| Commit message (Collapse) | Author | Age | Files | Lines |
| |
We've actually made a lot of improvements.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
| |
When a node 'A' in the pacemaker cluster running OVN db servers in
master is brought down ungracefully ('echo b > /proc/sysrq_trigger'
for example), pacemaker is not able to promote any other node to
master in the cluster. When pacemaker selects a node B for instance to
promote, it moves the IPAddr2 resource (i.e. the master ip) to node
'B'. As soon as the node is configured with the IP address, when the
issue is seen, the OVN db servers which were running as standby
earlier, transition to active. Ideally this should not have happened.
The ovsdb-servers are expected to remain in standby until they are
promoted. (This needs separate investigation). When the pacemaker
calls the OVN OCF script's promote action, the ovsdb_server_promot
function returns almost immediately without recording the present
master. And later in the notify action it demotes back the OVN db
servers since the last known master doesn't match with node 'B's
hostname. This results in pacemaker promoting/demoting in a loop.
This patch fixes the issue by not returning immediately when promote
action is called if the OVN db servers are running as active. Now it
would continue with the ovsdb_server_promot function and records the
new master by setting proper master score ($CRM_MASTER -N $host_name
-v ${master_score})
This issue is not seen when a node is brought down gracefully as
pacemaker before promoting a node, calls stop, start and then promote
actions. Not sure why pacemaker doesn't call stop, start and promote
actions when a node is reset ungracefully.
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1579025
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Russell Bryant <russell@ovn.org>
| |
Appending prerequisites to sub-expressions of OR that are all over one
symbol prevents the expression-to-matches converter from applying
conjunctive matching. This happens during the annotation phase.
    input:      s1 == { c1, c2 } && s2 == { c3, c4 }
    expanded:   (s1 == c1 || s1 == c2) && (s2 == c3 || s2 == c4)
    annotated:  ((p1 && s1 == c1) || (p1 && s1 == c2)) &&
                ((p2 && s2 == c3) || (p2 && s2 == c4))
    normalized: (p1 && p2 && s1 == c1 && s2 == c3) ||
                (p1 && p2 && s1 == c1 && s2 == c4) ||
                (p1 && p2 && s1 == c2 && s2 == c3) ||
                (p1 && p2 && s1 == c2 && s2 == c4)
Where s1,s2 - symbols, c1..c4 - constants, p1,p2 - prerequisites.
Since sub-expressions of OR trees that are over one symbol all have the
same prerequisites, we can factor them out leaving the OR tree intact,
and enabling the converter to apply conjunctive matching to
AND(OR(clause)) trees.
Going back to our example this change gives us:
    input:      s1 == { c1, c2 } && s2 == { c3, c4 }
    expanded:   (s1 == c1 || s1 == c2) && (s2 == c3 || s2 == c4)
    annotated:  (s1 == c1 || s1 == c2) && p1 && (s2 == c3 || s2 == c4) && p2
    normalized: p1 && p2 && (s1 == c1 || s1 == c2) && (s2 == c3 || s2 == c4)
We also factor the prerequisites out of pure AND or mixed AND/OR
trees to keep the common code path, but in this case the only thing we
gain is a shorter expression as prerequisites for each symbol appear
only once.
Documentation comments have been contributed by Ben Pfaff.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
lflow_run() is the main logical flows processing routine that we spend
most of the CPU time in when testing at scale.
With the switch to the incremental processing approach in the controller,
we will be trying to avoid calling lflow_run() as much as possible.
A counter lets us confirm that we are doing logical flow processing
only when it's expected, without resorting to profiling under stress.
It can also serve as a hint as to why ovn-controller process is
consuming CPU time.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Han Zhou <hzhou8@ebay.com>
| |
Presently when a VM's IPv6 stack sends a Neighbor Solicitation request for its
router IP, (mostly when the ND cache entry for the router is in STALE state)
ovn-controller responds with a Neighbor Adv packet (using the action nd_na).
But it doesn't set 'ND_RSO_ROUTER' in the RSO flags (please see RFC4861 page 23).
Because of this, the VM deletes the default route. The default route gets added
again when the next RA is received (but would again get deleted if it sends an
NS request). And this results in disruption of IPv6 traffic.
This patch addresses this issue by adding a new action 'nd_na_router' which is
the same as 'nd_na' but it sets the 'ND_RSO_ROUTER' in the RSO flags. ovn-northd
uses this action. A new action is added instead of modifying the existing 'nd_na'
action. This is because
- We cannot set the RSO flags in the "nd_na { ..actions .. }"
- It would be ugly to have something like nd_na { router_flags, ...actions .. }
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1567735
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Acked-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Add support for using ovn-nbctl to add/delete/list ACLs on port
groups.
A new option --type is also supported for these commands to
explicitly specify, when needed, whether the operation is on a
port-group or a logical switch. E.g.
    ovn-nbctl --type=port-group acl-add port_group1 to-lport 1000 \
        'outport == @port_group1 && ip4.src == $port_group1_ip4' \
        allow-related
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Report gateway chassis in decreasing priority order running ovn-nbctl
show sub-command. Add get_ordered_gw_chassis_prio_list routine to sort
gw chassis according to the configured priority
Acked-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
The OVN load balance tests are failing in both kernel and userspace DP.
The problem is due to bad parsing of the load balance keys because of
using the wrong default port mode in the call to inet_parse_active().
With this fix, the tests are now passing again.
system-ovn
100: ovn -- load-balancing ok
101: ovn -- load-balancing - same subnet. ok
102: ovn -- load balancing in gateway router ok
103: ovn -- multiple gateway routers, load-balancing ok
104: ovn -- load balancing in router with gateway router port ok
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
There's not much value in making this a global since it's really just
parsed in one function and used in another.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
| |
The flow that handles MLF_LOCAL_ONLY flag is now added for each
multicast group, but in fact it can be more generic and only one
is needed rather than per mc group.
Suggested-by: Ben Pfaff <blp@ovn.org>
Suggested-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-May/346719.html
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Although port group can be used in match conditions of ACLs, it is
still inconvenient for clients to figure out the lswitches that each
ACL should be applied to.
This patch supports applying ACLs to port groups directly instead of
applying to each related lswitch individually. It provides convenience
for clients such as k8s and OpenStack Neutron.
Requested-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-March/344856.html
Requested-by: Guru Shetty <guru@ovn.org>
Requested-by: Daniel Alvarez Sanchez <dalvarez@redhat.com>
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
eval doesn't understand white space for local var which was introduced in commit
79c7961b8b3c4b7ea0251dea2ffacfa84c84fecb for starting clustered ovn dbs.
As ovn-ctl uses sh instead of bash, parsing local var with white space will fail.
e.g. /usr/share/openvswitch/scripts/ovn-ctl --db-nb-addr=192.168.220.101 --db-nb-create-insecure-remote=yes \
--db-sb-addr=192.168.220.101 --db-sb-create-insecure-remote=yes \
--db-nb-cluster-local-addr=192.168.220.101 \
--db-sb-cluster-local-addr=192.168.220.101 \
--ovn-northd-nb-db=tcp:192.168.220.101:6641,tcp:192.168.220.102:6641,tcp:192.168.220.103:6641 \
--ovn-northd-sb-db=tcp:192.168.220.101:6642,tcp:192.168.220.102:6642,tcp:192.168.220.103:6642 \
start_northd
gives error: /usr/share/openvswitch/scripts/ovn-ctl: 1: local: -vfile:info: bad variable name
As a result ovsdb fails to even initialize and start. Hence, we need to separate local keyword for all
variables used with eval to make it work with both dash and bash.
Signed-off-by: aginwala <aginwala@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Signed-off-by: Dan Williams <dcbw@redhat.com>
| |
The option exists but was not shown with --help.
Signed-off-by: Dan Williams <dcbw@redhat.com>
| |
This better reuses existing code.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
I didn't realize until now that the tree had two different ways of parsing
strings in the form <host>:<port> and <port>:<host>. There are the
long-standing inet_parse_active() and inet_parse_passive() functions, and
more recently the ipv46_parse() function. This commit eliminates the
latter and changes the code to use the former.
The two implementations interpreted some input differently. In particular,
the older functions required IPv6 addresses to be [bracketed], but the
newer ones do not. For compatibility this patch changes the merged code to
use the more liberal interpretation.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
Until now, the default_port parameters to these functions have had
different types and different behavior. There is a reason for this, since
it makes sense to listen on a kernel-selected port but it does not make
sense to connect to a kernel-selected port, but this overlooks the
possibility that a caller might want to parse a string in the format
understood by inet_parse_active() without actually using it to connect to
a remote host. This commit makes the behavior consistent and updates all
the callers to work with the new semantics.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
This better reuses existing code. It does require adding a slight variant
on ss_format_address(), but it still seems like a net win.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
Address sets are automatically generated from corresponding port
groups, and can be used directly in ACL match conditions.
There are two address sets generated for each port group:
<port group name>_ip4
<port group name>_ip6
For example, if port_group1 is created, we can directly use below
match condition in ACL:
"outport == @port_group1 && ip4.src == $port_group1_ip4"
This will simplify OVN client implementation, and avoid some tricky
problems such as race conditions when maintaining address set
memberships as discussed in the link below.
Reported-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046174.html
Reviewed-by: Mark Michelson <mmichels@redhat.com>
Reviewed-by: Daniel Alvarez <dalvarez@redhat.com>
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
ovn-controller when it sends out periodic RA packets, sets '0' in the
Router lifetime field. As per the RFC 4861, lifetime of 0 indicates that
the router is not a default router and SHOULD NOT appear on the default
router list. Without the default route, a VM will not be able to reach
other router ports attached to the same router unless a default route
is added by the user.
ovn-controller when encoding the 'put_nd_ra_opts' action sets the Router
Lifetime field to 0xffff. So this patch also sets the same value when
sending out the periodic RAs.
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1567735
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
commit f6fabcc6245 (ofproto-dpif: Mark packets as "untracked"
after call to ct().) changed the behavior after a call to ct().
The +trk bit would automatically be unset if packet is sent to
ct() and not forked. This caused a bug in the OVN gateway
pipeline when there is SNAT rule as well as load-balancing rule.
In the OVN gateway pipeline for the gateway router, we had an
optimization where the packets sent to unSNAT need not go through
a recirculation. But since doing this now means that the +trk bit
gets unset, the DNAT rules for load-balancing a new packet in the next
table won't get hit.
This commit removes the optimization for unSNAT packets so that
there is always a recirculation.
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
| |
This patch enables using port group names in ACL match conditions.
Users can create a port group in northbound DB Port_Group table,
and then use the name of the port group in ACL match conditions
for "inport" or "outport". It can help reduce the number of ACLs
for CMS clients such as OpenStack Neutron, for the use cases
where a group of logical ports share same ACL rules except the
"inport"/"outport" part. Without this patch, the clients have to
create N (N = number of lports) ACLs, and this patch helps achieve
the same goal with only one ACL. E.g.:
to-lport 1000 "outport == @port_group1 && ip4.src == {IP1, IP2, ...}" allow-related
There was a similar attempt by Zong Kai Li in 2016 [1]. This patch
takes a slightly different approach by using weak refs instead of
strings, which requires a new table instead of reusing the address
set table. This way it will also benefit a follow-up patch that
enables generating address sets automatically from port groups to
avoid a lot of trouble from client perspective [2].
An extra benefit of this patch is that it could enable conjunctive
match effectively. As reported at [3], this patch was tested together
with the conjunctive match enhancement patch [4], and huge performance
improvement (more than 10x faster) was seen because of this.
[1] https://mail.openvswitch.org/pipermail/ovs-dev/2016-August/077118.html
[2] https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046260.html
[3] https://mail.openvswitch.org/pipermail/ovs-dev/2018-March/344873.html
[4] https://patchwork.ozlabs.org/patch/874433/
Reported-by: Daniel Alvarez Sanchez <dalvarez@redhat.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046166.html
Tested-by: Mark Michelson <mmichels@redhat.com>
Reviewed-by: Mark Michelson <mmichels@redhat.com>
Reviewed-by: Daniel Alvarez <dalvarez@redhat.com>
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
When a Logical_Switch_Port P's options is set with 'requested-chassis=hv1'
and if the user has bound this logical port to two OVS interfaces each in
different host (eg. hv1 and hv2), then ovn-controller in hv1 sets the
P's Port_Binding.chassis to hv1 which is as expected. But on hv2, ovn-controller
is adding OF flows in table 0 and table 65 for the OVS interface instead of
considering 'P' as a remote port. When another logical port bound on hv2,
pings to the logical port 'P', the packet gets delivered to hv2 OVS interface
instead of hv1 OVS interface, which is wrong.
This scenario is most likely to happen when requested-chassis option is used
by CMS during migration of a VM from one chassis to another.
This patch fixes this issue by checking the Port_Binding's "requested-chassis"
option in physical.c before adding the flows in table 0 and 65.
Reported-by: Marcin Mirecki <mmirecki@redhat.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-March/345266.html
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Tested-by: Marcin Mirecki <mmirecki@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Whenever the acl reject rule is hit by an IPv6 packet, send back
an ICMPv6 destination unreachable packet using the icmp6 action.
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
icmp6 action is used to replace the IPv6 packet being processed with
an ICMPv6 packet initialized based on the incoming IPv6 one.
Ethernet and IPv6 fields not listed are not changed:
- ip.proto = 58 (ICMPv6)
- ip.ttl = 255
- icmp6.type = 1 (destination unreachable)
- icmp6.code = 1 (communication administratively prohibited)
Prerequisite: ip6
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Reported-by: Wei Li <liwei@anbutu.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
This patch adds the options to start clustered OVN db servers in ovn-ctl.
To support this, following options are added - '--db-(nb/sb)-cluster-local-addr',
'--db-(nb/sb)-cluster-local-port', '--db-(nb/sb)-cluster-local-proto',
'--db-(nb/sb)-cluster-remote-addr', '--db-(nb/sb)-cluster-remote-port' and
'--db-(nb/sb)-cluster-remote-proto'.
If only '--db-(nb/sb)-cluster-local-addr' is defined then clustered db is created
(using ovsdb-tool create-cluster). If both are defined, then the db is added to
the cluster (using ovsdb-tool join-cluster)
This patch also adds the support to configure ovn-northd to point to all the servers
in the cluster using the options - '--ovn-northd-nb-db' and 'ovn-northd-sb-db'.
Presently this patch doesn't handle the schema update scenario when restarting the
clustered ovsdb-servers. This will be handled in a separate patch.
The initial versions of these commands are tested by Aliasgar <aginwala <aginwala@asu.edu>
and the discussion on this can be found here -
https://mail.openvswitch.org/pipermail/ovs-discuss/2018-March/046470.html
(There are 4 checkpatch warnings 'Line length is >79-characters long' in ovn-ctl.8.xml
which I couldn't resolve without losing proper rendering when "man ovn-ctl" is run.)
Co-authored-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Whenever the acl reject rule is hit by a TCP segment, send back
a TCP RST packet to close the connection using the tcp_reset action.
Moreover, add a tcp_reset test case to 'ACL reject rule test'.
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
tcp_reset action transforms the current TCP segment according to the
following pseudocode:
    if (tcp.ack) {
        tcp.seq = tcp.ack;
    } else {
        tcp.ack = tcp.seq + length(tcp.payload);
        tcp.seq = 0;
    }
    tcp.flags = RST;
Then, the action drops all TCP options and payload data, and updates
the TCP checksum. IP ttl is set to 255.
Prerequisite: tcp
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
This modifies ovn-controller to measure the amount of time it takes to
generate flows.
The statistics can be queried using:
    ovs-appctl -t ovn-controller stopwatch/show
        ovn-controller-flow-generation
The statistics can be reset using:
    ovs-appctl -t ovn-controller stopwatch/reset
        ovn-controller-flow-generation
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Encap table already supported authentication. Update the out-of-date
description.
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
| |
This patch can set inactivity probe for connection by command:
ovs-vsctl --inactivity-probe=30000 set-manager tcp:<CONTROLLER IP>:6640
ovs-vsctl --inactivity-probe=30000 set-controller tcp:<CONTROLLER IP>:6641
vtep-ctl --inactivity-probe=30000 set-manager tcp:<CONTROLLER IP>:6640
ovn-nbctl --inactivity-probe=30000 set-connection ptcp:6641:0.0.0.0
ovn-sbctl --inactivity-probe=30000 set-connection ptcp:6642:0.0.0.0
Signed-off-by: Guoshuai Li <ligs@dtdream.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Until now, struct ofputil_flow_mod, which represents an OpenFlow flow table
modification request, has incorporated a struct match, which made the
overall ofputil_flow_mod about 2.5 kB. This is OK for a small number of
flows, but absurdly inflates memory requirements when there are hundreds of
thousands of flows. This commit fixes the problem by changing struct match
to struct minimatch inside ofputil_flow_mod, which reduces its size to
about 100 bytes plus the actual size of the flow match (usually a few dozen
bytes).
This affects memory usage of ovs-ofctl (when it adds a large number of
flows) more than ovs-vswitchd.
Reported-by: Michael Ben-Ami <mbenami@digitalocean.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: Armando Migliaccio <armamig@gmail.com>
Tested-by: Armando Migliaccio <armamig@gmail.com>
Reviewed-by: Jan Scheurich <jan.scheurich@ericsson.com>
Tested-by: Jan Scheurich <jan.scheurich@ericsson.com>
Tested-by: Yifeng Sun <pkusunyifeng@gmail.com>
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
| |
This commit adds support for OVSDB clustering via Raft. Please read
ovsdb(7) for information on how to set up a clustered database. It is
simple and boils down to running "ovsdb-tool create-cluster" on one server
and "ovsdb-tool join-cluster" on each of the others and then starting
ovsdb-server in the usual way on all of them.
Once you have a clustered database, you configure ovn-controller and
ovn-northd to use it by pointing them to all of the servers, e.g. where
previously you might have said "tcp:1.2.3.4" was the database server,
now you say that it is "tcp:1.2.3.4,tcp:5.6.7.8,tcp:9.10.11.12".
This also adds support for database clustering to ovs-sandbox.
Acked-by: Justin Pettit <jpettit@ovn.org>
Tested-by: aginwala <aginwala@asu.edu>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Most of the OVS database-manipulation utilities (ovn-sbctl, ovn-nbctl,
ovs-vsctl, vtep-ctl) don't retry their connections by default because
they assume that the database is either up or down and likely to stay
that way. The OVN southbound database, however, is a likely candidate
for high availability clustering, so that even if it appears to be
down for a moment it will be available again soon. So, prepare for
the clustering implementation by enabling retry by default in
ovn-sbctl.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
| |
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Until now, the ofp-print code has had a lot of logic specific to
individual messages. This code is better put with the other code specific
to those messages, so this commit starts to migrate it.
There is more work of a similar type to do, but this is a reasonable start.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
| |
This commit relieves the caller of code that deals with the format of
packet-in messages from some of the burden of understanding the packet
format. It also renames the constants to appear to be at a higher level of
abstraction.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
| |
When the Load_Balancer is added to the logical_switch,
the VIP has to be in a different subnet than the one used
for the logical_switch. Since VIP is in a different subnet,
you should connect your logical switch to either an OVN
logical router or a real router (this is because the client
can now send a packet with VIP as the destination IP address
and router's mac address as the destination MAC address).
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
| |
The priority 34000 DHCP and DNS flows are added to the
S_SWITCH_OUT_ACL table and not S_SWITCH_OUT_STATEFUL table.
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
| |
Whenever the acl reject rule is hit, send back an ICMPv4 destination
unreachable packet and do not handle the reject rule as a drop one.
Treat TCP connections as DROP for the moment since tcp_reset{} action
has not been implemented yet.
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
icmp4 action is used to replace the IPv4 packet being processed with
an ICMPv4 packet initialized based on the incoming IPv4 one.
Ethernet and IPv4 fields not listed are not changed:
- ip.proto = 1 (ICMPv4)
- ip.frag = 0 (not a fragment)
- ip.ttl = 255
- icmp4.type = 3 (destination unreachable)
- icmp4.code = 1 (host unreachable)
Prerequisite: ip4
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-By: Mark Michelson <mmichels@redhat.com>
| |
Unlike IPv4, IPv6 mandates the calculation of the UDP checksum. For DNS
resolution in OVN, we were setting the checksum to 0, which results in
errors.
This patch fixes the problem by calculating the checksum for DNS over
IPv6. It also alters the applicable test by skipping the checksum when
comparing the expected and actual packets.
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
Most of the tree now uses "encode" as the verb for making an OpenFlow
message, so adopt it here in this very old code as well.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
| |
Rename the remaining variables that were shadowing another definition.
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
| |
These options are not implemented by ovn-sbctl.
Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
The ovn-nbctl, ovn-sbctl, and ovs-vsctl manpages are inconsistent in
their "Database Commands" section when it comes to referring to what
database tables exist. This commit amends this by making each *ctl
manpage reference the corresponding database manpage instead.
To aid in having a more handy list, the --help text of ovn-nbctl,
ovn-sbctl, and ovs-vsctl have been modified to list the available
tables. This is also referenced in the manpages for those applications.
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
| |
In one place, ovn-northd was hashing Logical_Switch or Logical_Router UUIDs
for ovn_lflow, and in another place it was hashing Datapath_Binding UUIDs.
This caused problems. This commit changes ovn-northd to always hash the
Datapath_Binding UUID.
Jacob Sitnicki reported the following performance improvement for a similar
fix:
            Children   Self    Command     Shared Object  Symbol
    before:
            76.19%     0.01%   ovn-northd  ovn-northd     [.] ovnnb_db_run
            11.04%     0.43%   ovn-northd  ovn-northd     [.] ovn_lflow_find
    after:
            75.16%     0.05%   ovn-northd  ovn-northd     [.] ovnnb_db_run
             2.49%     0.17%   ovn-northd  ovn-northd     [.] ovn_lflow_find
Fixes: 8bf332225d4a ("ovn-northd: Reduce amount of flow hashing.")
Reported-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>