp-add lsw0 lp2 >>> +ovn-nbctl lsp-set-addresses lp2 "f0:00:00:00:00:02 10.1.1.2" >>> + >>> +net_add n1 # Network to connect hv1 and hv2 >>> + >>> +# Enable IPsec >>> +ovn-nbctl set nb_global . ipsec=true >>> + >>> +# Create hypervisor hv1 connected to n1 >>> +sim_add hv1 >>> +as hv1 >>> +ovs-vsctl add-br br-phys >>> +ovn_attach n1 br-phys 192.168.0.1 >>> +ovs-vsctl add-port br-int vif1 -- set Interface vif1 >>> external-ids:iface-id=lp1 >>> +ovs-vsctl \ >>> + -- set Open_vSwitch . external-ids:system-id=hv1 \ >>> + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ >>> + -- set Open_vSwitch . external-ids:ovn-encap-ip="192.168.0.1, >>> 192.169.0.1" \ >>> + -- set Open_vSwitch . other_config:certificate=dummy-cert.pem \ >>> + -- set Open_vSwitch . other_config:private_key=dummy-privkey.pem \ >>> + -- set Open_vSwitch . 
other_config:ca_cert=dummy-cacert.pem >>> + >>> +# Create hypervisor hv2 connected to n1 >>> +sim_add hv2 >>> +as hv2 >>> +ovs-vsctl add-br br-phys >>> +ovn_attach n1 br-phys 192.168.0.2 >>> +ovs-vsctl add-port br-int vif2 -- set Interface vif2 >>> external-ids:iface-id=lp2 >>> +ovs-vsctl \ >>> + -- set Open_vSwitch . external-ids:system-id=hv2 \ >>> + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ >>> + -- set Open_vSwitch . external-ids:ovn-encap-ip="192.168.0.2, >>> 192.169.0.2" \ >>> + -- set Open_vSwitch . other_config:certificate=dummy-cert.pem \ >>> + -- set Open_vSwitch . other_config:private_key=dummy-privkey.pem \ >>> + -- set Open_vSwitch . other_config:ca_cert=dummy-cacert.pem >>> + >>> +AT_CHECK([grep "ovn-encap-ip has been configured as a list. This is >>> unsupported for IPsec." hv1/ovn-controller.log],[0], ignore) >>> + >>> +AT_CLEANUP >>> \ No newline at end of file >>> diff --git a/tests/testsuite.at b/tests/testsuite.at >>> index 35908ad3f3fe..ddc3f11d6850 100644 >>> --- a/tests/testsuite.at >>> +++ b/tests/testsuite.at >>> @@ -36,3 +36,4 @@ m4_include([tests/ovn-controller.at]) >>> m4_include([tests/ovn-controller-vtep.at]) >>> m4_include([tests/ovn-ic.at]) >>> m4_include([tests/checkpatch.at]) >>> +m4_include([tests/ovn-ipsec.at]) >>> >> >> _______________________________________________ >> dev mailing list >> [email protected] >> https://mail.openvswitch.org/mailman/listinfo/ovs-dev >> > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
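Review bot: the comment added to chassis_parse_ovs_config (controller/chassis.c hunk) describes the comma-delimited form of 'ovn-encap-ip' as undocumented, yet the encaps.c change now makes a behavioural decision on that form (rejecting it for IPsec). A source comment is the wrong place for the only description of an accepted configuration syntax; document the list form, together with the "not supported with IPsec" restriction, in the ovn-controller manpage entry for external_ids:ovn-encap-ip so operators can see why a list is accepted but cannot be combined with nb_global ipsec=true.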
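Review bot: in the tunnel_add loop (controller/encaps.c, second hunk) the list case is detected and logged, but local_ip is left holding encaps[0]->ip, so the following `if (local_ip) { smap_add(&options, "local_ip", local_ip); }` still configures local_ip with the first address on a configuration the log message has just declared unsupported. Either clear it before leaving the loop (`local_ip = NULL; break;`) so the port is left without local_ip exactly as before the patch, or say in both the comment and the log text that the first entry is used; whichever is chosen, the new test for this case should assert it. Two smaller points: VLOG_ERR fires once per remote chassis on every encaps_run pass, so a rate-limited VLOG_ERR_RL with a static `struct vlog_rate_limit` would avoid flooding ovn-controller.log; and `this_chassis->n_encaps` is dereferenced with no NULL check, which is only safe if every caller of encaps_run guarantees a non-NULL this_chassis.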
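Review bot: the second test in tests/ovn-ipsec.at ("unsupported multiple ovn-encap-ip values") only greps ovn-controller.log for the error string and never checks what the tunnel ports end up with, so a regression that set local_ip to the wrong address while still logging would pass. Add AT_CHECK lines on `options:local_ip` for ovn-hv1-0 and ovn-hv2-0 in that test pinning down the intended outcome (absent, or the first address, whichever encaps.c settles on), and since the grep pattern contains a literal '.', use `grep -F` (or escape it) so it is matched as a fixed string. The file also ends without a trailing newline ("\ No newline at end of file"); add one.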
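The commit message above explains which tunnel-port options ovs-monitor-ipsec needs (local_ip, remote_ip, remote_name) and why a comma-delimited 'ovn-encap-ip' cannot yield a single local_ip. The following is an added example, not code from this thread or from the OVN/OVS projects: a small Python audit that parses `ovs-vsctl --columns=name,options list Interface` output, flags OVN tunnel ports missing any of those options, and applies the same single-address rule to the chassis's ovn-encap-ip value. The sample output embedded below is constructed, and all function names are this example's own.

```python
"""Audit an OVN chassis for the tunnel-port options ovs-monitor-ipsec needs.

Added example for this thread; not OVN/OVS project code. The sample output
below is constructed, and the function names are this example's own.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `ovs-vsctl --columns=name,options list Interface`
# output on a chassis with IPsec enabled. ovn-hv3-0 deliberately lacks
# 'local_ip' (the pre-patch behaviour the thread describes).
SAMPLE_LIST_INTERFACE = """\
name                : br-int
options             : {}

name                : ovn-hv1-0
options             : {csum="true", key=flow, local_ip="192.168.0.2", remote_ip="192.168.0.1", remote_name=hv1}

name                : ovn-hv3-0
options             : {csum="true", key=flow, remote_ip="192.168.0.3", remote_name=hv3}

name                : vif2
options             : {}
"""

# One key=value item of an OVSDB map; values are bare atoms or "quoted".
_MAP_ITEM = re.compile(r'(\w+)=("([^"]*)"|[^,}\s]+)')

# Options ovs-monitor-ipsec derives an IPsec connection from (per the thread).
REQUIRED_IPSEC_OPTIONS = ("local_ip", "remote_ip", "remote_name")


def parse_ovsdb_map(text: str) -> Dict[str, str]:
    """Turn '{key=flow, remote_ip="10.0.0.1"}' into a dict, unquoting values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _MAP_ITEM.finditer(text)}


def parse_interfaces(output: str) -> Dict[str, Dict[str, str]]:
    """Map interface name -> options dict from `ovs-vsctl list Interface` text."""
    ifaces: Dict[str, Dict[str, str]] = {}
    current = None
    for line in output.splitlines():
        col, sep, value = line.partition(":")
        if not sep:
            continue  # blank line between records
        col, value = col.strip(), value.strip()
        if col == "name":
            current = value.strip('"')
            ifaces[current] = {}
        elif col == "options" and current is not None:
            ifaces[current] = parse_ovsdb_map(value)
    return ifaces


def audit_tunnels(ifaces: Dict[str, Dict[str, str]]) -> List[str]:
    """Report OVN tunnel ports ('ovn-<chassis>-<n>') missing any IPsec option."""
    findings = []
    for name, opts in sorted(ifaces.items()):
        if not name.startswith("ovn-"):
            continue
        missing = [o for o in REQUIRED_IPSEC_OPTIONS if o not in opts]
        if missing:
            findings.append(f"{name}: missing {', '.join(missing)}")
    return findings


def check_encap_ip(encap_ip: str) -> List[str]:
    """Apply the patch's rule: more than one distinct ovn-encap-ip value
    cannot be reduced to a single local_ip, so IPsec cannot be configured."""
    ips = {p.strip() for p in encap_ip.split(",") if p.strip()}
    if len(ips) > 1:
        return [f"ovn-encap-ip is a list ({encap_ip}); no single local_ip for IPsec"]
    return []


def audit_live_chassis() -> List[str]:
    """Run the same checks against the local chassis (needs ovs-vsctl access)."""
    ifaces = parse_interfaces(subprocess.check_output(
        ["ovs-vsctl", "--columns=name,options", "list", "Interface"], text=True))
    encap_ip = subprocess.check_output(
        ["ovs-vsctl", "get", "Open_vSwitch", ".", "external-ids:ovn-encap-ip"],
        text=True).strip().strip('"')
    return check_encap_ip(encap_ip) + audit_tunnels(ifaces)


if __name__ == "__main__":
    # Offline run over the constructed sample; use audit_live_chassis() on a host.
    for finding in check_encap_ip("192.168.0.2") + audit_tunnels(
            parse_interfaces(SAMPLE_LIST_INTERFACE)):
        print(finding)
```

Run stand-alone, the script reports `ovn-hv3-0: missing local_ip` for the constructed sample; on a chassis that has the patch and a single ovn-encap-ip, `audit_live_chassis()` should return an empty list once IPsec is enabled in the northbound database.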
