[ovs-dev] [PATCH ovn] ovn-controller: Fix the missing ct zone entries for container ports.

Dumitru Ceara dceara at redhat.com
Fri Jul 17 09:51:44 UTC 2020 

On 7/17/20 11:21 AM, numans at ovn.org wrote:
> From: Numan Siddique <numans at ovn.org>
> 
> After the commit in the Fixes tag, ovn-controller was not creating ct zone
> entries for the container ports in the integration bridge's external_ids
> column. Because of this, when a container port sends a traffic to
> load balancer VIP, zone id is not used (because REG13 is not set).
> But the reverse traffic doesn't go through the ct_lb action for undnat,
> but instead go to the conntrack via the ct_commit() OVN action and the
> packet gets dropped. This happens if an ACL with allow-related action
> which matches in the egress pipeline of the logical switch.
> 
> This patch fixes this regression and the tests make sure the the ct zone
> entries are created for the container ports.
> 
> Fixes: 6c8b9a132532("ovn-controller: Store the local port bindings in the runtime data I-P state.")
> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1857865
> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1858191
> Signed-off-by: Numan Siddique <numans at ovn.org>
> ---
>  controller/binding.c |  11 ++++
>  tests/ovn.at         |  30 +++++++++++
>  tests/system-ovn.at  | 118 +++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 159 insertions(+)
> 
> diff --git a/controller/binding.c b/controller/binding.c
> index e630b60801..b73abb982c 100644
> --- a/controller/binding.c
> +++ b/controller/binding.c
> @@ -1011,6 +1011,7 @@ consider_vif_lport_(const struct sbrec_port_binding *pb,
>                                 b_ctx_out->local_datapaths,
>                                 b_ctx_out->tracked_dp_bindings);
>              update_local_lport_ids(pb, b_ctx_out);
> +            update_local_lports(pb->logical_port, b_ctx_out);
>              if (lbinding->iface && qos_map && b_ctx_in->ovs_idl_txn) {
>                  get_qos_params(pb, qos_map);
>              }
> @@ -1981,6 +1982,16 @@ handle_deleted_vif_lport(const struct sbrec_port_binding *pb,
>          }
>      }
>  
> +    /* If its a container lport, then delete its entry from local_lports
> +     * if present.
> +     * Note: If a normal lport is deleted, we don't want to remove
> +     * it from local_lports if there is a VIF entry.
> +     * consider_iface_release() takes care of removing from the local_lports
> +     * when the interface change happens. */
> +    if (is_lport_container(pb)) {
> +        remove_local_lports(pb->logical_port, b_ctx_out);
> +    }
> +
>      handle_deleted_lport(pb, b_ctx_in, b_ctx_out);
>      return true;
>  }
> diff --git a/tests/ovn.at b/tests/ovn.at
> index ba1a534e92..e19efafbe2 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -8785,6 +8785,36 @@ ip_to_hex() {
>      printf "%02x%02x%02x%02x" "$@"
>  }
>  
> +# Test that ovn-controllers create ct-zone entry for container ports.
> +foo1_zoneid=$(as hv1 ovs-vsctl get bridge br-int external_ids:ct-zone-foo1)
> +AT_CHECK([test ! -z $foo1_zoneid])
> +
> +bar1_zoneid=$(as hv1 ovs-vsctl get bridge br-int external_ids:ct-zone-bar1)
> +AT_CHECK([test ! -z $bar1_zoneid])
> +
> +bar3_zoneid=$(as hv1 ovs-vsctl get bridge br-int external_ids:ct-zone-bar3)
> +AT_CHECK([test ! -z $bar3_zoneid])
> +
> +foo2_zoneid=$(as hv2 ovs-vsctl get bridge br-int external_ids:ct-zone-foo2)
> +AT_CHECK([test ! -z $foo2_zoneid])
> +
> +bar2_zoneid=$(as hv2 ovs-vsctl get bridge br-int external_ids:ct-zone-bar2)
> +AT_CHECK([test ! -z $bar2_zoneid])
> +
> +ovn-nbctl lsp-del bar2
> +ovn-nbctl --wait=hv sync
> +
> +bar2_zoneid=$(as hv2 ovs-vsctl get bridge br-int external_ids:ct-zone-bar2)
> +AT_CHECK([test  -z $bar2_zoneid])
> +
> +# Add back bar2
> +ovn-nbctl lsp-add bar bar2 vm2 1 \
> +-- lsp-set-addresses bar2 "f0:00:00:01:02:08 192.168.2.3"
> +ovn-nbctl --wait=hv sync
> +
> +bar2_zoneid=$(as hv2 ovs-vsctl get bridge br-int external_ids:ct-zone-bar2)
> +AT_CHECK([test ! -z $bar2_zoneid])
> +
>  # Send ip packets between foo1 and foo2 (same switch, different HVs and
>  # different VLAN tags).
>  src_mac="f00000010205"
> diff --git a/tests/system-ovn.at b/tests/system-ovn.at
> index 2999e52fde..77c92e86ec 100644
> --- a/tests/system-ovn.at
> +++ b/tests/system-ovn.at
> @@ -4365,3 +4365,121 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d
>  /Service monitor not found.*/d"])
>  
>  AT_CLEANUP
> +
> +AT_SETUP([ovn -- Load balancer for container ports])
> +AT_SKIP_IF([test $HAVE_NC = no])
> +AT_KEYWORDS([lb])
> +
> +ovn_start
> +
> +OVS_TRAFFIC_VSWITCHD_START()
> +ADD_BR([br-int])
> +
> +# Set external-ids in br-int needed for ovn-controller
> +ovs-vsctl \
> +        -- set Open_vSwitch . external-ids:system-id=hv1 \
> +        -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \
> +        -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \
> +        -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \
> +        -- set bridge br-int fail-mode=secure other-config:disable-in-band=true
> +
> +# Start ovn-controller
> +start_daemon ovn-controller
> +
> +ovn-nbctl ls-add sw0
> +ovn-nbctl lsp-add sw0 sw0-p1-lbc
> +ovn-nbctl lsp-set-addresses sw0-port1 "10:54:00:00:00:03 10.0.0.3"
> +
> +ovn-nbctl lsp-add sw0 sw0-p2-lbc
> +ovn-nbctl lsp-set-addresses sw0-port2 "10:54:00:00:00:04 10.0.0.4"
> +
> +ovn-nbctl ls-add sw1
> +ovn-nbctl lsp-add sw1 sw1-port1 sw0-p1-lbc 10
> +ovn-nbctl lsp-set-addresses sw1-port1 "40:54:00:00:00:03 20.0.0.3"
> +
> +ovn-nbctl lsp-add sw1 sw1-port2 sw0-p2-lbc 20
> +ovn-nbctl lsp-set-addresses sw1-port2 "40:54:00:00:00:04 20.0.0.4"
> +
> +
> +ovn-nbctl lr-add lr0
> +ovn-nbctl lrp-add lr0 lr0-sw1 00:00:00:00:ff:02 20.0.0.1/24
> +ovn-nbctl lsp-add sw1 sw1-lr0
> +ovn-nbctl lsp-set-type sw1-lr0 router
> +ovn-nbctl lsp-set-addresses sw1-lr0 router
> +ovn-nbctl lsp-set-options sw1-lr0 router-port=lr0-sw1
> +
> +
> +ovn-nbctl ls-add sw2
> +ovn-nbctl lsp-add sw2 sw2-port1
> +ovn-nbctl lsp-set-addresses sw2-port1 "50:54:00:00:00:03 30.0.0.3"
> +
> +ovn-nbctl lrp-add lr0 lr0-sw2 00:00:00:00:ff:03 30.0.0.1/24
> +ovn-nbctl lsp-add sw2 sw2-lr0
> +ovn-nbctl lsp-set-type sw2-lr0 router
> +ovn-nbctl lsp-set-addresses sw2-lr0 router
> +ovn-nbctl lsp-set-options sw2-lr0 router-port=lr0-sw2
> +
> +
> +ovn-nbctl lb-add lb0 "30.0.0.10:80" "20.0.0.4:80"
> +
> +ovn-nbctl ls-lb-add sw1 lb0
> +ovn-nbctl ls-lb-add sw2 lb0
> +ovn-nbctl lr-lb-add lr0 lb0
> +
> +ADD_NAMESPACES(sw0-p1-lbc)
> +ADD_VETH(sw0-p1-lbc, sw0-p1-lbc, br-int, "10.0.0.3/24", "10:54:00:00:00:03", \
> +         "10.0.0.1")
> +
> +ADD_NAMESPACES(sw0-p2-lbc)
> +ADD_VETH(sw0-p2-lbc, sw0-p2-lbc, br-int, "10.0.0.4/24", "10:54:00:00:00:04", \
> +         "10.0.0.1")
> +
> +# Create the interface for lport sw1-port1
> +NS_CHECK_EXEC([sw0-p1-lbc], [ip link add link sw0-p1-lbc name sw1p1 type vlan id 10], [0])
> +NS_CHECK_EXEC([sw0-p1-lbc], [ip link set sw1p1 address 40:54:00:00:00:03], [0])
> +NS_CHECK_EXEC([sw0-p1-lbc], [ip link set sw1p1 up], [0])
> +NS_CHECK_EXEC([sw0-p1-lbc], [ip addr add 20.0.0.3/24 dev sw1p1], [0])
> +NS_CHECK_EXEC([sw0-p1-lbc], [ip route delete default via 10.0.0.1 dev sw0-p1-lbc], [0])
> +NS_CHECK_EXEC([sw0-p1-lbc], [ip route add default via 20.0.0.1 dev sw1p1], [0])
> +
> +# Create the interface for lport sw1-port2
> +NS_CHECK_EXEC([sw0-p2-lbc], [ip link add link sw0-p2-lbc name sw1p2 type vlan id 20], [0])
> +NS_CHECK_EXEC([sw0-p2-lbc], [ip link set sw1p2 address 40:54:00:00:00:04], [0])
> +NS_CHECK_EXEC([sw0-p2-lbc], [ip link set sw1p2 up], [0])
> +NS_CHECK_EXEC([sw0-p2-lbc], [ip addr add 20.0.0.4/24 dev sw1p2], [0])
> +NS_CHECK_EXEC([sw0-p2-lbc], [ip route delete default via 10.0.0.1 dev sw0-p2-lbc], [0])
> +NS_CHECK_EXEC([sw0-p2-lbc], [ip route add default via 20.0.0.1 dev sw1p2], [0])
> +
> +# Start nc server on sw1p2 (sw0-p2-lbc is the parent)
> +NS_CHECK_EXEC([sw0-p2-lbc], [nc -l 20.0.0.4 80 -k &], [0])

This will leave nc running after the test has ended. I think we need
something like:

NS_CHECK_EXEC([sw0-p2-lbc], [timeout 2s nc -l 20.0.0.4 80 -k &], [0])

With this addressed, the rest looks good to me, thanks!

Acked-by: Dumitru Ceara <dceara at redhat.com>

Regards,
Dumitru

> +
> +# Send the packet to backend
> +NS_CHECK_EXEC([sw0-p1-lbc], [nc -z 20.0.0.4 80], [0])
> +
> +# Send the packet to VIP.
> +NS_CHECK_EXEC([sw0-p1-lbc], [nc -z 30.0.0.10 80], [0])
> +
> +# Now add an ACL in sw1.
> +ovn-nbctl --wait=hv acl-add sw1 to-lport 2002 "ip" allow-related
> +# Send the packet to backend
> +NS_CHECK_EXEC([sw0-p1-lbc], [nc -z 20.0.0.4 80], [0])
> +
> +# Send the packet to VIP.
> +NS_CHECK_EXEC([sw0-p1-lbc], [nc -z 30.0.0.10 80], [0])
> +
> +OVS_APP_EXIT_AND_WAIT([ovn-controller])
> +
> +as ovn-sb
> +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
> +
> +as ovn-nb
> +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
> +
> +as northd
> +OVS_APP_EXIT_AND_WAIT([ovn-northd])
> +
> +as
> +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d
> +/connection dropped.*/d"])
> +
> +AT_CLEANUP
>

More information about the dev mailing list