Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2003670/?format=api
{ "id": 2003670, "url": "http://patchwork.ozlabs.org/api/patches/2003670/?format=api", "web_url": "http://patchwork.ozlabs.org/project/openvswitch/patch/20241029101608.2991596-10-i.maximets@ovn.org/", "project": { "id": 47, "url": "http://patchwork.ozlabs.org/api/projects/47/?format=api", "name": "Open vSwitch", "link_name": "openvswitch", "list_id": "ovs-dev.openvswitch.org", "list_email": "ovs-dev@openvswitch.org", "web_url": "http://openvswitch.org/", "scm_url": "git@github.com:openvswitch/ovs.git", "webscm_url": "https://github.com/openvswitch/ovs", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20241029101608.2991596-10-i.maximets@ovn.org>", "list_archive_url": null, "date": "2024-10-29T10:15:07", "name": "[ovs-dev,9/9] tests: ipsec: Check that nodes can ping each other in the NxN test.", "commit_ref": null, "pull_url": null, "state": "changes-requested", "archived": false, "hash": "1caf91cfb32f43d2176acd01f2719ba1513089dd", "submitter": { "id": 76798, "url": "http://patchwork.ozlabs.org/api/people/76798/?format=api", "name": "Ilya Maximets", "email": "i.maximets@ovn.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/openvswitch/patch/20241029101608.2991596-10-i.maximets@ovn.org/mbox/", "series": [ { "id": 430270, "url": "http://patchwork.ozlabs.org/api/series/430270/?format=api", "web_url": "http://patchwork.ozlabs.org/project/openvswitch/list/?series=430270", "date": "2024-10-29T10:14:58", "name": "ipsec: Resiliency to Libreswan failures.", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/430270/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2003670/comments/", "check": "success", "checks": "http://patchwork.ozlabs.org/api/patches/2003670/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<ovs-dev-bounces@openvswitch.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "ovs-dev@openvswitch.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", "ovs-dev@lists.linuxfoundation.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)", "smtp3.osuosl.org;\n dmarc=none (p=none dis=none) header.from=ovn.org" ], "Received": [ "from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4Xd5lz2F05z1xwn\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 29 Oct 2024 21:17:19 +1100 (AEDT)", "from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 514DA813CE;\n\tTue, 29 Oct 2024 10:17:17 +0000 (UTC)", "from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id oKVfYDGnDG-F; Tue, 29 Oct 2024 10:17:15 +0000 (UTC)", "from lists.linuxfoundation.org (lf-lists.osuosl.org\n [IPv6:2605:bc80:3010:104::8cd3:938])\n\tby smtp1.osuosl.org (Postfix) with ESMTPS id C768381397;\n\tTue, 29 Oct 2024 10:17:15 +0000 (UTC)", "from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id 8E8C4C08A9;\n\tTue, 29 Oct 2024 10:17:15 +0000 (UTC)", "from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n by lists.linuxfoundation.org (Postfix) with ESMTP id 2E916C08A3\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 10:17:14 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id 8D3C960E65\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 10:16:43 +0000 (UTC)", "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id tqAFFVagaifr for <ovs-dev@openvswitch.org>;\n Tue, 29 Oct 2024 10:16:37 +0000 (UTC)", "from mail-lf1-f65.google.com (mail-lf1-f65.google.com\n [209.85.167.65])\n by smtp3.osuosl.org (Postfix) with ESMTPS id 9ED0760DDF\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 10:16:36 +0000 (UTC)", "by mail-lf1-f65.google.com with SMTP id\n 2adb3069b0e04-539f6e1f756so5480538e87.0\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 03:16:36 -0700 (PDT)", "from im-t490s.redhat.com (ip-86-49-44-151.bb.vodafone.cz.\n [86.49.44.151]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-431b4594ec3sm20279685e9.1.2024.10.29.03.16.33\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 29 Oct 2024 03:16:33 -0700 (PDT)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections -\n client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp1.osuosl.org C768381397", "OpenDKIM Filter v2.11.0 smtp3.osuosl.org 9ED0760DDF" ], "Received-SPF": "Pass (mailfrom) identity=mailfrom; client-ip=209.85.167.65;\n helo=mail-lf1-f65.google.com; envelope-from=i.maximets.ovn@gmail.com;\n receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp3.osuosl.org 9ED0760DDF", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20230601; t=1730196994; x=1730801794;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc\n :subject:date:message-id:reply-to;\n bh=c3iL4ONEuzTwIaU4lY5jd0UVhjDSG21U2VmNIrUW7DY=;\n b=KXasGyNVsvmpfPmwHNMOwQ9294xY1ylshSed5BnIDU1bzAw/W9X7VTfSY1UPVZ9cGa\n /6eP+B9+dZwvUGUxi+pOXyhugW5rQ+ZoK7fdtHwRwUoHF7qMIrzLTK9dehutwjRifTCc\n N2Vim+hcTCWKNFirHxH9DTQcsOAbYQOjQ4CI9sGzUaRQGlPFZ9R9gT+sM02HeXnYblEx\n AXjUOODWyA3KoCFljQq2WR1hJX+rb2tSCyz/fA0fkIgvmRjiCmEAOUMMCxq8M4y/3dF+\n MRWYLI+g9xUKWRAjifsZ0msQ/G1/ph3UQspJPWE7rAJTkh1zjdbyJJhxA4qcL9WrmOgY\n zLyA==", "X-Gm-Message-State": "AOJu0YyawY6TZM4tr8au8ICMgS/5WJUMX9qe1g7+eEJs5ELU8rxKIC1z\n cMco6S1RQzy4LewE5VnUpT5v1RUaoJWEPc9L7eAmgTDTiNdDEvMT8fKbTh87", "X-Google-Smtp-Source": "\n AGHT+IGLg8becp1mhRu5uxe+2NszdjnWO5asgRXGDV34IrH5HHg1Gx2lzsyCdcRL3f3gnIgYrq8kdA==", "X-Received": "by 2002:a05:6512:31c3:b0:52f:d69e:bb38 with SMTP id\n 2adb3069b0e04-53b348c3836mr5114965e87.2.1730196993929;\n Tue, 29 Oct 2024 03:16:33 -0700 (PDT)", "From": "Ilya Maximets <i.maximets@ovn.org>", "To": "ovs-dev@openvswitch.org", "Date": "Tue, 29 Oct 2024 11:15:07 +0100", "Message-ID": "<20241029101608.2991596-10-i.maximets@ovn.org>", "X-Mailer": "git-send-email 2.46.0", "In-Reply-To": "<20241029101608.2991596-1-i.maximets@ovn.org>", "References": "<20241029101608.2991596-1-i.maximets@ovn.org>", "MIME-Version": "1.0", "Subject": "[ovs-dev] [PATCH 9/9] tests: ipsec: Check that nodes can ping each\n other in the NxN test.", "X-BeenThere": "ovs-dev@openvswitch.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "<ovs-dev.openvswitch.org>", "List-Unsubscribe": "<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>", "List-Archive": "<http://mail.openvswitch.org/pipermail/ovs-dev/>", "List-Post": "<mailto:ovs-dev@openvswitch.org>", "List-Help": "<mailto:ovs-dev-request@openvswitch.org?subject=help>", "List-Subscribe": "<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>", "Cc": "Ilya Maximets <i.maximets@ovn.org>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "ovs-dev-bounces@openvswitch.org", "Sender": "\"dev\" <ovs-dev-bounces@openvswitch.org>" }, "content": "Expand the NxN test with the network connectivity check between all the\nnodes. Unfortunately, we can't really run this test with Libreswan 4.x,\nsince, due to internal issues in these versions, we are getting into\nstates where everything is loaded and active, but no traffic can pass.\nThis is an internal issue in Libreswan that we can't workaround from\nthe outside. So, the fix is required in Libreswan itself. 4.5 and\nearlier versions seem to not be affected by this problem, at least not\nseverely affected, but it's easier to just cut off all the 4.x versions\nfrom the test.\n\n3.32 version from Ubuntu 22.04 and Libreswna 5.1 work just fine with\nthis test.\n\nTest is relatively long, but it is very valuable, IMO. Besides\nstressing ovs-monitor-ipsec with various failure and asynchronous\nconnection establishment conditions, which are important for OVS, it\nalso was used to reproduce and fix several bugs in Libreswan 4.x.\nUnfortunately, not all the issues are understood and fixed yet.\n\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>\n---\n tests/system-ipsec.at | 82 ++++++++++++++++++++++++++++++++++++++-----\n 1 file changed, 74 insertions(+), 8 deletions(-)", "diff": "diff --git a/tests/system-ipsec.at b/tests/system-ipsec.at\nindex 5bb048cff..9582bfcc1 100644\n--- a/tests/system-ipsec.at\n+++ b/tests/system-ipsec.at\n@@ -71,7 +71,9 @@ m4_define([IPSEC_ADD_NODE],\n on_exit \"kill `cat $ovs_base/$1/ovs-monitor-ipsec.pid`\"\n \n dnl Set up OVS bridge\n- NS_EXEC([$1], [ovs-vsctl --db unix:$ovs_base/$1/db.sock add-br br-ipsec])]\n+ NS_CHECK_EXEC([$1],\n+ [ovs-vsctl --db unix:$ovs_base/$1/db.sock add-br br-ipsec \\\n+ -- set-controller br-ipsec punix:$ovs_base/br-ipsec.$1.mgmt])]\n )\n m4_define([IPSEC_ADD_NODE_LEFT], [IPSEC_ADD_NODE(left, p0, $1, $2)])\n m4_define([IPSEC_ADD_NODE_RIGHT], [IPSEC_ADD_NODE(right, p1, $1, $2)])\n@@ -429,7 +431,8 @@ m4_for([id], [1], NODES, [1], [\n self-sign node-id], [0], [stdout])\n AT_CHECK(OVS_VSCTL([node-id], set Open_vSwitch . \\\n other_config:certificate=${ovs_base}/node-id-cert.pem \\\n- other_config:private_key=${ovs_base}/node-id-privkey.pem),\n+ other_config:private_key=${ovs_base}/node-id-privkey.pem \\\n+ -- set bridge br-ipsec other-config:hwaddr=f2:ff:00:00:00:id),\n [0], [ignore], [ignore])\n on_exit \"ipsec --rundir $ovs_base/node-id status > $ovs_base/node-id/status\"\n ])\n@@ -445,11 +448,18 @@ m4_for([LEFT], [1], NODES, [1], [\n fi\n ])])\n \n+dnl These are not necessary, but nice to have in the test log in\n+dnl order to spot pluto failures during the test.\n+on_exit \"grep -E 'timed out|outdated|half-loaded|defunct' \\\n+ $ovs_base/node-*/ovs-monitor-ipsec.log\"\n+on_exit \"grep -E 'ABORT' $ovs_base/node-*/pluto.log\"\n+\n m4_define([WAIT_FOR_LOADED_CONNS], [\n m4_for([id], [1], NODES, [1], [\n echo \"================== node-id =========================\"\n iterations=0\n loaded=0\n+ active=0\n dnl Using a custom loop instead of OVS_WAIT_UNTIL, because it may take\n dnl much longer than a default timeout. The default retransmit timeout\n dnl for pluto is 60 seconds. Also, we need to make sure pluto didn't\n@@ -463,8 +473,11 @@ m4_define([WAIT_FOR_LOADED_CONNS], [\n START_PLUTO([node-id])\n else\n loaded=$(IPSEC_STATUS_LOADED(node-id))\n+ m4_if([$1], [active],\n+ [active=$(IPSEC_STATUS_ACTIVE(node-id))], [active=$loaded])\n fi\n- if test \"$loaded\" -ne $(( (NODES - 1) * 2 )); then\n+ if test \"$loaded\" -ne \"$(( (NODES - 1) * 2 ))\" -o \\\n+ \"$loaded\" -ne \"$active\"; then\n sleep 3\n else\n break\n@@ -505,11 +518,64 @@ OVS_WAIT_UNTIL([grep -q 'tun-2.*need to reconcile' \\\n dnl Wait for all the connections to be loaded back.\n WAIT_FOR_LOADED_CONNS()\n \n-dnl These are not necessary, but nice to have in the test log in\n-dnl order to spot pluto failures during the test.\n-grep -E 'timed out|outdated|half-loaded|defunct' \\\n- $ovs_base/node-*/ovs-monitor-ipsec.log\n-grep -E 'ABORT' $ovs_base/node-*/pluto.log\n+dnl Next section will check connectivity between all the nodes.\n+dnl Different versions of Libreswan 4.x have issues where connections\n+dnl are not being correctly established or never become active in a\n+dnl way that can not be mitigated from ovs-monitor-ipsec or the test.\n+dnl So, only checking connectivity for Libreswan 3- or 5+.\n+if ! (ipsec --version 2>&1 | grep -q 'Libreswan 4\\.'); then\n+ dnl Turn off IPv6 and add static ARP entries for all namespaces to avoid\n+ dnl any broadcast / multicast traffic that would otherwise be multiplied\n+ dnl by each node creating a traffic storm. Add specific OpenFlow rules\n+ dnl to forward traffic to exact destinations without any MAC learning.\n+ m4_for([LEFT], [1], NODES, [1], [\n+ NS_CHECK_EXEC([node-LEFT], [sysctl -w net.ipv6.conf.all.disable_ipv6=1],\n+ [0], [ignore])\n+ AT_CHECK([ovs-ofctl del-flows unix:$ovs_base/br-ipsec.node-LEFT.mgmt])\n+ AT_CHECK([ovs-ofctl add-flow unix:$ovs_base/br-ipsec.node-LEFT.mgmt \\\n+ \"dl_dst=f2:ff:00:00:00:LEFT actions=LOCAL\"])\n+ m4_for([RIGHT], [1], NODES, [1], [\n+ if test LEFT -ne RIGHT; then\n+ NS_CHECK_EXEC([node-LEFT],\n+ [ip neigh add 192.0.0.RIGHT lladdr f2:ff:00:00:00:RIGHT dev br-ipsec])\n+ AT_CHECK([ovs-ofctl add-flow unix:$ovs_base/br-ipsec.node-LEFT.mgmt \\\n+ \"dl_dst=f2:ff:00:00:00:RIGHT actions=tun-RIGHT\"])\n+ fi\n+ ])\n+ ])\n+\n+ dnl Bring up and add IP addresses for br-ipsec interface.\n+ m4_for([id], [1], NODES, [1], [\n+ echo \"================== node-id =========================\"\n+ NS_CHECK_EXEC([node-id], [ip addr add 192.0.0.id/24 dev br-ipsec])\n+ NS_CHECK_EXEC([node-id], [ip link set dev br-ipsec up])\n+ ])\n+\n+ dnl Wait for all the connections to be loaded and active. In case one of\n+ dnl the pluto processes crashed some of the connections may never become\n+ dnl active. But we did run this loop with a pluto reviving logic twice\n+ dnl already, so the chances for pluto to be down here are much lower.\n+ WAIT_FOR_LOADED_CONNS([active])\n+\n+ dnl Check the full mesh ping.\n+ m4_for([LEFT], [1], NODES, [1], [\n+ m4_for([RIGHT], [1], NODES, [1], [\n+ if test LEFT -ne RIGHT; then\n+ echo \"====== ping: node-LEFT --> node-RIGHT ==========\"\n+ dnl Ping without checking in case connection will recover after the\n+ dnl first packet.\n+ NS_CHECK_EXEC([node-LEFT],\n+ [ping -q -c 1 -W 2 192.0.0.RIGHT | FORMAT_PING],\n+ [ignore], [stdout])\n+ dnl Now check. If this one fails, there is no actual connectivity.\n+ NS_CHECK_EXEC([node-LEFT],\n+ [ping -q -c 3 -i 0.1 -W 2 192.0.0.RIGHT | FORMAT_PING],\n+ [0], [dnl\n+3 packets transmitted, 3 received, 0% packet loss, time 0ms\n+])\n+ fi\n+ ])])\n+fi\n \n OVS_TRAFFIC_VSWITCHD_STOP()\n AT_CLEANUP\n", "prefixes": [ "ovs-dev", "9/9" ] }