[ovs-dev] [PATCH] xenserver: allow dom0 traffic in secure pool host when controller unavailable.

Ben Pfaff blp at nicira.com
Wed Jun 15 21:05:30 UTC 2011


On Tue, Jun 14, 2011 at 04:55:43PM -0700, David Tsai wrote:
> A pool configured for secure fail-mode can block dom0 traffic on hosts joining
> the pool or if the host reboots while the controller is unavailable.  This
> commit sets default flows on a host under these conditions to allow management
> traffic.  Once the connection with the controller is re-established, these
> default flows are replaced by the controller.
> 
> NIC-376.

Most of this looks good.  One problem I see is that it assumes that
port 1 is always the correct port number for the physical port.  This
is likely, but not guaranteed.  To be reliable, it needs to find out
the physical port's correct number.

The following patch can be applied incrementally on top of yours to
obtain slightly better unit test coverage.  It will need to be updated
a bit once the hard-coded port number issue is fixed.

diff --git a/tests/interface-reconfigure.at b/tests/interface-reconfigure.at
index b9871f3..b8b8632 100644
--- a/tests/interface-reconfigure.at
+++ b/tests/interface-reconfigure.at
@@ -40,6 +40,7 @@ EOF
         sbin/ip \
         sbin/update-issue \
         sbin/vconfig \
+        usr/bin/ovs-ofctl \
         usr/bin/ovs-vsctl \
         usr/sbin/brctl \
         usr/sbin/ovs-vlan-bug-workaround
@@ -644,7 +645,7 @@ EOF
         <pool ref="OpaqueRef:a765d06c-fc82-cc67-8f6c-fd8db45f6a84">
                 <other_config>
                         <vswitch-controller-fail-mode>
-                                standalone
+                                secure
                         </vswitch-controller-fail-mode>
                 </other_config>
         </pool>
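Review bot: flipping the only pool fixture from `standalone` to `secure` drops the test coverage the standalone path had; since the new behaviour is keyed on fail mode, it would be better to keep one datapath test on `standalone` (expecting no `ovs-ofctl add-flow` lines) and add a second on `secure`, so a regression in either branch is caught.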
@@ -674,6 +675,7 @@ configure_datapath: bridge      - xenbr2
 configure_datapath: physical    - [u'eth2']
 configure_datapath: extra ports - []
 configure_datapath: extra bonds - []
+/usr/bin/ovs-vsctl --timeout=5 -vANY:console:emer get-fail-mode xenbr2
 Applying changes to /etc/sysconfig/network-scripts/route-xenbr2 configuration
 Applying changes to /etc/sysconfig/network configuration
 Applying changes to /etc/sysconfig/network-scripts/ifcfg-xenbr2 configuration
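Review bot: the `get-fail-mode xenbr2` query runs before the `ovs-vsctl` transaction later in this test that sets `fail_mode=secure`, so on a host that is just joining the pool the bridge may not exist yet or may still report its previous mode. Worth confirming that the decision to install the default flows is meant to key off the bridge's prior state rather than the pool's configured fail mode, and documenting which one in the code.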
@@ -685,9 +687,13 @@ Applying changes to /etc/sysconfig/network-scripts/ifcfg-xenbr2 configuration
     --may-exist add-br xenbr2
     --may-exist add-port xenbr2 eth2
     set Bridge xenbr2 other-config:hwaddr="00:15:17:a0:29:80"
-    set Bridge xenbr2 fail_mode=standalone
+    set Bridge xenbr2 fail_mode=secure
     remove Bridge xenbr2 other_config disable-in-band
     br-set-external-id xenbr2 xs-network-uuids d08c8749-0c8f-9e8d-ce25-fd364661ee99
+/usr/bin/ovs-ofctl add-flow xenbr2 idle_timeout=0,priority=0,in_port=1,arp,nw_proto=1,actions=local
+/usr/bin/ovs-ofctl add-flow xenbr2 idle_timeout=0,priority=0,in_port=local,arp,dl_src=00:15:17:a0:29:80,actions=1
+/usr/bin/ovs-ofctl add-flow xenbr2 idle_timeout=0,priority=0,in_port=1,dl_dst=00:15:17:a0:29:80,actions=local
+/usr/bin/ovs-ofctl add-flow xenbr2 idle_timeout=0,priority=0,in_port=local,dl_src=00:15:17:a0:29:80,actions=1
 /sbin/ifup xenbr2
 /sbin/update-issue
 Committing changes to /etc/sysconfig/network-scripts/route-xenbr2 configuration
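Review bot: the four `ovs-ofctl add-flow` lines hard-code OpenFlow port 1 for eth2 (`in_port=1` and `actions=1`), which is the assumption flagged above; the physical port's number should be read from the database (e.g. `ovs-vsctl get Interface eth2 ofport`) and substituted before the flows are added, and the expected output here updated accordingly. The rest looks right: `priority=0` keeps these as lowest-priority permanent flows that any controller-installed flow overrides, and restricting the non-ARP rules to `dl_dst`/`dl_src` of the bridge's own hwaddr keeps the fallback narrow to dom0 management traffic.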
@@ -752,7 +758,7 @@ Applying changes to /etc/sysconfig/network-scripts/ifcfg-xapi3 configuration
     --may-exist add-br xenbr3
     --may-exist add-port xenbr3 eth3
     set Bridge xenbr3 other-config:hwaddr="00:15:17:a0:29:81"
-    set Bridge xenbr3 fail_mode=standalone
+    set Bridge xenbr3 fail_mode=secure
     remove Bridge xenbr3 other_config disable-in-band
     br-set-external-id xenbr3 xs-network-uuids 2902ae1b-8013-897a-b697-0b200ea3aaa5;db7bdc03-074d-42ae-fc73-9b06de1d57f6
     --if-exists del-br xapi3
@@ -843,7 +849,7 @@ Applying changes to /etc/sysconfig/network-scripts/ifcfg-xapi1 configuration
     --fake-iface add-bond xapi1 bond0 eth0 eth1
     set Port bond0 MAC="00:22:19:22:4b:af" other-config:bond-miimon-interval=100 bond_downdelay=200 bond_updelay=31000 other-config:bond-detect-mode=carrier lacp=off bond_mode=balance-slb
     set Bridge xapi1 other-config:hwaddr="00:22:19:22:4b:af"
-    set Bridge xapi1 fail_mode=standalone
+    set Bridge xapi1 fail_mode=secure
     remove Bridge xapi1 other_config disable-in-band
     br-set-external-id xapi1 xs-network-uuids 45cbbb43-113d-a712-3231-c6463f253cef;99be2da4-6c33-6f8e-49ea-3bc592fe3c85
 /sbin/ifup xapi1
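Review bot: no `ovs-ofctl add-flow` lines appear between `br-set-external-id xapi1 ...` and `/sbin/ifup xapi1` for this bonded datapath, even though its `fail_mode` is now `secure`. Either the default flows are not installed when the physical port is a bond (in which case dom0 on a bonded management interface would still be cut off while the controller is unreachable) or the expected output is incomplete; confirm which, and if the former, handle the bond port (whose OpenFlow number will not be 1) as well.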
@@ -930,7 +936,7 @@ Applying changes to /etc/sysconfig/network-scripts/ifcfg-xapi2 configuration
     --fake-iface add-bond xapi1 bond0 eth0 eth1
     set Port bond0 MAC="00:22:19:22:4b:af" other-config:bond-miimon-interval=100 bond_downdelay=200 bond_updelay=31000 other-config:bond-detect-mode=carrier lacp=off bond_mode=balance-slb
     set Bridge xapi1 other-config:hwaddr="00:22:19:22:4b:af"
-    set Bridge xapi1 fail_mode=standalone
+    set Bridge xapi1 fail_mode=secure
     remove Bridge xapi1 other_config disable-in-band
     br-set-external-id xapi1 xs-network-uuids 45cbbb43-113d-a712-3231-c6463f253cef;99be2da4-6c33-6f8e-49ea-3bc592fe3c85
     --if-exists del-br xapi2
diff --git a/xenserver/opt_xensource_libexec_InterfaceReconfigureVswitch.py b/xenserver/opt_xensource_libexec_InterfaceReconfigureVswitch.py
index b00aca3..4ed3486 100644
--- a/xenserver/opt_xensource_libexec_InterfaceReconfigureVswitch.py
+++ b/xenserver/opt_xensource_libexec_InterfaceReconfigureVswitch.py
@@ -717,7 +717,8 @@ class DatapathVswitch(Datapath):
 #
 
 def vswitchCfgQuery(action_args):
-    cmd = ['/usr/bin/ovs-vsctl', '--timeout=5', '-vANY:console:emer'] + action_args
+    cmd = ['%s/usr/bin/ovs-vsctl' % root_prefix(),
+           '--timeout=5', '-vANY:console:emer'] + action_args
     output = subprocess.Popen(cmd, stdout=subprocess.PIPE).communicate()
     if len(output) == 0 or output[0] == None:
         output = ""
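Review bot: the `root_prefix()` change is the right fix for the test sandbox, but the unchanged guard on the next lines, `if len(output) == 0 or output[0] == None`, can never be true: `communicate()` always returns a two-tuple, and with `stdout=subprocess.PIPE` the first element is a string (possibly empty), never `None`. A check on `output[0]` being empty (and ideally on the process return code) would express the intent; also prefer `is None` over `== None` when comparing against `None`.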


