From patchwork Tue Jan 30 21:08:03 2024
X-Patchwork-Submitter: Mark Michelson
X-Patchwork-Id: 1893110
From: Mark Michelson
To: dev@openvswitch.org
Date: Tue, 30 Jan 2024 16:08:03 -0500
Message-ID: <20240130210810.548338-1-mmichels@redhat.com>
Subject: [ovs-dev] [PATCH ovn v2 1/3] rbac: Only allow relevant chassis to update service monitors.

Service monitors already had the restriction that chassis could not insert or delete records. However, there was nothing restricting chassis from updating records for service monitors that are relevant to other chassis.

This change adds a new "chassis_name" column to the Service_Monitor table. ovn-northd will set this column to the chassis on which the relevant logical port is bound. This way, only that particular chassis can update the status of the service monitor.

Signed-off-by: Mark Michelson
Acked-by: Ales Musil
---
v1 -> v2:
* Rebased on top of current main
---
northd/northd.c | 19 +++++++++++++++++-- northd/ovn-northd.c | 2 +- ovn-sb.ovsschema | 5 +++-- ovn-sb.xml | 4 ++++ 4 files changed, 25 insertions(+), 5 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index d2091d4bc..2a2fab231 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -3799,13 +3799,19 @@ static struct service_monitor_info * create_or_get_service_mon(struct ovsdb_idl_txn *ovnsb_txn, struct hmap *monitor_map, const char *ip, const char *logical_port, - uint16_t service_port, const char *protocol) + uint16_t service_port, const char *protocol, + const char *chassis_name) { struct service_monitor_info *mon_info = get_service_mon(monitor_map, ip, logical_port, service_port, protocol); if (mon_info) { + if (chassis_name && strcmp(mon_info->sbrec_mon->chassis_name, + chassis_name)) { + sbrec_service_monitor_set_chassis_name(mon_info->sbrec_mon, + chassis_name); + } return mon_info; } @@ -3820,6 +3826,9 @@ create_or_get_service_mon(struct ovsdb_idl_txn *ovnsb_txn, sbrec_service_monitor_set_port(sbrec_mon, service_port); sbrec_service_monitor_set_logical_port(sbrec_mon, logical_port); sbrec_service_monitor_set_protocol(sbrec_mon, protocol); + if (chassis_name) { + sbrec_service_monitor_set_chassis_name(sbrec_mon, chassis_name); + } mon_info = xzalloc(sizeof *mon_info); mon_info->sbrec_mon = sbrec_mon; hmap_insert(monitor_map, &mon_info->hmap_node, hash); 
@@ -3862,12 +3871,18 @@ ovn_lb_svc_create(struct ovsdb_idl_txn *ovnsb_txn, protocol = "tcp"; } + const char *chassis_name = NULL; + if (op->sb && op->sb->chassis) { + chassis_name = op->sb->chassis->name; + } + struct service_monitor_info *mon_info = create_or_get_service_mon(ovnsb_txn, monitor_map, backend->ip_str, backend_nb->logical_port, backend->port, - protocol); + protocol, + chassis_name); ovs_assert(mon_info); sbrec_service_monitor_set_options( mon_info->sbrec_mon, &lb_vip_nb->lb_health_check->options); diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index dadc1af38..c32a11cbd 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -114,7 +114,7 @@ static const char *rbac_mac_binding_update[] = {"logical_port", "ip", "mac", "datapath", "timestamp"}; static const char *rbac_svc_monitor_auth[] = - {""}; + {"chassis_name"}; static const char *rbac_svc_monitor_auth_update[] = {"status"}; static const char *rbac_igmp_group_auth[] = diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema index 72e230b75..1d2b3028d 100644 --- a/ovn-sb.ovsschema +++ b/ovn-sb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Southbound", - "version": "20.30.0", - "cksum": "2972392849 31172", + "version": "20.31.0", + "cksum": "2473562445 31224", "tables": { "SB_Global": { "columns": { @@ -509,6 +509,7 @@ "logical_port": {"type": "string"}, "src_mac": {"type": "string"}, "src_ip": {"type": "string"}, + "chassis_name": {"type": "string"}, "status": { "type": {"key": {"type": "string", "enum": ["set", ["online", "offline", "error"]]}, diff --git a/ovn-sb.xml b/ovn-sb.xml index e393f92b3..1f3b318e0 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml @@ -4815,6 +4815,10 @@ tcp.flags = RST; Source IPv4 address to use in the service monitor packet. + + The name of the chassis where the logical port is bound. + + The interval, in seconds, between service monitor checks.
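Review bot: in the first northd/northd.c hunk, the "if (mon_info)" branch of create_or_get_service_mon() only writes chassis_name when the new value is non-NULL, so a monitor whose logical port becomes unbound keeps the old chassis name and that chassis stays authorized to update its status. Consider clearing the column when chassis_name is NULL (for example by setting it to an empty string), or add a comment saying why the stale value is kept on purpose.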
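Review bot: in the northd/ovn-northd.c hunk, switching rbac_svc_monitor_auth from {""} to {"chassis_name"} appears to leave rows with an empty chassis_name not updatable by any chassis. That covers monitors created while op->sb->chassis is unset and, after the schema upgrade, existing rows until ovn-northd rewrites them. Please confirm this is the intended behaviour and state it in the commit message, since it changes what a chassis sees during an upgrade.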
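Review bot: the column description added in the ovn-sb.xml hunk says only that this is the name of the chassis where the logical port is bound, and leaves out the security purpose of the column. Suggest adding that ovn-northd maintains the value, that RBAC uses it to decide which chassis may update "status", and what an empty value means for authorization.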
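Review bot: the diffstat lists only northd/northd.c, northd/ovn-northd.c, ovn-sb.ovsschema and ovn-sb.xml, so this patch carries no test for the new restriction. If a later patch in the series does not cover it, add a test that a chassis is refused when it updates the status of a Service_Monitor row whose chassis_name names a different chassis, and that chassis_name follows the port when its binding moves.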