Re: [ovs-dev] [patch_v5 2/3] ovn: Add additional comments regarding arp responders.

2016-11-02 Thread Darrell Ball
On Sun, Oct 23, 2016 at 11:19 AM, Mickey Spiegel 
wrote:

> Acked-by: Mickey Spiegel 
>
> A few very minor nits below.
>
> On Fri, Oct 21, 2016 at 1:36 PM, Darrell Ball  wrote:
>
>> There has been enough confusion regarding logical switch datapath
>> arp responders in ovn to warrant some additional comments;
>> hence add a general description regarding why they exist and
>> document the special cases.
>>
>> Signed-off-by: Darrell Ball 
>> Signed-off-by: Ramu Ramamurthy 
>> Co-authored-by: Ramu Ramamurthy 
>> Acked-by: Han Zhou 
>> ---
>>
>> v4->v5: Splice in some rewording from review from multiple sources.
>>
>> v3->v4: Capitalization fixes.
>> Reinstate comment regarding L2 learning confusion.
>>
>> v2->v3: Reword and further elaborate.
>>
>> v1->v2: Dropped RFC code change for logical switch router
>> type ports.
>>
>>  ovn/northd/ovn-northd.8.xml | 67 ++
>> +++
>>  1 file changed, 61 insertions(+), 6 deletions(-)
>>
>> diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
>> index df53d4c..930ebf4 100644
>> --- a/ovn/northd/ovn-northd.8.xml
>> +++ b/ovn/northd/ovn-northd.8.xml
>> @@ -435,20 +435,75 @@
>>  Ingress Table 10: ARP/ND responder
>>
>>  
>> -  This table implements ARP/ND responder for known IPs.  It contains
>> these
>> -  logical flows:
>> +  This table implements ARP/ND responder in a logical switch for
>> known
>> +  IPs.  The advantage of the ARP responder flow is to limit ARP
>> +  broadcasts by locally responding to ARP requests without the need
>> to
>> +  send to other hypervisors.  One common case is when the inport is a
>> +  logical port associated with a VIF and the broadcast is responded
>> to
>> +  on the local hypervisor rather than broadcast across the whole
>> +  network and responded to by the destination VM.  This behavior is
>> +  proxy ARP.
>> +
>> +
>> +
>> +  ARP requests arrive from VMs from a logical switch inport of type
>> +  default.  For this case, the logical switch proxy ARP rules can be
>> +  for other VMs or logical router ports.  Logical switch proxy ARP
>> +  rules may be programmed both for mac binding of IP addresses on
>> +  other logical switch VIF ports (which are of the default logical
>> +  switch port type, representing connectivity to VMs or containers),
>> +  and for mac binding of IP addresses on logical switch router type
>> +  ports, representing their logical router port peers.  In order to
>> +  support proxy ARP for logical router ports, an IP address must be
>> +  configured on the logical switch router type port, with the same
>> +  value as the peer of the logical router port.  The configured MAC
>>
>
> Instead of "peer of the logical router port" (did you mean the logical
> router port or the logical switch router type port?), perhaps just
> "peer logical router port"?
>

"peer logical router port" is the intended meaning - good catch.


>
>
>> +  addresses must match as well.  When a VM sends an ARP request for a
>> +  distributed logical router port and if the peer  router type port
>> of
>>
>
> There is an extra space in "peer  router".
>

thanks


>
>
>> +  the attached logical switch does not have an IP address configured,
>> +  the ARP request will be broadcast on the logical switch.  One of
>> the
>> +  copies of the ARP request will go through the logical switch router
>> +  type port to the logical router datapath, where the logical router
>> ARP
>> +  responder will generate a reply.  The mac binding in a VM for an
>> +  associated distributed logical router will be used for all
>> +  communication needing routing, hence the action of a VM re-arping
>> for
>> +  the mac binding of the logical router port should be rare.
>>
>
> There is a context switch going into the last sentence that can be a bit
> confusing. How about:
>
> After the VM learns a MAC binding for an associated distributed logical
> router, that MAC binding will be used for all communication needing
> routing, hence ...
>

MAC binding is the subject of the sentence and I prefer the active voice.
However, I partially folded in your suggestion:

"The MAC binding of a distributed logical router, once learned by an
associated VM, is used for all that VM's communication needing routing.
Hence, the action of a VM re-arping for the mac binding of the logical
router port should be rare."



>
>
>> +
>> +
>> +
>> +  Logical switch ARP responder proxy ARP rules can also be hit when
>> +  receiving ARP requests externally on a L2 gateway port.  In this
>> case,
>> +  the hypervisor acting as an L2 gateway, responds to the ARP
>> request on
>> +  behalf of a destination VM.
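Review bot: the new text says the IP address on the logical switch router type port must equal the peer logical router port's and that "The configured MAC addresses must match as well", but it never says what happens on a mismatch; state whether ovn-northd rejects or ignores a mismatched binding, or whether the proxy ARP reply is simply sent with the switch port's MAC, since that is the misconfiguration an operator will have to debug. Also, "the hypervisor acting as an L2 gateway, responds to the ARP request" has a stray comma before "responds".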

[ovs-dev] [PATCH] datapath-windows: Enable support for tracking ICMP code and type

2016-11-02 Thread Sairam Venugopal
Add support for tracking ICMP code and type in the Hyper-V Conntrack
module. This code is similar to the userspace connection tracker.

Signed-off-by: Sairam Venugopal 
---
 datapath-windows/ovsext/Conntrack-icmp.c  | 80 +++
 datapath-windows/ovsext/Conntrack-other.c | 15 ++
 datapath-windows/ovsext/Conntrack-tcp.c   | 25 +-
 datapath-windows/ovsext/Conntrack.c   | 72 +---
 datapath-windows/ovsext/Conntrack.h   | 24 +-
 datapath-windows/ovsext/ovsext.vcxproj|  1 +
 6 files changed, 185 insertions(+), 32 deletions(-)
 create mode 100644 datapath-windows/ovsext/Conntrack-icmp.c

diff --git a/datapath-windows/ovsext/Conntrack-icmp.c 
b/datapath-windows/ovsext/Conntrack-icmp.c
new file mode 100644
index 000..ffcd2df
--- /dev/null
+++ b/datapath-windows/ovsext/Conntrack-icmp.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2016 VMware, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "NetProto.h"
+#include "Conntrack.h"
+#include 
+
+enum icmp_state {
+ICMPS_FIRST,
+ICMPS_REPLY,
+};
+
+struct conn_icmp {
+struct OVS_CT_ENTRY up;
+enum icmp_state state;
+};
+
+static const enum ct_timeout icmp_timeouts[] = {
+[ICMPS_FIRST] = 60 * CT_INTERVAL_SEC,
+[ICMPS_REPLY] = 30 * CT_INTERVAL_SEC,
+};
+
+static __inline struct conn_icmp *
+OvsCastConntrackEntryToIcmpEntry(OVS_CT_ENTRY* conn)
+{
+return CONTAINER_OF(conn, struct conn_icmp, up);
+}
+
+enum CT_UPDATE_RES
+OvsConntrackUpdateIcmpEntry(OVS_CT_ENTRY* conn_,
+BOOLEAN reply,
+UINT64 now)
+{
+struct conn_icmp *conn = OvsCastConntrackEntryToIcmpEntry(conn_);
+
+if (reply && conn->state != ICMPS_REPLY) {
+conn->state = ICMPS_REPLY;
+}
+
+OvsConntrackUpdateExpiration(>up, now,
+ icmp_timeouts[conn->state]);
+
+return CT_UPDATE_VALID;
+}
+
+BOOLEAN
+OvsConntrackValidateIcmpPacket(const ICMPHdr *icmp)
+{
+return icmp->type == ICMP4_ECHO_REQUEST
+   || icmp->type == ICMP4_INFO_REQUEST
+   || icmp->type == ICMP4_TIMESTAMP_REQUEST;
+}
+
+OVS_CT_ENTRY *
+OvsConntrackCreateIcmpEntry(UINT64 now)
+{
+struct conn_icmp *conn;
+
+conn = OvsAllocateMemoryWithTag(sizeof(struct conn_icmp),
+OVS_CT_POOL_TAG);
+conn->state = ICMPS_FIRST;
+
+OvsConntrackUpdateExpiration(>up, now,
+ icmp_timeouts[conn->state]);
+
+return >up;
+}
diff --git a/datapath-windows/ovsext/Conntrack-other.c 
b/datapath-windows/ovsext/Conntrack-other.c
index b853020..6c68ba8 100644
--- a/datapath-windows/ovsext/Conntrack-other.c
+++ b/datapath-windows/ovsext/Conntrack-other.c
@@ -41,14 +41,7 @@ OvsCastConntrackEntryToOtherEntry(OVS_CT_ENTRY *conn)
 return CONTAINER_OF(conn, struct conn_other, up);
 }
 
-static __inline VOID
-OvsConntrackUpdateExpiration(struct conn_other *conn, long long now)
-{
-ASSERT(conn);
-conn->up.expiration = now + other_timeouts[conn->state];
-}
-
-enum ct_update_res
+enum CT_UPDATE_RES
 OvsConntrackUpdateOtherEntry(OVS_CT_ENTRY *conn_,
  BOOLEAN reply,
  UINT64 now)
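Review bot: the static OvsConntrackUpdateExpiration() removed here carried `ASSERT(conn);`, but the body of the shared replacement that the later hunks call with the embedded `up` entry is not part of this excerpt; please confirm the common helper in Conntrack.c keeps an equivalent NULL assertion so the refactor does not silently drop that check.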
@@ -62,7 +55,8 @@ OvsConntrackUpdateOtherEntry(OVS_CT_ENTRY *conn_,
 conn->state = OTHERS_MULTIPLE;
 }
 
-OvsConntrackUpdateExpiration(conn, now);
+OvsConntrackUpdateExpiration(>up, now,
+ other_timeouts[conn->state]);
 
 return CT_UPDATE_VALID;
 }
@@ -78,6 +72,7 @@ OvsConntrackCreateOtherEntry(UINT64 now)
 }
 conn->up = (OVS_CT_ENTRY) {0};
 conn->state = OTHERS_FIRST;
-OvsConntrackUpdateExpiration(conn, now);
+OvsConntrackUpdateExpiration(>up, now,
+ other_timeouts[conn->state]);
 return >up;
 }
diff --git a/datapath-windows/ovsext/Conntrack-tcp.c 
b/datapath-windows/ovsext/Conntrack-tcp.c
index 6adf490..c7fcfa8 100644
--- a/datapath-windows/ovsext/Conntrack-tcp.c
+++ b/datapath-windows/ovsext/Conntrack-tcp.c
@@ -199,14 +199,6 @@ OvsGetTcpPayloadLength(PNET_BUFFER_LIST nbl)
 - (sizeof * tcp);
 }
 
-static __inline void
-OvsConntrackUpdateExpiration(struct conn_tcp *conn,
- long long now,
- long long interval)
-{
-conn->up.expiration = now + interval;
-}
-
 static __inline struct conn_tcp*

Re: [ovs-dev] [PATCH] Add support for specifying SSL connection parameters to ovsdb

2016-11-02 Thread Ethan Rahn
Added a 'Signed-off-by' line. Thanks for getting back to me and for being
patient while I learned how to use 'git send-email'. I'm glad I could
contribute upstream to the project.

Cheers,

Ethan

On Wed, Nov 2, 2016 at 4:19 PM, Ethan Rahn  wrote:

>
> Signed-off-by: Ethan Rahn 
> ---
>  AUTHORS   |  1 +
>  lib/automake.mk   |  2 +
>  lib/ssl-connect-syn.man   |  5 +++
>  lib/ssl-connect.man   | 16 +++
>  lib/stream-ssl.c  | 70
> +++
>  lib/stream-ssl.h  | 20 -
>  manpages.mk   |  8 
>  ovn/controller-vtep/ovn-controller-vtep.c |  3 +-
>  ovn/controller/ovn-controller.c   |  3 +-
>  ovn/northd/ovn-northd.c   |  1 +
>  ovn/utilities/ovn-nbctl.c |  3 +-
>  ovn/utilities/ovn-sbctl.c |  3 +-
>  ovn/utilities/ovn-trace.c |  1 +
>  ovsdb/ovsdb-client.1.in   |  3 ++
>  ovsdb/ovsdb-client.c  |  3 +-
>  ovsdb/ovsdb-server.1.in   |  3 ++
>  ovsdb/ovsdb-server.c  | 23 --
>  tests/ovsdb-server.at | 68
> +-
>  tests/test-jsonrpc.c  |  3 +-
>  utilities/ovs-ofctl.c |  3 +-
>  utilities/ovs-testcontroller.c|  3 +-
>  utilities/ovs-vsctl.c |  3 +-
>  vswitchd/ovs-vswitchd.c   |  1 +
>  vtep/vtep-ctl.c   |  3 +-
>  24 files changed, 234 insertions(+), 18 deletions(-)
>  create mode 100644 lib/ssl-connect-syn.man
>  create mode 100644 lib/ssl-connect.man
>
> diff --git a/AUTHORS b/AUTHORS
> index c089d59..197142f 100644
> --- a/AUTHORS
> +++ b/AUTHORS
> @@ -80,6 +80,7 @@ Eitan Eliahuelia...@vmware.com
>  Eohyung Lee liquidnu...@gmail.com
>  Eric Sesterhenn eric.sesterh...@lsexperts.de
>  Ethan J. Jacksone...@eecs.berkeley.edu
> +Ethan Rahn  er...@arista.com
>  Eziz Durdyyev   ezizdu...@gmail.com
>  Flavio Fernandesfla...@flaviof.com
>  Flavio Leitner  f...@redhat.com
> diff --git a/lib/automake.mk b/lib/automake.mk
> index 165e6a8..62bb17b 100644
> --- a/lib/automake.mk
> +++ b/lib/automake.mk
> @@ -462,6 +462,8 @@ MAN_FRAGMENTS += \
> lib/ssl-peer-ca-cert-syn.man \
> lib/ssl.man \
> lib/ssl-syn.man \
> +   lib/ssl-connect.man \
> +   lib/ssl-connect-syn.man \
> lib/table.man \
> lib/unixctl.man \
> lib/unixctl-syn.man \
> diff --git a/lib/ssl-connect-syn.man b/lib/ssl-connect-syn.man
> new file mode 100644
> index 000..0510a59
> --- /dev/null
> +++ b/lib/ssl-connect-syn.man
> @@ -0,0 +1,5 @@
> +.IP "SSL connection options:"
> +[\fB\-\-ssl\-protocols=\fITLSv1,TLSv1.1,TLSv1.2\fR]
> +.br
> +[\fB\-\-ssl\-ciphers=\fIHIGH:!aNULL:!MD5\fR]
> +.br
> diff --git a/lib/ssl-connect.man b/lib/ssl-connect.man
> new file mode 100644
> index 000..dcc6a79
> --- /dev/null
> +++ b/lib/ssl-connect.man
> @@ -0,0 +1,16 @@
> +.de IQ
> +.  br
> +.  ns
> +.  IP "\\$1"
> +..
> +.IQ "\fB\-\-ssl\-protocols=\fITLSv1,TLSv1.1,TLSv1.2\fR"
> +Specifies, in a comma or white-list delimited, list the SSL protocols
> \fB\*(PN\fR
> +will support for SSL connections. Supported protocols are: TLSv1, TLSv1.1,
> +TLSv1.2. Order does not matter, the highest protocol supported by both
> sides
> +will be choosen when making the connection.
> +.
> +.IQ "\fB\-\-ssl\-ciphers=\fIHIGH:!aNULL:!MD5\fR"
> +Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will
> +support for SSL connections.
> +
> +
> diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> index a5c32a1..87b8de9 100644
> --- a/lib/stream-ssl.c
> +++ b/lib/stream-ssl.c
> @@ -162,6 +162,8 @@ struct ssl_config_file {
>  static struct ssl_config_file private_key;
>  static struct ssl_config_file certificate;
>  static struct ssl_config_file ca_cert;
> +static char *ssl_protocols = "TLSv1,TLSv1.1,TLSv1.2";
> +static char *ssl_ciphers = "HIGH:!aNULL:!MD5";
>
>  /* Ordinarily, the SSL client and server verify each other's certificates
> using
>   * a CA certificate.  Setting this to false disables this behavior.
> (This is a
> @@ -966,6 +968,7 @@ do_ssl_init(void)
>  SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_
> CERT,
> NULL);
>  SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
> +SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5");
>
>  return 0;
>  }
> @@ -1114,6 +1117,73 @@ stream_ssl_set_key_and_cert(const char
> *private_key_file,
>  }
>  }
>
> +/* Sets SSL ciphers based on string input. Aborts with an error message
> + * if 'arg' is invalid. */
> +void
> +stream_ssl_set_ciphers(const char *arg)
> +{
> +if (ssl_init() || !arg || 

[ovs-dev] [PATCH] Add support for specifying SSL connection parameters to ovsdb

2016-11-02 Thread Ethan Rahn
OVSDB currently does not support fine-tuning the SSL parameters used for 
connections. This means that users are unable to specify that ciphers 
widely considered to be unsafe should not be used, or to avoid using TLS 
protocols that do not meet their organizational standards.

This adds two new commands "--ssl-protocols" and "--ssl-ciphers" to the ovsdb 
programs to specify which SSL protocols and ciphers to use. In addition, the 
default cipher string is set to "HIGH:!aNULL:!MD5". This is the current default 
for nginx and removes weak ciphers while allowing most services from the last 
several years to still connect.

The patch was tested by adding new test cases that check that the options can 
be set and that, when incompatible SSL parameters are used, communication 
fails. Additionally, since this adds 2 new files, "make distcheck" was used to 
verify that this works correctly.

Ethan Rahn (1):
  Add support for specifying SSL connection parameters to ovsdb

 AUTHORS   |  1 +
 lib/automake.mk   |  2 +
 lib/ssl-connect-syn.man   |  5 +++
 lib/ssl-connect.man   | 16 +++
 lib/stream-ssl.c  | 70 +++
 lib/stream-ssl.h  | 20 -
 manpages.mk   |  8 
 ovn/controller-vtep/ovn-controller-vtep.c |  3 +-
 ovn/controller/ovn-controller.c   |  3 +-
 ovn/northd/ovn-northd.c   |  1 +
 ovn/utilities/ovn-nbctl.c |  3 +-
 ovn/utilities/ovn-sbctl.c |  3 +-
 ovn/utilities/ovn-trace.c |  1 +
 ovsdb/ovsdb-client.1.in   |  3 ++
 ovsdb/ovsdb-client.c  |  3 +-
 ovsdb/ovsdb-server.1.in   |  3 ++
 ovsdb/ovsdb-server.c  | 23 --
 tests/ovsdb-server.at | 68 +-
 tests/test-jsonrpc.c  |  3 +-
 utilities/ovs-ofctl.c |  3 +-
 utilities/ovs-testcontroller.c|  3 +-
 utilities/ovs-vsctl.c |  3 +-
 vswitchd/ovs-vswitchd.c   |  1 +
 vtep/vtep-ctl.c   |  3 +-
 24 files changed, 234 insertions(+), 18 deletions(-)
 create mode 100644 lib/ssl-connect-syn.man
 create mode 100644 lib/ssl-connect.man

-- 
1.8.1.4

___
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
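The cover letter above introduces two operator-supplied inputs, an OpenSSL cipher string (default "HIGH:!aNULL:!MD5") and a comma- or whitespace-delimited TLS protocol list. The script below is an added example, not code from the patch or from Open vSwitch: it shows which suites the default string actually selects, that a rejected cipher string must be treated as an error rather than logged and ignored, and how a protocol list should be parsed so a typo cannot silently widen the allowed set. Function names and the protocol table are assumptions made for this example.

```python
"""Validate the two inputs an --ssl-ciphers / --ssl-protocols style option
accepts.  Added example, not OVS code; names and the protocol table are
assumptions made for this illustration."""
import re
import ssl

# Default cipher string proposed in the cover letter.
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"

# The protocol names the new man page fragment lists as supported, mapped
# to the ssl module's version constants (assumed mapping for this example).
KNOWN_PROTOCOLS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def expand_cipher_string(cipher_string):
    """Return the suite names OpenSSL selects for 'cipher_string'.

    Raises ValueError when OpenSSL rejects the string, i.e. when
    SSL_CTX_set_cipher_list() would return 0.  A caller that merely logs
    at that point keeps whatever cipher list was active before, which is
    exactly the outcome a cipher option is meant to prevent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as err:
        raise ValueError("invalid cipher string %r: %s" % (cipher_string, err))
    return [suite["name"] for suite in ctx.get_ciphers()]


def is_valid_cipher_string(cipher_string):
    """True if OpenSSL accepts 'cipher_string' and selects at least one suite."""
    try:
        return bool(expand_cipher_string(cipher_string))
    except ValueError:
        return False


def weak_suites(names):
    """Suites the default string is meant to exclude: anonymous key exchange
    (ADH-/AECDH- prefixes), NULL encryption, or an MD5 MAC."""
    return [n for n in names
            if "MD5" in n or "NULL" in n or n.startswith(("ADH-", "AECDH-"))]


def parse_protocol_list(arg):
    """Parse a comma- or whitespace-delimited list such as
    'TLSv1.2, TLSv1 TLSv1.1' into protocol names ordered by version.

    Input order does not matter.  An unknown name is an error rather than
    something to skip: silently ignoring it would change the allowed set
    without anyone noticing.
    """
    words = [w for w in re.split(r"[,\s]+", arg) if w]
    if not words:
        raise ValueError("empty protocol list")
    unknown = sorted(set(words) - set(KNOWN_PROTOCOLS))
    if unknown:
        raise ValueError("unknown protocol(s): %s" % ", ".join(unknown))
    return sorted(set(words), key=KNOWN_PROTOCOLS.get)


def disabled_protocols(arg):
    """Known protocols that 'arg' leaves out, i.e. the ones a C
    implementation would turn into SSL_OP_NO_* context flags."""
    allowed = set(parse_protocol_list(arg))
    return sorted(set(KNOWN_PROTOCOLS) - allowed, key=KNOWN_PROTOCOLS.get)


if __name__ == "__main__":
    selected = expand_cipher_string(DEFAULT_CIPHERS)
    print("suites selected by %s:" % DEFAULT_CIPHERS)
    for name in selected:
        print("  ", name)
    print("weak suites present:", weak_suites(selected))
    print("disabled by 'TLSv1.2':", disabled_protocols("TLSv1.2"))
```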


[ovs-dev] [PATCH] Add support for specifying SSL connection parameters to ovsdb

2016-11-02 Thread Ethan Rahn

Signed-off-by: Ethan Rahn 
---
 AUTHORS   |  1 +
 lib/automake.mk   |  2 +
 lib/ssl-connect-syn.man   |  5 +++
 lib/ssl-connect.man   | 16 +++
 lib/stream-ssl.c  | 70 +++
 lib/stream-ssl.h  | 20 -
 manpages.mk   |  8 
 ovn/controller-vtep/ovn-controller-vtep.c |  3 +-
 ovn/controller/ovn-controller.c   |  3 +-
 ovn/northd/ovn-northd.c   |  1 +
 ovn/utilities/ovn-nbctl.c |  3 +-
 ovn/utilities/ovn-sbctl.c |  3 +-
 ovn/utilities/ovn-trace.c |  1 +
 ovsdb/ovsdb-client.1.in   |  3 ++
 ovsdb/ovsdb-client.c  |  3 +-
 ovsdb/ovsdb-server.1.in   |  3 ++
 ovsdb/ovsdb-server.c  | 23 --
 tests/ovsdb-server.at | 68 +-
 tests/test-jsonrpc.c  |  3 +-
 utilities/ovs-ofctl.c |  3 +-
 utilities/ovs-testcontroller.c|  3 +-
 utilities/ovs-vsctl.c |  3 +-
 vswitchd/ovs-vswitchd.c   |  1 +
 vtep/vtep-ctl.c   |  3 +-
 24 files changed, 234 insertions(+), 18 deletions(-)
 create mode 100644 lib/ssl-connect-syn.man
 create mode 100644 lib/ssl-connect.man

diff --git a/AUTHORS b/AUTHORS
index c089d59..197142f 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -80,6 +80,7 @@ Eitan Eliahuelia...@vmware.com
 Eohyung Lee liquidnu...@gmail.com
 Eric Sesterhenn eric.sesterh...@lsexperts.de
 Ethan J. Jacksone...@eecs.berkeley.edu
+Ethan Rahn  er...@arista.com
 Eziz Durdyyev   ezizdu...@gmail.com
 Flavio Fernandesfla...@flaviof.com
 Flavio Leitner  f...@redhat.com
diff --git a/lib/automake.mk b/lib/automake.mk
index 165e6a8..62bb17b 100644
--- a/lib/automake.mk
+++ b/lib/automake.mk
@@ -462,6 +462,8 @@ MAN_FRAGMENTS += \
lib/ssl-peer-ca-cert-syn.man \
lib/ssl.man \
lib/ssl-syn.man \
+   lib/ssl-connect.man \
+   lib/ssl-connect-syn.man \
lib/table.man \
lib/unixctl.man \
lib/unixctl-syn.man \
diff --git a/lib/ssl-connect-syn.man b/lib/ssl-connect-syn.man
new file mode 100644
index 000..0510a59
--- /dev/null
+++ b/lib/ssl-connect-syn.man
@@ -0,0 +1,5 @@
+.IP "SSL connection options:"
+[\fB\-\-ssl\-protocols=\fITLSv1,TLSv1.1,TLSv1.2\fR]
+.br
+[\fB\-\-ssl\-ciphers=\fIHIGH:!aNULL:!MD5\fR]
+.br
diff --git a/lib/ssl-connect.man b/lib/ssl-connect.man
new file mode 100644
index 000..dcc6a79
--- /dev/null
+++ b/lib/ssl-connect.man
@@ -0,0 +1,16 @@
+.de IQ
+.  br
+.  ns
+.  IP "\\$1"
+..
+.IQ "\fB\-\-ssl\-protocols=\fITLSv1,TLSv1.1,TLSv1.2\fR"
+Specifies, in a comma or white-list delimited, list the SSL protocols 
\fB\*(PN\fR
+will support for SSL connections. Supported protocols are: TLSv1, TLSv1.1,
+TLSv1.2. Order does not matter, the highest protocol supported by both sides
+will be choosen when making the connection.
+.
+.IQ "\fB\-\-ssl\-ciphers=\fIHIGH:!aNULL:!MD5\fR"
+Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will 
+support for SSL connections.
+
+
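Review bot: two wording problems in the new option text: "in a comma or white-list delimited, list" should read "in a comma- or whitespace-delimited list" ("white-list" means something else entirely in a TLS context), and "choosen" should be "chosen". The --ssl-ciphers entry should also state the default ("HIGH:!aNULL:!MD5", as the synopsis fragment shows) and that the value is an OpenSSL cipher-list string, so an operator knows which syntax to consult. The two trailing blank lines at the end of the new file can go.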
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index a5c32a1..87b8de9 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -162,6 +162,8 @@ struct ssl_config_file {
 static struct ssl_config_file private_key;
 static struct ssl_config_file certificate;
 static struct ssl_config_file ca_cert;
+static char *ssl_protocols = "TLSv1,TLSv1.1,TLSv1.2";
+static char *ssl_ciphers = "HIGH:!aNULL:!MD5";
 
 /* Ordinarily, the SSL client and server verify each other's certificates using
  * a CA certificate.  Setting this to false disables this behavior.  (This is a
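Review bot: `ssl_protocols` and `ssl_ciphers` are declared `char *` but initialized from string literals, and nothing in this patch writes through them; declare them `const char *` so a later free() or modification of the literal cannot creep in. More importantly, these defaults are recorded here but the context built in do_ssl_init() below hard-codes the cipher literal instead of reading `ssl_ciphers`, and does not apply `ssl_protocols` at all, so the globals and the actual context state can diverge.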
@@ -966,6 +968,7 @@ do_ssl_init(void)
 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
NULL);
 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5");
 
 return 0;
 }
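Review bot: `SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5");` duplicates the literal already held in `ssl_ciphers` and discards the return value. Use `ssl_ciphers` so a value set through --ssl-ciphers before initialization is honoured, and treat a 0 return as fatal (VLOG_FATAL or an error return): a server whose cipher list failed to apply either cannot negotiate at all or, if the failure is ignored, runs with OpenSSL's built-in default rather than the hardened one this patch advertises.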
@@ -1114,6 +1117,73 @@ stream_ssl_set_key_and_cert(const char *private_key_file,
 }
 }
 
+/* Sets SSL ciphers based on string input. Aborts with an error message
+ * if 'arg' is invalid. */
+void
+stream_ssl_set_ciphers(const char *arg)
+{
+if (ssl_init() || !arg || !strcmp(ssl_ciphers, arg)){
+   return;
+}
+if (SSL_CTX_set_cipher_list(ctx,arg) == 0)
+{
+ VLOG_ERR("SSL_CTX_set_cipher_list: %s",
+  ERR_error_string(ERR_get_error(), NULL));
+}
+ssl_ciphers = xstrdup(arg);
+}
+
+/* Set SSL protocols based on the string input. Aborts with an error message
+ * if 'arg' is invalid. */
+void
+stream_ssl_set_protocols(const char *arg)
+{
+char *s;
+char *save_ptr = NULL;
+char *word;
+long protocolFlags;
+
+if (ssl_init() 
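Review bot: stream_ssl_set_ciphers() does not do what its comment promises ("Aborts with an error message if 'arg' is invalid"): when SSL_CTX_set_cipher_list() returns 0 it logs with VLOG_ERR and then still executes `ssl_ciphers = xstrdup(arg);`, so the recorded setting and the context's real cipher list disagree and the daemon keeps running with the previous list. Either use VLOG_FATAL to match the comment, or return without updating `ssl_ciphers`. The early-return condition also swallows an ssl_init() failure silently, and every successful call leaks the previous xstrdup()'d string. Style: the opening brace of the `if` belongs on the same line as the condition, and `ctx,arg` is missing a space.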

Re: [ovs-dev] [PATCH 2/2] Prepare for 2.6.2.

2016-11-02 Thread Justin Pettit

> On Nov 1, 2016, at 7:56 PM, Ben Pfaff  wrote:
> 
> On Tue, Nov 01, 2016 at 03:44:13PM -0700, Justin Pettit wrote:
>> Signed-off-by: Justin Pettit 
> 
> Acked-by: Ben Pfaff 

Thanks.  I pushed the series to branch-2.6.  I'll kick off the release process.

--Justin





Re: [ovs-dev] [PATCH v2] ovn-controller: Container can have connection to a hosting VM.

2016-11-02 Thread Guru Shetty
On 2 November 2016 at 09:09, Ben Pfaff  wrote:

> On Wed, Oct 05, 2016 at 03:17:44AM -0700, Gurucharan Shetty wrote:
> > A Container running inside a VM can have a connection to the
> > hosting VM (parent port) in the logical topology (for e.g via a router).
> > So we should be able to loop-back into the same VM, even if the
> > final packet delivered does not have any tags in it.
> >
> > Reported-by: Dustin Spinhirne 
> > Signed-off-by: Gurucharan Shetty 
>
> Sorry about the delay in review.  (It's too bad we didn't get this into
> 2.6.1, but there's always 2.6.2.)
>
> Acked-by: Ben Pfaff 
>
Thank you, I applied this to master and 2.6


[ovs-dev] Supply Chain Management Target Approach

2016-11-02 Thread Sarah Brush
Did you get a chance to review my previous email? Please let me know if you would 
like to review a few sample records from your target audience.



Look forward to hearing back.



Regards,



Sarah

___

From: Sarah Brush
Sent: Wednesday, October 26, 2016 3:26 PM
To: dev@openvswitch.org

Subject: Supply Chain Management Target Approach

Hi,

Would you be interested in an email lead list of Supply Chain Executives? We 
can help you reach out to.

Title includes:

- VP of Supply Chain
- Director of Supply Chain
- Supply Chain Manager
- Purchasing Manager
- Purchasing Director
- Procurement Manager
- Procurement Director

The list comes with complete contact information like Contact name, Email 
address, Title, Company name, Phone number, Mailing address, etc.

I'd be happy to send over few sample records on your request, and set up a time 
to discuss further.

If there is someone else in your organization that I need to speak with, I'd be 
grateful if you would forward this email to the appropriate contact and help me 
with the introduction.

Have a great day!


Regards,

Sarah Brush / INF Solutions / 302-250-4336
If you don't wish to receive emails from us reply back with "Unsubscribe".



Re: [ovs-dev] [PATCH] netdev-dpdk: Fix crash in QoS.

2016-11-02 Thread Stokes, Ian
> qos_conf can be NULL.  This can be easily reproduced by setting egress QoS
> on a port:
> 
> ```
> ovs-vsctl set port dpdk2 qos=@newqos -- --id=@newqos create qos
> type=egress-policer other-config:cir=4600 other-config:cbs=2048
> ```
> 
> Reported-by: Ian Stokes 
> Fixes: 78bd47cf44a5 ("netdev-dpdk: Use RCU for egress QoS.")
> Signed-off-by: Daniele Di Proietto 
> ---
>  lib/netdev-dpdk.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/netdev-dpdk.c b/lib/netdev-dpdk.c index 7c1523e..49750c3
> 100644
> --- a/lib/netdev-dpdk.c
> +++ b/lib/netdev-dpdk.c
> @@ -2803,7 +2803,7 @@ netdev_dpdk_set_qos(struct netdev *netdev, const
> char *type,
>  if (type && type[0]) {
>  error = EOPNOTSUPP;
>  }
> -} else if (qos_conf->ops == new_ops
> +} else if (qos_conf && qos_conf->ops == new_ops
> && qos_conf->ops->qos_is_equal(qos_conf, details)) {
>  new_qos_conf = qos_conf;
>  } else {
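Review bot: the added `qos_conf &&` guard only protects the `else if`; when qos_conf is NULL and `type` names a supported policer, control falls into the final `else` branch, which lies outside this hunk, so please confirm that branch builds a fresh configuration without touching qos_conf. A unit test that runs the reproducer command from the commit message would keep this NULL path from regressing.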
> --
> 2.9.3

Thanks for this Daniele.

Tested-by: Ian Stokes 
Acked-by: Ian Stokes 




Re: [ovs-dev] [PATCH 00/23] Convert next batch of docs to rST

2016-11-02 Thread Joe Stringer
On 30 October 2016 at 06:29, Stephen Finucane  wrote:
> This is the third conversion series. This one is larger yet again,
> though many of the docs are rather small. After this series, only the
> two tutorial docs in 'tutorial' require conversion (along with any
> unsuffixed files I may have missed).
>
> /me didn't realize there was quite this much documentation in the repo.

Hi Stephen,

I was wanting to make a (very minor) doc change but since this much
larger series is on the list I thought it's best for this to go in
first. I tried to rebase my doc change against this series so it could
go in after this does and save you any effort of rebasing this series
and potentially losing my change. Unfortunately I had a bit of trouble
trying to apply this series, starting with "doc: Convert
rhel/README.RHEL to rST".

I think that maybe the series needs a rebase against latest master. Is
this series also available via git somewhere? That would make it a
little easier for me to base my change on top.

Thanks again for your heroic efforts on this rST/sphinx work!
Joe


Re: [ovs-dev] [PATCH] ovn-nb: Document the syntax for an address set name.

2016-11-02 Thread Ben Pfaff
On Fri, Oct 07, 2016 at 09:00:13AM -0700, Ben Pfaff wrote:
> Also, it is not necessary to specify that the name must be unique because
> the schema documentation generator does that for us.
> 
> Reported-by: Kevin Lin 
> Reported-at: http://openvswitch.org/pipermail/dev/2016-October/080386.html
> Signed-off-by: Ben Pfaff 

This needs a review, which should be easy.


Re: [ovs-dev] [PATCH] Add support for specifying SSL connection parameters to ovsdb

2016-11-02 Thread Ben Pfaff
Thanks a lot.  I have only a few style fixes for this.  May I have a
Signed-off-by?

Thanks,

Ben.

On Thu, Oct 06, 2016 at 04:22:19PM -0700, Ethan Rahn wrote:
> Third time is the charm :) Sent via git send-email this time around.
> Thanks for your patience and sorry for the trouble.
> 
> Cheers,
> 
> Ethan
> 
> On Thu, Oct 6, 2016 at 4:21 PM, Ethan Rahn  wrote:
> > ---
> >  AUTHORS   |  1 +
> >  lib/automake.mk   |  2 +
> >  lib/ssl-connect-syn.man   |  5 +++
> >  lib/ssl-connect.man   | 16 +++
> >  lib/stream-ssl.c  | 70 
> > +++
> >  lib/stream-ssl.h  | 20 -
> >  manpages.mk   |  8 
> >  ovn/controller-vtep/ovn-controller-vtep.c |  3 +-
> >  ovn/controller/ovn-controller.c   |  3 +-
> >  ovn/northd/ovn-northd.c   |  1 +
> >  ovn/utilities/ovn-nbctl.c |  3 +-
> >  ovn/utilities/ovn-sbctl.c |  3 +-
> >  ovn/utilities/ovn-trace.c |  1 +
> >  ovsdb/ovsdb-client.1.in   |  3 ++
> >  ovsdb/ovsdb-client.c  |  3 +-
> >  ovsdb/ovsdb-server.1.in   |  3 ++
> >  ovsdb/ovsdb-server.c  | 23 --
> >  tests/ovsdb-server.at | 68 
> > +-
> >  tests/test-jsonrpc.c  |  3 +-
> >  utilities/ovs-ofctl.c |  3 +-
> >  utilities/ovs-testcontroller.c|  3 +-
> >  utilities/ovs-vsctl.c |  3 +-
> >  vswitchd/ovs-vswitchd.c   |  1 +
> >  vtep/vtep-ctl.c   |  3 +-
> >  24 files changed, 234 insertions(+), 18 deletions(-)
> >  create mode 100644 lib/ssl-connect-syn.man
> >  create mode 100644 lib/ssl-connect.man
> >
> > diff --git a/AUTHORS b/AUTHORS
> > index c089d59..197142f 100644
> > --- a/AUTHORS
> > +++ b/AUTHORS
> > @@ -80,6 +80,7 @@ Eitan Eliahuelia...@vmware.com
> >  Eohyung Lee liquidnu...@gmail.com
> >  Eric Sesterhenn eric.sesterh...@lsexperts.de
> >  Ethan J. Jacksone...@eecs.berkeley.edu
> > +Ethan Rahn  er...@arista.com
> >  Eziz Durdyyev   ezizdu...@gmail.com
> >  Flavio Fernandesfla...@flaviof.com
> >  Flavio Leitner  f...@redhat.com
> > diff --git a/lib/automake.mk b/lib/automake.mk
> > index 165e6a8..62bb17b 100644
> > --- a/lib/automake.mk
> > +++ b/lib/automake.mk
> > @@ -462,6 +462,8 @@ MAN_FRAGMENTS += \
> > lib/ssl-peer-ca-cert-syn.man \
> > lib/ssl.man \
> > lib/ssl-syn.man \
> > +   lib/ssl-connect.man \
> > +   lib/ssl-connect-syn.man \
> > lib/table.man \
> > lib/unixctl.man \
> > lib/unixctl-syn.man \
> > diff --git a/lib/ssl-connect-syn.man b/lib/ssl-connect-syn.man
> > new file mode 100644
> > index 000..0510a59
> > --- /dev/null
> > +++ b/lib/ssl-connect-syn.man
> > @@ -0,0 +1,5 @@
> > +.IP "SSL connection options:"
> > +[\fB\-\-ssl\-protocols=\fITLSv1,TLSv1.1,TLSv1.2\fR]
> > +.br
> > +[\fB\-\-ssl\-ciphers=\fIHIGH:!aNULL:!MD5\fR]
> > +.br
> > diff --git a/lib/ssl-connect.man b/lib/ssl-connect.man
> > new file mode 100644
> > index 000..dcc6a79
> > --- /dev/null
> > +++ b/lib/ssl-connect.man
> > @@ -0,0 +1,16 @@
> > +.de IQ
> > +.  br
> > +.  ns
> > +.  IP "\\$1"
> > +..
> > +.IQ "\fB\-\-ssl\-protocols=\fITLSv1,TLSv1.1,TLSv1.2\fR"
> > +Specifies, in a comma or white-list delimited, list the SSL protocols 
> > \fB\*(PN\fR
> > +will support for SSL connections. Supported protocols are: TLSv1, TLSv1.1,
> > +TLSv1.2. Order does not matter, the highest protocol supported by both 
> > sides
> > +will be choosen when making the connection.
> > +.
> > +.IQ "\fB\-\-ssl\-ciphers=\fIHIGH:!aNULL:!MD5\fR"
> > +Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will
> > +support for SSL connections.
> > +
> > +
> > diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> > index a5c32a1..87b8de9 100644
> > --- a/lib/stream-ssl.c
> > +++ b/lib/stream-ssl.c
> > @@ -162,6 +162,8 @@ struct ssl_config_file {
> >  static struct ssl_config_file private_key;
> >  static struct ssl_config_file certificate;
> >  static struct ssl_config_file ca_cert;
> > +static char *ssl_protocols = "TLSv1,TLSv1.1,TLSv1.2";
> > +static char *ssl_ciphers = "HIGH:!aNULL:!MD5";
> >
> >  /* Ordinarily, the SSL client and server verify each other's certificates 
> > using
> >   * a CA certificate.  Setting this to false disables this behavior.  (This 
> > is a
> > @@ -966,6 +968,7 @@ do_ssl_init(void)
> >  SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | 
> > SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
> > NULL);
> >  SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
> > +SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5");
> >
> >  return 0;
> 

Re: [ovs-dev] [PATCH v2] ovn: Add a case of policy based routing.

2016-11-02 Thread Ben Pfaff
On Wed, Nov 02, 2016 at 09:28:44AM -0700, Ben Pfaff wrote:
> On Thu, Oct 06, 2016 at 03:53:12AM -0700, Gurucharan Shetty wrote:
> > OVN currently supports multiple gateway routers (residing on
> > different chassis) connected to the same logical topology.
> > 
> > When external traffic enters the logical topology, they can enter
> > from any gateway routers and reach its eventual destination. This
> > is achieved with proper static routes configured on the gateway
> > routers.
> > 
> > But when traffic is initiated in the logical space by a logical
> > port, we do not have a good way to distribute that traffic across
> > multiple gateway routers.
> > 
> > This commit introduces one particular way to do it. Based on the
> > source IP address or source IP network of the packet, we can now
> > jump to a specific gateway router.
> > 
> > This is very useful for a specific use case of Kubernetes.
> > When traffic is initiated inside a container heading to outside world,
> > we want to be able to send such traffic outside the gateway router
> > residing in the same host as that of the container. Since each
> > host gets a specific subnet, we can use source IP address based
> > policy routing to decide on the gateway router.
> > 
> > Rationale for using the same routing table for both source and
> > destination IP address based routing:
> > 
> > Some hardware network vendors support policy routing in a different table
> > on arbitrary "match".  And when a packet enters, if there is a match
> > in policy based routing table, the default routing table is not
> > consulted at all.  In case of OVN, we mainly want policy based routing
> > for north-south traffic. We want east-west traffic to flow as-is. Creating
> > a separate table for policy based routing complicates the configuration
> > quite a bit. For e.g., if we have a source IP network based rule added,
> > to decide a particular gateway router as a next hop, we should add rules at
> > a higher priority for all the connected routes to make sure that east-west
> > traffic is not effected in the policy based routing table itself.
> > 
> > Signed-off-by: Gurucharan Shetty 
> 
> Thank you!
> 
> Acked-by: Ben Pfaff 

Oh, you might also add a NEWS item given that OVN is no longer
experimental.
___
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev


Re: [ovs-dev] [PATCH v2] ovn: Add a case of policy based routing.

2016-11-02 Thread Ben Pfaff
On Thu, Oct 06, 2016 at 03:53:12AM -0700, Gurucharan Shetty wrote:
> OVN currently supports multiple gateway routers (residing on
> different chassis) connected to the same logical topology.
> 
> When external traffic enters the logical topology, they can enter
> from any gateway routers and reach its eventual destination. This
> is achieved with proper static routes configured on the gateway
> routers.
> 
> But when traffic is initiated in the logical space by a logical
> port, we do not have a good way to distribute that traffic across
> multiple gateway routers.
> 
> This commit introduces one particular way to do it. Based on the
> source IP address or source IP network of the packet, we can now
> jump to a specific gateway router.
> 
> This is very useful for a specific use case of Kubernetes.
> When traffic is initiated inside a container heading to outside world,
> we want to be able to send such traffic outside the gateway router
> residing in the same host as that of the container. Since each
> host gets a specific subnet, we can use source IP address based
> policy routing to decide on the gateway router.
> 
> Rationale for using the same routing table for both source and
> destination IP address based routing:
> 
> Some hardware network vendors support policy routing in a different table
> on arbitrary "match".  And when a packet enters, if there is a match
> in policy based routing table, the default routing table is not
> consulted at all.  In case of OVN, we mainly want policy based routing
> for north-south traffic. We want east-west traffic to flow as-is. Creating
> a separate table for policy based routing complicates the configuration
> quite a bit. For e.g., if we have a source IP network based rule added,
> to decide a particular gateway router as a next hop, we should add rules at
> a higher priority for all the connected routes to make sure that east-west
> traffic is not effected in the policy based routing table itself.
> 
> Signed-off-by: Gurucharan Shetty 

Thank you!

Acked-by: Ben Pfaff 

I kind of like this better since it doesn't talk about priorities, which
seem like a lower level concept:

diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
index 3646e55..7626551 100644
--- a/ovn/ovn-nb.xml
+++ b/ovn/ovn-nb.xml
@@ -1083,6 +1083,12 @@
   Each record represents a static route.
 
 
+
+  When multiple routes match a packet, the longest-prefix match is chosen.
+  For a given prefix length, a dst-ip route is preferred over
+  a src-ip route.
+
+
 
   
 IP prefix of this route (e.g. 192.168.100.0/24).
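Review bot: the new paragraph fixes the dst-ip over src-ip preference at equal prefix length but says nothing about two routes of the same policy and the same prefix length that both match (for instance two src-ip routes for the same /24 with different nexthops); state that the result is unspecified, or document the tie-break, so operators do not rely on insertion order.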
@@ -1098,16 +1104,12 @@
 
   src-ip: This policy sends the packet to the
when the packet's source IP address matches
-  .  If the  has
-  a mask length of n, then this record gets an implicit
-  priority of 2*n.
+  .

 
   dst-ip: This policy sends the packet to the
when the packet's destination IP address
-  matches .  If the 
-  has a mask length of n, then this record gets an
-  implicit priority of 2*n + 1.
+  matches .
 
   
   
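Review bot: dropping the "implicit priority of 2*n" and "2*n + 1" sentences here leaves the paragraph added above the column list as the only description of the selection order, which is fine for readers, but the two are now only informally tied to the priorities northd actually installs; add a short comment next to the priority computation in ovn-northd.c pointing at this text so the documented rule ("longest prefix, then dst-ip before src-ip") is kept in sync if the priority scheme changes.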
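The selection rule the two messages above describe, modelled as an added example rather than OVN's own code: OVN keeps src-ip and dst-ip routes in one table, the patch's original text gives a src-ip route of mask length n an implicit priority of 2*n and a dst-ip route 2*n+1, and Ben's wording ("longest-prefix match; for a given prefix length, dst-ip is preferred over src-ip") is exactly what those priorities produce. The subnets, gateway addresses and the modelling of connected subnets as dst-ip routes are assumptions made for illustration; the example also shows why sharing one table keeps east-west traffic on the connected route while north-south traffic from each host's pod subnet goes to that host's gateway router.

```python
"""Static-route selection as documented in the policy-based-routing patch.

Added example, not OVN code: src-ip routes get implicit priority 2*n,
dst-ip routes 2*n+1 (n = mask length), and the highest priority among the
matching routes wins.  Addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class StaticRoute:
    ip_prefix: str          # e.g. "10.244.1.0/24"
    nexthop: str            # router or gateway address to forward to
    policy: str = "dst-ip"  # "dst-ip" (default) or "src-ip"

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.ip_prefix, strict=False)

    @property
    def priority(self) -> int:
        """Implicit priority from the patch: 2*n for src-ip, 2*n+1 for dst-ip."""
        n = self.network.prefixlen
        if self.policy == "src-ip":
            return 2 * n
        if self.policy == "dst-ip":
            return 2 * n + 1
        raise ValueError(f"unknown policy {self.policy!r}")


def select_route(routes: Iterable[StaticRoute], src_ip: str,
                 dst_ip: str) -> Optional[StaticRoute]:
    """Return the matching route with the highest implicit priority, or None.

    A src-ip route is matched against the packet's source address, a dst-ip
    route against its destination.  Two matching routes with the same policy
    and prefix length tie; the documentation leaves that case undefined, so
    the first one listed wins here.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for route in routes:
        addr = src if route.policy == "src-ip" else dst
        if addr in route.network and (best is None or
                                      route.priority > best.priority):
            best = route
    return best


# Constructed topology for the Kubernetes case in the commit message: each
# host owns one /24 of pod addresses and runs its own gateway router.
ROUTES = [
    StaticRoute("0.0.0.0/0", "192.0.2.1"),                   # default, prio 1
    StaticRoute("10.244.1.0/24", "10.244.1.1"),              # host 1 subnet, prio 49
    StaticRoute("10.244.2.0/24", "10.244.2.1"),              # host 2 subnet, prio 49
    StaticRoute("10.244.1.0/24", "198.51.100.1", "src-ip"),  # host 1 pods exit via gw 1, prio 48
    StaticRoute("10.244.2.0/24", "198.51.100.2", "src-ip"),  # host 2 pods exit via gw 2, prio 48
]

if __name__ == "__main__":
    for src, dst in [("10.244.1.5", "8.8.8.8"),       # north-south: src-ip /24 beats default
                     ("10.244.1.5", "10.244.2.7"),    # east-west: dst-ip /24 beats src-ip /24
                     ("192.0.2.9", "8.8.8.8")]:       # unknown source: default only
        r = select_route(ROUTES, src, dst)
        print(f"{src} -> {dst}: via {r.nexthop} ({r.policy} {r.ip_prefix}, prio {r.priority})")
```

The east-west case is the one the commit message's rationale turns on: a connected /24 (dst-ip, priority 49) outranks the src-ip /24 (priority 48) for the same hosts, so pod-to-pod traffic is never diverted to a gateway router, whereas a /16 dst-ip aggregate (priority 33) would lose to it.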


Re: [ovs-dev] [PATCH v2] ovn-controller: Container can have connection to a hosting VM.

2016-11-02 Thread Ben Pfaff
On Wed, Oct 05, 2016 at 03:17:44AM -0700, Gurucharan Shetty wrote:
> A Container running inside a VM can have a connection to the
> hosting VM (parent port) in the logical topology (for e.g via a router).
> So we should be able to loop-back into the same VM, even if the
> final packet delivered does not have any tags in it.
> 
> Reported-by: Dustin Spinhirne 
> Signed-off-by: Gurucharan Shetty 

Sorry about the delay in review.  (It's too bad we didn't get this into
2.6.1, but there's always 2.6.2.)

Acked-by: Ben Pfaff 


Re: [ovs-dev] [PATCH] ovn: Fix QoS marking without match

2016-11-02 Thread Ben Pfaff
On Wed, Nov 02, 2016 at 08:38:29PM +0530, Babu Shanmugam wrote:
> When a Logical_Switch's qos_rule does not have a match set, the rule should
> apply for all the logical ports in that switch.
> 
> Signed-off-by: Babu Shanmugam 

I don't think this is really a bug fix, since the documentation for the
QoS table says "match" is an expression in the syntax for the OVN
expression language, and it doesn't say anything about the behavior for
an empty "match".

I suggest that anything that wants to apply a qos rule to every port
should use "1" as the match.


[ovs-dev] [PATCH] ovn: Fix QoS marking without match

2016-11-02 Thread Babu Shanmugam
When a Logical_Switch's qos_rule does not have a match set, the rule should
apply for all the logical ports in that switch.

Signed-off-by: Babu Shanmugam 
---
 ovn/northd/ovn-northd.c | 8 +++-
 tests/ovn.at| 4 
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 91affe4..512abb7 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -2644,12 +2644,18 @@ build_qos(struct ovn_datapath *od, struct hmap *lflows) 
{
 
 if (!strcmp(qos->key_action, "dscp")) {
 struct ds dscp_action = DS_EMPTY_INITIALIZER;
+const char *match;
 
+if (!strcmp(qos->match, "")) {
+match = "1";
+} else {
+match = qos->match;
+}
 ds_put_format(_action, "ip.dscp = %d; next;",
   (uint8_t)qos->value_action);
 ovn_lflow_add(lflows, od, stage,
   qos->priority,
-  qos->match, ds_cstr(_action));
+  match, ds_cstr(_action));
 ds_destroy(_action);
 }
 }
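Review bot: the empty-match substitution at `if (!strcmp(qos->match, "")) { match = "1"; }` lives inside the `dscp` branch only, so any further QoS action added to build_qos() later would silently keep the old behaviour; compute `match` once before `if (!strcmp(qos->key_action, "dscp"))` so every action sees the same rule, and `!qos->match[0]` reads more directly than a strcmp against the empty string. As Ben notes in the thread, the documented contract is that `match` is an expression, so if this stays it also needs a sentence in ovn-nb.xml saying an empty match means "all ports".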
diff --git a/tests/ovn.at b/tests/ovn.at
index cb3e7dd..24dd12f 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -5459,6 +5459,10 @@ check_tos 63
 ovn-nbctl --wait=hv clear Logical_Switch lsw0 qos_rules
 check_tos 0
 
+# without match, packets from all all logical port should be marked
+qos_id=$(ovn-nbctl --wait=hv -- --id=@lp1-qos create QoS priority=100 
action=dscp=48 direction="from-lport" -- set Logical_Switch lsw0 
qos_rules=@lp1-qos)
+check_tos 48
+
 OVN_CLEANUP([hv])
 AT_CLEANUP
 
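Review bot: the comment "packets from all all logical port should be marked" has a doubled word and a number mismatch ("all logical ports"); more importantly the test only checks one port with `check_tos 48` after the rule is created, so it cannot tell an "all ports" match from the previous per-port rule that was just cleared. Send from a second logical port as well, and clear `qos_rules` again before `OVN_CLEANUP` so later tests start from a clean switch.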
-- 
1.9.1



[ovs-dev] [PATCH v4 4/4] ovn: Add ovndb servers ocf script in debian packager

2016-11-02 Thread Babu Shanmugam
The OCF script will be present in the ovn-common package and installed
in the openvswitch scripts folder and a symbolic link to this file will
be created in the OCF resources folder.

The OCF resource agent name for this resource is ocf:ovn:ovndb-servers

Signed-off-by: Babu Shanmugam 
---
 debian/automake.mk |  2 ++
 debian/ovn-common.install  |  1 +
 debian/ovn-common.postinst | 24 
 debian/ovn-common.postrm   | 23 +++
 4 files changed, 50 insertions(+)
 create mode 100644 debian/ovn-common.postinst
 create mode 100644 debian/ovn-common.postrm

diff --git a/debian/automake.mk b/debian/automake.mk
index 73b4d00..f793d4f 100644
--- a/debian/automake.mk
+++ b/debian/automake.mk
@@ -63,6 +63,8 @@ EXTRA_DIST += \
debian/ovn-controller-vtep.manpages \
debian/ovn-common.install \
debian/ovn-common.manpages \
+   debian/ovn-common.postinst \
+   debian/ovn-common.postrm \
debian/ovn-docker.install \
debian/ovn-host.dirs \
debian/ovn-host.init \
diff --git a/debian/ovn-common.install b/debian/ovn-common.install
index acb1dc9..8b833dc 100644
--- a/debian/ovn-common.install
+++ b/debian/ovn-common.install
@@ -1,3 +1,4 @@
 usr/bin/ovn-nbctl
 usr/bin/ovn-sbctl
 usr/share/openvswitch/scripts/ovn-ctl
+usr/share/openvswitch/scripts/ovndb-servers.ocf
diff --git a/debian/ovn-common.postinst b/debian/ovn-common.postinst
new file mode 100644
index 000..588044f
--- /dev/null
+++ b/debian/ovn-common.postinst
@@ -0,0 +1,24 @@
+#!/bin/sh
+# postinst script for ovn-common
+#
+# see: dh_installdeb(1)
+
+set -e
+
+case "$1" in
+configure)
+mkdir -p /usr/lib/ocf/resource.d/ovn
+ln -sf /usr/share/openvswitch/scripts/ovndb-servers.ocf 
/usr/lib/ocf/resource.d/ovn/ovndb-servers
+;;
+abort-upgrade|abort-remove|abort-deconfigure)
+;;
+
+*)
+echo "postinst called with unknown argument \`$1'" >&2
+exit 1
+;;
+esac
+
+#DEBHELPER#
+
+exit 0
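Review bot: creating the symlink with `mkdir -p` and `ln -sf` in postinst means dpkg never records `/usr/lib/ocf/resource.d/ovn/ovndb-servers` as part of the package, so `dpkg -S`, `dpkg -L` and the removal of the package do not know about it, and a matching postrm becomes necessary. A one-line `debian/ovn-common.links` entry (`usr/share/openvswitch/scripts/ovndb-servers.ocf usr/lib/ocf/resource.d/ovn/ovndb-servers`) lets dh_link ship the link as a tracked file and makes both scriptlets unnecessary.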
diff --git a/debian/ovn-common.postrm b/debian/ovn-common.postrm
new file mode 100644
index 000..9face72
--- /dev/null
+++ b/debian/ovn-common.postrm
@@ -0,0 +1,23 @@
+#!/bin/sh
+# postrm script for openvswitch-testcontroller
+#
+# see: dh_installdeb(1)
+
+set -e
+
+case "$1" in
+purge|remove)
+rm -rf /usr/lib/ocf/resource.d/ovn
+;;
+upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+;;
+
+*)
+echo "postrm called with unknown argument \`$1'" >&2
+exit 1
+;;
+esac
+
+#DEBHELPER#
+
+exit 0
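Review bot: the header comment reads "postrm script for openvswitch-testcontroller", a copy-paste leftover; it should name ovn-common. Also `rm -rf /usr/lib/ocf/resource.d/ovn` deletes the whole provider directory, including any other resource agent an administrator may have dropped there, and does so on plain `remove` as well as `purge`; remove only the symlink this package created (`rm -f .../ovn/ovndb-servers` followed by `rmdir --ignore-fail-on-non-empty`), or let dh_link own the file so no postrm is needed at all.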
-- 
1.9.1



[ovs-dev] [PATCH v4 0/4] High availability support for OVN DB servers using pacemaker

2016-11-02 Thread Babu Shanmugam
v3 -> v4:
  The following changes were suggested by Andy on v3:
  - Updated the ovn-ctl man page
  - Added information regarding the pacemaker integration in the 
IntegrationGuide.md
  - Added debug messages in the ocf script

This patch contains changes required to run a pacemaker resource agent
to manage OVN db servers in active/standby mode in a HA cluster.

Babu Shanmugam (4):
  ovn: ovn-ctl support for HA ovn DB servers
  ovn: OCF script for OVN OVSDB servers
  ovn: Add ovn db servers ocf script in fedora packager
  ovn: Add ovndb servers ocf script in debian packager

 IntegrationGuide.md |  63 +++
 debian/automake.mk  |   2 +
 debian/ovn-common.install   |   1 +
 debian/ovn-common.postinst  |  24 +++
 debian/ovn-common.postrm|  23 +++
 ovn/utilities/automake.mk   |   6 +-
 ovn/utilities/ovn-ctl   | 173 ---
 ovn/utilities/ovn-ctl.8.xml |  18 ++
 ovn/utilities/ovndb-servers.ocf | 356 
 rhel/openvswitch-fedora.spec.in |   8 +
 10 files changed, 647 insertions(+), 27 deletions(-)
 create mode 100644 debian/ovn-common.postinst
 create mode 100644 debian/ovn-common.postrm
 create mode 100755 ovn/utilities/ovndb-servers.ocf

-- 
1.9.1



[ovs-dev] [PATCH v4 3/4] ovn: Add ovn db servers ocf script in fedora packager

2016-11-02 Thread Babu Shanmugam
The OCF script will be present in the ovn-common package and installed
in the openvswitch scripts folder. A symbolic link to this file will
be created in the OCF resources folder.

The OCF resource agent name for this resource is ocf:ovn:ovndb-servers

Signed-off-by: Babu Shanmugam 
---
 rhel/openvswitch-fedora.spec.in | 8 
 1 file changed, 8 insertions(+)

diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index eda8767..fb4aecd 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -310,6 +310,10 @@ rm -rf $RPM_BUILD_ROOT
 fi
 %endif
 
+%post ovn-common
+mkdir /usr/lib/ocf/resource.d/ovn
+ln -sf %{_datadir}/openvswitch/scripts/ovndb-servers.ocf 
/usr/lib/ocf/resource.d/ovn/ovndb-servers
+
 %post ovn-central
 %if 0%{?systemd_post:1}
 %systemd_post ovn-northd.service
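Review bot: `mkdir /usr/lib/ocf/resource.d/ovn` has no `-p`, so `%post ovn-common` fails on reinstall or upgrade once the directory exists (the Debian counterpart in 4/4 uses `mkdir -p`). Rather than patching the scriptlet, create the symlink in `%install` and list it in `%files ovn-common`; rpm then owns the path, `rpm -V` can verify it, and neither this `%post` nor the `%postun` below is needed.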
@@ -354,6 +358,9 @@ rm -rf $RPM_BUILD_ROOT
 fi
 %endif
 
+%postun ovn-common
+rm -rf /usr/lib/ocf/resource.d/ovn
+
 %postun ovn-central
 %if 0%{?systemd_postun_with_restart:1}
 %systemd_postun_with_restart ovn-northd.service
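Review bot: `%postun ovn-common` runs on upgrade too ($1 is 1), and rpm runs the new package's `%post` before the old package's `%postun`, so an upgrade ends with `rm -rf /usr/lib/ocf/resource.d/ovn` deleting the symlink the new version just created. Guard it with `if [ $1 -eq 0 ]` (final removal only), and prefer `rm -f` of the single link over `rm -rf` of the provider directory, which may hold agents from other packages.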
@@ -493,6 +500,7 @@ fi
 %{_bindir}/ovn-sbctl
 %{_bindir}/ovn-trace
 %{_datadir}/openvswitch/scripts/ovn-ctl
+%{_datadir}/openvswitch/scripts/ovndb-servers.ocf
 %{_datadir}/openvswitch/scripts/ovn-bugtool-nbctl-show
 %{_datadir}/openvswitch/scripts/ovn-bugtool-sbctl-lflow-list
 %{_datadir}/openvswitch/scripts/ovn-bugtool-sbctl-show
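Review bot: `%{_datadir}/openvswitch/scripts/ovndb-servers.ocf` is listed, but the symlink `/usr/lib/ocf/resource.d/ovn/ovndb-servers` that `%post` creates is not, so the file rpm actually consults for the resource agent is untracked; add the link here (created in `%install`) and drop the scriptlets.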
-- 
1.9.1



[ovs-dev] [PATCH v4 2/4] ovn: OCF script for OVN OVSDB servers

2016-11-02 Thread Babu Shanmugam
Co-authored-by: Numan Siddique 
Signed-off-by: Numan Siddique 
Co-authored-by: Andrew Beekhof 
Signed-off-by: Andrew Beekhof 
Signed-off-by: Babu Shanmugam 
---
 IntegrationGuide.md |  63 +++
 ovn/utilities/automake.mk   |   6 +-
 ovn/utilities/ovndb-servers.ocf | 356 
 3 files changed, 423 insertions(+), 2 deletions(-)
 create mode 100755 ovn/utilities/ovndb-servers.ocf

diff --git a/IntegrationGuide.md b/IntegrationGuide.md
index 5d3e574..945ecfd 100644
--- a/IntegrationGuide.md
+++ b/IntegrationGuide.md
@@ -167,3 +167,66 @@ following command can be used:
 
 ovs-vsctl set Interface eth0 external-ids:iface-id='"${UUID}"'
 
+
+HA for OVN DB servers using pacemaker
+-
+
+The ovsdb servers can work in either active or backup mode. In backup mode, db
+server will be connected to an active server and replicate the active servers
+contents. At all times, the data can be transacted only from the active server.
+When the active server dies for some reason, entire OVN operations will be
+stalled.
+
+[Pacemaker][] is a cluster resource manager which can manage a defined set of
+resource across a set of clustered nodes. Pacemaker manages the resource with
+the help of the resource agents. One among the resource agent is [OCF][].
+
+OCF is nothing but a shell script which accepts a set of actions and returns an
+appropriate status code.
+
+With the help of the OCF resource agent ovn/utilities/ovndb-servers.ocf, one
+can defined a resource for the pacemaker such that pacemaker will always
+maintain one running active server at any time.
+
+After creating a pacemaker cluster, use the following commands to create
+one active and multiple backup servers for OVN databases.
+
+pcs resource create ovndb_servers ocf:ovn:ovndb-servers \
+ master_ip=x.x.x.x \
+ ovn_ctl= \
+ op monitor interval="10s"
+
+pcs resource master ovndb_servers-master ovndb_servers \
+meta notify="true"
+
+The `master_ip` and `ovn_ctl` are the parameters that will be used by the
+OCF script. `ovn_ctl` is optional, if not given, it assumes a default value of
+/usr/share/openvswitch/scripts/ovn-ctl.
+
+Whenever the active server dies, pacemaker is responsible to promote one of
+the backup servers to be active. Both ovn-controller and ovn-northd needs the
+ip-address at which the active server is listening. With pacemaker changing the
+node at which the active server is run, it is not efficient to instruct all the
+ovn-controllers and the ovn-northd to listen to the latest active server's ip-
+address
+
+This problem can be solved by using a native ocf resource agent
+`ocf:heartbeat:IPaddr2`. The IPAddr2 resource agent is just a resource with an
+ip-address. When we colocate this resource with the active server, pacemaker
+will enable the active server to be connected with a single ip-address all the
+time. This is the ip-address that needs to be given as the parameter while
+creating the `ovndb_servers` resource.
+
+Use the following command to create the IPAddr2 resource and colocate it
+with the active server.
+
+pcs resource create VirtualIP ocf:heartbeat:IPaddr2 ip=x.x.x.x \
+op monitor interval=30s
+
+pcs constraint order VirtualIP then ovndb_servers-master
+
+pcs constraint colocation add ovndb_servers-master with master VirtualIP \
+score=INFINITY
+
+[Pacemaker]: http://clusterlabs.org/pacemaker.html
+[OCF]: http://www.linux-ha.org/wiki/OCF_Resource_Agents
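Review bot: the last constraint, `pcs constraint colocation add ovndb_servers-master with master VirtualIP`, applies the `master` role to VirtualIP, which is a plain IPaddr2 primitive with no master/slave roles; the intent stated two paragraphs earlier (keep the VIP on the node running the active server) reads `pcs constraint colocation add VirtualIP with master ovndb_servers-master score=INFINITY`. A few wording points in the same hunk: "resource across a set of clustered nodes" should be "resources", and "One among the resource agent is [OCF][]. OCF is nothing but a shell script" conflates the OCF standard with the agent; say that OCF is the resource-agent interface and that `ovndb-servers.ocf` is an agent implementing it. Finally, the text should say what the VIP does not give you: `ovn-controller` and `ovn-northd` follow the address, but the replication and client connections the example sets up are plain `tcp:`, so anyone who can reach the VIP can read and write the databases unless the remotes are switched to `ssl:`.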
diff --git a/ovn/utilities/automake.mk b/ovn/utilities/automake.mk
index b03d125..164cdda 100644
--- a/ovn/utilities/automake.mk
+++ b/ovn/utilities/automake.mk
@@ -1,5 +1,6 @@
 scripts_SCRIPTS += \
-ovn/utilities/ovn-ctl
+ovn/utilities/ovn-ctl \
+ovn/utilities/ovndb-servers.ocf
 
 man_MANS += \
 ovn/utilities/ovn-ctl.8 \
@@ -20,7 +21,8 @@ EXTRA_DIST += \
 ovn/utilities/ovn-docker-overlay-driver \
 ovn/utilities/ovn-docker-underlay-driver \
 ovn/utilities/ovn-nbctl.8.xml \
-ovn/utilities/ovn-trace.8.xml
+ovn/utilities/ovn-trace.8.xml \
+ovn/utilities/ovndb-servers.ocf
 
 DISTCLEANFILES += \
 ovn/utilities/ovn-ctl.8 \
diff --git a/ovn/utilities/ovndb-servers.ocf b/ovn/utilities/ovndb-servers.ocf
new file mode 100755
index 000..1fc61a7
--- /dev/null
+++ b/ovn/utilities/ovndb-servers.ocf
@@ -0,0 +1,356 @@
+#!/bin/bash
+
+: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
+. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+: ${OVN_CTL_DEFAULT="/usr/share/openvswitch/scripts/ovn-ctl"}
+CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
+CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name 
OVN_REPL_INFO -s ovn_ovsdb_master_server"
+OVN_CTL=${OCF_RESKEY_ovn_ctl:-${OVN_CTL_DEFAULT}}
+MASTER_IP=${OCF_RESKEY_master_ip}
+
+# Invalid IP address is an address that can never exist in the 

[ovs-dev] [PATCH v4 1/4] ovn: ovn-ctl support for HA ovn DB servers

2016-11-02 Thread Babu Shanmugam
This patch adds support to start_ovsdb() function in ovn-ctl to start the
ovn db servers in backup mode. This can be done in the following ways
1. Use parameters --ovn-nb-sync-from-addr and --ovn-sb-sync-from-addr to
   set the addresses of the active server.
2. Create files $etcdir/ovnnb-active.conf and $etcdir/ovnsb-active.conf
   with the tcp url of the active servers.

Additional functions to promote a backup server to active and demote an
active server to backup mode are also added in this patch.

One can optionally set the DB parameters for northd in
$etcdir/ovn-northd-db-params.conf. For example,

--ovnnb-db=tcp:172.16.247.230:6641 --ovnsb-db=tcp:172.16.247.230:6642

The parameters will be used as is, by start_northd(). If this file exists,
start_northd() will not start the DB servers even if $OVN_MANAGE_OVSDB is
'yes'.

Signed-off-by: Babu Shanmugam 
---
 ovn/utilities/ovn-ctl   | 173 +---
 ovn/utilities/ovn-ctl.8.xml |  18 +
 2 files changed, 166 insertions(+), 25 deletions(-)

diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
index 07bff8a..1c1687f 100755
--- a/ovn/utilities/ovn-ctl
+++ b/ovn/utilities/ovn-ctl
@@ -26,6 +26,9 @@ for dir in "$sbindir" "$bindir" /sbin /bin /usr/sbin 
/usr/bin; do
 done
 
 
+ovnnb_active_conf_file="$etcdir/ovnnb-active.conf"
+ovnsb_active_conf_file="$etcdir/ovnsb-active.conf"
+ovn_northd_db_conf_file="$etcdir/ovn-northd-db-params.conf"
 ## - ##
 ## start ##
 ## - ##
@@ -45,6 +48,44 @@ stop_ovsdb () {
 fi
 }
 
+demote_ovnnb() {
+if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
+echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > 
$ovnnb_active_conf_file
+fi
+
+if test -e $ovnnb_active_conf_file; then
+ovs-appctl -t $rundir/ovnnb_db.ctl 
ovsdb-server/set-active-ovsdb-server `cat $ovnnb_active_conf_file`
+ovs-appctl -t $rundir/ovnnb_db.ctl 
ovsdb-server/connect-active-ovsdb-server
+else
+echo >&2 "$0: active server details not set"
+exit 1
+fi
+}
+
+demote_ovnsb() {
+if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
+echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > 
$ovnsb_active_conf_file
+fi
+
+if test -e $ovnsb_active_conf_file; then
+ovs-appctl -t $rundir/ovnsb_db.ctl 
ovsdb-server/set-active-ovsdb-server `cat $ovnsb_active_conf_file`
+ovs-appctl -t $rundir/ovnsb_db.ctl 
ovsdb-server/connect-active-ovsdb-server
+else
+echo >&2 "$0: active server details not set"
+exit 1
+fi
+}
+
+promote_ovnnb() {
+rm -f $ovnnb_active_conf_file
+ovs-appctl -t $rundir/ovnnb_db.ctl 
ovsdb-server/disconnect-active-ovsdb-server
+}
+
+promote_ovnsb() {
+rm -f $ovnsb_active_conf_file
+ovs-appctl -t $rundir/ovnsb_db.ctl 
ovsdb-server/disconnect-active-ovsdb-server
+}
+
 start_ovsdb () {
 # Check and eventually start ovsdb-server for Northbound DB
 if ! pidfile_is_running $DB_NB_PID; then
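Review bot: `demote_ovnnb` and `demote_ovnsb` (and the two promote functions) are line-for-line copies that differ only in nb/sb; a single `demote_ovndb nb|sb` parameterised like `sync_status` below would halve the surface for the kind of copy-paste slip the two scriptlets in this series already show. Within the function, `cat $ovnnb_active_conf_file` is unquoted and `test -e` accepts an empty file, so an empty or whitespace-only conf file calls `ovsdb-server/set-active-ovsdb-server` with no argument; use `test -s` and quote the expansion. Also, `exit 1` from inside a function terminates ovn-ctl even when the caller (the OCF agent) would rather see a return code; return non-zero instead.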
@@ -52,7 +93,20 @@ start_ovsdb () {
 
 set ovsdb-server
 
-set "$@" --detach --monitor $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE 
--remote=punix:$DB_NB_SOCK --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR 
--pidfile=$DB_NB_PID --unixctl=ovnnb_db.ctl
+set "$@" --detach --monitor $OVN_NB_LOG \
+--log-file=$OVN_NB_LOGFILE \
+--remote=punix:$DB_NB_SOCK \
+--remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \
+--pidfile=$DB_NB_PID \
+--unixctl=ovnnb_db.ctl
+
+if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
+echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > 
$ovnnb_active_conf_file
+fi
+
+if test -e $ovnnb_active_conf_file; then
+set "$@" --sync-from=`cat $ovnnb_active_conf_file`
+fi
 
 $@ $DB_NB_FILE
 fi
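Review bot: the file written at `echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file` hard-codes the `tcp:` scheme, so replication cannot be run over `ssl:` even though `ovsdb-server --sync-from` accepts an SSL remote; let the operator supply the full remote string, or derive the scheme from the same setting that chooses `ptcp:` versus `pssl:` for `--remote`. Note also that once this file exists, every later `start_ovsdb` without `--ovn-nb-sync-from-addr` still starts the server in backup mode; that persistence is intended for HA, but ovn-ctl.8 should say that `promote_ovnnb` is what clears it.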
@@ -63,11 +117,45 @@ start_ovsdb () {
 
 set ovsdb-server
 
-set "$@" --detach --monitor $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE 
--remote=punix:$DB_SB_SOCK --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR 
--pidfile=$DB_SB_PID --unixctl=ovnsb_db.ctl
+set "$@" --detach --monitor $OVN_SB_LOG \
+--log-file=$OVN_SB_LOGFILE \
+--remote=punix:$DB_SB_SOCK \
+--remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \
+--pidfile=$DB_SB_PID \
+--unixctl=ovnsb_db.ctl
+
+if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
+echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > 
$ovnsb_active_conf_file
+fi
+
+if test -e $ovnsb_active_conf_file; then
+set "$@" --sync-from=`cat $ovnsb_active_conf_file`
+fi
+
 $@ $DB_SB_FILE
 fi
 }
 
+sync_status() {
+ovs-appctl -t $rundir/ovn${1}_db.ctl ovsdb-server/sync-status | awk 
'{if(NR==1) print $2}'
+}
+
+status_ovnnb() {
+if ! pidfile_is_running $DB_NB_PID; then
+echo "not-running"
+else
+echo "running/$(sync_status nb)"
+fi
+}
+
+status_ovnsb() {
+if ! pidfile_is_running $DB_SB_PID;
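Review bot: `sync_status` prints `$2` of the first line of `ovsdb-server/sync-status` and nothing else, so if `ovs-appctl` fails (socket missing, server still starting) `status_ovnnb` reports `running/` with an empty state and the caller cannot distinguish that from a real answer; check the appctl exit status and print an explicit `unknown` when the first line is not `state: active|backup`. The southbound half of this hunk repeats the northbound `--sync-from` block verbatim and should share the same helper.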
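A stricter version of the status reporting from this patch, as an added example that is not part of ovn-ctl. It assumes, like the patch's `awk`, that `ovsdb-server/sync-status` output begins with a `state: active` or `state: backup` line (the rest of the output format is not relied on), and it reports `unknown` rather than an empty field when that line is missing, which is what a caller such as a resource agent needs in order to fail safely. The sample outputs are constructed, not captured from a server.

```sh
#!/bin/sh
# Added example, not ovn-ctl code: robust parsing of sync-status output.

# Read sync-status text on stdin; print active, backup or unknown.
# Only the first line is inspected, and only if it has the expected shape.
sync_state() {
    awk '
        NR == 1 && $1 == "state:" && ($2 == "active" || $2 == "backup") {
            print $2; found = 1
        }
        END { if (!found) print "unknown" }
    '
}

# $1 is the pidfile check result ("running" or "not-running"); the
# sync-status text is read from stdin.  Output mirrors the running/<state>
# form used by status_ovnnb in the patch.
db_status() {
    if [ "$1" != "running" ]; then
        echo "not-running"
        return 0
    fi
    echo "running/$(sync_state)"
}

# Constructed sample outputs (assumed format, not captured from ovsdb-server).
SAMPLE_BACKUP='state: backup
replicating: tcp:203.0.113.10:6641
database: OVN_Northbound'
SAMPLE_ACTIVE='state: active'
SAMPLE_ERROR='ovs-appctl: cannot connect to "ovnnb_db.ctl"'

printf '%s\n' "$SAMPLE_BACKUP" | db_status running   # running/backup
printf '%s\n' "$SAMPLE_ACTIVE" | db_status running   # running/active
printf '%s\n' "$SAMPLE_ERROR"  | db_status running   # running/unknown
db_status not-running </dev/null                     # not-running
```

In ovn-ctl the stdin would come from `ovs-appctl -t $rundir/ovn${1}_db.ctl ovsdb-server/sync-status`; piping that through `sync_state` instead of the original `awk` turns a failed appctl call into `running/unknown`, which a resource agent can treat as "do not promote" rather than misreading an empty field.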