| Commit message (Collapse) | Author | Age | Files | Lines |
| |
This will allow selected options to be interpreted locally and others to
be passed to the daemon, when the daemon is in use.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
raft_store_snapshot() constructs a new snapshot in a local variable then
destroys the current snapshot and replaces it by the new one. Until now,
it has not cloned the data in the new snapshot until it did the
replacement. This led to the unexpected consequence that, if 'servers' in
the old and new snapshots was the same, then it would first be freed and
later cloned, which could cause a segfault.
Multiple people reported the crash. Gurucharan Shetty provided a
reproduction case.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
void functions do not need to have a return statement, because
such statements are redundant. Warn the user of such instances.
An interim line check is added to allow gathering additional
context for each line that is being processed.
Signed-off-by: Bala Sankaran <bsankara@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Control utils should be called with the same verbose level
at least to manage output to system logs. For example, to
disable unwanted syslog messages in unit tests or to enable
higher debug levels if needed.
New arguments added before '-vconsole:off' because it's
still inconvenient to have console output.
Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Otherwise the code does not build.
Fixes: fa37affad362 ("Embrace anonymous unions.")
Signed-off-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Added test for snoop command to check for the initial handshake messages
when a bridge connects to a controller via 'unix' connection method.
Signed-off-by: Ashish Varma <ashishvarma.ovs@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
10 of the travis builds are failing such as
TESTSUITE=1 KERNEL=3.16.54 for gcc and clang.
Fixes: ab16d2c2871b ("stream-ssl: Don't enable new TLS versions by default")
CC: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Han Zhou <hzhou8@ebay.com>
Acked-by: Darrell Ball <dlu998@gmail.com>
| |
When ovsdb-server is starting, it performs some DB steps such as
creating and upgrading the OvS DB. When we are running as
'non-root' user, the 'runuser' tool is used to manage the privileges.
However, when this happens during systemd boot, we observe the following
errors in journald:
    Jun 21 07:32:57 virt systemd[1]: session-c1.scope: Failed to add PIDs to scope's control group: No such process
    Jun 21 07:32:57 virt systemd[1]: Failed to start Session c1 of user openvswitch.
    Jun 21 07:32:57 virt systemd[1]: session-c1.scope: Unit entered failed state.
According to the analysis performed on openSUSE bugzilla[1], it seems
that ovsdb-server.service creates (via the call to runuser) a user
session and therefore calls pam_systemd, which in turn tries to start
a systemd user instance: "user@474.service". However "user@474.service"
is supposed to be started after systemd-user-sessions.service which is
supposed to be started after network.target. Additionally,
ovsdb-server.service uses Before=network.target hence the deadlock.
This commit uses "setpriv", which doesn't use PAM, instead of "runuser" to
launch "ovsdb-tool", and so it is possible to launch "ovsdb-tool" as a user
without having the deadlock. Since some old versions of "setpriv" (such as the
one used by RHEL7) don't support the username / groupname, but only the
user ids / group ids, "id" is used to get the user ID and the group IDs.
To replicate the same behaviour of "runuser", the effective group ID of
the user is used as GID (usually "openvswitch") and the remaining group
IDs are used as supplementary groups (usually "hugetlbfs", if OVS is
built with DPDK support).
[1]: https://bugzilla.suse.com/show_bug.cgi?id=1098630
Reported-by: Markos Chandras <mchandras@suse.de>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-July/349716.html
Co-authored-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Aaron Conole <aconole@redhat.com>
| |
Reported-by: Oscar Wilde <xdxiaobin@gmail.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-July/047070.html
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
| |
Starting from Fedora 29, gcc and gcc-c++ won't be installed by default in
buildroot and so it's necessary to specify them explicitly in the spec file.
https://fedoraproject.org/wiki/Changes/Remove_GCC_from_BuildRoot
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
The function dpctl_flush_conntrack() and other such new functions with
multiple optional arguments can be simplified by reordering the checks
for optional parameters, where the datapath argument is checked for
last.
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Since commit 793bdb6c0500 ("ovs-tcpdump: Fix incompatibilities with python3")
and commit 227abb77d3d1 ("ovs-tcpundump: Fix incompatibilities with python3")
ovs-tcpdump and ovs-tcpundump work with Python3 as well.
This commit allows ovs-tcpdump and ovs-tcpundump to be installed also when
only Python3 is enabled.
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Currently protocol_flags is populated by the list of SSL and TLS
protocols by hand. This means that when a new TLS version is added to
openssl (in this case TLS v1.3 is added to openssl 1.1.1 beta)
ovsdb-server automatically enables support for it with the default ciphers.
This can be a security problem (since other ciphers can be enabled) and it
also makes a test (SSL db: implementation) fail.
This commit changes the 'protocol_flags' to use the list of all protocol
flags as provided by openssl library (SSL_OP_NO_SSL_MASK) so there is no
need to keep the list updated by hand.
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
[[ ]] syntax is not supported, at least, by dash, which Debian, Ubuntu and other
Linux distributions may use instead of bash.
This commit uses, instead, a POSIX way that is compatible with any POSIX
shell (bash, dash, busybox sh, etc).
CC: Martin Xu <martinxu9.ovs@gmail.com>
Fixes: 9763d17fbd05 ("utilities: check datapath exists before conntrack flush")
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
| |
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
| |
All the users of mf_vl_mff_mf_from_nxm_header() expect it to always obtain
a valid field or to report an error. In practice, it did not report an
error in the case where the field was unknown (although it did report an
error in some other cases). This commit fixes the problem.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9652
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
| |
I thought I had added this while revising a previous patch but oops.
Fixes: 7ee9c6e03416 ("tests: Fix cluster torture test.")
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Generally when we know the leader for a term, in "check-cluster", it's
because we read that leader's log file. In that case, we have the leader's
log_end because it told us. However, taking a snapshot can discard that
data. In that case, log_end is 0 and we should not try to check for leader
completeness on that basis.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
The user shouldn't provide a given server's log more than once but this
check makes sure.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
Having the headers available before reading the complete logs means that
server IDs can be associated with the server file names earlier, which can
improve error messages in some cases.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
Without this patch, server names are displayed as UUIDs even when we know
the file name; file names are easier for the user to read.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
The cluster torture tests can provoke these messages, especially if run in
parallel or with valgrind, and they shouldn't cause a failure.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
remove_server() is supposed to deal with its argument $i, not $victim. In
this case they happen to have the same value so the difference is moot,
but it's still best to be clear.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
A previous commit to improve timing also caused the cluster torture test to
be skipped (unless it failed early). This is related to the shell "while"
loop's use of a variable $phase to indicate how far it got in the test
procedure. A very fast machine, or one on which the races went just the
right way, might finish the test before all the torture properly starts, so
the code is designed to just skip the test if that happens. However, a
commit to improve the accuracy ended up skipping it all the time.
Prior to the timing commit, the loop looked something like this:
    phase=0
    while :; do
        ...things that eventually increment $phase to 2...
    done
    AT_SKIP_IF([test $phase != 2])
This works fine.
The timing commit changed the "while :" to "(...something...) | while
read". This looks innocuous but it actually causes everything inside the
"while" loop to run in a subshell. Thus, the increments to $phase are not
visible after the loop ends, and the test always gets skipped.
This commit fixes the problem by storing the phase in a file instead of a
shell variable.
Fixes: 0f03ae3754ec ("ovsdb: Improve timing in cluster torture test.")
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9424
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
This patch fixes a scenario not working for RHEL7.3 in commit 89dd5819cf18.
When multiple versions are passed into the kversion for the spec file, the
variable is used as is for the kernel module paths for the command
weak-modules --add-modules. Then the modules cannot be found.
Fixes: 89dd5819cf18 (rhel: support kmod-openvswitch build against
multiple kernels, rhel6)
Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com>
CC: Greg Rose <gvrose8192@gmail.com>
CC: Ben Pfaff <blp@ovn.org>
CC: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
| |
This patch extends commit 89dd5819cf18 (rhel: support kmod-openvswitch
build against multiple kernels, rhel6) to support building kmod RPMs
with multiple minor revisions within 3.10.0-327 kernels. It was
discovered for RHEL 7.2 that 41.3 minor revision introduced backward
incompatible changes.
VMware-BZ: #2170334
Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com>
CC: Greg Rose <gvrose8192@gmail.com>
CC: Ben Pfaff <blp@ovn.org>
CC: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
| |
When this case was adapted for Windows, abs_file_name() simply didn't work
at all there. Now, it should work OK, and it seems like the right thing
to do, and it makes the code more straightforward too.
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
abs_file_name() believed that a file name that begins with / or contains :
is absolute and that any other file name is relative. On Windows, this is
wrong in at least the following ways:
* / and \ are interchangeable on Windows.
* A name that begins with \\ or // is also absolute.
* A name that begins with X: but not X:\ is not absolute.
* A name with : in some position other than the second position is
not absolute (although it might not be valid either?).
Furthermore, Windows has more than one current working directory (one per
volume letter), so trying to make a file name absolute by just prefixing
the current working directory for the current volume results in silliness.
This patch attempts to fix the problem.
This makes OVS link against shlwapi, which is needed to use
PathIsRelative().
Found by inspection.
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
The --restart flag allows for uninterrupted packet flowage when exiting
ovn-controller. This patch modifies the restart_controller argument to
ovn-ctl to use --restart.
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
When "--restart" is passed to ovn-controller's exit command, then
database entries are not removed for this hypervisor. This means that
* Encaps
* Chassis
* OVS ports
are not removed.
The reasoning is that if the intent is to restart ovn-controller, this
will allow for tunnels to remain up and allow for traffic not to be
interrupted during the restart. When ovn-controller is started again, it
picks back up from where it was.
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
| |
OVN offers a method of IP address management that allows for an IPv4 subnet or
IPv6 prefix to be specified on a logical switch. Then by specifying a
switch port's address as "dynamic" or "<mac address> dynamic", OVN will
automatically assign addresses to the switch port.
While this works great for initial assignment of addresses, addresses do
not automatically adjust when changes are made to the switch's
configuration. For instance:
* If the subnet, ipv6_prefix, or exclude_ips for a logical switch
changes, the affected switch ports are not updated.
* If a switch port with a static IP address is added to the switch, and
that address conflicts with a dynamically assigned IP address, the
dynamic address is not updated.
* If a MAC address switched from being statically assigned to
dynamically assigned, the MAC address would not be updated.
* If a statically assigned MAC address changed, then the IPv6 address
would not be updated.
This patch solves all of the above issues by changing the algorithm for
IPAM assignment. There are essentially three steps.
1) While joining logical ports, all statically-assigned addresses (i.e.
any ports without "dynamic" addresses) have their addresses registered
to IPAM. This gives them top priority.
2) All logical ports with dynamic addresses are inspected. Any changes
that must be made to the addresses are collected to be made later. Any
addresses that do not require change are registered to IPAM. This allows
for previously assigned dynamic addresses to be kept.
3) All gathered changes are enacted.
The change contains new tests that ensure that dynamic addresses are
updated when appropriate.
This patch also alters some existing IPAM tests. Those tests assumed
that dynamic addresses would not be updated automatically, so those
tests either had to be altered or removed.
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Acked-by: Jakub Sitnicki <jsitnicki@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
These caused the test to fail.
CC: Jakub Sitnicki <jkbs@redhat.com>
Fixes: 984c7d5ea8fe ("ovn-northd: Propagate dynamic addresses to port group address sets.")
Signed-off-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
| |
Also split line at 79 characters.
Found by inspection.
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
Acked-by: Ben Pfaff <blp@ovn.org>
| |
Until now we only had optind defined in the header.
Since we are using the BSD getopt variant add opterr and optopt.
Fixes: 3ec06ea9c668 ("ovn-nbctl: Initial support for daemon mode.")
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
| |
This patch modifies ovs-pki to generate an x.509 version 3 certificate.
Compared with the x.509 v1 certificate generated by ovs-pki, the version 3
certificate adds a subjectAltName field and sets its value the same as
the common name (CN). The main reason for this change is to enable the
strongSwan IKE daemon to extract the certificate identity string from the
subjectAltName field, which makes the OVN IPsec implementation easier.
Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Support matching on tos and ttl of ip tunnels
for the TC data-path.
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
| |
Allow setting the tos and ttl for TC tunnels.
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
| |
Add the missing code to match on ip tos when dealing
with the TC data-path.
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
| |
TTL can and should be used to match on IPv6's hop-limit, fix that.
Fixes: ab7ecf266b0a ('netdev-tc-offloads: Add nw_ttl matching using flower')
Fixes: 0b4b5203d12e ('tc: Add ip layer ttl matching')
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
| |
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
This patch adds transport ports information for route lookup so that
IPsec can select stt tunnel traffic to do encryption.
Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Tested-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
This patch adds transport ports information for route lookup so that
IPsec can select vxlan tunnel traffic to do encryption.
Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Tested-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
The last few OVS releases have included a "soft freeze" stage in the
release process, but this stage has never been formalized in the
documentation. This adds a description.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Ian Stokes <ian.stokes@intel.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
As part of "force-reload-kmod," conntrack flush command is issued as
'action "ovs-appctl dpctl/flush-conntrack"'. In case no datapath exists
yet when issuing "force-reload-kmod," there is an error message
"ovs-vswitchd: no datapaths exist\ ovs-appctl: ovs-vswitchd: server
returned an error", which is harmless but potentially shows up as "FAILED."
Add an if condition to check whether datapath exists before running the
conntrack flush command.
VMware-BZ: #2170402
Fixes: 265d70310c69 ("utilities: Fix conntrack flush command")
Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com>
CC: Greg Rose <gvrose8192@gmail.com>
CC: Aaron Conole <aconole@redhat.com>
CC: Justin Pettit <jpettit@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
The new 'map' action is needed for 'hugetlbfs_t:file' too.
CC: Aaron Conole <aconole@redhat.com>
Fixes: d2675a146130 ("selinux: changes to support newer hugetlbfs restrictions")
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>