
[ovs-dev,v3] controller: Release container lport when releasing parent port.

Message ID 20240228104232.2096185-1-mheib@redhat.com
State Accepted
Delegated to: Numan Siddique


Commit Message

Mohammad Heib Feb. 28, 2024, 10:42 a.m. UTC
Currently, if the user sets the container parent port's requested-chassis
option after the VIF/CIF is bound to a chassis, the VIF/CIF flows migrate
to the new chassis, but the container flows remain installed on the old
chassis, which can allow unwanted tagged traffic to reach VMs/containers
on the old chassis.

This patch resolves the above issue by removing the CIF flows from the
old chassis and preventing the CIF from being bound to a chassis
different from the one its parent VIF is bound to.

Rreported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2220938
Signed-off-by: Mohammad Heib <mheib@redhat.com>
---
 controller/binding.c  |  3 +++
 controller/physical.c |  9 ++++++++
 tests/ovn.at          | 53 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+)

Comments

Numan Siddique March 15, 2024, 3:06 p.m. UTC | #1
On Wed, Feb 28, 2024 at 5:43 AM Mohammad Heib <mheib@redhat.com> wrote:
>
> Currently if the user sets the container parent_port:requested-chassis
> option after the VIF/CIF is bonded to the chassis, this will migrate
> the VIF/CIF flows to the new chassis but will still have the
> container flows installed in the old chassis which can allow unwanted
> tagged traffic to reach VMS/containers on the old chassis.
>
> This patch will resolve the above issue by remove the CIF flows
> from the old chassis and prevent the CIF from being bonded to a
> chassis different from the parent port VIF binding chassis.
>
> Rreported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2220938
> Signed-off-by: Mohammad Heib <mheib@redhat.com>

Thanks for v3.  I applied this patch to main and backported it down to
branch-22.03 with the small change below.


--------------------------
diff --git a/controller/binding.c b/controller/binding.c
index c2d15a6c43..8ac2ce3e2b 100644
--- a/controller/binding.c
+++ b/controller/binding.c
@@ -1709,10 +1709,10 @@ consider_container_lport(const struct
sbrec_port_binding *pb,
     }

     ovs_assert(parent_b_lport && parent_b_lport->pb);
-    bool can_bind = lport_can_bind_on_this_chassis(b_ctx_in->chassis_rec, pb);
     /* cannot bind to this chassis if the parent_port cannot be bounded. */
-    can_bind &= lport_can_bind_on_this_chassis(b_ctx_in->chassis_rec,
-                                               parent_b_lport->pb);
+    bool can_bind = lport_can_bind_on_this_chassis(b_ctx_in->chassis_rec,
+                                                   parent_b_lport->pb) &&
+                    lport_can_bind_on_this_chassis(b_ctx_in->chassis_rec, pb);

     return consider_vif_lport_(pb, can_bind, b_ctx_in, b_ctx_out,
                                container_b_lport);

--------------------------

Thanks
Numan

> ---
>  controller/binding.c  |  3 +++
>  controller/physical.c |  9 ++++++++
>  tests/ovn.at          | 53 +++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 65 insertions(+)
>
> diff --git a/controller/binding.c b/controller/binding.c
> index 2afc5d48a..c2d15a6c4 100644
> --- a/controller/binding.c
> +++ b/controller/binding.c
> @@ -1710,6 +1710,9 @@ consider_container_lport(const struct sbrec_port_binding *pb,
>
>      ovs_assert(parent_b_lport && parent_b_lport->pb);
>      bool can_bind = lport_can_bind_on_this_chassis(b_ctx_in->chassis_rec, pb);
> +    /* cannot bind to this chassis if the parent_port cannot be bounded. */
> +    can_bind &= lport_can_bind_on_this_chassis(b_ctx_in->chassis_rec,
> +                                               parent_b_lport->pb);
>
>      return consider_vif_lport_(pb, can_bind, b_ctx_in, b_ctx_out,
>                                 container_b_lport);
> diff --git a/controller/physical.c b/controller/physical.c
> index 7ef259da4..86d4b4578 100644
> --- a/controller/physical.c
> +++ b/controller/physical.c
> @@ -1631,6 +1631,15 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name,
>              nested_container = true;
>              parent_port = lport_lookup_by_name(
>                  sbrec_port_binding_by_name, binding->parent_port);
> +
> +            if (parent_port
> +                && !lport_can_bind_on_this_chassis(chassis, parent_port)) {
> +                /* Even though there is an ofport for this container
> +                 * parent port, it is requested on different chassis ignore
> +                 * this container port.
> +                 */
> +                return;
> +            }
>          }
>      } else if (!strcmp(binding->type, "localnet")
>               || !strcmp(binding->type, "l2gateway")) {
> diff --git a/tests/ovn.at b/tests/ovn.at
> index d26c95054..6f0fc1043 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -38351,3 +38351,56 @@ OVS_WAIT_UNTIL([test 1 = $(as hv ovs-ofctl dump-flows br-int | grep -E "pkt_mark
>  OVN_CLEANUP([hv])
>  AT_CLEANUP
>  ])
> +
> +OVN_FOR_EACH_NORTHD([
> +AT_SETUP([ovn-controller - cleanup VIF/CIF related flows/fields when updating requested-chassis])
> +ovn_start
> +
> +net_add n1
> +sim_add hv1
> +ovs-vsctl add-br br-phys
> +ovn_attach n1 br-phys 192.168.0.1
> +check ovs-vsctl -- add-port br-int vif1 -- \
> +    set Interface vif1 external-ids:iface-id=lsp1 \
> +    ofport-request=8
> +
> +check ovn-nbctl ls-add lsw0
> +
> +check ovn-nbctl lsp-add lsw0 lsp1
> +check ovn-nbctl lsp-add lsw0 sw0-port1.1 lsp1 7
> +
> +# wait for the VIF to be claimed to this chassis
> +wait_row_count Chassis 1 name=hv1
> +hv1_uuid=$(fetch_column Chassis _uuid name=hv1)
> +wait_for_ports_up lsp1
> +wait_for_ports_up sw0-port1.1
> +wait_column "$hv1_uuid" Port_Binding chassis logical_port=lsp1
> +wait_column "$hv1_uuid" Port_Binding chassis logical_port=sw0-port1.1
> +
> +# check that flows is installed
> +OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows br-int table=0 |grep priority=100 | grep -c in_port=8], [0],[dnl
> +1
> +])
> +OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows br-int table=0 |grep priority=150|grep dl_vlan=7| grep -c in_port=8], [0],[dnl
> +1
> +])
> +
> +# set lport requested-chassis to differant chassis
> +check ovn-nbctl set Logical_Switch_Port lsp1 \
> +    options:requested-chassis=foo
> +
> +OVS_WAIT_UNTIL([test `ovn-sbctl get Port_Binding lsp1 up` = 'false'])
> +OVS_WAIT_UNTIL([test `ovn-sbctl get Port_Binding sw0-port1.1 up` = 'false'])
> +wait_column "" Port_Binding chassis logical_port=lsp1
> +wait_column "" Port_Binding chassis logical_port=sw0-port1.1
> +
> +OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows br-int table=0 |grep priority=100 |grep -c in_port=8], [1],[dnl
> +0
> +])
> +OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows br-int table=0 |grep priority=150|grep dl_vlan=7| grep -c in_port=8], [1],[dnl
> +0
> +])
> +
> +OVN_CLEANUP([hv1])
> +AT_CLEANUP
> +])
> --
> 2.34.3
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>

Patch

diff --git a/controller/binding.c b/controller/binding.c
index 2afc5d48a..c2d15a6c4 100644
--- a/controller/binding.c
+++ b/controller/binding.c
@@ -1710,6 +1710,9 @@  consider_container_lport(const struct sbrec_port_binding *pb,
 
     ovs_assert(parent_b_lport && parent_b_lport->pb);
     bool can_bind = lport_can_bind_on_this_chassis(b_ctx_in->chassis_rec, pb);
+    /* cannot bind to this chassis if the parent_port cannot be bounded. */
+    can_bind &= lport_can_bind_on_this_chassis(b_ctx_in->chassis_rec,
+                                               parent_b_lport->pb);
 
     return consider_vif_lport_(pb, can_bind, b_ctx_in, b_ctx_out,
                                container_b_lport);
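Review bot: The comment on the first added line says the parent port "cannot be bounded", a grammar slip in the one sentence that explains why a container port is refused on this chassis; `/* A container port may bind here only if its parent port can also bind to this chassis. */` states the rule precisely. The rest of the hunk is fine: `&=` on a `bool` is well defined and the result feeds straight into consider_vif_lport_. consider_container_lport begins before this hunk, so how parent_b_lport was resolved is not visible here.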
diff --git a/controller/physical.c b/controller/physical.c
index 7ef259da4..86d4b4578 100644
--- a/controller/physical.c
+++ b/controller/physical.c
@@ -1631,6 +1631,15 @@  consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name,
             nested_container = true;
             parent_port = lport_lookup_by_name(
                 sbrec_port_binding_by_name, binding->parent_port);
+
+            if (parent_port
+                && !lport_can_bind_on_this_chassis(chassis, parent_port)) {
+                /* Even though there is an ofport for this container
+                 * parent port, it is requested on different chassis ignore
+                 * this container port.
+                 */
+                return;
+            }
         }
     } else if (!strcmp(binding->type, "localnet")
              || !strcmp(binding->type, "l2gateway")) {
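Review bot: The new guard fires only when lport_lookup_by_name returns a parent; when it returns NULL the code still falls through with nested_container set, so a container whose parent binding is missing keeps whatever handling the rest of consider_port_binding gives it — presumably intended, but a clause in the comment would save the next reader the question. The comment itself reads more clearly as `/* The parent port has an ofport here but is requested on another chassis; skip this container port so no VLAN-tagged flows are installed for it. */`. The early return is what keeps the stale tagged flows off the old chassis, assuming the caller has already dropped this port's previous flows before re-running this function. consider_port_binding starts and ends outside the hunk.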
diff --git a/tests/ovn.at b/tests/ovn.at
index d26c95054..6f0fc1043 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -38351,3 +38351,56 @@  OVS_WAIT_UNTIL([test 1 = $(as hv ovs-ofctl dump-flows br-int | grep -E "pkt_mark
 OVN_CLEANUP([hv])
 AT_CLEANUP
 ])
+
+OVN_FOR_EACH_NORTHD([
+AT_SETUP([ovn-controller - cleanup VIF/CIF related flows/fields when updating requested-chassis])
+ovn_start
+
+net_add n1
+sim_add hv1
+ovs-vsctl add-br br-phys
+ovn_attach n1 br-phys 192.168.0.1
+check ovs-vsctl -- add-port br-int vif1 -- \
+    set Interface vif1 external-ids:iface-id=lsp1 \
+    ofport-request=8
+
+check ovn-nbctl ls-add lsw0
+
+check ovn-nbctl lsp-add lsw0 lsp1
+check ovn-nbctl lsp-add lsw0 sw0-port1.1 lsp1 7
+
+# wait for the VIF to be claimed to this chassis
+wait_row_count Chassis 1 name=hv1
+hv1_uuid=$(fetch_column Chassis _uuid name=hv1)
+wait_for_ports_up lsp1
+wait_for_ports_up sw0-port1.1
+wait_column "$hv1_uuid" Port_Binding chassis logical_port=lsp1
+wait_column "$hv1_uuid" Port_Binding chassis logical_port=sw0-port1.1
+
+# check that flows is installed
+OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows br-int table=0 |grep priority=100 | grep -c in_port=8], [0],[dnl
+1
+])
+OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows br-int table=0 |grep priority=150|grep dl_vlan=7| grep -c in_port=8], [0],[dnl
+1
+])
+
+# set lport requested-chassis to differant chassis
+check ovn-nbctl set Logical_Switch_Port lsp1 \
+    options:requested-chassis=foo
+
+OVS_WAIT_UNTIL([test `ovn-sbctl get Port_Binding lsp1 up` = 'false'])
+OVS_WAIT_UNTIL([test `ovn-sbctl get Port_Binding sw0-port1.1 up` = 'false'])
+wait_column "" Port_Binding chassis logical_port=lsp1
+wait_column "" Port_Binding chassis logical_port=sw0-port1.1
+
+OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows br-int table=0 |grep priority=100 |grep -c in_port=8], [1],[dnl
+0
+])
+OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows br-int table=0 |grep priority=150|grep dl_vlan=7| grep -c in_port=8], [1],[dnl
+0
+])
+
+OVN_CLEANUP([hv1])
+AT_CLEANUP
+])