[ovs-dev] [PATCH] xenserver: allow dom0 traffic in secure pool host when controller unavailable.
David Tsai
dtsai at nicira.com
Tue Jun 14 23:55:43 UTC 2011
A pool configured for secure fail-mode can block dom0 traffic on hosts that join
the pool or reboot while the controller is unavailable. This
commit sets default flows on a host under these conditions to allow management
traffic. Once the connection with the controller is re-established, these
default flows are replaced by the controller.
NIC-376.
---
.../etc_xapi.d_plugins_openvswitch-cfg-update | 41 +++++++++++++
...ensource_libexec_InterfaceReconfigureVswitch.py | 61 +++++++++++++++++++-
2 files changed, 100 insertions(+), 2 deletions(-)
diff --git a/xenserver/etc_xapi.d_plugins_openvswitch-cfg-update b/xenserver/etc_xapi.d_plugins_openvswitch-cfg-update
index e1c8546..8932774 100755
--- a/xenserver/etc_xapi.d_plugins_openvswitch-cfg-update
+++ b/xenserver/etc_xapi.d_plugins_openvswitch-cfg-update
@@ -26,8 +26,10 @@ import XenAPI
import os
import subprocess
import syslog
+import re
vsctl="/usr/bin/ovs-vsctl"
+ofctl="/usr/bin/ovs-ofctl"
cacert_filename="/etc/openvswitch/vswitchd.cacert"
# Delete the CA certificate, so that we go back to boot-strapping mode
@@ -54,6 +56,7 @@ def update(session, args):
raise XenAPIPlugin.Failure("NO_POOL_FOR_HOST", [])
if len(pools) > 1:
raise XenAPIPlugin.Failure("MORE_THAN_ONE_POOL_FOR_HOST", [])
+ new_controller = False
pool = session.xenapi.pool.get_record(pools[0])
controller = pool.get("vswitch_controller", "")
ret_str = ""
@@ -73,6 +76,7 @@ def update(session, args):
except:
pass
setControllerCfg(controller)
+ new_controller = True
ret_str += "Successfully set controller to %s. " % controller
try:
@@ -89,6 +93,17 @@ def update(session, args):
except KeyError:
pass
+ # If new controller, get managagment MAC addresses from XAPI now
+ # in case fail_mode set to secure which may affect XAPI access
+ mgmt_bridge = None
+ host_mgmt_mac = None
+ pool_mgmt_macs = []
+ if new_controller:
+ for n in session.xenapi.PIF.get_all():
+ rec = session.xenapi.PIF.get_record(n)
+ if rec.get('management', False):
+ pool_mgmt_macs.append(rec.get('MAC'))
+
dib_changed = False
fail_mode_changed = False
for bridge in vswitchCfgQuery(['list-br']).split():
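Review bot: `pool_mgmt_macs.append(rec.get('MAC'))` appends None whenever a management PIF record lacks a MAC key, so the list can carry a None entry; guard it with `mac = rec.get('MAC')` followed by `if mac: pool_mgmt_macs.append(mac)`. The comment introducing the block misspells "management" as `managagment`. Because the loop walks `PIF.get_all()`, the list presumably holds the management MACs of every host in the pool, with the local one selected later by bridge hwaddr; a comment saying so would save the next reader a trip through the later hunk. `update` continues outside this hunk.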
@@ -140,6 +155,25 @@ def update(session, args):
"fail_mode=%s" % fail_mode])
fail_mode_changed = True
+ # Determine local mgmt MAC address if host being added to secure
+ # pool so we can add default flows to allow management traffic
+ if new_controller and fail_mode_changed and pool_fail_mode == "secure":
+ oc = vswitchCfgQuery(["get", "Bridge", bridge, "other-config"])
+ m = re.match('.*hwaddr="([0-9a-fA-F:].*)".*', oc)
+ if m and m.group(1) in pool_mgmt_macs:
+ mgmt_bridge = bridge
+ host_mgmt_mac = m.group(1)
+
+ if host_mgmt_mac is not None and mgmt_bridge is not None:
+ tp = "idle_timeout=0,priority=0"
+ addFlow(mgmt_bridge, "%s,in_port=1,arp,nw_proto=1,actions=local" % (tp))
+ addFlow(mgmt_bridge, "%s,in_port=local,arp,dl_src=%s,actions=1" % \
+ (tp, host_mgmt_mac))
+ addFlow(mgmt_bridge, "%s,in_port=1,dl_dst=%s,actions=local" % \
+ (tp, host_mgmt_mac))
+ addFlow(mgmt_bridge, "%s,in_port=local,dl_src=%s,actions=1" % \
+ (tp, host_mgmt_mac))
+
if dib_changed:
ret_str += "Updated in-band management. "
if fail_mode_changed:
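Review bot: The pattern at `m = re.match('.*hwaddr="([0-9a-fA-F:].*)".*', oc)` captures greedily: the character class matches a single character and the following `.*` runs to the last `"` in the other-config string, so whenever another key follows `hwaddr` the capture includes the trailing `", key="value` text, the `in pool_mgmt_macs` test fails, and the secure-mode host silently gets no default flows. A tighter pattern, `m = re.search(r'hwaddr="([0-9a-fA-F:]+)"', oc)`, captures only the address. The comparison is case-sensitive; if XAPI and the bridge hwaddr can differ in case (not verifiable here), normalise both sides with `.lower()`. The four flows also assume the physical NIC is ofport 1, as the non-bond branch in InterfaceReconfigureVswitch.py does; a comment recording that assumption would help. `update` continues outside the hunk.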
@@ -198,6 +232,13 @@ def emergency_reset(session, args):
[ str(exitcode) ])
return "Successfully reset configuration"
+
+def addFlow(switch, flow):
+ cmd = [ofctl, "add-flow", switch, flow]
+ exitcode = subprocess.call(cmd)
+ if exitcode != 0:
+ raise XenAPIPlugin.Failure("VSWITCH_ADD_FLOW_FAILURE",
+ [ str(exitcode) , str(switch), str(flow) ])
if __name__ == "__main__":
XenAPIPlugin.dispatch({"update": update,
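Review bot: `addFlow` has no docstring, so its failure contract is only visible from the raise. Add `"""Install *flow* on bridge *switch* via ovs-ofctl add-flow; raises XenAPIPlugin.Failure("VSWITCH_ADD_FLOW_FAILURE") on a non-zero exit."""` under the signature. Passing the flow as one argv element (no shell) is the right choice and worth a short comment, since the flow string embeds a MAC read from the bridge configuration. PEP 8 also wants two blank lines between the new function and the `if __name__` block.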
diff --git a/xenserver/opt_xensource_libexec_InterfaceReconfigureVswitch.py b/xenserver/opt_xensource_libexec_InterfaceReconfigureVswitch.py
index 10c6bd2..b00aca3 100644
--- a/xenserver/opt_xensource_libexec_InterfaceReconfigureVswitch.py
+++ b/xenserver/opt_xensource_libexec_InterfaceReconfigureVswitch.py
@@ -14,6 +14,7 @@
from InterfaceReconfigure import *
import os
import re
+import subprocess
#
# Bare Network Devices -- network devices without IP configuration
@@ -292,10 +293,14 @@ def configure_datapath(pif):
- A list containing the necessary vsctl command line arguments
- A list of additional devices which should be brought up after
the configuration is applied.
+ - A list containing flows to apply to the pif bridge, note in
+ case of bonds, slave port numbers need to be substituted
+ once ofport is known
"""
vsctl_argv = []
extra_up_ports = []
+ bridge_flows = []
assert not pif_is_vlan(pif)
bridge = pif_bridge_name(pif)
@@ -404,6 +409,25 @@ def configure_datapath(pif):
if (fail_mode not in valid_fail_modes) and pool:
fail_mode = pool['other_config'].get('vswitch-controller-fail-mode')
+ # Add default flows to allow management traffic if fail-mode
+ # transitions to secure based on pool fail-mode setting
+ if fail_mode == 'secure' and db().get_pif_record(pif).get('management', False):
+ prev_fail_mode = vswitchCfgQuery(['get-fail-mode', bridge])
+ if prev_fail_mode != 'secure':
+ tp = 'idle_timeout=0,priority=0'
+ host_mgmt_mac = db().get_pif_record(pif)['MAC']
+ # account for bond as management interface
+ if len(physical_devices) > 1:
+ bridge_flows += ['%s,in_port=local,arp,dl_src=%s,actions=NORMAL' % (tp, host_mgmt_mac)]
+ bridge_flows += ['%s,in_port=local,dl_src=%s,actions=NORMAL' % (tp, host_mgmt_mac)]
+ # we don't know slave ofports yet, substitute later
+ bridge_flows += ['%s,in_port=%%s,arp,nw_proto=1,actions=local' % (tp)]
+ bridge_flows += ['%s,in_port=%%s,dl_dst=%s,actions=local' % (tp, host_mgmt_mac)]
+ else:
+ bridge_flows += ['%s,in_port=1,arp,nw_proto=1,actions=local' % (tp)]
+ bridge_flows += ['%s,in_port=local,arp,dl_src=%s,actions=1' % (tp, host_mgmt_mac)]
+ bridge_flows += ['%s,in_port=1,dl_dst=%s,actions=local' % (tp, host_mgmt_mac)]
+ bridge_flows += ['%s,in_port=local,dl_src=%s,actions=1' % (tp, host_mgmt_mac)]
if fail_mode not in valid_fail_modes:
fail_mode = 'standalone'
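Review bot: `db().get_pif_record(pif)` is queried twice in the new block (the `management` test and the `MAC` read); fetch it once with `pifrec = db().get_pif_record(pif)`, then `if fail_mode == 'secure' and pifrec.get('management', False):` and `host_mgmt_mac = pifrec['MAC']`. `physical_devices` is used by the bond check but not defined in the hunk, so it presumably comes from earlier in `configure_datapath`; worth confirming it is always bound before this point. The non-bond branch hard-codes `in_port=1` while the bond branch defers the port numbers; a comment such as `# single NIC: the physical port is assumed to be ofport 1` would record the assumption. Note also that `vswitchCfgQuery` returns "" when the bridge does not exist yet, which the `!= 'secure'` test treats as a transition into secure mode — presumably intended for first bring-up, but it deserves a comment.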
@@ -422,7 +446,7 @@ def configure_datapath(pif):
vsctl_argv += set_br_external_ids(pif)
vsctl_argv += ['## done configuring datapath %s' % bridge]
- return vsctl_argv,extra_up_ports
+ return vsctl_argv,extra_up_ports,bridge_flows
def deconfigure_bridge(pif):
vsctl_argv = []
@@ -475,6 +499,7 @@ class DatapathVswitch(Datapath):
Datapath.__init__(self, pif)
self._dp = pif_datapath(pif)
self._ipdev = pif_ipdev_name(pif)
+ self._bridge_flows = []
if pif_is_vlan(pif) and not self._dp:
raise Error("Unbridged VLAN devices not implemented yet")
@@ -505,15 +530,17 @@ class DatapathVswitch(Datapath):
def preconfigure(self, parent):
vsctl_argv = []
extra_ports = []
+ bridge_flows = []
pifrec = db().get_pif_record(self._pif)
dprec = db().get_pif_record(self._dp)
ipdev = self._ipdev
- c,e = configure_datapath(self._dp)
+ c,e,f = configure_datapath(self._dp)
bridge = pif_bridge_name(self._pif)
vsctl_argv += c
extra_ports += e
+ bridge_flows += f
dpname = pif_bridge_name(self._dp)
@@ -542,6 +569,7 @@ class DatapathVswitch(Datapath):
self._vsctl_argv = vsctl_argv
self._extra_ports = extra_ports
+ self._bridge_flows = bridge_flows
def bring_down_existing(self):
# interface-reconfigure is never explicitly called to down a
@@ -612,6 +640,22 @@ class DatapathVswitch(Datapath):
run_command(['/usr/sbin/ovs-vlan-bug-workaround', dev, setting])
datapath_modify_config(self._vsctl_argv)
+ if self._bridge_flows:
+ bond_ofports = []
+ physical_devices = datapath_get_physical_pifs(self._dp)
+ if len(physical_devices) > 1:
+ for slave in physical_devices:
+ name = pif_netdev_name(slave)
+ ofport = vswitchCfgQuery(['get', 'interface', name, 'ofport'])
+ bond_ofports.append(ofport)
+ dpname = pif_bridge_name(self._dp)
+ for flow in self._bridge_flows:
+ if bond_ofports and flow.find('in_port=%s') != -1:
+ for ofport in bond_ofports:
+ f = flow % (ofport)
+ run_command(['/usr/bin/ovs-ofctl', 'add-flow', dpname, f])
+ else:
+ run_command(['/usr/bin/ovs-ofctl', 'add-flow', dpname, flow])
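Review bot: The value read at `ofport = vswitchCfgQuery(['get', 'interface', name, 'ofport'])` is substituted into the flow without validation; the helper returns "" when ovs-vsctl fails, and ovs-vsctl typically prints `[]` when an interface has no ofport assigned yet, either of which yields a malformed `in_port=` match and makes every bond-slave add-flow fail. Add `if not ofport.isdigit(): raise Error("no ofport for %s" % name)` before the append (or log and skip, if best-effort is preferred here). `flow.find('in_port=%s') != -1` reads more naturally as `'in_port=%s' in flow`, and the `'/usr/bin/ovs-ofctl'` path repeated in both branches could be a module constant. `configure` continues outside the hunk.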
def post(self):
for p in self._extra_ports:
@@ -667,3 +711,16 @@ class DatapathVswitch(Datapath):
netdev_down(p)
datapath_modify_config(vsctl_argv)
+
+#
+# utility methods
+#
+
+def vswitchCfgQuery(action_args):
+ cmd = ['/usr/bin/ovs-vsctl', '--timeout=5', '-vANY:console:emer'] + action_args
+ output = subprocess.Popen(cmd, stdout=subprocess.PIPE).communicate()
+ if len(output) == 0 or output[0] == None:
+ output = ""
+ else:
+ output = output[0].strip()
+ return output
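Review bot: `vswitchCfgQuery` discards the ovs-vsctl exit status, so a failed query (missing bridge, timeout) returns "" exactly like an empty-but-valid result, and the callers this patch adds (`get-fail-mode`, the bond `ofport` lookup) cannot tell the two apart. The `len(output) == 0` branch is dead, since `communicate()` always returns a two-tuple, and `output[0] == None` should be `is None`. I would keep the process handle and return None on a non-zero exit so callers can check, with a docstring stating that; raising `Error` would be cleaner but the `get-fail-mode` call in `configure_datapath` may legitimately hit a bridge that does not exist yet. The plugin file uses a helper of the same name (at the `vswitchCfgQuery(["get", "Bridge", ...])` call) that is not in this diff; the two should agree on failure behaviour.
```python
def vswitchCfgQuery(action_args):
    """Run ovs-vsctl with *action_args* and return its stripped stdout.

    Returns None when ovs-vsctl exits non-zero, so callers can distinguish
    a failed query from a genuinely empty result.
    """
    cmd = ['/usr/bin/ovs-vsctl', '--timeout=5', '-vANY:console:emer'] + action_args
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE)
    stdout, _ = proc.communicate()
    if proc.returncode != 0 or stdout is None:
        return None
    return stdout.strip()
```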
--
1.5.6.5