[ovs-git] [openvswitch/ovs] ff48c4: ovs-ctl: Don't overwrite external-id hostname.

Mark Gray noreply at github.com
Tue Jan 5 20:12:59 UTC 2021


  Branch: refs/heads/branch-2.13
  Home:   https://github.com/openvswitch/ovs
  Commit: ff48c43a590b28fb0a58e88dad6e725a82702ad9
      https://github.com/openvswitch/ovs/commit/ff48c43a590b28fb0a58e88dad6e725a82702ad9
  Author: Daniel Alvarez <dalvarez at redhat.com>
  Date:   2021-01-05 (Tue, 05 Jan 2021)

  Changed paths:
    M utilities/ovs-ctl.in

  Log Message:
  -----------
  ovs-ctl: Don't overwrite external-id hostname.

ovs-ctl started to add the hostname as external-id [0] at some point.

However, this can be problematic as if it's already set by an external
entity it will get overwritten. In RHEL systems, systemd will invoke
ovs-ctl to start OVS and that will overwrite it to the hostname of the
machine.

For OVN this can have a big impact because if, for whatever reason, the
hostname changes and the host gets restarted, ovn-controller won't
claim the ports back, leaving the workloads inaccessible.

Also, it makes sense to not overwrite it as 1) it's an external_id,
so it will actually let external entities configure it (unlike now),
and 2) it's optional. In the case that some systems were relying on
ovs-ctl to set the external-id for the first time (e.g. onboarding
of a new hypervisor), this patch is not changing such behavior.

For more details, see discussion at [1].

[0] https://mail.openvswitch.org/pipermail/ovs-dev/2016-March/312054.html
[1] https://mail.openvswitch.org/pipermail/ovs-dev/2020-May/370813.html

Signed-off-by: Daniel Alvarez <dalvarez at redhat.com>
Acked-by: Han Zhou <hzhou at ovn.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: d371c42bbbb522b7cfcc0df2bf23ad58478b4de9
      https://github.com/openvswitch/ovs/commit/d371c42bbbb522b7cfcc0df2bf23ad58478b4de9
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-01-05 (Tue, 05 Jan 2021)

  Changed paths:
    M ipsec/ovs-monitor-ipsec.in

  Log Message:
  -----------
  ovs-monitor-ipsec: Fix _nss_clear_database() parse error.

_nss_clear_database() runs `certutil` in order to get a list
of certificates currently loaded in NSS. This fails with error:

"ovs-monitor-ipsec | ERR | Failed to clear NSS database.
startswith first arg must be bytes or a tuple of bytes, not str"

Modify subprocess.Popen() to write in 'text' mode so that
'startswith' can correctly parse output.

Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
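The bytes-versus-str mismatch behind that error, as an added example that is not ovs-monitor-ipsec's own code. The `certutil -L` listing is constructed, `sys.executable` stands in for the certutil binary so the block runs offline, and the `ovs_certkey_` nickname prefix is an assumption used only to give the prefix test something to match:

```python
"""Added example: Popen without text mode hands back bytes, so the str
prefix test raises the TypeError quoted in the commit; text=True fixes it."""
import subprocess
import sys

# Constructed stand-in for `certutil -d sql:/etc/ipsec.d -L` output.
FAKE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ovs_certkey_gre0-1                                           u,u,u
ovs_certkey_vxlan0-in-1                                      u,u,u
unrelated-cert                                               CT,C,C
"""

OVS_PREFIX = "ovs_certkey_"  # assumed nickname prefix, for illustration only


def run_certutil(text_mode):
    """Spawn a child that prints the constructed listing, in bytes or text mode.

    sys.executable replaces the real certutil binary so this runs offline.
    """
    cmd = [sys.executable, "-c",
           "import sys; sys.stdout.write(sys.argv[1])", FAKE_CERTUTIL_OUTPUT]
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                            text=text_mode)
    out, _ = proc.communicate()
    return out


def ovs_cert_nicknames(output):
    """Collect nicknames carrying the OVS prefix, using a str prefix test."""
    names = []
    for line in output.splitlines():
        if line.startswith(OVS_PREFIX):   # TypeError when `line` is bytes
            names.append(line.split()[0])
    return names


def clear_database_buggy():
    """Bytes mode: stdout lines are bytes, the str prefix raises TypeError."""
    return ovs_cert_nicknames(run_certutil(text_mode=False))


def clear_database_fixed():
    """Text mode: stdout is decoded, so str.startswith() works as intended."""
    return ovs_cert_nicknames(run_certutil(text_mode=True))


def describe_failure():
    """Return the TypeError text from the buggy path, or None if it succeeds."""
    try:
        clear_database_buggy()
    except TypeError as e:
        return str(e)
    return None
```

Passing `text=True` (or `universal_newlines=True` on older Pythons) is the minimal fix; the alternative of testing `line.startswith(b"ovs_certkey_")` would keep the rest of the parser working on bytes, which is easy to get wrong later when a nickname is handed to another str-based call.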


  Commit: 03ee7466ca9aa614287fc2c7cc8e69b136d9637f
      https://github.com/openvswitch/ovs/commit/03ee7466ca9aa614287fc2c7cc8e69b136d9637f
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-01-05 (Tue, 05 Jan 2021)

  Changed paths:
    M lib/netdev-vport.c

  Log Message:
  -----------
  ovs-monitor-ipsec: Suppress "unknown %d argument" warning.

As 'ovs-vswitchd' does not understand IPsec tunnel options, it
gives a warning message. This can be safely suppressed.

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1906701
Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 6e1f4ade2547452c9b32952d5e132441fe00c96a
      https://github.com/openvswitch/ovs/commit/6e1f4ade2547452c9b32952d5e132441fe00c96a
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-01-05 (Tue, 05 Jan 2021)

  Changed paths:
    M Documentation/tutorials/ipsec.rst
    M ipsec/ovs-monitor-ipsec.in

  Log Message:
  -----------
  ovs-monitor-ipsec: Add support for tunnel 'local_ip'.

In the libreswan case, 'ovs-monitor-ipsec' sets
'left' to '%defaultroute' which will use the local address
of the default route interface as the source IP address. In
multihomed environments, this may not be correct if the user
wants to specify what the source IP address is. In OVS, this
can be set for tunnel ports using the 'local_ip' option. This
patch also uses that option to populate the 'ipsec.conf'
configuration. If the 'local_ip' option is not present, it
will default to the previous behaviour of using '%defaultroute'.

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1906280
Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
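How the libreswan `left` endpoint is chosen from the tunnel port's options, as an added example rather than ovs-monitor-ipsec's own code. `local_ip` and `remote_ip` are the real OVS tunnel option names; the conn layout, the helper names and the same-address-family check are illustrative assumptions:

```python
"""Added example: pick libreswan left/right for one OVS tunnel port,
falling back to %defaultroute only when local_ip is not set."""
import ipaddress


def libreswan_left_right(options):
    """Return (left, right) for a tunnel port's options dict.

    'remote_ip' and 'local_ip' are the OVS option names; the validation
    below is an added sanity check, not behaviour documented by the page.
    """
    remote = ipaddress.ip_address(options["remote_ip"])
    local_ip = options.get("local_ip")
    if local_ip is None:
        # Previous behaviour, kept as the fallback: libreswan uses the
        # address of the default-route interface as the source.
        return "%defaultroute", str(remote)
    # Multihomed host with an explicit source: require a plain IP literal
    # in the same family as the peer (assumed check for this example).
    local = ipaddress.ip_address(local_ip)
    if local.version != remote.version:
        raise ValueError(f"local_ip {local} and remote_ip {remote} differ in family")
    return str(local), str(remote)


def render_conn(name, options):
    """Minimal illustrative 'conn' section; real ones carry many more keys."""
    left, right = libreswan_left_right(options)
    return "\n".join([f"conn {name}", f"    left={left}", f"    right={right}"])


if __name__ == "__main__":
    # Constructed port options: one relying on the default route, one pinned.
    print(render_conn("gre0-1", {"remote_ip": "192.0.2.2"}))
    print(render_conn("gre1-1", {"remote_ip": "192.0.2.3", "local_ip": "198.51.100.5"}))
```

Note the caveat the strict check adds: OVS also accepts `local_ip=flow` on tunnel ports, and `ipaddress.ip_address("flow")` raises `ValueError`, which is the right outcome here because a per-flow source cannot be expressed as a single libreswan `left`.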


  Commit: d59ec5359d2685911b84ae91b77f6736d714c6a4
      https://github.com/openvswitch/ovs/commit/d59ec5359d2685911b84ae91b77f6736d714c6a4
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-01-05 (Tue, 05 Jan 2021)

  Changed paths:
    M ipsec/ovs-monitor-ipsec.in

  Log Message:
  -----------
  ovs-monitor-ipsec: set correct 'leftcert' and 'rightcert' name

In Libreswan case, 'ovs-monitor-ipsec' incorrectly configures
'leftcert' and 'rightcert' names for self-signed certificates.
This patch resolves that.

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1906280
Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 60c6013b7b95a61fde75932cddf9bd0fa789cd7b
      https://github.com/openvswitch/ovs/commit/60c6013b7b95a61fde75932cddf9bd0fa789cd7b
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-01-05 (Tue, 05 Jan 2021)

  Changed paths:
    M ipsec/ovs-monitor-ipsec.in

  Log Message:
  -----------
  ovs-monitor-ipsec: Fix active connection regex.

Connections are added to IPsec using a connection name
that is determined from the OVS port name and the tunnel
type.

GRE connections take the form:
  <iface>-<ver>
Other connections take the form:
  <iface>-in-<ver>
  <iface>-out-<ver>

The regex '|' operator parses strings left to right looking
for the first match that it can find. '.*' is also greedy. This
causes incorrect interface names to be parsed from active
connections as other tunnel types are parsed as type
GRE. This gives unexpected "is outdated" warnings and the
connection is torn down.

For example,

'ovn-424242-in-1' will produce an incorrect interface name of
'ovn-424242-in' instead of 'ovn-424242'.

There are a number of ways this could be resolved including
a cleverer regular expression, or re.findall(). However, this
approach was taken as it simplifies the code easing maintainability.

Fixes: 22c5eafb6efa ("ipsec: reintroduce IPsec support for tunneling")
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1908789
Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
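The misparse described above, reproduced as an added example (not the project's own code). `BROKEN_RE` is an illustrative reconstruction of an alternation that tries the GRE form first, not the exact expression that was in ovs-monitor-ipsec; the version map used for the "is outdated" decision is constructed:

```python
"""Added example: why a left-to-right '|' alternation with greedy '.*'
turns 'ovn-424242-in-1' into interface 'ovn-424242-in', and a parser
that peels the suffixes instead."""
import re

# Illustrative reconstruction, NOT the project's regex: the GRE form
# '<iface>-<ver>' is tried first and its greedy '.*' swallows '-in'/'-out'.
BROKEN_RE = re.compile(r"^(.*)-(\d+)$|^(.*)-(in|out)-(\d+)$")


def parse_conn_name_broken(conn_name):
    """Return (iface, direction, version) the way the alternation sees it."""
    m = BROKEN_RE.match(conn_name)
    if not m:
        return None
    if m.group(1) is not None:            # GRE alternative matched (it always does)
        return m.group(1), None, int(m.group(2))
    return m.group(3), m.group(4), int(m.group(5))


def parse_conn_name(conn_name):
    """Return (iface, direction, version) without regex alternation.

    Peel the trailing '-<ver>' first, then an optional '-in'/'-out';
    direction is None for the GRE form.  Caveat: an interface whose own
    name ends in '-in' or '-out' and uses the GRE form stays ambiguous.
    """
    head, sep, ver = conn_name.rpartition("-")
    if not sep or not ver.isdigit():
        return None
    direction = None
    for d in ("in", "out"):
        if head.endswith("-" + d):
            head, direction = head[: -len(d) - 1], d
            break
    return head, direction, int(ver)


def is_outdated(conn_name, current_versions, parse=parse_conn_name):
    """Mimic the 'is outdated' check: an active connection is stale when its
    version differs from the one recorded for its interface.

    current_versions: constructed dict iface -> version for the example.
    """
    parsed = parse(conn_name)
    if parsed is None:
        return True
    iface, _, ver = parsed
    return current_versions.get(iface) != ver


if __name__ == "__main__":
    versions = {"ovn-424242": 1}          # constructed: interface at version 1
    for name in ("ovn-424242-1", "ovn-424242-in-1", "ovn-424242-out-1"):
        print(name, parse_conn_name_broken(name), parse_conn_name(name),
              "outdated(broken)=%s" % is_outdated(name, versions, parse_conn_name_broken),
              "outdated(fixed)=%s" % is_outdated(name, versions))
```

With the broken parser the `-in`/`-out` connections key on an interface that does not exist in the version map, so every non-GRE tunnel reports as outdated and gets torn down; with the suffix-peeling parser they key on `ovn-424242` and compare the version correctly.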


  Commit: 7286dc4412ea09d0888606bb76db73c9acd93241
      https://github.com/openvswitch/ovs/commit/7286dc4412ea09d0888606bb76db73c9acd93241
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-01-05 (Tue, 05 Jan 2021)

  Changed paths:
    M utilities/ovs-ctl.in

  Log Message:
  -----------
  ovs-ctl: Use 'stop_daemon' to stop ovs-monitor-ipsec.

Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/73122223065e...7286dc4412ea

