On Tue, Jul 22, 2025 at 2:34 PM Xavier Simonart <[email protected]> wrote:

> Test "ovn multinode - Transit Router basic functionality" stops
> ovn-controller, restarts it using local sb, and finally, restarts it
> using ovn-central sb using tcp.
> If the cluster was started with ENABLE_SSL="yes" (e.g. on local laptop),
> then all following tests were failing.
>
> This patch ensures that, by default, multinode tests use same defaults as
> ovn-fake-multinode (i.e. ENABLE_SSL=yes and cert path /opt/ovn).
> It also supports an option ENABLE_SSL=no, in case the ovn-fake-multinode
> was setup w/o SSL.
>
> Fixes: 7c3f7f415f1d ("northd, controller: Flood ARP and NA packet on
> transit router.")
> Signed-off-by: Xavier Simonart <[email protected]>
>

---
>

Hi Xavier,

It seems that the 24.03 cluster is failing with ENABLE_SSL: yes; I have
flipped it during merge. We probably need to investigate this a bit before
we can go with yes in the CI.


> - v2: Updated based on Ales' feedback i.e. use ENABLE_SSL variable, and
>       do not detect certs_path.
> ---
>  .../workflows/ovn-fake-multinode-tests.yml    |  2 +-
>  tests/multinode-macros.at                     | 37 ++++++++++++++++---
>  2 files changed, 33 insertions(+), 6 deletions(-)
>
> diff --git a/.github/workflows/ovn-fake-multinode-tests.yml
> b/.github/workflows/ovn-fake-multinode-tests.yml
> index a2744d085..abbb15631 100644
> --- a/.github/workflows/ovn-fake-multinode-tests.yml
> +++ b/.github/workflows/ovn-fake-multinode-tests.yml
> @@ -101,7 +101,7 @@ jobs:
>        RELAY_IMAGE: "ovn/ovn-multi-node:${{ github.ref_name }}"
>        GW_IMAGE: "ovn/ovn-multi-node:${{ github.ref_name }}"
>        # Disable SSL/TLS for now. Revisit this if required.
> -      ENABLE_SSL: no
> +      ENABLE_SSL: yes
>        CC: gcc
>        OPTS: "--disable-ssl"
>        dependencies: |
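Review bot: The context comment `# Disable SSL/TLS for now. Revisit this if required.` directly above the changed line now contradicts `ENABLE_SSL: yes`, and `OPTS: "--disable-ssl"` two lines below is left unchanged. The comment should describe the new state, for example `# Run the fake-multinode cluster with SSL/TLS; set to "no" for a cluster set up without it.` If OPTS configures the build under test without SSL support, the `ssl:` remotes selected by the macros may not work, so that combination is worth confirming. Since the shell side compares against the literal string `no`, quoting the value as `"yes"` would also rule out any YAML boolean interpretation.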
> diff --git a/tests/multinode-macros.at b/tests/multinode-macros.at
> index 9c23073ef..282f836f7 100644
> --- a/tests/multinode-macros.at
> +++ b/tests/multinode-macros.at
> @@ -88,6 +88,31 @@ check_fake_multinode_setup_by_nodes() {
>          on_exit "m_as $c ovs-ofctl dump-flows br-int > flow-${c}.txt"
>          on_exit "m_as $c ovs-vsctl get open . external_ids >
> extids-${c}.txt"
>      done
> +
> +    # Check $ENABLE_SSL variable, and use SSL if unset (default) or not
> set to "no".
> +    if [[ "$ENABLE_SSL" != "no" ]]; then
> +        REMOTE_PROT=ssl
> +        SSL_CERTS_PATH=/opt/ovn
> +
> CONTROLLER_SSL_ARGS="--ovn-controller-ssl-key=${SSL_CERTS_PATH}/ovn-privkey.pem
> \
> +
>  --ovn-controller-ssl-cert=${SSL_CERTS_PATH}/ovn-cert.pem \
> +
>  --ovn-controller-ssl-ca-cert=${SSL_CERTS_PATH}/pki/switchca/cacert.pem"
> +
> NORTHD_SSL_ARGS="--ovn-nb-db-ssl-key=${SSL_CERTS_PATH}/ovn-privkey.pem \
> +              --ovn-nb-db-ssl-cert=${SSL_CERTS_PATH}/ovn-cert.pem \
> +
> --ovn-nb-db-ssl-ca-cert=${SSL_CERTS_PATH}/pki/switchca/cacert.pem \
> +              --ovn-sb-db-ssl-key=${SSL_CERTS_PATH}/ovn-privkey.pem \
> +              --ovn-sb-db-ssl-cert=${SSL_CERTS_PATH}/ovn-cert.pem \
> +
> --ovn-sb-db-ssl-ca-cert=${SSL_CERTS_PATH}/pki/switchca/cacert.pem \
> +              --ovn-northd-ssl-key=${SSL_CERTS_PATH}/ovn-privkey.pem \
> +              --ovn-northd-ssl-cert=${SSL_CERTS_PATH}/ovn-cert.pem \
> +
> --ovn-northd-ssl-ca-cert=${SSL_CERTS_PATH}/pki/switchca/cacert.pem"
> +    else
> +        REMOTE_PROT=tcp
> +        CONTROLLER_SSL_ARGS=""
> +        NORTHD_SSL_ARGS=""
> +    fi
> +        export CONTROLLER_SSL_ARGS
> +        export NORTHD_SSL_ARGS
> +        export REMOTE_PROT
>  }
>
>  check_fake_multinode_setup() {
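Review bot: The test `[[ "$ENABLE_SSL" != "no" ]]` treats every value except the exact string `no` as a request for SSL, so `No`, `false` or `0` silently select `ssl` and the `/opt/ovn` certificates, and a cluster set up without SSL then fails later rather than at this check. Defaulting to SSL when the variable is unset is the safer choice, but an unrecognised value is better rejected up front, for example with `case "${ENABLE_SSL:-yes}" in yes|no) ;; *) echo "ENABLE_SSL must be yes or no" >&2; exit 1 ;; esac` before the `if` (or whatever fail/skip mechanism the suite prefers). The three `export` lines are indented as if they were still inside the `if`; they belong at the function's four-space level. check_fake_multinode_setup_by_nodes starts outside the hunk.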
> @@ -130,9 +155,10 @@ multinode_setup_northd() {
>
>      multinode_cleanup_northd $c
>
> -    m_as $c /usr/share/ovn/scripts/ovn-ctl start_northd
> -    m_as $c ovn-nbctl set-connection ptcp:6641
> -    m_as $c ovn-sbctl set-connection ptcp:6642
> +    echo "Using ${NORTHD_SSL_ARGS} for northd".
> +    m_as $c /usr/share/ovn/scripts/ovn-ctl start_northd ${NORTHD_SSL_ARGS}
> +    m_as $c ovn-nbctl set-connection p${REMOTE_PROT}:6641
> +    m_as $c ovn-sbctl set-connection p${REMOTE_PROT}:6642
>  }
>
>  # multinode_setup_controller NODE ENCAP_IP REMOTE_IP [ENCAP_TYPE]
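Review bot: `p${REMOTE_PROT}:6641` and `p${REMOTE_PROT}:6642` expand to `p:6641` and `p:6642` when REMOTE_PROT is unset, which appears to be the case if this function runs before check_fake_multinode_setup_by_nodes has exported it; the same applies to `ovn-remote=${REMOTE_PROT}:$remote_ip:6642` in the multinode_setup_controller hunk. Writing `${REMOTE_PROT:?run check_fake_multinode_setup first}` makes that dependency fail loudly instead of configuring a malformed remote. `${NORTHD_SSL_ARGS}` is unquoted on purpose so that it splits into separate options, and a short comment such as `# Unquoted: must word-split into individual ovn-ctl options.` would keep it from being quoted later by mistake. multinode_setup_northd starts outside the hunk.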
> @@ -150,11 +176,12 @@ multinode_setup_controller() {
>      m_as $c sh -c "rm -f /etc/openvswitch/*.db"
>
>      m_as $c /usr/share/openvswitch/scripts/ovs-ctl start --system-id=$c
> -    m_as $c /usr/share/ovn/scripts/ovn-ctl start_controller
> +    echo "Using ${CONTROLLER_SSL_ARGS} for ovn-controller".
> +    m_as $c /usr/share/ovn/scripts/ovn-ctl start_controller
> ${CONTROLLER_SSL_ARGS}
>
>      m_as $c ovs-vsctl set open . external_ids:ovn-encap-ip=$encap_ip
>      m_as $c ovs-vsctl set open . external-ids:ovn-encap-type=$encap_type
> -    m_as $c ovs-vsctl set open .
> external-ids:ovn-remote=tcp:$remote_ip:6642
> +    m_as $c ovs-vsctl set open .
> external-ids:ovn-remote=${REMOTE_PROT}:$remote_ip:6642
>      m_as $c ovs-vsctl set open .
> external-ids:ovn-openflow-probe-interval=60
>      m_as $c ovs-vsctl set open .
> external-ids:ovn-remote-probe-interval=180000
>      m_as $c ovs-vsctl set open .
> external-ids:ovn-bridge-datapath-type=system
> --
> 2.47.1
>
>
Thanks,
Ales