authorEwan Mellor <ewan.mellor@citrix.com>2011-09-24 23:46:23 -0700
committerEwan Mellor <ewan.mellor@citrix.com>2011-09-24 23:46:23 -0700
commit0a56ae6fa27ee08a0cb237c7872dc872ae9cc766 (patch)
tree1ef255559f1e433492fdfe22dbc7a90a6bf091e2 /plugins/xenserver/networking
parent16e3f2effcddf838cc8927cc6fc8a968de0034bd (diff)
downloadnova-0a56ae6fa27ee08a0cb237c7872dc872ae9cc766.tar.gz
Allow tenant networks to be shared with domain 0.
If domain 0 has an IP address on a given bridge, then add a flow rule to allow traffic to leave that port. This allows for the case where domain 0 and the tenant network are sharing a bridge, which is useful in non-production environments. At the same time, simplify the interface to ovs_configure_base_rules.py. There is no need to pass the bridge in, because it's implicit in the selection of the physical interface, and can be obtained using ovs-vsctl iface-to-br. Having made these two changes, it's now reasonable to apply flow rules to all interfaces as a default (if not overridden in the sysconfig file). Change-Id: I2a33ed55246d49b0e4f57db909e1b40351d27602
Diffstat (limited to 'plugins/xenserver/networking')
-rwxr-xr-xplugins/xenserver/networking/etc/init.d/openvswitch-nova11
-rw-r--r--plugins/xenserver/networking/etc/sysconfig/openvswitch-nova16
-rwxr-xr-xplugins/xenserver/networking/etc/xensource/scripts/ovs_configure_base_flows.py26
3 files changed, 40 insertions, 13 deletions
diff --git a/plugins/xenserver/networking/etc/init.d/openvswitch-nova b/plugins/xenserver/networking/etc/init.d/openvswitch-nova
index 8672a69b88..51f6b324c2 100755
--- a/plugins/xenserver/networking/etc/init.d/openvswitch-nova
+++ b/plugins/xenserver/networking/etc/init.d/openvswitch-nova
@@ -5,6 +5,7 @@
# chkconfig: 2345 96 89
# description: Apply initial OVS flows for Nova
+# Copyright 2011 Citrix Systems, Inc.
# Copyright 2011 OpenStack LLC.
# Copyright (C) 2009, 2010, 2011 Nicira Networks, Inc.
# All Rights Reserved.
@@ -59,11 +60,11 @@ case ${NETWORK_MODE:=openvswitch} in
esac
function run_ovs_conf_base_flows {
- # expected format: DEVICE_BRIDGES="eth0:xenbr0 eth1:xenbr1"
- for pair in $DEVICE_BRIDGES; do
- # below in $info, physical device is [0], bridge name is [1]
- info=${pair//:/ }
- /usr/bin/python $OVS_CONFIGURE_BASE_FLOWS $1 ${info[0]} ${info[1]}
+ local action="$1"
+ local all_interfaces=$(cd /sys/class/net/; /bin/ls -d eth*)
+ local interfaces="${INTERFACES-$all_interfaces}"
+ for interface in $interfaces; do
+ /usr/bin/python $OVS_CONFIGURE_BASE_FLOWS $action $interface
done
}
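Review bot: The loop in run_ovs_conf_base_flows ignores the exit status of each ovs_configure_base_flows.py run, so an interface whose base flows were not installed looks the same as a successful one. Now that the default is every eth* device, this is more likely to be hit by interfaces that are not attached to an OVS bridge. Report the failure per interface, for example `/usr/bin/python $OVS_CONFIGURE_BASE_FLOWS "$action" "$interface" || echo "base flows not applied to $interface" >&2`. Note also that `${INTERFACES-$all_interfaces}` falls back only when INTERFACES is unset, so `INTERFACES=""` in the sysconfig file applies rules to nothing; use `${INTERFACES:-$all_interfaces}` if an empty value should mean the default.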
diff --git a/plugins/xenserver/networking/etc/sysconfig/openvswitch-nova b/plugins/xenserver/networking/etc/sysconfig/openvswitch-nova
index 829782fb60..dd5fa6ca7b 100644
--- a/plugins/xenserver/networking/etc/sysconfig/openvswitch-nova
+++ b/plugins/xenserver/networking/etc/sysconfig/openvswitch-nova
@@ -1 +1,15 @@
-#DEVICE_BRIDGES="eth0:xenbr0 eth1:xenbr1"
+# The interfaces that you want to apply base OVS rules to. If this is
+# unspecified then rules are applied to all eth* interfaces, which is a good
+# default.
+#
+# If you are worried about the performance of having rules on interfaces
+# that aren't carrying tenant traffic, or you want to do something
+# custom, then here you can explicitly choose the interfaces that should have
+# rules applied.
+#
+# Note that if there is an IP address on the bridge in domain 0 (i.e. the
+# xenbrX interface) then a rule will be applied that allows traffic to it.
+# Make sure that this is what you want. If you don't want tenant traffic
+# to be able to reach domain 0 -- the usual case -- then you should have
+# tenant traffic and domain 0 on entirely separate bridges.
+#INTERFACES="eth0 eth1"
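Review bot: The note about domain 0 says the rule "allows traffic to it", but the flow this commit adds in ovs_configure_base_flows.py matches `in_port=LOCAL`, which is traffic entering the bridge from domain 0's own port. The comment should describe it that way. It should also say that the address check happens when the rules are applied, so an address added to or removed from xenbrX afterwards presumably does not change the flows until the next run (inferred from the script hunk; the rest of the script is not visible here). Suggested wording for the affected lines: `# xenbrX interface) when the rules are applied, then a rule is added that allows traffic from domain 0 onto that bridge.`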
diff --git a/plugins/xenserver/networking/etc/xensource/scripts/ovs_configure_base_flows.py b/plugins/xenserver/networking/etc/xensource/scripts/ovs_configure_base_flows.py
index 514a43a2df..010c7673a1 100755
--- a/plugins/xenserver/networking/etc/xensource/scripts/ovs_configure_base_flows.py
+++ b/plugins/xenserver/networking/etc/xensource/scripts/ovs_configure_base_flows.py
@@ -1,6 +1,7 @@
#!/usr/bin/env python
# vim: tabstop=4 shiftwidth=4 softtabstop=4
+# Copyright 2011 Citrix Systems, Inc.
# Copyright 2011 OpenStack LLC.
# All Rights Reserved.
#
@@ -27,9 +28,12 @@ import sys
from novalib import execute, execute_get_output
-def main(command, phys_dev_name, bridge_name):
+def main(command, phys_dev_name):
ovs_ofctl = lambda *rule: execute('/usr/bin/ovs-ofctl', *rule)
+ bridge_name = \
+ execute_get_output('/usr/bin/ovs-vsctl', 'iface-to-br', phys_dev_name)
+
# always clear all flows first
ovs_ofctl('del-flows', bridge_name)
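Review bot: `bridge_name` is passed to `ovs_ofctl('del-flows', bridge_name)` without checking that `ovs-vsctl iface-to-br` actually returned a bridge. With the init script now defaulting to every eth* device, an interface that is not an OVS port would presumably yield an empty or unusable name; execute_get_output is defined in novalib, outside this page, so its failure behaviour should be confirmed. Stop early in that case: `if not bridge_name: sys.exit("%s is not attached to an OVS bridge" % phys_dev_name)`. Separately, if two listed interfaces resolve to the same bridge, the second run's del-flows would remove the flows the first run added. main's body continues outside the hunk.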
@@ -44,19 +48,27 @@ def main(command, phys_dev_name, bridge_name):
ovs_ofctl('add-flow', bridge_name,
"priority=2,in_port=%s,actions=normal" % pnic_ofport)
+ # Allow traffic from dom0 if there is a management interface
+ # present (its IP address is on the bridge itself)
+ bridge_addr = \
+ execute_get_output('/sbin/ip', '-o', '-f', 'inet', 'addr', 'show',
+ bridge_name)
+ if bridge_addr != '':
+ ovs_ofctl('add-flow', bridge_name,
+ "priority=2,in_port=LOCAL,actions=normal")
+
# default drop
ovs_ofctl('add-flow', bridge_name, 'priority=1,actions=drop')
if __name__ == "__main__":
- if len(sys.argv) != 4 or sys.argv[1] not in ('online', 'offline', 'reset'):
+ if len(sys.argv) != 3 or sys.argv[1] not in ('online', 'offline', 'reset'):
print sys.argv
script_name = os.path.basename(sys.argv[0])
print "This script configures base ovs flows."
- print "usage: %s [online|offline|reset] phys-dev-name bridge-name" \
- % script_name
- print " ex: %s online eth0 xenbr0" % script_name
+ print "usage: %s [online|offline|reset] phys-dev-name" % script_name
+ print " ex: %s online eth0" % script_name
sys.exit(1)
else:
- command, phys_dev_name, bridge_name = sys.argv[1:4]
- main(command, phys_dev_name, bridge_name)
+ command, phys_dev_name = sys.argv[1:3]
+ main(command, phys_dev_name)
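Review bot: The `bridge_addr != ''` test silently treats a failed `/sbin/ip` call the same as "no address", and it depends on execute_get_output (in novalib, not shown) returning output with no trailing whitespace. Nothing records that the `in_port=LOCAL` rule was installed, although this is the rule that lets domain 0 share a tenant bridge. Make the decision robust and visible: `if bridge_addr.strip():` followed by a line such as `print "dom0 address found on %s; allowing in_port=LOCAL" % bridge_name` before the add-flow call. The check also considers only IPv4 (`-f inet`); a comment stating whether that is intentional would help. The enclosing block starts outside the hunk, so it is not visible which commands reach this code.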