Re: [ovs-dev] [patch_v5 2/3] ovn: Add additional comments regarding arp responders.
On Sun, Oct 23, 2016 at 11:19 AM, Mickey Spiegelwrote: > Acked-by: Mickey Spiegel > > A few very minor nits below. > > On Fri, Oct 21, 2016 at 1:36 PM, Darrell Ball wrote: > >> There has been enough confusion regarding logical switch datapath >> arp responders in ovn to warrant some additional comments; >> hence add a general description regarding why they exist and >> document the special cases. >> >> Signed-off-by: Darrell Ball >> Signed-off-by: Ramu Ramamurthy >> Co-authored-by: Ramu Ramamurthy >> Acked-by: Han Zhou >> --- >> >> v4->v5: Splice in some rewording from review from multiple sources. >> >> v3->v4: Capitalization fixes. >> Reinstate comment regarding L2 learning confusion. >> >> v2->v3: Reword and further elaborate. >> >> v1->v2: Dropped RFC code change for logical switch router >> type ports. >> >> ovn/northd/ovn-northd.8.xml | 67 ++ >> +++ >> 1 file changed, 61 insertions(+), 6 deletions(-) >> >> diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml >> index df53d4c..930ebf4 100644 >> --- a/ovn/northd/ovn-northd.8.xml >> +++ b/ovn/northd/ovn-northd.8.xml 
>> @@ -435,20 +435,75 @@ >> Ingress Table 10: ARP/ND responder >> >> >> - This table implements ARP/ND responder for known IPs. It contains >> these >> - logical flows: >> + This table implements ARP/ND responder in a logical switch for >> known >> + IPs. The advantage of the ARP responder flow is to limit ARP >> + broadcasts by locally responding to ARP requests without the need >> to >> + send to other hypervisors. One common case is when the inport is a >> + logical port associated with a VIF and the broadcast is responded >> to >> + on the local hypervisor rather than broadcast across the whole >> + network and responded to by the destination VM. This behavior is >> + proxy ARP. >> + >> + >> + >> + ARP requests arrive from VMs from a logical switch inport of type >> + default. For this case, the logical switch proxy ARP rules can be >> + for other VMs or logical router ports. Logical switch proxy ARP >> + rules may be programmed both for mac binding of IP addresses on >> + other logical switch VIF ports (which are of the default logical >> + switch port type, representing connectivity to VMs or containers), >> + and for mac binding of IP addresses on logical switch router type >> + ports, representing their logical router port peers. In order to >> + support proxy ARP for logical router ports, an IP address must be >> + configured on the logical switch router type port, with the same >> + value as the peer of the logical router port. The configured MAC >> > > Instead of "peer of the logical router port" (did you mean the logical > router port or the logical switch router type port?), perhaps just > "peer logical router port"? > "peer logical router port" is the intended meaning - good catch. > > >> + addresses must match as well. When a VM sends an ARP request for a >> + distributed logical router port and if the peer router type port >> of >> > > There is an extra space in "peer router". 
> thanks > > >> + the attached logical switch does not have an IP address configured, >> + the ARP request will be broadcast on the logical switch. One of >> the >> + copies of the ARP request will go through the logical switch router >> + type port to the logical router datapath, where the logical router >> ARP >> + responder will generate a reply. The mac binding in a VM for an >> + associated distributed logical router will be used for all >> + communication needing routing, hence the action of a VM re-arping >> for >> + the mac binding of the logical router port should be rare. >> > > There is a context switch going into the last sentence that can be a bit > confusing. How about: > > After the VM learns a MAC binding for an associated distributed logical > router, that MAC binding will be used for all communication needing > routing, hence ... > MAC binding is the subject of the sentence and I prefer the active voice. However, I partially folded in your suggestion: "The MAC binding of a distributed logical router, once learned by an associated VM, is used for all that VM's communication needing routing. Hence, the action of a VM re-arping for the mac binding of the logical router port should be rare." > > >> + >> + >> + >> + Logical switch ARP responder proxy ARP rules can also be hit when >> + receiving ARP requests externally on a L2 gateway port. In this >> case, >> + the hypervisor acting as an L2 gateway, responds to the ARP >> request on >> + behalf of a destination VM.
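Review bot: capitalization is inconsistent inside the added paragraph in ovn-northd.8.xml: it says "The configured MAC addresses must match as well" but then "The mac binding in a VM" and "re-arping for the mac binding of the logical router port", even though the v3->v4 changelog lists capitalization fixes. Use "MAC binding" throughout; the reworded sentence offered in the reply also has it right in its first occurrence ("The MAC binding of a distributed logical router") and wrong in its second ("the mac binding of the logical router port").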
[ovs-dev] [PATCH] datapath-windows: Enable support for tracking ICMP code and type
Add support for tracking ICMP code and Type in the Hyper-V Conntrack module. This code is similar to the userspace connection tracker. Signed-off-by: Sairam Venugopal--- datapath-windows/ovsext/Conntrack-icmp.c | 80 +++ datapath-windows/ovsext/Conntrack-other.c | 15 ++ datapath-windows/ovsext/Conntrack-tcp.c | 25 +- datapath-windows/ovsext/Conntrack.c | 72 +--- datapath-windows/ovsext/Conntrack.h | 24 +- datapath-windows/ovsext/ovsext.vcxproj| 1 + 6 files changed, 185 insertions(+), 32 deletions(-) create mode 100644 datapath-windows/ovsext/Conntrack-icmp.c diff --git a/datapath-windows/ovsext/Conntrack-icmp.c b/datapath-windows/ovsext/Conntrack-icmp.c new file mode 100644 index 000..ffcd2df --- /dev/null +++ b/datapath-windows/ovsext/Conntrack-icmp.c 
@@ -0,0 +1,80 @@ +/* + * Copyright (c) 2016 VMware, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "NetProto.h" +#include "Conntrack.h" +#include + +enum icmp_state { +ICMPS_FIRST, +ICMPS_REPLY, +}; + +struct conn_icmp { +struct OVS_CT_ENTRY up; +enum icmp_state state; +}; + +static const enum ct_timeout icmp_timeouts[] = { +[ICMPS_FIRST] = 60 * CT_INTERVAL_SEC, +[ICMPS_REPLY] = 30 * CT_INTERVAL_SEC, +}; + +static __inline struct conn_icmp * +OvsCastConntrackEntryToIcmpEntry(OVS_CT_ENTRY* conn) +{ +return CONTAINER_OF(conn, struct conn_icmp, up); +} + +enum CT_UPDATE_RES +OvsConntrackUpdateIcmpEntry(OVS_CT_ENTRY* conn_, +BOOLEAN reply, +UINT64 now) +{ +struct conn_icmp *conn = OvsCastConntrackEntryToIcmpEntry(conn_); + +if (reply && conn->state != ICMPS_REPLY) { +conn->state = ICMPS_REPLY; +} + +OvsConntrackUpdateExpiration(>up, now, + icmp_timeouts[conn->state]); + +return CT_UPDATE_VALID; +} + +BOOLEAN +OvsConntrackValidateIcmpPacket(const ICMPHdr *icmp) +{ +return icmp->type == ICMP4_ECHO_REQUEST + || icmp->type == ICMP4_INFO_REQUEST + || icmp->type == ICMP4_TIMESTAMP_REQUEST; +} + +OVS_CT_ENTRY * +OvsConntrackCreateIcmpEntry(UINT64 now) +{ +struct conn_icmp *conn; + +conn = OvsAllocateMemoryWithTag(sizeof(struct conn_icmp), +OVS_CT_POOL_TAG); +conn->state = ICMPS_FIRST; + +OvsConntrackUpdateExpiration(>up, now, + icmp_timeouts[conn->state]); + +return >up; +} 
diff --git a/datapath-windows/ovsext/Conntrack-other.c b/datapath-windows/ovsext/Conntrack-other.c index b853020..6c68ba8 100644 --- a/datapath-windows/ovsext/Conntrack-other.c +++ b/datapath-windows/ovsext/Conntrack-other.c @@ -41,14 +41,7 @@ OvsCastConntrackEntryToOtherEntry(OVS_CT_ENTRY *conn) return CONTAINER_OF(conn, struct conn_other, up); } -static __inline VOID -OvsConntrackUpdateExpiration(struct conn_other *conn, long long now) -{ -ASSERT(conn); -conn->up.expiration = now + other_timeouts[conn->state]; -} - -enum ct_update_res +enum CT_UPDATE_RES OvsConntrackUpdateOtherEntry(OVS_CT_ENTRY *conn_, BOOLEAN reply, UINT64 now) @@ -62,7 +55,8 @@ OvsConntrackUpdateOtherEntry(OVS_CT_ENTRY *conn_, conn->state = OTHERS_MULTIPLE; } -OvsConntrackUpdateExpiration(conn, now); +OvsConntrackUpdateExpiration(>up, now, + other_timeouts[conn->state]); return CT_UPDATE_VALID; } @@ -78,6 +72,7 @@ OvsConntrackCreateOtherEntry(UINT64 now) } conn->up = (OVS_CT_ENTRY) {0}; conn->state = OTHERS_FIRST; -OvsConntrackUpdateExpiration(conn, now); +OvsConntrackUpdateExpiration(>up, now, + other_timeouts[conn->state]); return >up; } diff --git a/datapath-windows/ovsext/Conntrack-tcp.c b/datapath-windows/ovsext/Conntrack-tcp.c index 6adf490..c7fcfa8 100644 --- a/datapath-windows/ovsext/Conntrack-tcp.c +++ b/datapath-windows/ovsext/Conntrack-tcp.c @@ -199,14 +199,6 @@ OvsGetTcpPayloadLength(PNET_BUFFER_LIST nbl) - (sizeof * tcp); } -static __inline void -OvsConntrackUpdateExpiration(struct conn_tcp *conn, - long long now, - long long interval) -{ -conn->up.expiration = now + interval; -} - static __inline struct conn_tcp*
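Review bot: OvsConntrackCreateIcmpEntry() in the new Conntrack-icmp.c dereferences the result of OvsAllocateMemoryWithTag() (`conn->state = ICMPS_FIRST;`) without a NULL check and never zero-initializes conn->up, whereas the Conntrack-other.c hunk in this same patch does `conn->up = (OVS_CT_ENTRY) {0};` after its allocation check. The ICMP path should mirror that and return NULL on allocation failure rather than fault. A short comment on the `icmp_timeouts` table explaining why an exchange that has seen a reply expires after 30 intervals while an unanswered request is kept for 60 would also help readers of this new file.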
Re: [ovs-dev] [PATCH] Add support for specifying SSL connection parameters to ovsdb
Added a 'Signed-off-by' line. Thanks for getting back to me and this being patient while I learned how to use 'git send-email'. I'm glad I could contribute upstream to the project. Cheers, Ethan On Wed, Nov 2, 2016 at 4:19 PM, Ethan Rahnwrote: > > Signed-off-by: Ethan Rahn > --- > AUTHORS | 1 + > lib/automake.mk | 2 + > lib/ssl-connect-syn.man | 5 +++ > lib/ssl-connect.man | 16 +++ > lib/stream-ssl.c | 70 > +++ > lib/stream-ssl.h | 20 - > manpages.mk | 8 > ovn/controller-vtep/ovn-controller-vtep.c | 3 +- > ovn/controller/ovn-controller.c | 3 +- > ovn/northd/ovn-northd.c | 1 + > ovn/utilities/ovn-nbctl.c | 3 +- > ovn/utilities/ovn-sbctl.c | 3 +- > ovn/utilities/ovn-trace.c | 1 + > ovsdb/ovsdb-client.1.in | 3 ++ > ovsdb/ovsdb-client.c | 3 +- > ovsdb/ovsdb-server.1.in | 3 ++ > ovsdb/ovsdb-server.c | 23 -- > tests/ovsdb-server.at | 68 > +- > tests/test-jsonrpc.c | 3 +- > utilities/ovs-ofctl.c | 3 +- > utilities/ovs-testcontroller.c| 3 +- > utilities/ovs-vsctl.c | 3 +- > vswitchd/ovs-vswitchd.c | 1 + > vtep/vtep-ctl.c | 3 +- > 24 files changed, 234 insertions(+), 18 deletions(-) > create mode 100644 lib/ssl-connect-syn.man > create mode 100644 lib/ssl-connect.man > > diff --git a/AUTHORS b/AUTHORS > index c089d59..197142f 100644 > --- a/AUTHORS > +++ b/AUTHORS > @@ -80,6 +80,7 @@ Eitan Eliahuelia...@vmware.com > Eohyung Lee liquidnu...@gmail.com > Eric Sesterhenn eric.sesterh...@lsexperts.de > Ethan J. Jacksone...@eecs.berkeley.edu > +Ethan Rahn er...@arista.com > Eziz Durdyyev ezizdu...@gmail.com > Flavio Fernandesfla...@flaviof.com > Flavio Leitner f...@redhat.com > diff --git a/lib/automake.mk b/lib/automake.mk > index 165e6a8..62bb17b 100644 > --- a/lib/automake.mk > +++ b/lib/automake.mk > @@ -462,6 +462,8 @@ MAN_FRAGMENTS += \ > lib/ssl-peer-ca-cert-syn.man \ > lib/ssl.man \ > lib/ssl-syn.man \ > + lib/ssl-connect.man \ > + lib/ssl-connect-syn.man \ > lib/table.man \ > lib/unixctl.man \ > lib/unixctl-syn.man \ 
> diff --git a/lib/ssl-connect-syn.man b/lib/ssl-connect-syn.man > new file mode 100644 > index 000..0510a59 > --- /dev/null > +++ b/lib/ssl-connect-syn.man > @@ -0,0 +1,5 @@ > +.IP "SSL connection options:" > +[\fB\-\-ssl\-protocols=\fITLSv1,TLSv1.1,TLSv1.2\fR] > +.br > +[\fB\-\-ssl\-ciphers=\fIHIGH:!aNULL:!MD5\fR] > +.br > diff --git a/lib/ssl-connect.man b/lib/ssl-connect.man > new file mode 100644 > index 000..dcc6a79 > --- /dev/null > +++ b/lib/ssl-connect.man > @@ -0,0 +1,16 @@ > +.de IQ > +. br > +. ns > +. IP "\\$1" > +.. > +.IQ "\fB\-\-ssl\-protocols=\fITLSv1,TLSv1.1,TLSv1.2\fR" > +Specifies, in a comma or white-list delimited, list the SSL protocols > \fB\*(PN\fR > +will support for SSL connections. Supported protocols are: TLSv1, TLSv1.1, > +TLSv1.2. Order does not matter, the highest protocol supported by both > sides > +will be choosen when making the connection. > +. > +.IQ "\fB\-\-ssl\-ciphers=\fIHIGH:!aNULL:!MD5\fR" > +Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will > +support for SSL connections. > + > + > diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c > index a5c32a1..87b8de9 100644 > --- a/lib/stream-ssl.c > +++ b/lib/stream-ssl.c > @@ -162,6 +162,8 @@ struct ssl_config_file { > static struct ssl_config_file private_key; > static struct ssl_config_file certificate; > static struct ssl_config_file ca_cert; > +static char *ssl_protocols = "TLSv1,TLSv1.1,TLSv1.2"; > +static char *ssl_ciphers = "HIGH:!aNULL:!MD5"; > > /* Ordinarily, the SSL client and server verify each other's certificates > using > * a CA certificate. Setting this to false disables this behavior. > (This is a > @@ -966,6 +968,7 @@ do_ssl_init(void) > SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_ > CERT, > NULL); > SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); > +SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5"); > > return 0; > } 
> @@ -1114,6 +1117,73 @@ stream_ssl_set_key_and_cert(const char > *private_key_file, > } > } > > +/* Sets SSL ciphers based on string input. Aborts with an error message > + * if 'arg' is invalid. */ > +void > +stream_ssl_set_ciphers(const char *arg) > +{ > +if (ssl_init() || !arg ||
[ovs-dev] [PATCH] Add support for specifying SSL connection parameters to ovsdb
OVSDB currently does not support fine-tuning the SSL parameters used for connections. This means that users are unable to specify not using ciphers widely considered to be unsafe or to avoid using TLS protocols that do not meet their organizational standards.

This adds two new commands "--ssl-protocols" and "--ssl-ciphers" to the ovsdb programs to specify which SSL protocols and ciphers to use. In addition, the default cipher string is set to "HIGH:!aNULL:!MD5". This is the current default for nginx and removes weak ciphers while allowing most services from the last several years to still connect.

The patch was tested by adding new test cases that check that the options can be set and that when incompatible SSL parameters are used it results in a failure to communicate. Additionally, since this adds 2 new files, "make distcheck" was used to verify that this works correctly.

Ethan Rahn (1):
  Add support for specifying SSL connection parameters to ovsdb

 AUTHORS | 1 +
 lib/automake.mk | 2 +
 lib/ssl-connect-syn.man | 5 +++
 lib/ssl-connect.man | 16 +++
 lib/stream-ssl.c | 70 +++
 lib/stream-ssl.h | 20 -
 manpages.mk | 8
 ovn/controller-vtep/ovn-controller-vtep.c | 3 +-
 ovn/controller/ovn-controller.c | 3 +-
 ovn/northd/ovn-northd.c | 1 +
 ovn/utilities/ovn-nbctl.c | 3 +-
 ovn/utilities/ovn-sbctl.c | 3 +-
 ovn/utilities/ovn-trace.c | 1 +
 ovsdb/ovsdb-client.1.in | 3 ++
 ovsdb/ovsdb-client.c | 3 +-
 ovsdb/ovsdb-server.1.in | 3 ++
 ovsdb/ovsdb-server.c | 23 --
 tests/ovsdb-server.at | 68 +-
 tests/test-jsonrpc.c | 3 +-
 utilities/ovs-ofctl.c | 3 +-
 utilities/ovs-testcontroller.c | 3 +-
 utilities/ovs-vsctl.c | 3 +-
 vswitchd/ovs-vswitchd.c | 1 +
 vtep/vtep-ctl.c | 3 +-
 24 files changed, 234 insertions(+), 18 deletions(-)
 create mode 100644 lib/ssl-connect-syn.man
 create mode 100644 lib/ssl-connect.man

--
1.8.1.4
___
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
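As an added illustration of what the two options in this cover letter mean (it is not OVS code and not the patch's stream-ssl.c), the following uses Python's ssl module to apply an --ssl-protocols style list and an --ssl-ciphers style string, and shows the validation such a setter needs: unknown protocol names, a version list with a hole, and a cipher string that selects nothing are all rejected before anything is recorded. The function names, the defaults copied from the patch, and the inputs are all this example's own.

```python
"""Model of --ssl-protocols / --ssl-ciphers using Python's ssl module.
Added example; not OVS code."""
import ssl

# Protocol names the patch accepts, mapped onto the ssl module's enum.
PROTOCOL_NAMES = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"  # default string from the patch
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"         # default string from the patch


def parse_protocols(arg):
    """Split a comma- or whitespace-delimited list (as the man page text
    describes it) into a sorted list of distinct TLSVersion values,
    rejecting unknown names and an empty list."""
    words = arg.replace(",", " ").split()
    if not words:
        raise ValueError("no SSL protocols given")
    unknown = [w for w in words if w not in PROTOCOL_NAMES]
    if unknown:
        raise ValueError("unknown SSL protocol(s): %s" % ", ".join(unknown))
    return sorted({PROTOCOL_NAMES[w] for w in words})


def configure_tls(protocols=DEFAULT_PROTOCOLS, ciphers=DEFAULT_CIPHERS):
    """Return a client SSLContext limited to 'protocols' and 'ciphers'.
    minimum_version/maximum_version can only express a contiguous range,
    so a list with a hole such as "TLSv1,TLSv1.2" is refused rather than
    being silently widened to include TLSv1.1."""
    versions = parse_protocols(protocols)
    ordered = sorted(PROTOCOL_NAMES.values())
    lo, hi = ordered.index(versions[0]), ordered.index(versions[-1])
    if ordered[lo:hi + 1] != versions:
        raise ValueError("protocol list %r is not contiguous" % protocols)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = versions[0]
    ctx.maximum_version = versions[-1]
    # set_ciphers() raises ssl.SSLError when no cipher matches the string,
    # so an invalid string can never become the active list.
    ctx.set_ciphers(ciphers)
    return ctx


def cipher_names(ctx):
    """Names of the cipher suites the context will offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def check_tls_options(protocols, ciphers):
    """Validate an option pair the way a command-line parser would:
    None when acceptable, otherwise the error message to report."""
    try:
        configure_tls(protocols, ciphers)
    except (ValueError, ssl.SSLError) as err:
        return "invalid SSL connection options: %s" % err
    return None


if __name__ == "__main__":
    for opts in [("TLSv1.2", DEFAULT_CIPHERS),
                 ("TLSv1,TLSv1.2", DEFAULT_CIPHERS),   # hole in the range
                 ("TLSv1.2", "NOSUCHCIPHER")]:         # nothing selectable
        print(opts, "->", check_tls_options(*opts) or "ok")
```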
[ovs-dev] [PATCH] Add support for specifying SSL connection parameters to ovsdb
Signed-off-by: Ethan Rahn--- AUTHORS | 1 + lib/automake.mk | 2 + lib/ssl-connect-syn.man | 5 +++ lib/ssl-connect.man | 16 +++ lib/stream-ssl.c | 70 +++ lib/stream-ssl.h | 20 - manpages.mk | 8 ovn/controller-vtep/ovn-controller-vtep.c | 3 +- ovn/controller/ovn-controller.c | 3 +- ovn/northd/ovn-northd.c | 1 + ovn/utilities/ovn-nbctl.c | 3 +- ovn/utilities/ovn-sbctl.c | 3 +- ovn/utilities/ovn-trace.c | 1 + ovsdb/ovsdb-client.1.in | 3 ++ ovsdb/ovsdb-client.c | 3 +- ovsdb/ovsdb-server.1.in | 3 ++ ovsdb/ovsdb-server.c | 23 -- tests/ovsdb-server.at | 68 +- tests/test-jsonrpc.c | 3 +- utilities/ovs-ofctl.c | 3 +- utilities/ovs-testcontroller.c| 3 +- utilities/ovs-vsctl.c | 3 +- vswitchd/ovs-vswitchd.c | 1 + vtep/vtep-ctl.c | 3 +- 24 files changed, 234 insertions(+), 18 deletions(-) create mode 100644 lib/ssl-connect-syn.man create mode 100644 lib/ssl-connect.man diff --git a/AUTHORS b/AUTHORS index c089d59..197142f 100644 --- a/AUTHORS +++ b/AUTHORS @@ -80,6 +80,7 @@ Eitan Eliahuelia...@vmware.com Eohyung Lee liquidnu...@gmail.com Eric Sesterhenn eric.sesterh...@lsexperts.de Ethan J. Jacksone...@eecs.berkeley.edu +Ethan Rahn er...@arista.com Eziz Durdyyev ezizdu...@gmail.com Flavio Fernandesfla...@flaviof.com Flavio Leitner f...@redhat.com diff --git a/lib/automake.mk b/lib/automake.mk index 165e6a8..62bb17b 100644 --- a/lib/automake.mk +++ b/lib/automake.mk @@ -462,6 +462,8 @@ MAN_FRAGMENTS += \ lib/ssl-peer-ca-cert-syn.man \ lib/ssl.man \ lib/ssl-syn.man \ + lib/ssl-connect.man \ + lib/ssl-connect-syn.man \ lib/table.man \ lib/unixctl.man \ lib/unixctl-syn.man \ diff --git a/lib/ssl-connect-syn.man b/lib/ssl-connect-syn.man new file mode 100644 index 000..0510a59 --- /dev/null +++ b/lib/ssl-connect-syn.man @@ -0,0 +1,5 @@ +.IP "SSL connection options:" +[\fB\-\-ssl\-protocols=\fITLSv1,TLSv1.1,TLSv1.2\fR] +.br +[\fB\-\-ssl\-ciphers=\fIHIGH:!aNULL:!MD5\fR] +.br diff --git a/lib/ssl-connect.man b/lib/ssl-connect.man new file mode 100644 index 000..dcc6a79 --- /dev/null 
+++ b/lib/ssl-connect.man @@ -0,0 +1,16 @@ +.de IQ +. br +. ns +. IP "\\$1" +.. +.IQ "\fB\-\-ssl\-protocols=\fITLSv1,TLSv1.1,TLSv1.2\fR" +Specifies, in a comma or white-list delimited, list the SSL protocols \fB\*(PN\fR +will support for SSL connections. Supported protocols are: TLSv1, TLSv1.1, +TLSv1.2. Order does not matter, the highest protocol supported by both sides +will be choosen when making the connection. +. +.IQ "\fB\-\-ssl\-ciphers=\fIHIGH:!aNULL:!MD5\fR" +Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will +support for SSL connections. + + diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index a5c32a1..87b8de9 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -162,6 +162,8 @@ struct ssl_config_file { static struct ssl_config_file private_key; static struct ssl_config_file certificate; static struct ssl_config_file ca_cert; +static char *ssl_protocols = "TLSv1,TLSv1.1,TLSv1.2"; +static char *ssl_ciphers = "HIGH:!aNULL:!MD5"; /* Ordinarily, the SSL client and server verify each other's certificates using * a CA certificate. Setting this to false disables this behavior. (This is a @@ -966,6 +968,7 @@ do_ssl_init(void) SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); +SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5"); return 0; } 
@@ -1114,6 +1117,73 @@ stream_ssl_set_key_and_cert(const char *private_key_file, } } +/* Sets SSL ciphers based on string input. Aborts with an error message + * if 'arg' is invalid. */ +void +stream_ssl_set_ciphers(const char *arg) +{ +if (ssl_init() || !arg || !strcmp(ssl_ciphers, arg)){ + return; +} +if (SSL_CTX_set_cipher_list(ctx,arg) == 0) +{ + VLOG_ERR("SSL_CTX_set_cipher_list: %s", + ERR_error_string(ERR_get_error(), NULL)); +} +ssl_ciphers = xstrdup(arg); +} + +/* Set SSL protocols based on the string input. Aborts with an error message + * if 'arg' is invalid. */ +void +stream_ssl_set_protocols(const char *arg) +{ +char *s; +char *save_ptr = NULL; +char *word; +long protocolFlags; + +if (ssl_init()
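Review bot: in the new lib/ssl-connect.man, "Specifies, in a comma or white-list delimited, list the SSL protocols" reads as garbled; "Specifies, as a comma- or whitespace-delimited list, the SSL protocols" is presumably what is meant, and "choosen" should be "chosen". It would also help operators to state that the default, TLSv1,TLSv1.1,TLSv1.2, keeps TLSv1 enabled and that passing a shorter list is how to turn older versions off.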
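Review bot: the `SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5");` added to do_ssl_init() repeats the literal that this same patch stores in the new static `ssl_ciphers`, so the compiled-in default and the value the code believes is current can drift apart; pass `ssl_ciphers` instead. Its return value is also ignored here while stream_ssl_set_ciphers() checks it; a 0 return leaves the context on OpenSSL's built-in list, which is the outcome this patch sets out to prevent, so it deserves the same error logging.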
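Review bot: stream_ssl_set_ciphers() does not do what its comment says ("Aborts with an error message if 'arg' is invalid"): when SSL_CTX_set_cipher_list() returns 0 it only logs with VLOG_ERR and then still executes `ssl_ciphers = xstrdup(arg);`, so the rejected string is recorded as the active cipher list and the `!strcmp(ssl_ciphers, arg)` shortcut will treat the same bad string as already applied on the next call. Either abort as documented or return before the assignment. Repeated calls also leak the previous xstrdup()ed copy, and since `ssl_ciphers` starts out pointing at a string literal, freeing it needs an initial xstrdup() or a flag. The brace placement in this hunk (`!strcmp(ssl_ciphers, arg)){` and the brace on its own line after `if (SSL_CTX_set_cipher_list(ctx,arg) == 0)`) does not match the surrounding file.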
Re: [ovs-dev] [PATCH 2/2] Prepare for 2.6.2.
> On Nov 1, 2016, at 7:56 PM, Ben Pfaff wrote:
>
> On Tue, Nov 01, 2016 at 03:44:13PM -0700, Justin Pettit wrote:
>> Signed-off-by: Justin Pettit
>
> Acked-by: Ben Pfaff

Thanks. I pushed the series to branch-2.6. I'll kick off the release process.

--Justin
Re: [ovs-dev] [PATCH v2] ovn-controller: Container can have connection to a hosting VM.
On 2 November 2016 at 09:09, Ben Pfaff wrote:
> On Wed, Oct 05, 2016 at 03:17:44AM -0700, Gurucharan Shetty wrote:
> > A Container running inside a VM can have a connection to the
> > hosting VM (parent port) in the logical topology (for e.g via a router).
> > So we should be able to loop-back into the same VM, even if the
> > final packet delivered does not have any tags in it.
> >
> > Reported-by: Dustin Spinhirne
> > Signed-off-by: Gurucharan Shetty
>
> Sorry about the delay in review. (It's too bad we didn't get this into
> 2.6.1, but there's always 2.6.2.)
>
> Acked-by: Ben Pfaff

Thank you, I applied this to master and 2.6
[ovs-dev] Supply Chain Management Target Approach
Did you get a chance to review my previous email? Please let me know if you would like to review a few sample records from your target audience. Look forward to hearing back.

Regards,
Sarah

___
From: Sarah Brush
Sent: Wednesday, October 26, 2016 3:26 PM
To: dev@openvswitch.org
Subject: Supply Chain Management Target Approach

Hi,

Would you be interested in an email lead list of Supply Chain Executives? We can help you reach out to them. Titles include:
- VP of Supply Chain
- Director of Supply Chain
- Supply Chain Manager
- Purchasing Manager
- Purchasing Director
- Procurement Manager
- Procurement Director

The list comes with complete contact information like Contact name, Email address, Title, Company name, Phone number, Mailing address, etc. I'd be happy to send over a few sample records on your request, and set up a time to discuss further. If there is someone else in your organization that I need to speak with, I'd be grateful if you would forward this email to the appropriate contact and help me with the introduction.

Have a great day!

Regards,
Sarah Brush / INF Solutions / 302-250-4336

If you don't wish to receive emails from us reply back with "Unsubscribe".
Re: [ovs-dev] [PATCH] netdev-dpdk: Fix crash in QoS.
> qos_conf can be NULL. This can be easily reproduced by setting egress QoS
> on a port:
>
> ```
> ovs-vsctl set port dpdk2 qos=@newqos -- --id=@newqos create qos
> type=egress-policer other-config:cir=4600 other-config:cbs=2048
> ```
>
> Reported-by: Ian Stokes
> Fixes: 78bd47cf44a5 ("netdev-dpdk: Use RCU for egress QoS.")
> Signed-off-by: Daniele Di Proietto
> ---
> lib/netdev-dpdk.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/netdev-dpdk.c b/lib/netdev-dpdk.c index 7c1523e..49750c3 > 100644 > --- a/lib/netdev-dpdk.c > +++ b/lib/netdev-dpdk.c > @@ -2803,7 +2803,7 @@ netdev_dpdk_set_qos(struct netdev *netdev, const > char *type, > if (type && type[0]) { > error = EOPNOTSUPP; > } > -} else if (qos_conf->ops == new_ops > +} else if (qos_conf && qos_conf->ops == new_ops > && qos_conf->ops->qos_is_equal(qos_conf, details)) { > new_qos_conf = qos_conf; > } else { > -- > 2.9.3

Thanks for this Daniele.

Tested-by: Ian Stokes
Acked-by: Ian Stokes
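Review bot: the added `qos_conf &&` in netdev_dpdk_set_qos() is the right guard for the NULL dereference the commit message describes, and the Fixes: tag pointing at the RCU conversion is good; what is missing is a test. The one-line ovs-vsctl reproduction in the commit message (creating an egress-policer QoS on a port that has none yet) is a ready-made regression case for the first-configuration path and should land alongside the fix so the code path stays covered.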
Re: [ovs-dev] [PATCH 00/23] Convert next batch of docs to rST
On 30 October 2016 at 06:29, Stephen Finucane wrote:
> This is the third conversion series. This one is larger yet again,
> though many of the docs are rather small. After this series, only the
> two tutorial docs in 'tutorial' require conversion (along with any
> unsuffixed files I may have missed).
>
> /me didn't realize there was quite this much documentation in the repo.

Hi Stephen,

I was wanting to make a (very minor) doc change but since this much larger series is on the list I thought it's best for this to go in first. I tried to rebase my doc change against this series so it could go in after this does and save you any effort of rebasing this series and potentially losing my change.

Unfortunately I had a bit of trouble trying to apply this series, starting with "doc: Convert rhel/README.RHEL to rST". I think that maybe the series needs a rebase against latest master. Is this series also available via git somewhere? That would make it a little easier for me to base my change on top.

Thanks again for your heroic efforts on this rST/sphinx work!

Joe
Re: [ovs-dev] [PATCH] ovn-nb: Document the syntax for an address set name.
On Fri, Oct 07, 2016 at 09:00:13AM -0700, Ben Pfaff wrote:
> Also, it is not necessary to specify that the name must be unique because
> the schema documentation generator does that for us.
>
> Reported-by: Kevin Lin
> Reported-at: http://openvswitch.org/pipermail/dev/2016-October/080386.html
> Signed-off-by: Ben Pfaff

This needs a review, which should be easy.
Re: [ovs-dev] [PATCH] Add support for specifying SSL connection parameters to ovsdb
Thanks a lot. I have only a few style fixes for this. May I have a Signed-off-by? Thanks, Ben. On Thu, Oct 06, 2016 at 04:22:19PM -0700, Ethan Rahn wrote: > Third time is the charm :) Sent via git send-email this time around. > Thanks for your patience and sorry for the trouble. > > Cheers, > > Ethan > > On Thu, Oct 6, 2016 at 4:21 PM, Ethan Rahnwrote: > > --- > > AUTHORS | 1 + > > lib/automake.mk | 2 + > > lib/ssl-connect-syn.man | 5 +++ > > lib/ssl-connect.man | 16 +++ > > lib/stream-ssl.c | 70 > > +++ > > lib/stream-ssl.h | 20 - > > manpages.mk | 8 > > ovn/controller-vtep/ovn-controller-vtep.c | 3 +- > > ovn/controller/ovn-controller.c | 3 +- > > ovn/northd/ovn-northd.c | 1 + > > ovn/utilities/ovn-nbctl.c | 3 +- > > ovn/utilities/ovn-sbctl.c | 3 +- > > ovn/utilities/ovn-trace.c | 1 + > > ovsdb/ovsdb-client.1.in | 3 ++ > > ovsdb/ovsdb-client.c | 3 +- > > ovsdb/ovsdb-server.1.in | 3 ++ > > ovsdb/ovsdb-server.c | 23 -- > > tests/ovsdb-server.at | 68 > > +- > > tests/test-jsonrpc.c | 3 +- > > utilities/ovs-ofctl.c | 3 +- > > utilities/ovs-testcontroller.c| 3 +- > > utilities/ovs-vsctl.c | 3 +- > > vswitchd/ovs-vswitchd.c | 1 + > > vtep/vtep-ctl.c | 3 +- > > 24 files changed, 234 insertions(+), 18 deletions(-) > > create mode 100644 lib/ssl-connect-syn.man > > create mode 100644 lib/ssl-connect.man > > > > diff --git a/AUTHORS b/AUTHORS > > index c089d59..197142f 100644 > > --- a/AUTHORS > > +++ b/AUTHORS > > @@ -80,6 +80,7 @@ Eitan Eliahuelia...@vmware.com > > Eohyung Lee liquidnu...@gmail.com > > Eric Sesterhenn eric.sesterh...@lsexperts.de > > Ethan J. Jacksone...@eecs.berkeley.edu > > +Ethan Rahn er...@arista.com > > Eziz Durdyyev ezizdu...@gmail.com > > Flavio Fernandesfla...@flaviof.com > > Flavio Leitner f...@redhat.com > > diff --git a/lib/automake.mk b/lib/automake.mk > > index 165e6a8..62bb17b 100644 > > --- a/lib/automake.mk > > +++ b/lib/automake.mk 
> > @@ -462,6 +462,8 @@ MAN_FRAGMENTS += \ > > lib/ssl-peer-ca-cert-syn.man \ > > lib/ssl.man \ > > lib/ssl-syn.man \ > > + lib/ssl-connect.man \ > > + lib/ssl-connect-syn.man \ > > lib/table.man \ > > lib/unixctl.man \ > > lib/unixctl-syn.man \ > > diff --git a/lib/ssl-connect-syn.man b/lib/ssl-connect-syn.man > > new file mode 100644 > > index 000..0510a59 > > --- /dev/null > > +++ b/lib/ssl-connect-syn.man > > @@ -0,0 +1,5 @@ > > +.IP "SSL connection options:" > > +[\fB\-\-ssl\-protocols=\fITLSv1,TLSv1.1,TLSv1.2\fR] > > +.br > > +[\fB\-\-ssl\-ciphers=\fIHIGH:!aNULL:!MD5\fR] > > +.br > > diff --git a/lib/ssl-connect.man b/lib/ssl-connect.man > > new file mode 100644 > > index 000..dcc6a79 > > --- /dev/null > > +++ b/lib/ssl-connect.man > > @@ -0,0 +1,16 @@ > > +.de IQ > > +. br > > +. ns > > +. IP "\\$1" > > +.. > > +.IQ "\fB\-\-ssl\-protocols=\fITLSv1,TLSv1.1,TLSv1.2\fR" > > +Specifies, in a comma or white-list delimited, list the SSL protocols > > \fB\*(PN\fR > > +will support for SSL connections. Supported protocols are: TLSv1, TLSv1.1, > > +TLSv1.2. Order does not matter, the highest protocol supported by both > > sides > > +will be choosen when making the connection. > > +. > > +.IQ "\fB\-\-ssl\-ciphers=\fIHIGH:!aNULL:!MD5\fR" > > +Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will > > +support for SSL connections. > > + > > + > > diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c > > index a5c32a1..87b8de9 100644 > > --- a/lib/stream-ssl.c > > +++ b/lib/stream-ssl.c > > @@ -162,6 +162,8 @@ struct ssl_config_file { > > static struct ssl_config_file private_key; > > static struct ssl_config_file certificate; > > static struct ssl_config_file ca_cert; > > +static char *ssl_protocols = "TLSv1,TLSv1.1,TLSv1.2"; > > +static char *ssl_ciphers = "HIGH:!aNULL:!MD5"; > > > > /* Ordinarily, the SSL client and server verify each other's certificates > > using > > * a CA certificate. Setting this to false disables this behavior. (This > > is a 
> > @@ -966,6 +968,7 @@ do_ssl_init(void) > > SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | > > SSL_VERIFY_FAIL_IF_NO_PEER_CERT, > > NULL); > > SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); > > +SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5"); > > > > return 0; >
Re: [ovs-dev] [PATCH v2] ovn: Add a case of policy based routing.
On Wed, Nov 02, 2016 at 09:28:44AM -0700, Ben Pfaff wrote: > On Thu, Oct 06, 2016 at 03:53:12AM -0700, Gurucharan Shetty wrote: > > OVN currently supports multiple gateway routers (residing on > > different chassis) connected to the same logical topology. > > > > When external traffic enters the logical topology, they can enter > > from any gateway routers and reach its eventual destination. This > > is achieved with proper static routes configured on the gateway > > routers. > > > > But when traffic is initiated in the logical space by a logical > > port, we do not have a good way to distribute that traffic across > > multiple gateway routers. > > > > This commit introduces one particular way to do it. Based on the > > source IP address or source IP network of the packet, we can now > > jump to a specific gateway router. > > > > This is very useful for a specific use case of Kubernetes. > > When traffic is initiated inside a container heading to outside world, > > we want to be able to send such traffic outside the gateway router > > residing in the same host as that of the container. Since each > > host gets a specific subnet, we can use source IP address based > > policy routing to decide on the gateway router. > > > > Rationale for using the same routing table for both source and > > destination IP address based routing: > > > > Some hardware network vendors support policy routing in a different table > > on arbitrary "match". And when a packet enters, if there is a match > > in policy based routing table, the default routing table is not > > consulted at all. In case of OVN, we mainly want policy based routing > > for north-south traffic. We want east-west traffic to flow as-is. Creating > > a separate table for policy based routing complicates the configuration > > quite a bit. 
> > For e.g., if we have a source IP network based rule added,
> > to decide a particular gateway router as a next hop, we should add rules at
> > a higher priority for all the connected routes to make sure that east-west
> > traffic is not effected in the policy based routing table itself.
> >
> > Signed-off-by: Gurucharan Shetty
>
> Thank you!
>
> Acked-by: Ben Pfaff

Oh, you might also add a NEWS item given that OVN is no longer experimental.
Re: [ovs-dev] [PATCH v2] ovn: Add a case of policy based routing.
On Thu, Oct 06, 2016 at 03:53:12AM -0700, Gurucharan Shetty wrote: > OVN currently supports multiple gateway routers (residing on > different chassis) connected to the same logical topology. > > When external traffic enters the logical topology, they can enter > from any gateway routers and reach its eventual destination. This > is achieved with proper static routes configured on the gateway > routers. > > But when traffic is initiated in the logical space by a logical > port, we do not have a good way to distribute that traffic across > multiple gateway routers. > > This commit introduces one particular way to do it. Based on the > source IP address or source IP network of the packet, we can now > jump to a specific gateway router. > > This is very useful for a specific use case of Kubernetes. > When traffic is initiated inside a container heading to outside world, > we want to be able to send such traffic outside the gateway router > residing in the same host as that of the container. Since each > host gets a specific subnet, we can use source IP address based > policy routing to decide on the gateway router. > > Rationale for using the same routing table for both source and > destination IP address based routing: > > Some hardware network vendors support policy routing in a different table > on arbitrary "match". And when a packet enters, if there is a match > in policy based routing table, the default routing table is not > consulted at all. In case of OVN, we mainly want policy based routing > for north-south traffic. We want east-west traffic to flow as-is. Creating > a separate table for policy based routing complicates the configuration > quite a bit. For e.g., if we have a source IP network based rule added, > to decide a particular gateway router as a next hop, we should add rules at > a higher priority for all the connected routes to make sure that east-west > traffic is not effected in the policy based routing table itself. 
> > Signed-off-by: Gurucharan ShettyThank you! Acked-by: Ben Pfaff I kind of like this better since it doesn't talk about priorities, which seem like a lower level concept: diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml index 3646e55..7626551 100644 --- a/ovn/ovn-nb.xml +++ b/ovn/ovn-nb.xml @@ -1083,6 +1083,12 @@ Each record represents a static route. + + When multiple routes match a packet, the longest-prefix match is chosen. + For a given prefix length, a dst-ip route is preferred over + a src-ip route. + + IP prefix of this route (e.g. 192.168.100.0/24). @@ -1098,16 +1104,12 @@ src-ip: This policy sends the packet to the when the packet's source IP address matches - . If the has - a mask length of n, then this record gets an implicit - priority of 2*n. + . dst-ip: This policy sends the packet to the when the packet's destination IP address - matches . If the - has a mask length of n, then this record gets an - implicit priority of 2*n + 1. + matches . ___ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
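Review bot: the new paragraph in the first ovn-nb.xml hunk ("When multiple routes match a packet, the longest-prefix match is chosen. For a given prefix length, a dst-ip route is preferred over a src-ip route.") should state explicitly that prefix length is compared across both policies, so a src-ip /24 route wins over a dst-ip /16 route. That follows from the 2*n and 2*n+1 priorities the second hunk removes (48 versus 33 for that pair), but a reader of the new text alone could take it to mean that dst-ip routes always take precedence.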
Re: [ovs-dev] [PATCH v2] ovn-controller: Container can have connection to a hosting VM.
On Wed, Oct 05, 2016 at 03:17:44AM -0700, Gurucharan Shetty wrote:
> A Container running inside a VM can have a connection to the
> hosting VM (parent port) in the logical topology (e.g. via a router).
> So we should be able to loop back into the same VM, even if the
> final packet delivered does not have any tags in it.
>
> Reported-by: Dustin Spinhirne
> Signed-off-by: Gurucharan Shetty

Sorry about the delay in review. (It's too bad we didn't get this into 2.6.1, but there's always 2.6.2.)

Acked-by: Ben Pfaff
Re: [ovs-dev] [PATCH] ovn: Fix QoS marking without match
On Wed, Nov 02, 2016 at 08:38:29PM +0530, Babu Shanmugam wrote:
> When a Logical_Switch's qos_rule does not have a match set, the rule should
> apply for all the logical ports in that switch.
>
> Signed-off-by: Babu Shanmugam

I don't think this is really a bug fix, since the documentation for the QoS table says "match" is an expression in the syntax for the OVN expression language, and it doesn't say anything about the behavior for an empty "match". I suggest that anything that wants to apply a qos rule to every port should use "1" as the match.
[ovs-dev] [PATCH] ovn: Fix QoS marking without match
When a Logical_Switch's qos_rule does not have a match set, the rule should apply for all the logical ports in that switch. Signed-off-by: Babu Shanmugam--- ovn/northd/ovn-northd.c | 8 +++- tests/ovn.at| 4 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 91affe4..512abb7 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -2644,12 +2644,18 @@ build_qos(struct ovn_datapath *od, struct hmap *lflows) { if (!strcmp(qos->key_action, "dscp")) { struct ds dscp_action = DS_EMPTY_INITIALIZER; +const char *match; +if (!strcmp(qos->match, "")) { +match = "1"; +} else { +match = qos->match; +} ds_put_format(_action, "ip.dscp = %d; next;", (uint8_t)qos->value_action); ovn_lflow_add(lflows, od, stage, qos->priority, - qos->match, ds_cstr(_action)); + match, ds_cstr(_action)); ds_destroy(_action); } } diff --git a/tests/ovn.at b/tests/ovn.at index cb3e7dd..24dd12f 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -5459,6 +5459,10 @@ check_tos 63 ovn-nbctl --wait=hv clear Logical_Switch lsw0 qos_rules check_tos 0 +# without match, packets from all all logical port should be marked +qos_id=$(ovn-nbctl --wait=hv -- --id=@lp1-qos create QoS priority=100 action=dscp=48 direction="from-lport" -- set Logical_Switch lsw0 qos_rules=@lp1-qos) +check_tos 48 + OVN_CLEANUP([hv]) AT_CLEANUP -- 1.9.1 ___ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
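Review bot: the empty-match default in the ovn-northd.c hunk is computed inside the `if (!strcmp(qos->key_action, "dscp"))` branch, so any action type added later would have to repeat it; move the `match` selection above that test, and prefer `!qos->match[0]` to `!strcmp(qos->match, "")`. The larger question, raised in Ben's reply in this thread, is whether an empty match should mean "all ports" at all: the QoS table documents match as an OVN expression and says nothing about an empty one, so either document the empty-string semantics in ovn-nb.xml in the same patch or reject an empty match and require `1`.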
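Review bot: the comment in the tests/ovn.at hunk reads "packets from all all logical port should be marked"; make it "packets from all logical ports should be marked". The new case also leaves the switch-wide rule in place until OVN_CLEANUP; clearing `qos_rules` again and checking `check_tos 0` afterwards, as the lines just above do, would show that the marking came from this rule and not from state left by the earlier checks. The `@lp1-qos` id is also misleading for a rule that is no longer tied to lp1.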
[ovs-dev] [PATCH v4 4/4] ovn: Add ovndb servers ocf script in debian packager
The OCF script will be present in the ovn-common package and installed in the openvswitch scripts folder and a symbolic link to this file will be created in the OCF resources folder. The OCF resource agent name for this resource is ocf:ovn:ovndb-servers Signed-off-by: Babu Shanmugam--- debian/automake.mk | 2 ++ debian/ovn-common.install | 1 + debian/ovn-common.postinst | 24 debian/ovn-common.postrm | 23 +++ 4 files changed, 50 insertions(+) create mode 100644 debian/ovn-common.postinst create mode 100644 debian/ovn-common.postrm diff --git a/debian/automake.mk b/debian/automake.mk index 73b4d00..f793d4f 100644 --- a/debian/automake.mk +++ b/debian/automake.mk @@ -63,6 +63,8 @@ EXTRA_DIST += \ debian/ovn-controller-vtep.manpages \ debian/ovn-common.install \ debian/ovn-common.manpages \ + debian/ovn-common.postinst \ + debian/ovn-common.postrm \ debian/ovn-docker.install \ debian/ovn-host.dirs \ debian/ovn-host.init \ diff --git a/debian/ovn-common.install b/debian/ovn-common.install index acb1dc9..8b833dc 100644 --- a/debian/ovn-common.install +++ b/debian/ovn-common.install @@ -1,3 +1,4 @@ usr/bin/ovn-nbctl usr/bin/ovn-sbctl usr/share/openvswitch/scripts/ovn-ctl +usr/share/openvswitch/scripts/ovndb-servers.ocf diff --git a/debian/ovn-common.postinst b/debian/ovn-common.postinst new file mode 100644 index 000..588044f --- /dev/null +++ b/debian/ovn-common.postinst @@ -0,0 +1,24 @@ +#!/bin/sh +# postinst script for ovn-common +# +# see: dh_installdeb(1) + +set -e + +case "$1" in +configure) +mkdir -p /usr/lib/ocf/resource.d/ovn +ln -sf /usr/share/openvswitch/scripts/ovndb-servers.ocf /usr/lib/ocf/resource.d/ovn/ovndb-servers +;; +abort-upgrade|abort-remove|abort-deconfigure) +;; + +*) +echo "postinst called with unknown argument \`$1'" >&2 +exit 1 +;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/ovn-common.postrm b/debian/ovn-common.postrm new file mode 100644 index 000..9face72 --- /dev/null +++ b/debian/ovn-common.postrm 
@@ -0,0 +1,23 @@ +#!/bin/sh +# postrm script for openvswitch-testcontroller +# +# see: dh_installdeb(1) + +set -e + +case "$1" in +purge|remove) +rm -rf /usr/lib/ocf/resource.d/ovn +;; +upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) +;; + +*) +echo "postrm called with unknown argument \`$1'" >&2 +exit 1 +;; +esac + +#DEBHELPER# + +exit 0 -- 1.9.1 ___ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
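Review bot: debian/ovn-common.postinst creates /usr/lib/ocf/resource.d/ovn and the ovndb-servers symlink by hand; a debian/ovn-common.links entry (dh_link) would ship the symlink as part of the package, with dpkg removing it on purge, and both the postinst and postrm scripts could then be dropped. If the scripts stay, note that `ln -sf` silently replaces any existing ovndb-servers agent at that path.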
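Review bot: the postrm's `rm -rf /usr/lib/ocf/resource.d/ovn` deletes the whole directory, including any other agents a site may have installed under the ovn provider; remove only the symlink this package created (`rm -f /usr/lib/ocf/resource.d/ovn/ovndb-servers` followed by `rmdir --ignore-fail-on-non-empty /usr/lib/ocf/resource.d/ovn`). The header comment also says "postrm script for openvswitch-testcontroller"; it should name ovn-common.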
[ovs-dev] [PATCH v4 0/4] High availability support for OVN DB servers using pacemaker
v3 -> v4: Following changes were suggested by Andy on v3
- Updated the ovn-ctl man page
- Added information regarding the pacemaker integration in the IntegrationGuide.md
- Added debug messages in the ocf script

This patch contains changes required to run a pacemaker resource agent to manage OVN db servers in active/standby mode in an HA cluster.

Babu Shanmugam (4):
  ovn: ovn-ctl support for HA ovn DB servers
  ovn: OCF script for OVN OVSDB servers
  ovn: Add ovn db servers ocf script in fedora packager
  ovn: Add ovndb servers ocf script in debian packager

 IntegrationGuide.md | 63 +++
 debian/automake.mk | 2 +
 debian/ovn-common.install | 1 +
 debian/ovn-common.postinst | 24 +++
 debian/ovn-common.postrm | 23 +++
 ovn/utilities/automake.mk | 6 +-
 ovn/utilities/ovn-ctl | 173 ---
 ovn/utilities/ovn-ctl.8.xml | 18 ++
 ovn/utilities/ovndb-servers.ocf | 356
 rhel/openvswitch-fedora.spec.in | 8 +
 10 files changed, 647 insertions(+), 27 deletions(-)
 create mode 100644 debian/ovn-common.postinst
 create mode 100644 debian/ovn-common.postrm
 create mode 100755 ovn/utilities/ovndb-servers.ocf

-- 1.9.1
[ovs-dev] [PATCH v4 3/4] ovn: Add ovn db servers ocf script in fedora packager
The OCF script will be present in the ovn-common package and installed in the openvswitch scripts folder. A symbolic link to this file will be created in the OCF resources folder. The OCF resource agent name for this resource is ocf:ovn:ovndb-servers Signed-off-by: Babu Shanmugam--- rhel/openvswitch-fedora.spec.in | 8 1 file changed, 8 insertions(+) diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in index eda8767..fb4aecd 100644 --- a/rhel/openvswitch-fedora.spec.in +++ b/rhel/openvswitch-fedora.spec.in @@ -310,6 +310,10 @@ rm -rf $RPM_BUILD_ROOT fi %endif +%post ovn-common +mkdir /usr/lib/ocf/resource.d/ovn +ln -sf %{_datadir}/openvswitch/scripts/ovndb-servers.ocf /usr/lib/ocf/resource.d/ovn/ovndb-servers + %post ovn-central %if 0%{?systemd_post:1} %systemd_post ovn-northd.service @@ -354,6 +358,9 @@ rm -rf $RPM_BUILD_ROOT fi %endif +%postun ovn-common +rm -rf /usr/lib/ocf/resource.d/ovn + %postun ovn-central %if 0%{?systemd_postun_with_restart:1} %systemd_postun_with_restart ovn-northd.service @@ -493,6 +500,7 @@ fi %{_bindir}/ovn-sbctl %{_bindir}/ovn-trace %{_datadir}/openvswitch/scripts/ovn-ctl +%{_datadir}/openvswitch/scripts/ovndb-servers.ocf %{_datadir}/openvswitch/scripts/ovn-bugtool-nbctl-show %{_datadir}/openvswitch/scripts/ovn-bugtool-sbctl-lflow-list %{_datadir}/openvswitch/scripts/ovn-bugtool-sbctl-show -- 1.9.1 ___ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
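Review bot: `%post ovn-common` runs `mkdir /usr/lib/ocf/resource.d/ovn` without `-p`, so the scriptlet fails on any upgrade or reinstall where the directory already exists (the debian postinst in the companion patch uses `mkdir -p`). Better still, list the directory and the symlink under `%files ovn-common` (`%dir /usr/lib/ocf/resource.d/ovn` plus the link itself) so rpm creates and removes them without scriptlets.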
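Review bot: `%postun ovn-common` removes /usr/lib/ocf/resource.d/ovn unconditionally, but %postun also runs on upgrade (with `$1` equal to 1), after the new package's %post has already created the symlink, so every upgrade leaves the agent missing; guard the removal with `if [ $1 -eq 0 ]` so it runs only on a real erase, and remove just the ovndb-servers symlink rather than the whole directory.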
[ovs-dev] [PATCH v4 2/4] ovn: OCF script for OVN OVSDB servers
Co-authored-by: Numan SiddiqueSigned-off-by: Numan Siddique Co-authored-by: Andrew Beekhof Signed-off-by: Andrew Beekhof Signed-off-by: Babu Shanmugam --- IntegrationGuide.md | 63 +++ ovn/utilities/automake.mk | 6 +- ovn/utilities/ovndb-servers.ocf | 356 3 files changed, 423 insertions(+), 2 deletions(-) create mode 100755 ovn/utilities/ovndb-servers.ocf diff --git a/IntegrationGuide.md b/IntegrationGuide.md index 5d3e574..945ecfd 100644 --- a/IntegrationGuide.md +++ b/IntegrationGuide.md 
@@ -167,3 +167,66 @@ following command can be used: ovs-vsctl set Interface eth0 external-ids:iface-id='"${UUID}"' + +HA for OVN DB servers using pacemaker +- + +The ovsdb servers can work in either active or backup mode. In backup mode, db +server will be connected to an active server and replicate the active servers +contents. At all times, the data can be transacted only from the active server. +When the active server dies for some reason, entire OVN operations will be +stalled. + +[Pacemaker][] is a cluster resource manager which can manage a defined set of +resource across a set of clustered nodes. Pacemaker manages the resource with +the help of the resource agents. One among the resource agent is [OCF][]. + +OCF is nothing but a shell script which accepts a set of actions and returns an +appropriate status code. + +With the help of the OCF resource agent ovn/utilities/ovndb-servers.ocf, one +can defined a resource for the pacemaker such that pacemaker will always +maintain one running active server at any time. + +After creating a pacemaker cluster, use the following commands to create +one active and multiple backup servers for OVN databases. + +pcs resource create ovndb_servers ocf:ovn:ovndb-servers \ + master_ip=x.x.x.x \ + ovn_ctl= \ + op monitor interval="10s" + +pcs resource master ovndb_servers-master ovndb_servers \ +meta notify="true" + +The `master_ip` and `ovn_ctl` are the parameters that will be used by the +OCF script. `ovn_ctl` is optional, if not given, it assumes a default value of +/usr/share/openvswitch/scripts/ovn-ctl. + +Whenever the active server dies, pacemaker is responsible to promote one of +the backup servers to be active. Both ovn-controller and ovn-northd needs the +ip-address at which the active server is listening. 
With pacemaker changing the +node at which the active server is run, it is not efficient to instruct all the +ovn-controllers and the ovn-northd to listen to the latest active server's ip- +address + +This problem can be solved by using a native ocf resource agent +`ocf:heartbeat:IPaddr2`. The IPAddr2 resource agent is just a resource with an +ip-address. When we colocate this resource with the active server, pacemaker +will enable the active server to be connected with a single ip-address all the +time. This is the ip-address that needs to be given as the parameter while +creating the `ovndb_servers` resource. + +Use the following command to create the IPAddr2 resource and colocate it +with the active server. + +pcs resource create VirtualIP ocf:heartbeat:IPaddr2 ip=x.x.x.x \ +op monitor interval=30s + +pcs constraint order VirtualIP then ovndb_servers-master + +pcs constraint colocation add ovndb_servers-master with master VirtualIP \ +score=INFINITY + +[Pacemaker]: http://clusterlabs.org/pacemaker.html +[OCF]: http://www.linux-ha.org/wiki/OCF_Resource_Agents diff --git a/ovn/utilities/automake.mk b/ovn/utilities/automake.mk index b03d125..164cdda 100644 --- a/ovn/utilities/automake.mk +++ b/ovn/utilities/automake.mk @@ -1,5 +1,6 @@ scripts_SCRIPTS += \ -ovn/utilities/ovn-ctl +ovn/utilities/ovn-ctl \ +ovn/utilities/ovndb-servers.ocf man_MANS += \ ovn/utilities/ovn-ctl.8 \ @@ -20,7 +21,8 @@ EXTRA_DIST += \ ovn/utilities/ovn-docker-overlay-driver \ ovn/utilities/ovn-docker-underlay-driver \ ovn/utilities/ovn-nbctl.8.xml \ -ovn/utilities/ovn-trace.8.xml +ovn/utilities/ovn-trace.8.xml \ +ovn/utilities/ovndb-servers.ocf DISTCLEANFILES += \ ovn/utilities/ovn-ctl.8 \ diff --git a/ovn/utilities/ovndb-servers.ocf b/ovn/utilities/ovndb-servers.ocf new file mode 100755 index 000..1fc61a7 --- /dev/null +++ b/ovn/utilities/ovndb-servers.ocf 
@@ -0,0 +1,356 @@ +#!/bin/bash + +: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat} +. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs +: ${OVN_CTL_DEFAULT="/usr/share/openvswitch/scripts/ovn-ctl"} +CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot" +CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name OVN_REPL_INFO -s ovn_ovsdb_master_server" +OVN_CTL=${OCF_RESKEY_ovn_ctl:-${OVN_CTL_DEFAULT}} +MASTER_IP=${OCF_RESKEY_master_ip} + +# Invalid IP address is an address that can never exist in the
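Review bot: a few corrections for the IntegrationGuide.md hunk: "can defined a resource" should be "can define a resource", "a defined set of resource" should be "resources", and "One among the resource agent is [OCF][]. OCF is nothing but a shell script" misdescribes OCF, which is the resource-agent interface specification; an OCF resource agent is usually a shell script implementing the start, stop, monitor, promote and demote actions against that interface. The guide also says ovn-controller and ovn-northd need the active server's address but never states that they should be pointed at the VirtualIP address rather than at any one node; say so next to the IPaddr2 section, since that is the whole reason the IPaddr2 resource is introduced.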
[ovs-dev] [PATCH v4 1/4] ovn: ovn-ctl support for HA ovn DB servers
This patch adds support to start_ovsdb() function in ovn-ctl to start the ovn db servers in backup mode. This can be done in the following ways 1. Use parameters --ovn-nb-sync-from-addr and --ovn-sb-sync-from-addr to set the addresses of the active server. 2. Create files $etcdir/ovnnb-active.conf and $etcdir/ovnsb-active.conf with the tcp url of the active servers. Additional functions to promote a backup server to active and demote active server to backup mode are also added in this patch One can optionally set the DB parameters for northd in $etcdir/ovn-northd-db-params.conf. For example, --ovnnb-db=tcp:172.16.247.230:6641 --ovnsb-db=tcp:172.16.247.230:6642 The parameters will be used as is, by start_northd(). If this file exists, start_northd() will not start the DB servers even if $OVN_MANAGE_OVSDB is 'yes'. Signed-off-by: Babu Shanmugam--- ovn/utilities/ovn-ctl | 173 +--- ovn/utilities/ovn-ctl.8.xml | 18 + 2 files changed, 166 insertions(+), 25 deletions(-) diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl index 07bff8a..1c1687f 100755 --- a/ovn/utilities/ovn-ctl +++ b/ovn/utilities/ovn-ctl @@ -26,6 +26,9 @@ for dir in "$sbindir" "$bindir" /sbin /bin /usr/sbin /usr/bin; do done +ovnnb_active_conf_file="$etcdir/ovnnb-active.conf" +ovnsb_active_conf_file="$etcdir/ovnsb-active.conf" +ovn_northd_db_conf_file="$etcdir/ovn-northd-db-params.conf" ## - ## ## start ## ## - ## 
@@ -45,6 +48,44 @@ stop_ovsdb () { fi } +demote_ovnnb() { +if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then +echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file +fi + +if test -e $ovnnb_active_conf_file; then +ovs-appctl -t $rundir/ovnnb_db.ctl ovsdb-server/set-active-ovsdb-server `cat $ovnnb_active_conf_file` +ovs-appctl -t $rundir/ovnnb_db.ctl ovsdb-server/connect-active-ovsdb-server +else +echo >&2 "$0: active server details not set" +exit 1 +fi +} + +demote_ovnsb() { +if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then +echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file +fi + +if test -e $ovnsb_active_conf_file; then +ovs-appctl -t $rundir/ovnsb_db.ctl ovsdb-server/set-active-ovsdb-server `cat $ovnsb_active_conf_file` +ovs-appctl -t $rundir/ovnsb_db.ctl ovsdb-server/connect-active-ovsdb-server +else +echo >&2 "$0: active server details not set" +exit 1 +fi +} + +promote_ovnnb() { +rm -f $ovnnb_active_conf_file +ovs-appctl -t $rundir/ovnnb_db.ctl ovsdb-server/disconnect-active-ovsdb-server +} + +promote_ovnsb() { +rm -f $ovnsb_active_conf_file +ovs-appctl -t $rundir/ovnsb_db.ctl ovsdb-server/disconnect-active-ovsdb-server +} + start_ovsdb () { # Check and eventually start ovsdb-server for Northbound DB if ! pidfile_is_running $DB_NB_PID; then @@ -52,7 +93,20 @@ start_ovsdb () { set ovsdb-server -set "$@" --detach --monitor $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE --remote=punix:$DB_NB_SOCK --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR --pidfile=$DB_NB_PID --unixctl=ovnnb_db.ctl +set "$@" --detach --monitor $OVN_NB_LOG \ +--log-file=$OVN_NB_LOGFILE \ +--remote=punix:$DB_NB_SOCK \ +--remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \ +--pidfile=$DB_NB_PID \ +--unixctl=ovnnb_db.ctl + +if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then +echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file +fi + +if test -e $ovnnb_active_conf_file; then +set "$@" --sync-from=`cat $ovnnb_active_conf_file` +fi $@ $DB_NB_FILE fi 
@@ -63,11 +117,45 @@ start_ovsdb () { set ovsdb-server -set "$@" --detach --monitor $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE --remote=punix:$DB_SB_SOCK --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR --pidfile=$DB_SB_PID --unixctl=ovnsb_db.ctl +set "$@" --detach --monitor $OVN_SB_LOG \ +--log-file=$OVN_SB_LOGFILE \ +--remote=punix:$DB_SB_SOCK \ +--remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \ +--pidfile=$DB_SB_PID \ +--unixctl=ovnsb_db.ctl + +if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then +echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file +fi + +if test -e $ovnsb_active_conf_file; then +set "$@" --sync-from=`cat $ovnsb_active_conf_file` +fi + $@ $DB_SB_FILE fi } +sync_status() { +ovs-appctl -t $rundir/ovn${1}_db.ctl ovsdb-server/sync-status | awk '{if(NR==1) print $2}' +} + +status_ovnnb() { +if ! pidfile_is_running $DB_NB_PID; then +echo "not-running" +else +echo "running/$(sync_status nb)" +fi +} + +status_ovnsb() { +if ! pidfile_is_running $DB_SB_PID;
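Review bot: in demote_ovnnb and demote_ovnsb the exit status of the two `ovs-appctl` calls is ignored, so a rejected `set-active-ovsdb-server` target (a typo in ovnnb-active.conf, or a local server that is not running) still reports success to the caller; since the OCF agent derives promotion state from these commands, propagate the failure with `|| exit 1` or by returning the status. The value written to the conf file is `tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT`, so a caller who sets only `--ovn-nb-sync-from-addr` produces `tcp:addr:` unless the port variable has a default; make sure it does. The backtick `cat` substitutions should be quoted, and the NB and SB bodies differ only in the nb/sb names, so one parameterised function would halve the code.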
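Review bot: `sync_status` prints the second field of the first line of `ovsdb-server/sync-status` output without checking that `ovs-appctl` succeeded; when the control socket is gone the awk pipeline prints nothing and status_ovnnb reports `running/` with an empty state, which the OCF monitor action will have to special-case. Check the `ovs-appctl` status and print an explicit value such as `unknown` on failure. The path `$rundir/ovn${1}_db.ctl` built here is also duplicated by the literal `ovnnb_db.ctl`/`ovnsb_db.ctl` names used elsewhere in the script; deriving all of them from one place avoids drift.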