| Commit message | Author | Age | Files | Lines |
This patch extends RBAC restrictiveness of the encap table in
the ovn southbound database by only allowing modification by the
chassis that created the encap.
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Reported-by: Lance Richardson <lrichard@redhat.com>
Acked-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Russell Bryant <russell@ovn.org>
This commit introduces the north and south db changes necessary for
the l3ha router implementation.
It defines a new Table in both NBDB and SBDB.
The Gateway_Chassis table is created, with a tiny difference between
NBDB and SBDB: NBDB references the chassis via its name (chassis_name)
and SBDB references the chassis via a reference (chassis) to the Chassis table.
In NBDB a new column (gateway_chassis) is added to Logical_Router_Ports
with a list of Gateway_Chassis which can be empty.
In SBDB a new column (gateway_chassis) is added to Port_Binding with
the same list; this column will be used for ports of type chassis-redirect.
Bump minor version since we've added new backwards compatible features.
Co-authored-by: Russell Bryant <russell@ovn.org>
Signed-off-by: Miguel Angel Ajo <majopela@redhat.com>
Signed-off-by: Russell Bryant <russell@ovn.org>
Add rbac "roles" and "permissions" tables to ovn southbound
database schema, add support to ovn-northd for managing these
tables.
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Add SSL protocol and cipher columns to SSL tables in northbound
and southbound databases. Start nb/sb ovsdb-server with command-
line options to use these columns. Add support to ovn-nbctl
and ovn-sbctl "set-ssl" commands for user-friendly management
of these settings.
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
The OVN ingress pipeline for a logical switch is maxed out at 16 stages.
This patch takes the simple approach of starting the ingress pipeline at
table 8 rather than table 16, and starting the egress pipeline at
table 40 rather than table 48.
Signed-off-by: Mickey Spiegel <mickeys.dev@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This makes it possible for southbound utilities to use friendlier names,
which will happen in upcoming commits.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Andy Zhou <azhou@ovn.org>
This patch adds a new OVN action 'dns_lookup' to support native DNS.
ovn-controller parses this action and adds a NXT_PACKET_IN2
OF flow with 'pause' flag set.
A new table 'DNS' is added in the SB DB to look up and resolve
the DNS queries. When a valid DNS packet is received by
ovn-controller, it looks up the DNS name in the 'DNS' table
and if successful, it frames a DNS reply, resumes the packet
and stores 1 in the 1-bit subfield. If the packet is invalid
or cannot be resolved, it resumes the packet without any
modifications and stores 0 in the 1-bit subfield.
reg0[4] = dns_lookup(); next;
An upcoming patch will use this action and adds logical flows.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Acked-by: Gurucharan Shetty <guru@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This patch extends gratuitous ARP support for NAT addresses so that it
applies to distributed NAT rules on a distributed logical router.
Distributed NAT rules have type "dnat_and_snat" and specify
'external_mac' and 'logical_port'.
Gratuitous ARP packets for distributed NAT rules are only generated on
the chassis where the 'logical_port' specified in the NAT rule resides.
Gratuitous ARPs are issued for the 'external_ip' address, resolving to
the 'external_mac'.
Since the MAC address varies for each distributed NAT rule, a separate
'nat_addresses' string must be generated for each distributed NAT rule.
For this reason, in the southbound 'Port_Binding',
'options:nat-addresses' is replaced by a 'nat_addresses' column that
can have an unlimited number of instances. In order to allow for
upgrades, pinctrl in the ovn-controller can work off either the
'nat_addresses' column (if present), or 'options:nat-addresses'
otherwise.
Signed-off-by: Mickey Spiegel <mickeys.dev@gmail.com>
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Add support for managing remote connections, including
SSL configuration, to southbound db schema, and add necessary
commands to ovn-sbctl.
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Add a connection table to the southbound db schema, similar
to the Open_vSwitch "Manager" table.
Add tests for pssl: and ptcp: read-only connection types.
Add support to ovn-sbctl for listing the SB Connection table.
Potential future work:
- Test cases for other connection types (punix, ssl, tcp, unix).
- SSL configuration table for southbound db.
- Connection table for NB schema.
- Add a way to specify a read-only connection as an ovsdb-server
command-line option.
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This patch adds a new OVN action 'put_dhcpv6_opts' to support native
DHCPv6 in OVN.
ovn-controller parses this action and adds a NXT_PACKET_IN2
OF flow with 'pause' flag set and the DHCPv6 options stored in
'userdata' field.
When the valid DHCPv6 packet is received by ovn-controller, it frames a
new DHCPv6 reply packet with the DHCPv6 options present in the
'userdata' field and resumes the packet and stores 1 in the 1-bit subfield.
If the packet is invalid, it resumes the packet without any modification and
stores 0 in the 1-bit subfield.
E.g. reg0[3] = put_dhcpv6_opts(ia_addr = aef0::4, server_id = 00:00:00:00:10:02,
dns_server = {ae70::1,ae70::2}....)
A new 'DHCPv6_Options' table is added in SB DB which stores
the supported DHCPv6 options with DHCPv6 code and type. ovn-northd is
expected to populate this table.
Upcoming patch will add logical flows using this action.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Until now, there has been no reliable way for the CMS (or ovn-nbctl, or
anything else) to detect when changes made to the northbound configuration
have been passed through to the southbound database or to the hypervisors.
This commit adds this feature to the system, by adding sequence numbers
to the northbound and southbound databases and adding code in ovn-nbctl,
ovn-northd, and ovn-controller to keep those sequence numbers up-to-date.
The biggest user-visible change from this commit is a new option
--wait to ovn-nbctl. With --wait=sb, ovn-nbctl now waits for ovn-northd
to update the southbound database; with --wait=hv, it waits for the
changes to make their way to Open vSwitch on every hypervisor.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Russell Bryant <russell@ovn.org>
This will allow ovn-controller to conditionally monitor MAC_Binding table
according to datapath column.
Signed-off-by: Liran Schour <lirans@il.ibm.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This feature was originally proposed here:
http://openvswitch.org/pipermail/dev/2016-March/067440.html
A common use case for OVN ACLs involves needing to match a set of IP
addresses.
outport == "lp1" && ip4.src == {10.0.0.5, 10.0.0.25, 10.0.0.50}
This example match only has 3 addresses, but it could easily have
hundreds of addresses. In some cases, the same large set of addresses
needs to be used in several ACLs.
This patch adds a new Address_Set table to OVN_Northbound so that a set
of addresses can be specified once and then referred to by name in ACLs.
To recreate the above example, you would first create an address set:
$ ovn-nbctl create Address_Set name=set1 addresses="10.0.0.5","10.0.0.25","10.0.0.50"
Then you can refer to this address set by name in an ACL match:
outport == "lp1" && ip4.src == $set1
Signed-off-by: Russell Bryant <russell@ovn.org>
Signed-off-by: Babu Shanmugam <bschanmu@redhat.com>
Co-authored-by: Flavio Fernandes <flavio@flaviof.com>
Signed-off-by: Flavio Fernandes <flavio@flaviof.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This patch adds a new OVN action 'put_dhcp_opts' to support native
DHCP in OVN.
ovn-controller parses this action and adds a NXT_PACKET_IN2
OF flow with 'pause' flag set and the DHCP options stored in
'userdata' field.
When the valid DHCP packet is received by ovn-controller, it frames a
new DHCP reply packet with the DHCP options present in the
'userdata' field and resumes the packet and stores 1 in the 1-bit subfield.
If the packet is invalid, it resumes the packet without any modification and
stores 0 in the 1-bit subfield.
E.g. reg0[0] = put_dhcp_opts(offerip = 10.0.0.4, router = 10.0.0.1,
netmask = 255.255.255.0, lease_time = 3600,....)
A new 'DHCP_Options' table is added in SB DB which stores
the supported DHCP options with DHCP code and type. ovn-northd is
expected to populate this table.
The next patch will add logical flows with this action.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Co-authored-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
We currently use the system-id from the Open_vSwitch schema on each host
to populate the unique name field of a Chassis in OVN_Southbound. On
most systems, this is a UUID. It would be very convenient to also have
the hostname available as that will allow people to more quickly
identify which host a Chassis record is associated with in most cases.
This is also useful for correlating an OVN Chassis with the knowledge of
hosts that exists in other systems (such as OpenStack).
Also add the hostname of each chassis to the output of "ovn-sbctl show".
Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
This is sufficient support that an L3 logical router can now transmit
packets to VMs (and other destinations) without having to know the
IP-to-MAC binding in advance. The details are carefully documented in all
of the appropriate places.
There are several important caveats that need to be fixed before this can
be taken seriously in production. These are documented in ovn/TODO. The
most important of these are renewal, expiration, and limiting the size of
the ARP table.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
Since commit 5935835968c9d36ffe306863f0c8079d3b670e2a, the OVN nb and sb
schema definitions have included duplicate version entries. In the nb
case, the version has since been updated to 2.0.0, but only in one
place. Remove the duplicate version entries that were at the bottom of
the files.
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
A tag value of 0 is not used by containers running inside
VMs.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
This will be useful in a future commit.
It also introduces #define's for logical stages instead of in-place
constants.
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Alex Wang <alexw@nicira.com>
In a gateway like the VTEP L2 gateway, physical vlans belonging to
the same logical network form a "logical switch". Each logical switch
has a dedicated tunnel key and will keep records of all MACs learned
from the owned vlans. So a user can just send a packet to a "logical
switch" and the gateway will figure out the output port and vlan tag
automatically.
Therefore, it is really not necessary to keep a record of the vlan map
for each gateway physical port in the OVN_Southbound database using
"gateway_ports" and to map each vlan to a unique ovn logical port.
Instead, we should simply map each logical switch to an ovn logical
port.
Thusly, this commit removes the "Gateway" table from the OVN_Southbound
database. In the "Chassis" table, the "gateway_ports" column is replaced
by a "vtep_logical_switches" column which stores all vtep logical switch
names. The use of this column will be documented in a later commit.
Signed-off-by: Alex Wang <alexw@nicira.com>
Acked-by: Russell Bryant <rbryant@redhat.com>
Until now, OVN has used "flat" tunnel keys, in which the STT tunnel key or
Geneve VNI contains a logical port number. Logical port numbers are unique
within an OVN deployment.
Flat tunnel keys have the advantage of simplicity. However, for packets
that are destined to logical ports on multiple hypervisors, they require
sending one packet per destination logical port rather than one packet per
hypervisor. They also make it hard to integrate with VXLAN-based hardware
switches, which use VNIs to designate logical networks instead of logical
ports.
This commit switches OVN to a different scheme. In this scheme, in Geneve
the VNI designates a logical network and a Geneve option specifies the
logical input and output ports, which are now scoped within the logical
network rather than globally unique. In STT, all three identifiers are
encoded in the tunnel key.
To allow for the reduced amount of traffic for packets destined to logical
ports on multiple hypervisors, this commit also introduces the concept
of a logical multicast group. The membership of these groups can be set
using a new Multicast_Group table in the southbound database (and
ovn-northd does use it starting in this commit).
With multicast groups alone, it would be difficult to implement ACLs,
because an ACL might disallow only some of the packets being sent to
a remote hypervisor. Thus, this commit also splits the OVN logical
pipeline into two pipelines: the "ingress" pipeline, which makes the
decision about the logical destination of a packet as a set of logical
ports or multicast groups, and the "egress" pipeline, which runs on the
destination hypervisor with the multicast group destination exploded into
individual ports and makes a final decision on whether to deliver the
packet. The "egress" pipeline can efficiently apply ACLs.
Until now, the OVN logical and physical pipeline implementation was not
adequately documented. This commit adds extensive documentation to
the OVN manpages to cover these issues.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
The OVN pipeline is being split into two phases, which are most naturally
called "pipelines". I kept getting very confused trying to call them
anything else, and in the end it seems to make more sense to just rename
the Pipeline table.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
An upcoming patch will add a Datapath_Binding table, so clarifying the
name seems useful.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
We have started discussing the use of the logical port abstraction in
OVN to represent special types of connections into an OVN logical
switch. This patch proposes some schema updates to reflect these
special types of logical ports. A logical port can have a "type" and
a set of options specific to that type.
Some examples of logical port types would be "vtep" for connectivity
to a VTEP gateway or "localnet" for a connection to a locally
accessible network via an ovs bridge. Actual support for these (or
other) types will come in later patches.
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
The keys in the Chassis table's "gateway_ports" column report the same
information as the Gateway table's "attached_port" column, so this commit
removes the latter.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Alex Wang <alexw@nicira.com>
This commit changes the type of 'chassis' column in 'Binding' table
from string to weak reference of 'Chassis' table entry. This will
make accessing the chassis from binding more efficient.
Signed-off-by: Alex Wang <alexw@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
The convention in OVSDB is to use singular names for database tables,
but Bindings was plural.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
Limit the supported tunnel types to Geneve and STT on hypervisors, and
VXLAN, Geneve, and STT on gateways. This commit adds "DESIGN.md" that
describes the reasoning.
Wes Felter provided suggestions for improving the wording in the
architecture document.
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
When packets travel among nodes in OVN over tunnels, a tunnel key value is
needed to convey the logical port to which the packet is destined. This
commit adds a tunnel_key column to the Bindings table and adds code to
ovn-northd to assign a unique tunnel_key value to each logical port.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
It's possible that we could implement all of the OVN concepts as a single
collection of flow tables, but it makes more sense to me if we instead
represent each logical switch and logical router separately. This also
fits the model described in T. Koponen et al., "Network Virtualization in
Multi-tenant Data Centers," NSDI '14, the model that OVN aspires to
imitate.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Russell Bryant <rbryant@redhat.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
It was confusing having a database called "ovn", since it's also the
name of the project. Since we have an "ovn-nb", rename "ovn" to
"ovn-sb".
Signed-off-by: Justin Pettit <jpettit@nicira.com>