From patchwork Tue Mar 31 12:34:21 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Timothy Redaelli X-Patchwork-Id: 2218113 X-Patchwork-Delegate: aconole@redhat.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=OuDJnmJ4; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.136; helo=smtp3.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4flSHt0z7Xz1yGT for ; Tue, 31 Mar 2026 23:35:06 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id B03C560F61; Tue, 31 Mar 2026 12:35:03 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id Ckti35mlAUBZ; Tue, 31 Mar 2026 12:35:02 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 6004360F6E Authentication-Results: smtp3.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=OuDJnmJ4 Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp3.osuosl.org (Postfix) with ESMTPS id 6004360F6E; Tue, 31 Mar 2026 12:35:02 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 37E1FC054B; Tue, 31 Mar 2026 12:35:02 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 12BB0C054D for ; Tue, 31 Mar 2026 12:35:00 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id CBBBE40691 for ; Tue, 31 Mar 2026 12:34:59 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id 5oMw8WGsbpoH for ; Tue, 31 Mar 2026 12:34:58 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=170.10.133.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=tredaelli@redhat.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp2.osuosl.org A8B7940692 Authentication-Results: smtp2.osuosl.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org A8B7940692 Authentication-Results: smtp2.osuosl.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=OuDJnmJ4 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by smtp2.osuosl.org (Postfix) with ESMTPS id A8B7940692 for ; Tue, 31 Mar 2026 12:34:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774960497; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=KVYzjT/VmK5pDXTQZQ1N+3KkDBJj3laStxGErcCzKnk=; b=OuDJnmJ4BO9wyojtu9l2WASRga8wdvKn+mR7oyyBamqCYPaQbxyThygGO2hnIIOB9fTEtx WA92qOETliGn8ggGVSAcJRoaXRM/6AFdhKt/Vqr5zra6pqT27J8rm33HvLTXjz6gXgxLaL F3D0gja5wrvM4omgaik7Avq2fWQylus= Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-556-wibR8qcLP1OzKM8FUhVflw-1; Tue, 31 Mar 2026 08:34:53 -0400 X-MC-Unique: wibR8qcLP1OzKM8FUhVflw-1 X-Mimecast-MFC-AGG-ID: wibR8qcLP1OzKM8FUhVflw_1774960492 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 07E581956065; Tue, 31 Mar 2026 12:34:52 +0000 (UTC) Received: from aldebaran.char-dominant.ts.net (unknown [10.44.32.65]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id C9B191955F42; Tue, 31 Mar 2026 12:34:50 +0000 (UTC) To: dev@openvswitch.org Date: Tue, 31 Mar 2026 14:34:21 +0200 Message-ID: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: CEo0vcT64KqmAzgAkyYRG1d1A0jfBVKPXvX_X_iTwcs_1774960492 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH v2 1/5] stream: Add "pfd:" passive stream for pre-opened file descriptors. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Timothy Redaelli via dev From: Timothy Redaelli Reply-To: Timothy Redaelli Cc: Lubomir Rintel Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Add a new "pfd:" passive stream class that accepts a pre-opened file descriptor number. This is the core building block for systemd socket activation, where systemd opens and binds the listening socket before starting the service. The pfd_open() function validates that the file descriptor refers to a listening stream socket via getsockopt(SO_TYPE) and getsockopt(SO_ACCEPTCONN), sets it non-blocking, and wraps it in an fd_pstream. Unlike punix:, the unlink_path is NULL because the service does not own the socket file. Use str_to_long() for parsing the file descriptor number. For security, pfd: remotes are restricted to the command line (--remote=pfd:N). Runtime addition via ovsdb-server/add-remote or the database is rejected at three entry points (ovsdb_server_add_remote, add_manager_options, query_db_remotes), preventing an attacker with database write access from hijacking arbitrary file descriptors. Reported-at: https://issues.redhat.com/browse/FDP-3413 Co-authored-by: Lubomir Rintel Signed-off-by: Lubomir Rintel Signed-off-by: Timothy Redaelli --- Documentation/ref/ovsdb.7.rst | 12 ++++++++ lib/stream-provider.h | 1 + lib/stream-unix.c | 52 +++++++++++++++++++++++++++++++++++ lib/stream.c | 5 ++++ ovsdb/ovsdb-server.c | 23 +++++++++++++++- 5 files changed, 92 insertions(+), 1 deletion(-) diff --git a/Documentation/ref/ovsdb.7.rst b/Documentation/ref/ovsdb.7.rst index 42541dd7e..cf1ef3736 100644 --- a/Documentation/ref/ovsdb.7.rst +++ b/Documentation/ref/ovsdb.7.rst @@ -709,6 +709,18 @@ punix: to mimic the behavior of a Unix domain socket. The ACLs of the named pipe include LocalSystem, Administrators, and Creator Owner. +pfd: + Listen on a pre-opened file descriptor . The file descriptor must + refer to a bound, listening Unix domain stream socket. This is intended + for use with systemd socket activation, where systemd opens the socket + and passes it to the service. + + For security, ``pfd:`` may only be specified on the command line + (``--remote=pfd:``). It is rejected if added at runtime via + ``ovsdb-server/add-remote`` or through the database. + + This connection method is not supported on Windows. + All IP-based connection methods accept IPv4 and IPv6 addresses. To specify an IPv6 address, wrap it in square brackets, e.g. ``ssl:[::1]:6640``. Passive IP-based connection methods by default listen for IPv4 connections only; use diff --git a/lib/stream-provider.h b/lib/stream-provider.h index 44e3c6431..ddd468b09 100644 --- a/lib/stream-provider.h +++ b/lib/stream-provider.h @@ -195,6 +195,7 @@ extern const struct pstream_class ptcp_pstream_class; #ifndef _WIN32 extern const struct stream_class unix_stream_class; extern const struct pstream_class punix_pstream_class; +extern const struct pstream_class pfd_pstream_class; #else extern const struct stream_class windows_stream_class; extern const struct pstream_class pwindows_pstream_class; diff --git a/lib/stream-unix.c b/lib/stream-unix.c index d265efb83..2374d0fbf 100644 --- a/lib/stream-unix.c +++ b/lib/stream-unix.c @@ -136,3 +136,55 @@ const struct pstream_class punix_pstream_class = { NULL, }; +/* Pre-opened file descriptor passive stream. + * + * Used for systemd socket activation: systemd opens and binds the socket, + * then passes it to the service as a pre-opened file descriptor. */ + +static int +pfd_open(const char *name, char *suffix, + struct pstream **pstreamp, uint8_t dscp OVS_UNUSED) +{ + long fd; + + if (!str_to_long(suffix, 10, &fd) || fd < 0) { + VLOG_ERR("%s: bad file descriptor", name); + return EINVAL; + } + + /* Verify it is a listening stream socket. */ + int sock_type; + socklen_t len = sizeof sock_type; + if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &sock_type, &len)) { + VLOG_ERR("%s: not a socket (%s)", name, ovs_strerror(errno)); + return errno; + } + if (sock_type != SOCK_STREAM) { + VLOG_ERR("%s: not a stream socket (type %d)", name, sock_type); + return EINVAL; + } + int listening; + len = sizeof listening; + if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &listening, &len) + || !listening) { + VLOG_ERR("%s: not a listening socket", name); + return EINVAL; + } + + int error = set_nonblocking(fd); + if (error) { + return error; + } + + return new_fd_pstream(xstrdup(name), fd, punix_accept, NULL, pstreamp); +} + +const struct pstream_class pfd_pstream_class = { + "pfd", + false, + pfd_open, + NULL, + NULL, + NULL, +}; + diff --git a/lib/stream.c b/lib/stream.c index feaa1cb2d..b3b21588a 100644 --- a/lib/stream.c +++ b/lib/stream.c @@ -69,6 +69,7 @@ static const struct pstream_class *pstream_classes[] = { &ptcp_pstream_class, #ifndef _WIN32 &punix_pstream_class, + &pfd_pstream_class, #else &pwindows_pstream_class, #endif @@ -147,6 +148,10 @@ stream_usage(const char *name, bool active, bool passive, #endif printf(" punix:FILE " "listen on Unix domain socket FILE\n"); +#ifndef _WIN32 + printf(" pfd:FD " + "listen on pre-opened file descriptor FD\n"); +#endif } #ifdef HAVE_OPENSSL diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c index 7c3a5ef11..2af62071e 100644 --- a/ovsdb/ovsdb-server.c +++ b/ovsdb/ovsdb-server.c @@ -1425,6 +1425,12 @@ add_manager_options(struct shash *remotes, const struct ovsdb_row *row) return; } + if (!strncmp("pfd:", target, 4)) { + VLOG_WARN_RL(&rl, "pfd: remotes can only be specified on the " + "command line; ignoring \"%s\" from database", target); + return; + } + options = add_remote(remotes, target, NULL); if (ovsdb_util_read_integer_column(row, "max_backoff", &max_backoff)) { options->rpc.max_backoff = max_backoff; @@ -1485,7 +1491,16 @@ query_db_remotes(const char *name, const struct shash *all_dbs, datum = &row->fields[column->index]; for (i = 0; i < datum->n; i++) { - add_remote(remotes, json_string(datum->keys[i].s), NULL); + const char *t = json_string(datum->keys[i].s); + if (!strncmp("pfd:", t, 4)) { + static struct vlog_rate_limit pfd_rl + = VLOG_RATE_LIMIT_INIT(1, 1); + VLOG_WARN_RL(&pfd_rl, "pfd: remotes can only be " + "specified on the command line; ignoring " + "\"%s\" from database", t); + continue; + } + add_remote(remotes, t, NULL); } } } else if (column->type.key.type == OVSDB_TYPE_UUID @@ -2291,6 +2306,12 @@ ovsdb_server_add_remote(struct unixctl_conn *conn, int argc OVS_UNUSED, return; } + if (!strncmp("pfd:", remote, 4)) { + unixctl_command_reply_error(conn, + "pfd: remotes can only be specified on the command line"); + return; + } + retval = (strncmp("db:", remote, 3) ? NULL : parse_db_column(config->all_dbs, remote, From patchwork Tue Mar 31 12:34:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Timothy Redaelli X-Patchwork-Id: 2218111 X-Patchwork-Delegate: aconole@redhat.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=eCh0EWgd; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4flSHp4Nctz1yGH for ; Tue, 31 Mar 2026 23:35:02 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 4C17960F31; Tue, 31 Mar 2026 12:35:00 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id qgC6W_S9DUdc; Tue, 31 Mar 2026 12:34:59 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 49239606CC Authentication-Results: smtp3.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=eCh0EWgd Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp3.osuosl.org (Postfix) with ESMTPS id 49239606CC; Tue, 31 Mar 2026 12:34:59 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 2BBBAC054A; Tue, 31 Mar 2026 12:34:59 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 5A303C054A for ; Tue, 31 Mar 2026 12:34:58 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 4BEC640691 for ; Tue, 31 Mar 2026 12:34:58 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id XBucfGOWc_0q for ; Tue, 31 Mar 2026 12:34:57 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=170.10.133.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=tredaelli@redhat.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp2.osuosl.org 31241400A5 Authentication-Results: smtp2.osuosl.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 31241400A5 Authentication-Results: smtp2.osuosl.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=eCh0EWgd Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by smtp2.osuosl.org (Postfix) with ESMTPS id 31241400A5 for ; Tue, 31 Mar 2026 12:34:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774960496; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=aN9TvBW/rbaarnbkEqB9EEaHkDAeICh4Lqp+nfJTQ1E=; b=eCh0EWgd9DDZN6DCpu/ANYg25AlAsBiedcjJq0yI/drePrmvLLpEOUsndAxPRQ/CmWbmf2 D03LiB69iJV6lL5iHXsyC20zl3Uz9o/16RQgZxnqBb0nG+e76NfYu64Y0NtkB6MM7gbpqF KTGHNVXocgEWQOXOCEnKp4Dxy+R9CnI= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-562-44hk_QVHOY-kkUR6LNks5w-1; Tue, 31 Mar 2026 08:34:54 -0400 X-MC-Unique: 44hk_QVHOY-kkUR6LNks5w-1 X-Mimecast-MFC-AGG-ID: 44hk_QVHOY-kkUR6LNks5w_1774960493 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id BE0D1180034F; Tue, 31 Mar 2026 12:34:53 +0000 (UTC) Received: from aldebaran.char-dominant.ts.net (unknown [10.44.32.65]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 76F111955F2B; Tue, 31 Mar 2026 12:34:52 +0000 (UTC) To: dev@openvswitch.org Date: Tue, 31 Mar 2026 14:34:22 +0200 Message-ID: <1b626d8576fb86cf7911c224c19a469c3509a906.1774960196.git.tredaelli@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: kpzhmxFkHnzDgxEH8PIODAwUZc7noBvWp8-uMpJJWvk_1774960493 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH v2 2/5] ovs-ctl: Detect systemd socket activation. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Timothy Redaelli via dev From: Timothy Redaelli Reply-To: Timothy Redaelli Cc: Lubomir Rintel Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" When systemd socket-activates ovsdb-server, it sets LISTEN_FDNAMES to the socket unit name and passes the listening socket as fd 3. Detect this in do_start_ovsdb() and use --remote=pfd:3 instead of --remote=punix:$DB_SOCK. Validate LISTEN_PID against the current shell's PID, as required by sd_listen_fds(3), to ensure the variables were set for this process and not inherited from a parent. Unset LISTEN_FDS, LISTEN_FDNAMES, LISTEN_PID, and LISTEN_PIDFDID after consuming them to prevent propagation to child processes. Co-authored-by: Lubomir Rintel Signed-off-by: Lubomir Rintel Signed-off-by: Timothy Redaelli --- utilities/ovs-ctl.in | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in index c65c76812..8ebd720dc 100644 --- a/utilities/ovs-ctl.in +++ b/utilities/ovs-ctl.in @@ -149,7 +149,13 @@ do_start_ovsdb () { set "$@" --no-self-confinement fi set "$@" -vconsole:emer -vsyslog:err -vfile:info - set "$@" --remote=punix:"$DB_SOCK" + if test X"$LISTEN_PID" = X"$$" && \ + test X"$LISTEN_FDNAMES" = X"ovsdb-server.socket"; then + unset LISTEN_FDS LISTEN_FDNAMES LISTEN_PID LISTEN_PIDFDID + set "$@" --remote=pfd:3 + else + set "$@" --remote=punix:"$DB_SOCK" + fi set "$@" --private-key=db:Open_vSwitch,SSL,private_key set "$@" --certificate=db:Open_vSwitch,SSL,certificate set "$@" --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert From patchwork Tue Mar 31 12:34:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Timothy Redaelli X-Patchwork-Id: 2218114 X-Patchwork-Delegate: aconole@redhat.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=QegynNfp; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4flSHx4WkYz1y1q for ; Tue, 31 Mar 2026 23:35:09 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id E918D400A5; Tue, 31 Mar 2026 12:35:06 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id rm4uiNEsEWBw; Tue, 31 Mar 2026 12:35:05 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 35A9E406B1 Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=QegynNfp Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp2.osuosl.org (Postfix) with ESMTPS id 35A9E406B1; Tue, 31 Mar 2026 12:35:04 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 9DF3EC054C; Tue, 31 Mar 2026 12:35:03 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 146BBC0549 for ; Tue, 31 Mar 2026 12:35:01 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 1A71640691 for ; Tue, 31 Mar 2026 12:35:00 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id sjeqZyZMNC2g for ; Tue, 31 Mar 2026 12:34:59 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=170.10.129.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=tredaelli@redhat.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp2.osuosl.org 2CE7E40696 Authentication-Results: smtp2.osuosl.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 2CE7E40696 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp2.osuosl.org (Postfix) with ESMTPS id 2CE7E40696 for ; Tue, 31 Mar 2026 12:34:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774960497; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4aOiMp19j1s1pRVKHZnCgVrvs8BXsxiRbAoP+BG5Pws=; b=QegynNfp1x15cF8WQRKIDfjz29dGjv7SwG2b6YkfVs+/hBlvtsNc0mA4TWjwC4FUtQql45 rNUiGb5VgEGYjE2bEscac8hMXj9ILmX/7wE95sOFE92IFGSJzuW+sd9pHeQKJjkEdopG3R pz0Q/xlIOFmzpmeHLSrCI56WQ7X5p2E= Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-59-HXkksL34N0mRA17IcuHwAw-1; Tue, 31 Mar 2026 08:34:56 -0400 X-MC-Unique: HXkksL34N0mRA17IcuHwAw-1 X-Mimecast-MFC-AGG-ID: HXkksL34N0mRA17IcuHwAw_1774960495 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 5274D18005B4; Tue, 31 Mar 2026 12:34:55 +0000 (UTC) Received: from aldebaran.char-dominant.ts.net (unknown [10.44.32.65]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 2238919560AB; Tue, 31 Mar 2026 12:34:53 +0000 (UTC) To: dev@openvswitch.org Date: Tue, 31 Mar 2026 14:34:23 +0200 Message-ID: <15920e29c27bce96b361cad7b8e7a623dc0b144f.1774960196.git.tredaelli@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: Yg7RkJu3ljLl_vByxi2tysrBAzQlR0bpUbubHcCTCZM_1774960495 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH v2 3/5] rhel: Add ovsdb-server.socket unit for systemd socket activation. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Timothy Redaelli via dev From: Timothy Redaelli Reply-To: Timothy Redaelli Cc: Lubomir Rintel Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Add an ovsdb-server.socket unit that has systemd create and manage the /run/openvswitch/db.sock listening socket. This eliminates the window during ovsdb-server restarts when clients cannot connect to the database. The socket unit reads OVS_USER_ID from the same configuration files as the service unit (/etc/openvswitch/default.conf, /etc/sysconfig/openvswitch) and adjusts socket group ownership via ExecStartPost so that non-root OVS deployments can connect. Update service dependencies: - ovsdb-server.service: Requires=ovsdb-server.socket - ovs-vswitchd.service: After/Requires=ovsdb-server.socket instead of ovsdb-server.service, remove AssertPathIsReadWrite (socket exists before the service starts) - ovs-delete-transient-ports.service: After=ovsdb-server.socket, remove AssertPathExists (same reason) Co-authored-by: Lubomir Rintel Signed-off-by: Lubomir Rintel Signed-off-by: Timothy Redaelli --- rhel/automake.mk | 1 + rhel/openvswitch-fedora.spec.in | 4 ++++ ...md_system_ovs-delete-transient-ports.service | 3 +-- ...r_lib_systemd_system_ovs-vswitchd.service.in | 5 ++--- .../usr_lib_systemd_system_ovsdb-server.service | 1 + rhel/usr_lib_systemd_system_ovsdb-server.socket | 17 +++++++++++++++++ 6 files changed, 26 insertions(+), 5 deletions(-) create mode 100644 rhel/usr_lib_systemd_system_ovsdb-server.socket diff --git a/rhel/automake.mk b/rhel/automake.mk index 246bfb51e..9a08bf556 100644 --- a/rhel/automake.mk +++ b/rhel/automake.mk @@ -23,6 +23,7 @@ EXTRA_DIST += \ rhel/usr_lib_udev_rules.d_91-vfio.rules \ rhel/usr_lib_systemd_system_openvswitch.service \ rhel/usr_lib_systemd_system_ovsdb-server.service \ + rhel/usr_lib_systemd_system_ovsdb-server.socket \ rhel/usr_lib_systemd_system_ovs-vswitchd.service.in \ rhel/usr_lib_systemd_system_ovs-delete-transient-ports.service \ rhel/usr_lib_systemd_system_openvswitch-ipsec.service diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in index 320b1ad86..88bb734ad 100644 --- a/rhel/openvswitch-fedora.spec.in +++ b/rhel/openvswitch-fedora.spec.in @@ -229,6 +229,9 @@ for service in openvswitch ovsdb-server ovs-vswitchd ovs-delete-transient-ports rhel/usr_lib_systemd_system_${service}.service \ $RPM_BUILD_ROOT%{_unitdir}/${service}.service done +install -p -D -m 0644 \ + rhel/usr_lib_systemd_system_ovsdb-server.socket \ + $RPM_BUILD_ROOT%{_unitdir}/ovsdb-server.socket install -m 0755 rhel/etc_init.d_openvswitch \ $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/openvswitch.init @@ -460,6 +463,7 @@ fi %config(noreplace) %{_sysconfdir}/logrotate.d/openvswitch %{_unitdir}/openvswitch.service %{_unitdir}/ovsdb-server.service +%{_unitdir}/ovsdb-server.socket %{_unitdir}/ovs-vswitchd.service %{_unitdir}/ovs-delete-transient-ports.service %{_datadir}/openvswitch/scripts/openvswitch.init diff --git a/rhel/usr_lib_systemd_system_ovs-delete-transient-ports.service b/rhel/usr_lib_systemd_system_ovs-delete-transient-ports.service index d4d7b204b..5f993e304 100644 --- a/rhel/usr_lib_systemd_system_ovs-delete-transient-ports.service +++ b/rhel/usr_lib_systemd_system_ovs-delete-transient-ports.service @@ -1,8 +1,7 @@ [Unit] Description=Open vSwitch Delete Transient Ports -After=ovsdb-server.service +After=ovsdb-server.socket Before=ovs-vswitchd.service -AssertPathExists=/run/openvswitch/db.sock [Service] Type=oneshot diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in index 6d021618b..28f6dfc54 100644 --- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in +++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in @@ -1,10 +1,9 @@ [Unit] Description=Open vSwitch Forwarding Unit -After=ovsdb-server.service network-pre.target systemd-udev-settle.service +After=ovsdb-server.socket network-pre.target systemd-udev-settle.service Before=network.target network.service -Requires=ovsdb-server.service +Requires=ovsdb-server.socket ReloadPropagatedFrom=ovsdb-server.service -AssertPathIsReadWrite=/run/openvswitch/db.sock PartOf=openvswitch.service [Service] diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service index 43ea3a570..c6d5d4b52 100644 --- a/rhel/usr_lib_systemd_system_ovsdb-server.service +++ b/rhel/usr_lib_systemd_system_ovsdb-server.service @@ -2,6 +2,7 @@ Description=Open vSwitch Database Unit After=syslog.target network-pre.target Before=network.target network.service +Requires=ovsdb-server.socket Wants=ovs-delete-transient-ports.service PartOf=openvswitch.service diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.socket b/rhel/usr_lib_systemd_system_ovsdb-server.socket new file mode 100644 index 000000000..543813e8c --- /dev/null +++ b/rhel/usr_lib_systemd_system_ovsdb-server.socket @@ -0,0 +1,17 @@ +[Unit] +Description=Open vSwitch Database Socket +Before=ovsdb-server.service + +[Socket] +# Read OVS_USER_ID to set socket group ownership below. +# Note: /run/openvswitch.useropts is not available here because +# it is generated by ovsdb-server.service, which starts after us. +EnvironmentFile=/etc/openvswitch/default.conf +EnvironmentFile=-/etc/sysconfig/openvswitch +ListenStream=/run/openvswitch/db.sock +Service=ovsdb-server.service +SocketMode=0770 +ExecStartPost=-/bin/sh -c 'GRP="${OVS_USER_ID##*:}"; [ -n "$GRP" ] && [ "$GRP" != "root" ] && chgrp "$GRP" /run/openvswitch/db.sock || true' + +[Install] +WantedBy=sockets.target From patchwork Tue Mar 31 12:34:24 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Timothy Redaelli X-Patchwork-Id: 2218115 X-Patchwork-Delegate: aconole@redhat.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=hnImNwD0; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.138; helo=smtp1.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4flSHz1vkTz1y1q for ; Tue, 31 Mar 2026 23:35:11 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 4232080CDC; Tue, 31 Mar 2026 12:35:09 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id XL8IELqHnV-Z; Tue, 31 Mar 2026 12:35:07 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 11BB080982 Authentication-Results: smtp1.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=hnImNwD0 Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp1.osuosl.org (Postfix) with ESMTPS id 11BB080982; Tue, 31 Mar 2026 12:35:05 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id BA8E9C054B; Tue, 31 Mar 2026 12:35:04 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) by lists.linuxfoundation.org (Postfix) with ESMTP id A5808C0549 for ; Tue, 31 Mar 2026 12:35:01 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 92E76807DA for ; Tue, 31 Mar 2026 12:35:01 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id eIb8CkiJ5eF0 for ; Tue, 31 Mar 2026 12:35:00 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=170.10.133.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=tredaelli@redhat.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp1.osuosl.org 571E280982 Authentication-Results: smtp1.osuosl.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 571E280982 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by smtp1.osuosl.org (Postfix) with ESMTPS id 571E280982 for ; Tue, 31 Mar 2026 12:35:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774960499; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=N6dW7aiO/yOmYT2R78sabwVjUX/+jLreltZx07bZnr4=; b=hnImNwD0okygGQKnOLnW+j+BXs2EtB5M/vZ8L3pDfW6MSQjgn8nfGjsVkI5Mod0cUsKqdr 9ctC6PqMwEukz9Frb6qbq9iAMW7OMcR7wCCJEV6sufG2neJ2BBt6XIFVOgCoMP7kmGdAbW Rsh2D1poHzOex6YRiA2GqJog6jI78O0= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-580-JZo2wyaSM6GvMTp4UciuKg-1; Tue, 31 Mar 2026 08:34:57 -0400 X-MC-Unique: JZo2wyaSM6GvMTp4UciuKg-1 X-Mimecast-MFC-AGG-ID: JZo2wyaSM6GvMTp4UciuKg_1774960496 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id C1BBC1800372 for ; Tue, 31 Mar 2026 12:34:56 +0000 (UTC) Received: from aldebaran.char-dominant.ts.net (unknown [10.44.32.65]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id C917A1955F21; Tue, 31 Mar 2026 12:34:55 +0000 (UTC) To: dev@openvswitch.org Date: Tue, 31 Mar 2026 14:34:24 +0200 Message-ID: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: o6k2evSjXaY9Yo4Hyjvk2T-iV_wQZ5C81wQgk1hW2Qc_1774960496 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH v2 4/5] debian: Add ovsdb-server.socket unit for systemd socket activation. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Timothy Redaelli via dev From: Timothy Redaelli Reply-To: Timothy Redaelli Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Add an ovsdb-server.socket unit that has systemd create and manage the /run/openvswitch/db.sock listening socket. This eliminates the window during ovsdb-server restarts when clients cannot connect to the database. Update service dependencies: - ovsdb-server.service: Requires=ovsdb-server.socket - ovs-vswitchd.service: After/Requires=ovsdb-server.socket instead of ovsdb-server.service, remove AssertPathIsReadWrite (socket exists before the service starts) Signed-off-by: Timothy Redaelli --- debian/automake.mk | 1 + debian/openvswitch-switch.install | 1 + debian/openvswitch-switch.ovs-vswitchd.service | 5 ++--- debian/openvswitch-switch.ovsdb-server.service | 1 + debian/openvswitch-switch.ovsdb-server.socket | 11 +++++++++++ 5 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 debian/openvswitch-switch.ovsdb-server.socket diff --git a/debian/automake.mk b/debian/automake.mk index 7ae4e00e5..caa665a6b 100644 --- a/debian/automake.mk +++ b/debian/automake.mk @@ -40,6 +40,7 @@ EXTRA_DIST += \ debian/openvswitch-switch.ovs-record-hostname.service \ debian/openvswitch-switch.ovs-vswitchd.service \ debian/openvswitch-switch.ovsdb-server.service \ + debian/openvswitch-switch.ovsdb-server.socket \ debian/openvswitch-switch.postinst \ debian/openvswitch-switch.postrm \ debian/openvswitch-switch.preinst \ diff --git a/debian/openvswitch-switch.install b/debian/openvswitch-switch.install index 213c83bfe..9d74dfda5 100755 --- a/debian/openvswitch-switch.install +++ b/debian/openvswitch-switch.install @@ -1,4 +1,5 @@ #!/usr/bin/dh-exec +debian/openvswitch-switch.ovsdb-server.socket => /lib/systemd/system/ovsdb-server.socket debian/ifupdown.sh usr/share/openvswitch/scripts debian/openvswitch-switch.default => /usr/share/openvswitch/switch/default.template debian/ovs-systemd-reload /usr/share/openvswitch/scripts diff --git a/debian/openvswitch-switch.ovs-vswitchd.service b/debian/openvswitch-switch.ovs-vswitchd.service index a4d445b95..6a624b39a 100644 --- a/debian/openvswitch-switch.ovs-vswitchd.service +++ b/debian/openvswitch-switch.ovs-vswitchd.service @@ -1,10 +1,9 @@ [Unit] Description=Open vSwitch Forwarding Unit -After=ovsdb-server.service network-pre.target systemd-udev-settle.service +After=ovsdb-server.socket network-pre.target systemd-udev-settle.service Before=network.target networking.service -Requires=ovsdb-server.service +Requires=ovsdb-server.socket ReloadPropagatedFrom=ovsdb-server.service -AssertPathIsReadWrite=/var/run/openvswitch/db.sock PartOf=openvswitch-switch.service DefaultDependencies=no diff --git a/debian/openvswitch-switch.ovsdb-server.service b/debian/openvswitch-switch.ovsdb-server.service index 35654d705..207478b7e 100644 --- a/debian/openvswitch-switch.ovsdb-server.service +++ b/debian/openvswitch-switch.ovsdb-server.service @@ -2,6 +2,7 @@ Description=Open vSwitch Database Unit After=systemd-journald.socket network-pre.target dpdk.service local-fs.target Before=network.target networking.service +Requires=ovsdb-server.socket PartOf=openvswitch-switch.service DefaultDependencies=no diff --git a/debian/openvswitch-switch.ovsdb-server.socket b/debian/openvswitch-switch.ovsdb-server.socket new file mode 100644 index 000000000..ea46c55e6 --- /dev/null +++ b/debian/openvswitch-switch.ovsdb-server.socket @@ -0,0 +1,11 @@ +[Unit] +Description=Open vSwitch Database Socket +Before=ovsdb-server.service + +[Socket] +ListenStream=/run/openvswitch/db.sock +Service=ovsdb-server.service +SocketMode=0770 + +[Install] +WantedBy=sockets.target From patchwork Tue Mar 31 12:34:25 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Timothy Redaelli X-Patchwork-Id: 2218116 X-Patchwork-Delegate: aconole@redhat.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=F5MafcKG; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4flSJH5tFnz1y1q for ; Tue, 31 Mar 2026 23:35:27 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id E3C334093E; Tue, 31 Mar 2026 12:35:25 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id wN3ZmQbicJ9d; Tue, 31 Mar 2026 12:35:24 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=140.211.9.56; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 9083540888 Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=F5MafcKG Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp2.osuosl.org (Postfix) with ESMTPS id 9083540888; Tue, 31 Mar 2026 12:35:24 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 6B012C054A; Tue, 31 Mar 2026 12:35:24 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 45998C054A for ; Tue, 31 Mar 2026 12:35:23 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 2651D80AF1 for ; Tue, 31 Mar 2026 12:35:07 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id yFDBIRt-kFfa for ; Tue, 31 Mar 2026 12:35:04 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=170.10.129.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=tredaelli@redhat.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp1.osuosl.org 50E4C80A76 Authentication-Results: smtp1.osuosl.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 50E4C80A76 Authentication-Results: smtp1.osuosl.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=F5MafcKG Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp1.osuosl.org (Postfix) with ESMTPS id 50E4C80A76 for ; Tue, 31 Mar 2026 12:35:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774960501; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=SFRfZw3UnPUONNlHmEZZsEu0tk8asQwUZE17taEOHQ0=; b=F5MafcKG4/p4YL4oUfuGpMLVBj7ar2jaN/gA/U8za3Usvh1zLoD3YnzcrSGVP/EmmCPOYk L0jNPH214j+JMaowbVhDBfCNQ99Oqx0Mr8sm9n+Gvfg23bZs50hfTSUGYUOP/RXv+4FcsG UGqFsUdqlKkE+PgtXtqX8cOapUAPFGA= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-539-2-zvr9FFNu6YiwxGeGEDNw-1; Tue, 31 Mar 2026 08:34:59 -0400 X-MC-Unique: 2-zvr9FFNu6YiwxGeGEDNw-1 X-Mimecast-MFC-AGG-ID: 2-zvr9FFNu6YiwxGeGEDNw_1774960498 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 4515D19560AE for ; Tue, 31 Mar 2026 12:34:58 +0000 (UTC) Received: from aldebaran.char-dominant.ts.net (unknown [10.44.32.65]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 3BE901955F21; Tue, 31 Mar 2026 12:34:57 +0000 (UTC) To: dev@openvswitch.org Date: Tue, 31 Mar 2026 14:34:25 +0200 Message-ID: <995b5d7afb40934a842b58e7371212311a602fcd.1774960196.git.tredaelli@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: sdiU8akIvHmd_zpxiRvT5H4CiKvM769bFLq7PnPIR1A_1774960498 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH v2 5/5] tests: Add pfd stream tests. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Timothy Redaelli via dev From: Timothy Redaelli Reply-To: Timothy Redaelli Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Add tests for the pfd: (pre-opened file descriptor) passive stream provider. Test cases cover: - Basic listen and accept via ovsdb-server. - JSON-RPC request/reply over pfd. - Invalid fd number (fd 99, not open). - Fd that is not a socket (regular file). - Fd that is a socket but not listening. - Runtime rejection via ovs-appctl add-remote. - Runtime rejection via database remote insertion (string column). - Runtime rejection via Manager table insertion (UUID ref column). Each test uses a small Python helper to create or set up file descriptors and then exec the server with --remote=pfd:. Signed-off-by: Timothy Redaelli --- tests/automake.mk | 1 + tests/pfd-stream.at | 248 ++++++++++++++++++++++++++++++++++++++++++++ tests/testsuite.at | 1 + 3 files changed, 250 insertions(+) create mode 100644 tests/pfd-stream.at diff --git a/tests/automake.mk b/tests/automake.mk index da569b022..50006e675 100644 --- a/tests/automake.mk +++ b/tests/automake.mk @@ -65,6 +65,7 @@ TESTSUITE_AT = \ tests/json.at \ tests/jsonrpc.at \ tests/jsonrpc-py.at \ + tests/pfd-stream.at \ tests/pmd.at \ tests/alb.at \ tests/tunnel.at \ diff --git a/tests/pfd-stream.at b/tests/pfd-stream.at new file mode 100644 index 000000000..95a8cba15 --- /dev/null +++ b/tests/pfd-stream.at @@ -0,0 +1,248 @@ +AT_BANNER([pfd stream - pre-opened file descriptor]) + +AT_SETUP([pfd stream - basic listen and accept]) +AT_KEYWORDS([pfd]) +AT_SKIP_IF([test "$IS_WIN32" = "yes"]) +ordinal_schema > schema +AT_CHECK([ovsdb-tool create db schema], [0], [ignore], [ignore]) +on_exit 'kill `cat *.pid`' + +# Use Python to create a listening socket and exec ovsdb-server with +# that fd as --remote=pfd:. +AT_DATA([serve.py], [[ +import os, socket, sys +s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) +s.bind(sys.argv[1]) +s.listen(64) +fd = s.fileno() +os.set_inheritable(fd, True) +argv = sys.argv[2:] +argv[argv.index('PFD')] = '--remote=pfd:' + str(fd) +os.execvp(argv[0], argv) +]]) +AT_CHECK([$PYTHON3 serve.py db.sock \ + ovsdb-server --detach --no-chdir --log-file --pidfile db PFD], + [0], [ignore], [ignore]) + +OVS_WAIT_UNTIL([test -e ovsdb-server.pid]) + +# Connect via the socket and run a simple transaction. +AT_CHECK([ovs-appctl -t ovsdb-server ovsdb-server/list-remotes], [0], [stdout]) +AT_CHECK([grep -c pfd stdout], [0], [1 +]) + +AT_CHECK([ovsdb-client list-dbs unix:db.sock], [0], [stdout]) +AT_CHECK([grep ordinals stdout], [0], [ignore]) + +OVSDB_SERVER_SHUTDOWN +AT_CLEANUP + +AT_SETUP([pfd stream - JSON-RPC over pfd]) +AT_KEYWORDS([pfd]) +AT_SKIP_IF([test "$IS_WIN32" = "yes"]) +on_exit 'kill `cat *.pid`' + +# Use Python to create a listening socket and exec test-jsonrpc. +AT_DATA([serve.py], [[ +import os, socket, sys +s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) +s.bind(sys.argv[1]) +s.listen(64) +fd = s.fileno() +os.set_inheritable(fd, True) +argv = sys.argv[2:] +argv[argv.index('PFD')] = 'pfd:' + str(fd) +os.execvp(argv[0], argv) +]]) +AT_CHECK([$PYTHON3 serve.py socket \ + ovstest test-jsonrpc --detach --no-chdir --pidfile listen PFD], + [0], [ignore], [ignore]) + +OVS_WAIT_UNTIL([test -e test-jsonrpc.pid]) + +AT_CHECK( + [[ovstest test-jsonrpc request unix:socket echo '[{"a": "b", "x": null}]']], [0], + [[{"error":null,"id":0,"result":[{"a":"b","x":null}]} +]]) +AT_CLEANUP + +AT_SETUP([pfd stream - invalid fd]) +AT_KEYWORDS([pfd]) +AT_SKIP_IF([test "$IS_WIN32" = "yes"]) +ordinal_schema > schema +AT_CHECK([ovsdb-tool create db schema], [0], [ignore], [ignore]) +on_exit 'kill `cat *.pid`' + +# Start ovsdb-server with an invalid pfd: remote (fd 99 should not be open). +# ovsdb-server will start but fail to open the remote. +AT_DATA([serve.py], [[ +import os, socket, sys +s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) +s.bind(sys.argv[1]) +s.listen(64) +fd = s.fileno() +os.set_inheritable(fd, True) +# Pass a different fd number that is not a valid socket. +os.execvp(sys.argv[2], sys.argv[2:]) +]]) +AT_CHECK([$PYTHON3 serve.py db.sock ovsdb-server --detach --no-chdir \ + --log-file --pidfile --remote=pfd:99 --remote=punix:db.sock db], + [0], [ignore], [ignore]) + +OVS_WAIT_UNTIL([test -e ovsdb-server.pid]) +OVS_WAIT_UNTIL([grep "pfd:99: not a socket" ovsdb-server.log]) + +OVSDB_SERVER_SHUTDOWN(["/pfd:99/d"]) +AT_CLEANUP + +AT_SETUP([pfd stream - fd is not a socket]) +AT_KEYWORDS([pfd]) +AT_SKIP_IF([test "$IS_WIN32" = "yes"]) +ordinal_schema > schema +AT_CHECK([ovsdb-tool create db schema], [0], [ignore], [ignore]) +on_exit 'kill `cat *.pid`' + +# Use Python to open a regular file and exec ovsdb-server with that fd. +AT_DATA([notasock.py], [[ +import os, socket, sys +# Create a listening socket for punix: so we can still connect. +ls = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) +ls.bind('db.sock') +ls.listen(64) +ls_fd = ls.fileno() +os.set_inheritable(ls_fd, True) +# Open a regular file. +f = open('regular-file', 'w') +fd = f.fileno() +os.set_inheritable(fd, True) +os.execvp(sys.argv[1], sys.argv[1:] + [ + '--remote=pfd:' + str(fd), + '--remote=pfd:' + str(ls_fd), +]) +]]) +touch regular-file +AT_CHECK([$PYTHON3 notasock.py ovsdb-server --detach --no-chdir \ + --log-file --pidfile db], + [0], [ignore], [ignore]) + +OVS_WAIT_UNTIL([test -e ovsdb-server.pid]) +OVS_WAIT_UNTIL([grep "not a socket" ovsdb-server.log]) + +OVSDB_SERVER_SHUTDOWN(["/not a socket/d;/listen failed/d"]) +AT_CLEANUP + +AT_SETUP([pfd stream - fd is not listening]) +AT_KEYWORDS([pfd]) +AT_SKIP_IF([test "$IS_WIN32" = "yes"]) +ordinal_schema > schema +AT_CHECK([ovsdb-tool create db schema], [0], [ignore], [ignore]) +on_exit 'kill `cat *.pid`' + +# Use Python to create a bound (not listening) socket. +AT_DATA([notlistening.py], [[ +import os, socket, sys +s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) +s.bind('connected.sock') +fd = s.fileno() +os.set_inheritable(fd, True) +os.execvp(sys.argv[1], sys.argv[1:] + ['--remote=pfd:' + str(fd)]) +]]) +AT_CHECK([$PYTHON3 notlistening.py ovsdb-server --detach --no-chdir \ + --log-file --pidfile --remote=punix:db.sock db], + [0], [ignore], [ignore]) + +OVS_WAIT_UNTIL([test -e ovsdb-server.pid]) +OVS_WAIT_UNTIL([grep "not a listening socket" ovsdb-server.log]) + +OVSDB_SERVER_SHUTDOWN(["/not a listening socket/d;/listen failed/d"]) +AT_CLEANUP + +AT_SETUP([pfd stream - rejected via add-remote]) +AT_KEYWORDS([pfd]) +AT_SKIP_IF([test "$IS_WIN32" = "yes"]) +ordinal_schema > schema +AT_CHECK([ovsdb-tool create db schema], [0], [ignore], [ignore]) +on_exit 'kill `cat *.pid`' +AT_CHECK([ovsdb-server --detach --no-chdir --log-file --pidfile \ + --remote=punix:db.sock db], [0], [ignore], [ignore]) + +# Try to add pfd: remote via ovs-appctl; should be rejected. +AT_CHECK([ovs-appctl -t ovsdb-server ovsdb-server/add-remote pfd:3], [2], + [], [pfd: remotes can only be specified on the command line +ovs-appctl: ovsdb-server: server returned an error +]) + +OVSDB_SERVER_SHUTDOWN +AT_CLEANUP + +AT_SETUP([pfd stream - rejected via database]) +AT_KEYWORDS([pfd]) +AT_SKIP_IF([test "$IS_WIN32" = "yes"]) +ordinal_schema > schema +AT_CHECK([ovsdb-tool create db schema], [0], [ignore], [ignore]) +on_exit 'kill `cat *.pid`' +AT_CHECK([ovsdb-server --detach --no-chdir --log-file --pidfile \ + --remote=punix:db.sock \ + --remote=db:ordinals,ordinals,name db], [0], [ignore], [ignore]) + +# Insert a row with pfd:3 as the remote name. +AT_CHECK( + [[ovsdb-client transact unix:db.sock \ + '["ordinals", {"op": "insert", "table": "ordinals", + "row": {"name": "pfd:3", "number": 0}}]']], + [0], [ignore]) + +# Give ovsdb-server time to process the change. +OVS_WAIT_UNTIL([grep "pfd: remotes can only be specified on the command line" ovsdb-server.log]) + +# Verify the pfd:3 remote was NOT added. +AT_CHECK([ovs-appctl -t ovsdb-server ovsdb-server/list-remotes], [0], [stdout]) +AT_CHECK([grep pfd stdout], [1]) + +OVSDB_SERVER_SHUTDOWN(["/pfd: remotes can only be specified/d"]) +AT_CLEANUP + +AT_SETUP([pfd stream - rejected via Manager table]) +AT_KEYWORDS([pfd]) +AT_SKIP_IF([test "$IS_WIN32" = "yes"]) +AT_DATA([schema], + [[{"name": "mydb", + "tables": { + "Root": { + "columns": { + "manager_options": { + "type": { + "key": {"type": "uuid", "refTable": "Manager"}, + "min": 0, + "max": "unlimited"}}}}, + "Manager": { + "columns": { + "target": { + "type": "string"}}}}} +]]) +AT_CHECK([ovsdb-tool create db schema], [0], [ignore], [ignore]) +AT_CHECK( + [[ovsdb-tool transact db \ + '["mydb", + {"op": "insert", + "table": "Root", + "row": { + "manager_options": ["set", [["named-uuid", "x"]]]}}, + {"op": "insert", + "table": "Manager", + "uuid-name": "x", + "row": {"target": "pfd:3"}}]']], [0], [ignore], [ignore]) +on_exit 'kill `cat *.pid`' +AT_CHECK([ovsdb-server --detach --no-chdir --log-file --pidfile \ + --remote=punix:db.sock \ + --remote=db:mydb,Root,manager_options db], [0], [ignore], [ignore]) + +OVS_WAIT_UNTIL([grep "pfd: remotes can only be specified on the command line" ovsdb-server.log]) + +# Verify the pfd:3 remote was NOT added. +AT_CHECK([ovs-appctl -t ovsdb-server ovsdb-server/list-remotes], [0], [stdout]) +AT_CHECK([grep pfd stdout], [1]) + +OVSDB_SERVER_SHUTDOWN(["/pfd: remotes can only be specified/d +/No status column present in the Manager table/d"]) +AT_CLEANUP diff --git a/tests/testsuite.at b/tests/testsuite.at index 9d77a9f51..661f295f9 100644 --- a/tests/testsuite.at +++ b/tests/testsuite.at @@ -50,6 +50,7 @@ m4_include([tests/uuid.at]) m4_include([tests/json.at]) m4_include([tests/jsonrpc.at]) m4_include([tests/jsonrpc-py.at]) +m4_include([tests/pfd-stream.at]) m4_include([tests/tunnel.at]) m4_include([tests/tunnel-push-pop.at]) m4_include([tests/tunnel-push-pop-ipv6.at])