From patchwork Thu Nov 9 17:31:05 2017
X-Patchwork-Submitter: Flavio Leitner
X-Patchwork-Id: 836452
From: Flavio Leitner
To: dev@openvswitch.org
Cc: Flavio Leitner, Jiri Benc
Date: Thu, 9 Nov 2017 15:31:05 -0200
Message-Id: <20171109173107.26256-7-fbl@redhat.com>
In-Reply-To: <20171109173107.26256-1-fbl@redhat.com>
Subject: [ovs-dev] [PATCH v2 6/8] netlink linux: enable listening to all nsids

Internal ports may be moved to another network namespace and when that happens, the vswitch stops receiving netlink notifications. This patch enables the vswitch to listen to all network namespaces that have an nsid assigned into the network namespace where the socket has been opened. It requires kernel 4.2 or newer.
Signed-off-by: Flavio Leitner --- lib/daemon-unix.c | 3 ++- lib/daemon.man | 6 +++--- lib/daemon.xml | 8 ++++---- lib/netdev-linux.c | 1 + lib/netlink-protocol.h | 6 ++++++ lib/netlink-socket.c | 27 +++++++++++++++++++++++++++ lib/netlink-socket.h | 2 ++ tests/ofproto-macros.at | 1 + tests/ovn-controller-vtep.at | 1 + 9 files changed, 47 insertions(+), 8 deletions(-) diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c index 967a28432..be6d29cbe 100644 --- a/lib/daemon-unix.c +++ b/lib/daemon-unix.c @@ -818,7 +818,8 @@ daemon_become_new_user_linux(bool access_datapath OVS_UNUSED) if (access_datapath && !ret) { ret = capng_update(CAPNG_ADD, cap_sets, CAP_NET_ADMIN) - || capng_update(CAPNG_ADD, cap_sets, CAP_NET_RAW); + || capng_update(CAPNG_ADD, cap_sets, CAP_NET_RAW) + || capng_update(CAPNG_ADD, cap_sets, CAP_NET_BROADCAST); } } else { ret = -1; diff --git a/lib/daemon.man b/lib/daemon.man index 820a09903..68c0a312d 100644 --- a/lib/daemon.man +++ b/lib/daemon.man @@ -76,9 +76,9 @@ started by the root user accepts this argument. .IP On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES before dropping root privileges. Daemons that interact with a datapath, -such as \fBovs\-vswitchd\fR, will be granted two additional capabilities, namely -CAP_NET_ADMIN and CAP_NET_RAW. The capability change will apply even if -new user is "root". +such as \fBovs\-vswitchd\fR, will be granted three additional capabilities, +namely CAP_NET_ADMIN, CAP_NET_BROADCAST and CAP_NET_RAW. The capability +change will apply even if the new user is root. .IP On Windows, this option is not currently supported. For security reasons, specifying this option will cause the daemon process not to start. diff --git a/lib/daemon.xml b/lib/daemon.xml index 5cb447c49..1b5e8acae 100644 --- a/lib/daemon.xml +++ b/lib/daemon.xml 
@@ -107,10 +107,10 @@ On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES before dropping root privileges. Daemons that interact with a datapath, such as - ovs-vswitchd, will be granted two additional - capabilities, namely CAP_NET_ADMIN and - CAP_NET_RAW. The capability change will apply even - if the new user is root. + ovs-vswitchd, will be granted three additional + capabilities, namely CAP_NET_ADMIN, + CAP_NET_BROADCAST and CAP_NET_RAW. The + capability change will apply even if the new user is root.

diff --git a/lib/netdev-linux.c b/lib/netdev-linux.c index 703e1baf9..ce8df4c6b 100644 --- a/lib/netdev-linux.c +++ b/lib/netdev-linux.c @@ -653,6 +653,7 @@ netdev_linux_notify_sock(void) } } } + nl_sock_listen_all_nsid(sock, true); ovsthread_once_done(&once); } diff --git a/lib/netlink-protocol.h b/lib/netlink-protocol.h index a7b9a65fa..c0617dfad 100644 --- a/lib/netlink-protocol.h +++ b/lib/netlink-protocol.h @@ -158,6 +158,12 @@ enum { #define NETLINK_DROP_MEMBERSHIP 2 #endif +/* This was introduced in v4.2. (We want our programs to support the newer + * kernel features even if compiled with older headers.) */ +#ifndef NETLINK_LISTEN_ALL_NSID +#define NETLINK_LISTEN_ALL_NSID 8 +#endif + /* These were introduced all together in 2.6.23. (We want our programs to * support the newer kernel features even if compiled with older headers.) */ #ifndef CTRL_ATTR_MCAST_GRP_MAX diff --git a/lib/netlink-socket.c b/lib/netlink-socket.c index 4e0317fbe..022b53f2d 100644 --- a/lib/netlink-socket.c +++ b/lib/netlink-socket.c 
@@ -441,6 +441,33 @@ nl_sock_join_mcgroup(struct nl_sock *sock, unsigned int multicast_group) return 0; } +/* When 'enable' is true, it tries to enable 'sock' to receive netlink + * notifications form all network namespaces that have an nsid assigned + * into the network namespace where the socket has been opened. The + * running kernel needs to provide support for that. When 'enable' is + * false, it will receive netlink notifications only from the network + * namespace where the socket has been opened. + * + * Returns 0 if successful, otherwise a positive errno. */ +int +nl_sock_listen_all_nsid(struct nl_sock *sock, bool enable) +{ + int error; + int val = enable ? 1 : 0; + +#ifndef _WIN32 + if (setsockopt(sock->fd, SOL_NETLINK, NETLINK_LISTEN_ALL_NSID, &val, + sizeof val) < 0) { + error = errno; + VLOG_INFO("netlink: could not %s listening to all nsid (%s)", + enable ? "enable" : "disable", ovs_strerror(error)); + return errno; + } +#endif + + return 0; +} + #ifdef _WIN32 int nl_sock_subscribe_packet__(struct nl_sock *sock, bool subscribe) diff --git a/lib/netlink-socket.h b/lib/netlink-socket.h index 348483fad..deac8d244 100644 --- a/lib/netlink-socket.h +++ b/lib/netlink-socket.h @@ -214,6 +214,8 @@ void nl_sock_destroy(struct nl_sock *); int nl_sock_join_mcgroup(struct nl_sock *, unsigned int multicast_group); int nl_sock_leave_mcgroup(struct nl_sock *, unsigned int multicast_group); +int nl_sock_listen_all_nsid(struct nl_sock *, bool enable); + #ifdef _WIN32 int nl_sock_subscribe_packets(struct nl_sock *sock); int nl_sock_unsubscribe_packets(struct nl_sock *sock); diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at index 38449db32..5657f0f87 100644 --- a/tests/ofproto-macros.at +++ b/tests/ofproto-macros.at 
@@ -341,6 +341,7 @@ m4_define([_OVS_VSWITCHD_START], /netdev_linux|INFO|.*device has unknown hardware address family/d /ofproto|INFO|datapath ID changed to fedcba9876543210/d /dpdk|INFO|DPDK Disabled - Use other_config:dpdk-init to enable/d +/netlink_socket|INFO|netlink: could not enable listening to all nsid/d /netdev: Flow API/d /tc: Using policy/d']]) ]) diff --git a/tests/ovn-controller-vtep.at b/tests/ovn-controller-vtep.at index 0d2711e3a..f435ff874 100644 --- a/tests/ovn-controller-vtep.at +++ b/tests/ovn-controller-vtep.at @@ -43,6 +43,7 @@ m4_define([OVN_CONTROLLER_VTEP_START], /vswitchd|INFO|ovs-vswitchd (Open vSwitch)/d /reconnect|INFO|/d /ofproto|INFO|using datapath ID/d +/netlink_socket|INFO|netlink: could not enable listening to all nsid/d /ofproto|INFO|datapath ID changed to fedcba9876543210/d']]) AT_CHECK([ovs-vsctl -- add-br br-vtep \ -- set bridge br-vtep datapath-type=dummy other-config:datapath-id=fedcba9876543210 other-config:hwaddr=aa:55:aa:55:00:00 protocols=[[OpenFlow10,OpenFlow11,OpenFlow12,OpenFlow13,OpenFlow14,OpenFlow15]] fail-mode=secure \
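Review bot: the lib/daemon-unix.c hunk widens the post-privilege-drop capability set of every datapath daemon with CAP_NET_BROADCAST, but neither the commit message nor a comment at the capng_update call says what the capability is needed for. A reader auditing the capability set has to guess that it is what the kernel requires for the NETLINK_LISTEN_ALL_NSID setsockopt added later in the series; state that explicitly in the commit message and in a one-line comment beside `|| capng_update(CAPNG_ADD, cap_sets, CAP_NET_BROADCAST);` so the extra privilege stays tied to a concrete need and can be removed together with the feature.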
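Review bot: in the lib/netdev-linux.c hunk, `nl_sock_listen_all_nsid(sock, true);` is inserted after three closing braces, i.e. outside the block that creates the socket and joins its multicast groups, so it runs on the failure path as well. If that block can leave `sock` NULL, the new call dereferences `sock->fd` inside nl_sock_listen_all_nsid. Move the call into the success path (right after the multicast groups are joined) or guard it with `if (sock) { ... }`, and consider whether a failure here should be reported rather than having the return value silently dropped.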
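Review bot: in the lib/netlink-socket.c hunk, the error path saves `error = errno;` but then does `return errno;` instead of `return error;`. VLOG_INFO and ovs_strerror run between the two and may change errno, so the caller can get a wrong or zero error code; return the saved `error`. Two smaller points in the same hunk: the header comment says "notifications form all network namespaces" (should be "from"), and under `#ifdef _WIN32` the variables `error`, `val` and the `sock` parameter are unused, which will produce warnings on that build; either mark them OVS_UNUSED or move the `#ifndef _WIN32` around the whole body so the Windows version is a one-line `return 0;`.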