{ "id": 2003669, "url": "http://patchwork.ozlabs.org/api/patches/2003669/?format=api", "web_url": "http://patchwork.ozlabs.org/project/openvswitch/patch/20241029101608.2991596-9-i.maximets@ovn.org/", "project": { "id": 47, "url": "http://patchwork.ozlabs.org/api/projects/47/?format=api", "name": "Open vSwitch", "link_name": "openvswitch", "list_id": "ovs-dev.openvswitch.org", "list_email": "ovs-dev@openvswitch.org", "web_url": "http://openvswitch.org/", "scm_url": "git@github.com:openvswitch/ovs.git", "webscm_url": "https://github.com/openvswitch/ovs", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20241029101608.2991596-9-i.maximets@ovn.org>", "list_archive_url": null, "date": "2024-10-29T10:15:06", "name": "[ovs-dev,8/9] tests: ipsec: Add NxN + reconciliation test.", "commit_ref": null, "pull_url": null, "state": "changes-requested", "archived": false, "hash": "ce253216005ea37e280c2c7d60c8e72f5b59e290", "submitter": { "id": 76798, "url": "http://patchwork.ozlabs.org/api/people/76798/?format=api", "name": "Ilya Maximets", "email": "i.maximets@ovn.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/openvswitch/patch/20241029101608.2991596-9-i.maximets@ovn.org/mbox/", "series": [ { "id": 430270, "url": "http://patchwork.ozlabs.org/api/series/430270/?format=api", "web_url": "http://patchwork.ozlabs.org/project/openvswitch/list/?series=430270", "date": "2024-10-29T10:14:58", "name": "ipsec: Resiliency to Libreswan failures.", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/430270/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2003669/comments/", "check": "success", "checks": "http://patchwork.ozlabs.org/api/patches/2003669/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<ovs-dev-bounces@openvswitch.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "ovs-dev@openvswitch.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", 
"ovs-dev@lists.linuxfoundation.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=140.211.166.136; helo=smtp3.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)", "smtp4.osuosl.org;\n dmarc=none (p=none dis=none) header.from=ovn.org" ], "Received": [ "from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4Xd5lj4PVcz1xwn\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 29 Oct 2024 21:17:05 +1100 (AEDT)", "from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id ACDD260AE3;\n\tTue, 29 Oct 2024 10:17:03 +0000 (UTC)", "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id Xsz6iKRpITFF; Tue, 29 Oct 2024 10:16:56 +0000 (UTC)", "from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])\n\tby smtp3.osuosl.org (Postfix) with ESMTPS id 891F060EF5;\n\tTue, 29 Oct 2024 10:16:52 +0000 (UTC)", "from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id CD74AC08A3;\n\tTue, 29 Oct 2024 10:16:51 +0000 (UTC)", "from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n by lists.linuxfoundation.org (Postfix) with ESMTP id 3F573C08A3\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 10:16:50 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id 588ED40917\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 10:16:35 +0000 (UTC)", "from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id TPfxA-VwhlL7 for <ovs-dev@openvswitch.org>;\n Tue, 29 Oct 2024 10:16:34 +0000 (UTC)", "from 
mail-wm1-f65.google.com (mail-wm1-f65.google.com\n [209.85.128.65])\n by smtp4.osuosl.org (Postfix) with ESMTPS id AA68D408E5\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 10:16:33 +0000 (UTC)", "by mail-wm1-f65.google.com with SMTP id\n 5b1f17b1804b1-43161c0068bso50376415e9.1\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 03:16:33 -0700 (PDT)", "from im-t490s.redhat.com (ip-86-49-44-151.bb.vodafone.cz.\n [86.49.44.151]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-431b4594ec3sm20279685e9.1.2024.10.29.03.16.30\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 29 Oct 2024 03:16:31 -0700 (PDT)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections - client-ip=140.211.9.56;\n helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp3.osuosl.org 891F060EF5", "OpenDKIM Filter v2.11.0 smtp4.osuosl.org AA68D408E5" ], "Received-SPF": "Pass (mailfrom) identity=mailfrom; client-ip=209.85.128.65;\n helo=mail-wm1-f65.google.com; envelope-from=i.maximets.ovn@gmail.com;\n receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp4.osuosl.org AA68D408E5", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20230601; t=1730196992; x=1730801792;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc\n :subject:date:message-id:reply-to;\n bh=zT8x1zKrfJ7/DWeOGoNIOmHE465d87ilfpOc473sMzw=;\n b=scWW7a7RaMVxMtlMKj0wD52kgnLD8EYgoSv2yA/LP/hD6xqrp74hE5pWvKm/+45AnD\n dj3/WDpykjx5BcWmvRCv+YLAmr4MazuLmz6978z+F+DgBEXgETvUAZQ+gaAwRxz4OQRE\n jIaYG8KChoVilTkkOkY4ZhmRveYkFV9tuI8hlIutJVmbFwB13hyHlG3o2f9iaA86y1Zd\n LMQvfjkMfrk+N8HDxn6MHJ/X0bdksQP7YvFg8oY+JeN0KkFqwdkU8eEyLNGfKdwp+Mgk\n c3+e5bEn/2jSs4O6fNgPH8UedZQVRRqcV7PKr1lLowY6zp6er7GiTM1n+R8JFyGM1Ndj\n fXTg==", "X-Gm-Message-State": 
"AOJu0YzYIovg1bEjXDOEh1MRiGUlfaNakWa/WqC6/sCq8xsnvChwc8ao\n a8m/90ADsi3IkKDlcWQGVVS+mgGDENLU94tsNvpnkQfNQakky+wMLPgBNkEC", "X-Google-Smtp-Source": "\n AGHT+IEI5SMAMSq4R8WFsO4DRE0aafHeM6SRep5H3KHGS23kG6LFx/Jw+whxCRb8/cdKKxRX6fOhNQ==", "X-Received": "by 2002:a05:600c:5248:b0:42c:bf94:f9a6 with SMTP id\n 5b1f17b1804b1-4319ad1593bmr109638005e9.26.1730196991453;\n Tue, 29 Oct 2024 03:16:31 -0700 (PDT)", "From": "Ilya Maximets <i.maximets@ovn.org>", "To": "ovs-dev@openvswitch.org", "Date": "Tue, 29 Oct 2024 11:15:06 +0100", "Message-ID": "<20241029101608.2991596-9-i.maximets@ovn.org>", "X-Mailer": "git-send-email 2.46.0", "In-Reply-To": "<20241029101608.2991596-1-i.maximets@ovn.org>", "References": "<20241029101608.2991596-1-i.maximets@ovn.org>", "MIME-Version": "1.0", "Subject": "[ovs-dev] [PATCH 8/9] tests: ipsec: Add NxN + reconciliation test.", "X-BeenThere": "ovs-dev@openvswitch.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "<ovs-dev.openvswitch.org>", "List-Unsubscribe": "<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>", "List-Archive": "<http://mail.openvswitch.org/pipermail/ovs-dev/>", "List-Post": "<mailto:ovs-dev@openvswitch.org>", "List-Help": "<mailto:ovs-dev-request@openvswitch.org?subject=help>", "List-Subscribe": "<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>", "Cc": "Ilya Maximets <i.maximets@ovn.org>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "ovs-dev-bounces@openvswitch.org", "Sender": "\"dev\" <ovs-dev-bounces@openvswitch.org>" }, "content": "Add a test to check establishment of IPsec connections among multiple\nnodes and check the reconciliation logic along the way.\n\nThe test:\n - Creates 20 network namespaces.\n - Starts Libreswan, OVS and ovs-monitor-ipsec in each of them.\n - Adds a geneve tunnel from each namespace to 
every other namespace.\n - Checks that each namespace has all the IPsec connections loaded.\n - Removes a few connections manually.\n - Checks that these connections are added back.\n\nUnfortunately, many widely used versions of Libreswan have issues\nof pluto crashing frequently. For that reason the test is trying\nto bring pluto back online once it finds a dead one.\n\nAlso, since retransmit-timeout is 60 seconds and our command timeout\nis 120, we can't actually use the OVS_WAIT_UNTIL macro most of the\ntime, so the checks are done in the custom loop that waits up to\n300 seconds.\n\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>\n---\n tests/system-ipsec.at | 138 ++++++++++++++++++++++++++++++++++++++----\n 1 file changed, 125 insertions(+), 13 deletions(-)", "diff": "diff --git a/tests/system-ipsec.at b/tests/system-ipsec.at\nindex 1e155fece..5bb048cff 100644\n--- a/tests/system-ipsec.at\n+++ b/tests/system-ipsec.at\n@@ -8,6 +8,18 @@ m4_define([IPSEC_SETUP_UNDERLAY],\n dnl Set up the underlay switch\n AT_CHECK([ovs-ofctl add-flow br0 \"actions=normal\"])])\n \n+m4_define([START_PLUTO], [\n+ rm -f $ovs_base/$1/pluto.pid\n+ mkdir -p $ovs_base/$1/ipsec.d\n+ touch $ovs_base/$1/ipsec.conf\n+ touch $ovs_base/$1/secrets\n+ ipsec initnss --nssdir $ovs_base/$1/ipsec.d\n+ NS_CHECK_EXEC([$1], [ipsec pluto --config $ovs_base/$1/ipsec.conf \\\n+ --ipsecdir $ovs_base/$1 --nssdir $ovs_base/$1/ipsec.d \\\n+ --logfile $ovs_base/$1/pluto.log --secretsfile $ovs_base/$1/secrets \\\n+ --rundir $ovs_base/$1], [0], [], [stderr])\n+])\n+\n dnl IPSEC_ADD_NODE([namespace], [device], [address], [peer address]))\n dnl\n dnl Creates a dummy host that acts as an IPsec endpoint. 
Creates host in\n@@ -45,15 +57,8 @@ m4_define([IPSEC_ADD_NODE],\n on_exit \"kill_ovs_vswitchd `cat $ovs_base/$1/vswitchd.pid`\"\n \n dnl Start pluto\n- mkdir -p $ovs_base/$1/ipsec.d\n- touch $ovs_base/$1/ipsec.conf\n- touch $ovs_base/$1/secrets\n- ipsec initnss --nssdir $ovs_base/$1/ipsec.d\n- NS_CHECK_EXEC([$1], [ipsec pluto --config $ovs_base/$1/ipsec.conf \\\n- --ipsecdir $ovs_base/$1 --nssdir $ovs_base/$1/ipsec.d \\\n- --logfile $ovs_base/$1/pluto.log --secretsfile $ovs_base/$1/secrets \\\n- --rundir $ovs_base/$1], [0], [], [stderr])\n- on_exit \"kill `cat $ovs_base/$1/pluto.pid`\"\n+ START_PLUTO([$1])\n+ on_exit 'kill $(cat $ovs_base/$1/pluto.pid)'\n \n dnl Start ovs-monitor-ipsec\n NS_CHECK_EXEC([$1], [ovs-monitor-ipsec unix:${OVS_RUNDIR}/$1/db.sock\\\n@@ -110,16 +115,18 @@ m4_define([CHECK_LIBRESWAN],\n dnl IPSEC_STATUS_LOADED([])\n dnl\n dnl Get number of loaded connections from ipsec status\n-m4_define([IPSEC_STATUS_LOADED], [ipsec --rundir $ovs_base/$1 status | \\\n+m4_define([IPSEC_STATUS_LOADED], [\n+ ipsec --rundir $ovs_base/$1 status | \\\n grep \"Total IPsec connections\" | \\\n- sed 's/[[0-9]]* *Total IPsec connections: loaded \\([[0-2]]\\), active \\([[0-2]]\\).*/\\1/m'])\n+ sed 's/[[0-9]]* *Total IPsec connections: loaded \\([[0-9]]*\\), active \\([[0-9]]*\\).*/\\1/m'])\n \n dnl IPSEC_STATUS_ACTIVE([])\n dnl\n dnl Get number of active connections from ipsec status\n-m4_define([IPSEC_STATUS_ACTIVE], [ipsec --rundir $ovs_base/$1 status | \\\n+m4_define([IPSEC_STATUS_ACTIVE], [\n+ ipsec --rundir $ovs_base/$1 status | \\\n grep \"Total IPsec connections\" | \\\n- sed 's/[[0-9]]* *Total IPsec connections: loaded \\([[0-2]]\\), active \\([[0-2]]\\).*/\\2/m'])\n+ sed 's/[[0-9]]* *Total IPsec connections: loaded \\([[0-9]]*\\), active \\([[0-9]]*\\).*/\\2/m'])\n \n dnl CHECK_ESP_TRAFFIC()\n dnl\n@@ -401,3 +408,108 @@ CHECK_ESP_TRAFFIC\n \n OVS_TRAFFIC_VSWITCHD_STOP()\n AT_CLEANUP\n+\n+AT_SETUP([IPsec -- Libreswan NxN geneve tunnels + 
reconciliation])\n+AT_KEYWORDS([ipsec libreswan scale reconciliation])\n+dnl Note: Geneve test may not work on older kernels due to CVE-2020-25645\n+dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988\n+\n+CHECK_LIBRESWAN()\n+OVS_TRAFFIC_VSWITCHD_START()\n+IPSEC_SETUP_UNDERLAY()\n+\n+m4_define([NODES], [20])\n+\n+dnl Set up fake hosts.\n+m4_for([id], [1], NODES, [1], [\n+ IPSEC_ADD_NODE([node-id], [p-id], 10.1.1.id, 10.1.1.254)\n+ AT_CHECK([ovs-pki -b -d ${ovs_base} -l ${ovs_base}/ovs-pki.log \\\n+ req -u node-id], [0], [stdout])\n+ AT_CHECK([ovs-pki -b -d ${ovs_base} -l ${ovs_base}/ovs-pki.log \\\n+ self-sign node-id], [0], [stdout])\n+ AT_CHECK(OVS_VSCTL([node-id], set Open_vSwitch . \\\n+ other_config:certificate=${ovs_base}/node-id-cert.pem \\\n+ other_config:private_key=${ovs_base}/node-id-privkey.pem),\n+ [0], [ignore], [ignore])\n+ on_exit \"ipsec --rundir $ovs_base/node-id status > $ovs_base/node-id/status\"\n+])\n+\n+dnl Create a full mesh of tunnels.\n+m4_for([LEFT], [1], NODES, [1], [\n+ m4_for([RIGHT], [1], NODES, [1], [\n+ if test LEFT -ne RIGHT; then\n+ AT_CHECK(OVS_VSCTL(node-LEFT, add-port br-ipsec tun-RIGHT \\\n+ -- set Interface tun-RIGHT type=geneve options:remote_ip=10.1.1.RIGHT \\\n+ options:remote_cert=${ovs_base}/node-RIGHT-cert.pem),\n+ [0], [ignore], [ignore])\n+ fi\n+])])\n+\n+m4_define([WAIT_FOR_LOADED_CONNS], [\n+ m4_for([id], [1], NODES, [1], [\n+ echo \"================== node-id =========================\"\n+ iterations=0\n+ loaded=0\n+ dnl Using a custom loop instead of OVS_WAIT_UNTIL, because it may take\n+ dnl much longer than a default timeout. The default retransmit timeout\n+ dnl for pluto is 60 seconds. 
Also, we need to make sure pluto didn't\n+ dnl crash in the process and revive it if it did, unfortunately.\n+ while true; do\n+ date\n+ AT_CHECK([ipsec --rundir $ovs_base/node-id status 2>&1 \\\n+ | grep -E \"whack|Total\"], [ignore], [stdout])\n+ if grep -E 'is Pluto running?|refused' stdout; then\n+ echo \"node-id: Pluto died, restarting...\"\n+ START_PLUTO([node-id])\n+ else\n+ loaded=$(IPSEC_STATUS_LOADED(node-id))\n+ fi\n+ if test \"$loaded\" -ne $(( (NODES - 1) * 2 )); then\n+ sleep 3\n+ else\n+ break\n+ fi\n+ let iterations=$iterations+1\n+ AT_CHECK([test $iterations -lt 100])\n+ done\n+ ])\n+])\n+\n+dnl Wait for all the connections to be loaded to pluto. Not waiting for\n+dnl them to become active, because if pluto is down on one of the nodes,\n+dnl some connections may not become active until we revive it. Some\n+dnl connections may also never become active due to bugs in libreswan 4.x.\n+WAIT_FOR_LOADED_CONNS()\n+\n+AT_CHECK([ipsec auto --help], [ignore], [ignore], [stderr])\n+auto=auto\n+if test -s stderr; then\n+ auto=\n+fi\n+\n+dnl Remove connections for two tunnels. 
One fully and one partially.\n+AT_CHECK([ipsec $auto --ctlsocket $ovs_base/node-1/pluto.ctl \\\n+ --config $ovs_base/node-1/ipsec.conf \\\n+ --delete tun-5-out-1], [0], [stdout])\n+AT_CHECK([ipsec $auto --ctlsocket $ovs_base/node-1/pluto.ctl \\\n+ --config $ovs_base/node-1/ipsec.conf \\\n+ --delete tun-2-in-1], [0], [stdout])\n+AT_CHECK([ipsec $auto --ctlsocket $ovs_base/node-1/pluto.ctl \\\n+ --config $ovs_base/node-1/ipsec.conf \\\n+ --delete tun-2-out-1], [0], [stdout])\n+\n+dnl Wait for the monitor to notice the missing connections.\n+OVS_WAIT_UNTIL([grep -q 'tun-2.*need to reconcile' \\\n+ $ovs_base/node-1/ovs-monitor-ipsec.log])\n+\n+dnl Wait for all the connections to be loaded back.\n+WAIT_FOR_LOADED_CONNS()\n+\n+dnl These are not necessary, but nice to have in the test log in\n+dnl order to spot pluto failures during the test.\n+grep -E 'timed out|outdated|half-loaded|defunct' \\\n+ $ovs_base/node-*/ovs-monitor-ipsec.log\n+grep -E 'ABORT' $ovs_base/node-*/pluto.log\n+\n+OVS_TRAFFIC_VSWITCHD_STOP()\n+AT_CLEANUP\n", "prefixes": [ "ovs-dev", "8/9" ] }
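Review bot: In the new WAIT_FOR_LOADED_CONNS macro (hunk @@ -401,3 +408,108 @@), `loaded=$(IPSEC_STATUS_LOADED(node-id))` yields an empty string whenever the status output lacks a "Total IPsec connections" line, and the following `test "$loaded" -ne $(( (NODES - 1) * 2 ))` then exits with status 2 (non-integer operand), which the `if` treats as false, so the loop reaches `break` as though every connection were already loaded. Whether `ipsec status` can produce such output while pluto is alive (e.g. a timeout that prints neither "whack" nor "Total") is inferred rather than visible here, but the guard is cheap: `if test "${loaded:-0}" -ne $(( (NODES - 1) * 2 )); then` keeps the wait going until a real count is read. Separately, `let iterations=$iterations+1` is a bash-ism rather than POSIX sh; `iterations=$((iterations + 1))` matches the `$(( ))` arithmetic already used on the neighbouring line.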