diff mbox series

[ovs-dev,v1,1/1] ovn-controller: Ensure br-int is using secure fail-mode

Message ID 20210507012226.1504699-1-flavio@flaviof.com
State Superseded
Headers show
Series [ovs-dev,v1,1/1] ovn-controller: Ensure br-int is using secure fail-mode | expand

Commit Message

Flaviof May 7, 2021, 1:22 a.m. UTC 
By default, OVS bridges use standalone fail-mode, which means it is
configured with a single row with the NORMAL action as its OpenFlow table.
Upon system reboot, an integration bridge with many ports and such a table
could create broadcast storms and duplicate packets. That is why
ovn-controller creates the integration bridge with secure fail-mode.
Under that mode, the OpenFlow table remains empty until the controller
populates it, which could happen many seconds after the bridge is
operational. Unfortunately, the fail-mode setting was not being
done if the bridge was already created by the time ovn-controller
starts. This change fixes that and logs a warning should the fail-mode
ever needed to be corrected.

Reported-at: https://bugzilla.redhat.com/1957025
Signed-off-by: Flavio Fernandes <flavio@flaviof.com>
---
 controller/ovn-controller.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Frode Nordahl May 7, 2021, 7:02 a.m. UTC | #1 
fre. 7. mai 2021, 03:22 skrev Flavio Fernandes <flavio@flaviof.com>:

> By default, OVS bridges use standalone fail-mode, which means it is
> configured with a single row with the NORMAL action as its OpenFlow table.
> Upon system reboot, an integration bridge with many ports and such a table
> could create broadcast storms and duplicate packets. That is why
> ovn-controller creates the integration bridge with secure fail-mode.
> Under that mode, the OpenFlow table remains empty until the controller
> populates it, which could happen many seconds after the bridge is
> operational. Unfortunately, the fail-mode setting was not being
> done if the bridge was already created by the time ovn-controller
> starts. This change fixes that and logs a warning should the fail-mode
> ever needed to be corrected.
>

It would indeed be good to liberate the deployment tooling from the
responsibility of maintaining the fail-mode, so I welcome this change.

Reported-at: https://bugzilla.redhat.com/1957025
> Signed-off-by: Flavio Fernandes <flavio@flaviof.com>
> ---
>  controller/ovn-controller.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
> index 6106a9661..e4cbf3583 100644
> --- a/controller/ovn-controller.c
> +++ b/controller/ovn-controller.c
> @@ -401,6 +401,12 @@ process_br_int(struct ovsdb_idl_txn *ovs_idl_txn,
>                                                      ovs_table);
>      if (!br_int) {
>          br_int = create_br_int(ovs_idl_txn, ovs_table);
> +    } else if (ovs_idl_txn) {
>

Would it make sense to put this code into the branch below instead? It
appears to me it already executes on the condition you want.

+        const char *fail_mode = br_int->fail_mode;
> +        if (!fail_mode || strcmp(fail_mode, "secure")) {
> +            ovsrec_bridge_set_fail_mode(br_int, "secure");
> +            VLOG_WARN("Integration bridge fail-mode set to secure.");
>

While I agree this action should be logged, I wonder if the text could be
rephrased. As it stands it could read as having br-int in secure fail-mode
is a undesirable situation, whereas the opposite is true.

+        }
>      }
>      if (br_int && ovs_idl_txn) {
>          const struct ovsrec_open_vswitch *cfg;
> --
> 2.25.1
>

--
Frode Nordahl


> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
Flaviof May 7, 2021, 1:23 p.m. UTC | #2 
> On May 7, 2021, at 3:02 AM, Frode Nordahl <frode.nordahl@canonical.com> wrote:
> 
> 
> 
> fre. 7. mai 2021, 03:22 skrev Flavio Fernandes <flavio@flaviof.com <mailto:flavio@flaviof.com>>:
> By default, OVS bridges use standalone fail-mode, which means it is
> configured with a single row with the NORMAL action as its OpenFlow table.
> Upon system reboot, an integration bridge with many ports and such a table
> could create broadcast storms and duplicate packets. That is why
> ovn-controller creates the integration bridge with secure fail-mode.
> Under that mode, the OpenFlow table remains empty until the controller
> populates it, which could happen many seconds after the bridge is
> operational. Unfortunately, the fail-mode setting was not being
> done if the bridge was already created by the time ovn-controller
> starts. This change fixes that and logs a warning should the fail-mode
> ever needed to be corrected.
> 
> It would indeed be good to liberate the deployment tooling from the responsibility of maintaining the fail-mode, so I welcome this change.

Cool beans!

> 
> Reported-at: https://bugzilla.redhat.com/1957025 <https://bugzilla.redhat.com/1957025>
> Signed-off-by: Flavio Fernandes <flavio@flaviof.com <mailto:flavio@flaviof.com>>
> ---
>  controller/ovn-controller.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
> index 6106a9661..e4cbf3583 100644
> --- a/controller/ovn-controller.c
> +++ b/controller/ovn-controller.c
> @@ -401,6 +401,12 @@ process_br_int(struct ovsdb_idl_txn *ovs_idl_txn,
>                                                      ovs_table);
>      if (!br_int) {
>          br_int = create_br_int(ovs_idl_txn, ovs_table);
> +    } else if (ovs_idl_txn) {
> 
> Would it make sense to put this code into the branch below instead? It appears to me it already executes on the condition you want.

Yeah, we could do that. Right now, the creation of the bridge in "create_br_int" is already setting the fail-mode and
by moving this below would make that potentially redundant. But the cost of an additional strcmp() for sake of simplicity
may be a valid trade off? So the new code would look more like:

if (br_int && ovs_idl_txn) {
          const struct ovsrec_open_vswitch *cfg;
...
        if (datapath_type && strcmp(br_int->datapath_type, datapath_type)) {
            ovsrec_bridge_set_datapath_type(br_int, datapath_type);
        }

+        const char *fail_mode = br_int->fail_mode;
+        if (!fail_mode || strcmp(fail_mode, "secure")) {
+            ovsrec_bridge_set_fail_mode(br_int, "secure");
+            VLOG_WARN("Integration bridge fail-mode needed to be set as secure.");}
+       }
 }
 return br_int;

Sounds reasonable?

> 
> +        const char *fail_mode = br_int->fail_mode;
> +        if (!fail_mode || strcmp(fail_mode, "secure")) {
> +            ovsrec_bridge_set_fail_mode(br_int, "secure");
> +            VLOG_WARN("Integration bridge fail-mode set to secure.");
> 
> While I agree this action should be logged, I wonder if the text could be rephrased. As it stands it could read as having br-int in secure fail-mode is a undesirable situation, whereas the opposite is true.

heh.... English troubles! ;) I can see what you mean now.

Do you think this is more appropriate:

     Integration bridge fail-mode needed to be set as secure.

? Chime in with any tweaks, please.

-- flaviof

> 
> +        }
>      }
>      if (br_int && ovs_idl_txn) {
>          const struct ovsrec_open_vswitch *cfg;
> --
> 2.25.1
> 
> --
> Frode Nordahl
> 
> 
> _______________________________________________
> dev mailing list
> dev@openvswitch.org <mailto:dev@openvswitch.org>
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>
Frode Nordahl May 7, 2021, 3:34 p.m. UTC | #3 
On Fri, May 7, 2021 at 3:23 PM Flavio Fernandes <flavio@flaviof.com> wrote:
> On May 7, 2021, at 3:02 AM, Frode Nordahl <frode.nordahl@canonical.com> wrote:
> fre. 7. mai 2021, 03:22 skrev Flavio Fernandes <flavio@flaviof.com>:
>> diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
>> index 6106a9661..e4cbf3583 100644
>> --- a/controller/ovn-controller.c
>> +++ b/controller/ovn-controller.c
>> @@ -401,6 +401,12 @@ process_br_int(struct ovsdb_idl_txn *ovs_idl_txn,
>>                                                      ovs_table);
>>      if (!br_int) {
>>          br_int = create_br_int(ovs_idl_txn, ovs_table);
>> +    } else if (ovs_idl_txn) {
>
> Would it make sense to put this code into the branch below instead? It appears to me it already executes on the condition you want.
>
> Yeah, we could do that. Right now, the creation of the bridge in "create_br_int" is already setting the fail-mode and
> by moving this below would make that potentially redundant. But the cost of an additional strcmp() for sake of simplicity
> may be a valid trade off? So the new code would look more like:

Ah I see, I like conservatism, but in reality it would only optimize
away the call for the first iteration of the main loop if the bridge
did not exist?

> if (br_int && ovs_idl_txn) {
>           const struct ovsrec_open_vswitch *cfg;
> ...
>         if (datapath_type && strcmp(br_int->datapath_type, datapath_type)) {
>             ovsrec_bridge_set_datapath_type(br_int, datapath_type);
>         }
> +        const char *fail_mode = br_int->fail_mode;
> +        if (!fail_mode || strcmp(fail_mode, "secure")) {
> +            ovsrec_bridge_set_fail_mode(br_int, "secure");
> +            VLOG_WARN("Integration bridge fail-mode needed to be set as secure.");}
> +       }
>  }
>  return br_int;
>
> Sounds reasonable?

I think this looks much better, one minor nit: the fail_mode variable
is not really necessary, or perhaps we could use it to store the
desired fail_mode "secure" instead, to avoid repetition of that
constant in the code?

>
>> +        const char *fail_mode = br_int->fail_mode;
>> +        if (!fail_mode || strcmp(fail_mode, "secure")) {
>> +            ovsrec_bridge_set_fail_mode(br_int, "secure");
>> +            VLOG_WARN("Integration bridge fail-mode set to secure.");
>
>
> While I agree this action should be logged, I wonder if the text could be rephrased. As it stands it could read as having br-int in secure fail-mode is a undesirable situation, whereas the opposite is true.
>
>
> heh.... English troubles! ;) I can see what you mean now.
>
> Do you think this is more appropriate:
>
>      Integration bridge fail-mode needed to be set as secure.
>
> ? Chime in with any tweaks, please.

Better, this could also work: "Integration bridge fail-mode changed to
'secure'."

Cheers!

--
Frode Nordahl

>
> -- flaviof
>
>
>> +        }
>>      }
>>      if (br_int && ovs_idl_txn) {
>>          const struct ovsrec_open_vswitch *cfg;
>> --
>> 2.25.1
>
>
> --
> Frode Nordahl
>
>>
>> _______________________________________________
>> dev mailing list
>> dev@openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
diff mbox series

Patch

diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index 6106a9661..e4cbf3583 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -401,6 +401,12 @@  process_br_int(struct ovsdb_idl_txn *ovs_idl_txn,
                                                     ovs_table);
     if (!br_int) {
         br_int = create_br_int(ovs_idl_txn, ovs_table);
+    } else if (ovs_idl_txn) {
+        const char *fail_mode = br_int->fail_mode;
+        if (!fail_mode || strcmp(fail_mode, "secure")) {
+            ovsrec_bridge_set_fail_mode(br_int, "secure");
+            VLOG_WARN("Integration bridge fail-mode set to secure.");
+        }
     }
     if (br_int && ovs_idl_txn) {
         const struct ovsrec_open_vswitch *cfg;