[ovs-git] [openvswitch/ovs] a3c318: ovs-ctl: Don't overwrite external-id hostname.

Mark Gray noreply at github.com
Tue Jan 5 20:12:38 UTC 2021


  Branch: refs/heads/branch-2.14
  Home:   https://github.com/openvswitch/ovs
  Commit: a3c318a2c2a7a46b70166e2f6c6a47e33ff31766
      https://github.com/openvswitch/ovs/commit/a3c318a2c2a7a46b70166e2f6c6a47e33ff31766
  Author: Daniel Alvarez <dalvarez at redhat.com>
  Date:   2021-01-05 (Tue, 05 Jan 2021)

  Changed paths:
    M utilities/ovs-ctl.in

  Log Message:
  -----------
  ovs-ctl: Don't overwrite external-id hostname.

ovs-ctl started to add the hostname as external-id [0] at some point.

However, this can be problematic as if it's already set by an external
entity it will get overwritten. In RHEL systems, systemd will invoke
ovs-ctl to start OVS and that will overwrite it to the hostname of the
machine.

For OVN this can have a big impact because if, for whatever reason, the
hostname changes and the host gets restarted, ovn-controller won't
claim the ports back leaving the workloads inaccessible.

Also, it makes sense to not overwrite it as 1) it's an external_id,
so it will actually let external entities configure it (unlike now),
and 2) it's optional. In the case that some systems were relying on
ovs-ctl to set the external-id for the first time (e.g. onboarding
of a new hypervisor), this patch is not changing such behavior.

For more details, see discussion at [1].

[0] https://mail.openvswitch.org/pipermail/ovs-dev/2016-March/312054.html
[1] https://mail.openvswitch.org/pipermail/ovs-dev/2020-May/370813.html

Signed-off-by: Daniel Alvarez <dalvarez at redhat.com>
Acked-by: Han Zhou <hzhou at ovn.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 9505f78e065ed3e535a80ba2d7ec68da0a47d0d4
      https://github.com/openvswitch/ovs/commit/9505f78e065ed3e535a80ba2d7ec68da0a47d0d4
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-01-05 (Tue, 05 Jan 2021)

  Changed paths:
    M ipsec/ovs-monitor-ipsec.in

  Log Message:
  -----------
  ovs-monitor-ipsec: Fix _nss_clear_database() parse error.

_nss_clear_database() runs `certutil` in order to get a list
of certificates currently loaded in NSS. This fails with error:

"ovs-monitor-ipsec | ERR | Failed to clear NSS database.
startswith first arg must be bytes or a tuple of bytes, not str"

Modify subprocess.Popen() to write in 'text' mode so that
'startswith' can correctly parse output.

Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 8397d46ee900879425aa21834d244550238163f9
      https://github.com/openvswitch/ovs/commit/8397d46ee900879425aa21834d244550238163f9
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-01-05 (Tue, 05 Jan 2021)

  Changed paths:
    M lib/netdev-vport.c

  Log Message:
  -----------
  ovs-monitor-ipsec: Suppress "unknown %d argument" warning.

As 'ovs-vswitchd' does not understand IPsec tunnel options, it
gives a warning message. This can be safely suppressed.

Reported at: https://bugzilla.redhat.com/show_bug.cgi?id=1906701
Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 0c976363079071df59916b4a9c186ab377d5b1c7
      https://github.com/openvswitch/ovs/commit/0c976363079071df59916b4a9c186ab377d5b1c7
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-01-05 (Tue, 05 Jan 2021)

  Changed paths:
    M Documentation/tutorials/ipsec.rst
    M ipsec/ovs-monitor-ipsec.in

  Log Message:
  -----------
  ovs-monitor-ipsec: Add support for tunnel 'local_ip'.

In the libreswan case, 'ovs-monitor-ipsec' sets
'left' to '%defaultroute' which will use the local address
of the default route interface as the source IP address. In
multihomed environments, this may not be correct if the user
wants to specify what the source IP address is. In OVS, this
can be set for tunnel ports using the 'local_ip' option. This
patch also uses that option to populate the 'ipsec.conf'
configuration. If the 'local_ip' option is not present, it
will default to the previous behaviour of using '%defaultroute'.

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1906280
Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: dbf2f420ce70c18a3a1d3e9b6c17259e22a7f1d7
      https://github.com/openvswitch/ovs/commit/dbf2f420ce70c18a3a1d3e9b6c17259e22a7f1d7
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-01-05 (Tue, 05 Jan 2021)

  Changed paths:
    M ipsec/ovs-monitor-ipsec.in

  Log Message:
  -----------
  ovs-monitor-ipsec: set correct 'leftcert' and 'rightcert' name

In the Libreswan case, 'ovs-monitor-ipsec' incorrectly configures
'leftcert' and 'rightcert' names for self-signed certificates.
This patch resolves that.

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1906280
Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 39317419eb04a030dec7edd791ae8cdab47067ba
      https://github.com/openvswitch/ovs/commit/39317419eb04a030dec7edd791ae8cdab47067ba
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-01-05 (Tue, 05 Jan 2021)

  Changed paths:
    M ipsec/ovs-monitor-ipsec.in

  Log Message:
  -----------
  ovs-monitor-ipsec: Fix active connection regex.

Connections are added to IPsec using a connection name
that is determined from the OVS port name and the tunnel
type.

GRE connections take the form:
  <iface>-<ver>
Other connections take the form:
  <iface>-in-<ver>
  <iface>-out-<ver>

The regex '|' operator parses strings left to right looking
for the first match that it can find. '.*' is also greedy. This
causes incorrect interface names to be parsed from active
connections as other tunnel types are parsed as type
GRE. This gives unexpected "is outdated" warnings and the
connection is torn down.

For example,

'ovn-424242-in-1' will produce an incorrect interface name of
'ovn-424242-in' instead of 'ovn-424242'.

There are a number of ways this could be resolved including
a cleverer regular expression, or re.findall(). However, this
approach was taken as it simplifies the code, easing maintainability.

Fixes: 22c5eafb6efa ("ipsec: reintroduce IPsec support for tunneling")
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1908789
Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
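A constructed Python illustration, added here and not code from ovs-monitor-ipsec, of the failure the commit message describes: an alternation that lists the GRE form first and relies on a greedy '.*' mis-parses 'ovn-424242-in-1', and the resulting name mismatch is what drives an "is outdated" teardown. The exact regex, the suffix-based parser standing in for the fix, and the `outdated()` check are assumptions for demonstration.

```python
import re

# Assumed shape of the flawed pattern: GRE form '<iface>-<ver>' is the first
# alternative, and its greedy '.*' swallows the '-in'/'-out' suffix.
BUGGY_CONN_RE = re.compile(r"^(.*)-(\d+)$|^(.*)-in-(\d+)$|^(.*)-out-(\d+)$")


def parse_buggy(conn_name):
    """Return (iface, direction, version) the way the alternation resolves it."""
    m = BUGGY_CONN_RE.match(conn_name)
    if not m:
        return None
    gre_iface, gre_ver, in_iface, in_ver, out_iface, out_ver = m.groups()
    if gre_iface is not None:          # first alternative always wins here
        return gre_iface, None, int(gre_ver)
    if in_iface is not None:
        return in_iface, "in", int(in_ver)
    return out_iface, "out", int(out_ver)


def parse_simple(conn_name):
    """Suffix-based parse (stand-in for the fix): peel '-<ver>', then '-in'/'-out'."""
    base, sep, ver = conn_name.rpartition("-")
    if not sep or not ver.isdigit():
        return None
    direction = None
    for suffix in ("-in", "-out"):
        if base.endswith(suffix):
            base, direction = base[: -len(suffix)], suffix[1:]
            break
    return base, direction, int(ver)


def outdated(active_conns, configured_ifaces, parser):
    """Active connections whose parsed interface is not a configured tunnel.

    In the monitor such connections are reported as outdated and torn down,
    so a mis-parsed name tears down a perfectly valid tunnel.
    """
    return [name for name in active_conns
            if (p := parser(name)) is None or p[0] not in configured_ifaces]


if __name__ == "__main__":
    # Constructed sample: one non-GRE tunnel 'ovn-424242' and one GRE tunnel 'gre0'.
    active = ["ovn-424242-in-1", "ovn-424242-out-1", "gre0-1"]
    configured = {"ovn-424242", "gre0"}
    print("buggy parse:", parse_buggy("ovn-424242-in-1"))
    print("buggy outdated:", outdated(active, configured, parse_buggy))
    print("fixed outdated:", outdated(active, configured, parse_simple))
```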


  Commit: a433b31f706f8d79b66f00668af507ac70fe206e
      https://github.com/openvswitch/ovs/commit/a433b31f706f8d79b66f00668af507ac70fe206e
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-01-05 (Tue, 05 Jan 2021)

  Changed paths:
    M utilities/ovs-ctl.in

  Log Message:
  -----------
  ovs-ctl: Use 'stop_daemon' to stop ovs-monitor-ipsec.

Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/f3bfb36e5fee...a433b31f706f

