Message ID | 20240130210810.548338-3-mmichels@redhat.com |
---|---|
State | Accepted |
Headers | show |
Series | [ovs-dev,v2,1/3] rbac: Only allow relevant chassis to update service monitors. | expand |
Context | Check | Description |
---|---|---|
ovsrobot/apply-robot | success | apply and check: success |
ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
ovsrobot/github-robot-_ovn-kubernetes | success | github build: passed |
On Tue, Jan 30, 2024 at 10:08 PM Mark Michelson <mmichels@redhat.com> wrote: > This adds a new "chassis_name" column to the BFD table. ovn-northd sets > this to the logical port's chassis name when creating the BFD record. > RBAC has been updated so that chassis may only update their own records. > > Signed-off-by: Mark Michelson <mmichels@redhat.com> > --- > v1 -> v2: > * Rebased on current main > --- > northd/northd.c | 9 ++++++++- > northd/ovn-northd.c | 2 +- > ovn-sb.ovsschema | 7 ++++--- > ovn-sb.xml | 4 ++++ > 4 files changed, 17 insertions(+), 5 deletions(-) > > diff --git a/northd/northd.c b/northd/northd.c > index 2a2fab231..51622c302 100644 > --- a/northd/northd.c > +++ b/northd/northd.c > @@ -10912,6 +10912,7 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, > nbrec_bfd_set_status(nb_bt, "admin_down"); > } > > + struct ovn_port *op = ovn_port_find(lr_ports, > nb_bt->logical_port); > bfd_e = bfd_port_lookup(&sb_only, nb_bt->logical_port, > nb_bt->dst_ip); > if (!bfd_e) { > int udp_src = bfd_get_unused_port(bfd_src_ports); > @@ -10925,6 +10926,9 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, > sbrec_bfd_set_disc(sb_bt, 1 + random_uint32()); > sbrec_bfd_set_src_port(sb_bt, udp_src); > sbrec_bfd_set_status(sb_bt, nb_bt->status); > + if (op && op->sb && op->sb->chassis) { > + sbrec_bfd_set_chassis_name(sb_bt, op->sb->chassis->name); > + } > > int min_tx = nb_bt->n_min_tx ? nb_bt->min_tx[0] : > BFD_DEF_MINTX; > sbrec_bfd_set_min_tx(sb_bt, min_tx); > @@ -10943,6 +10947,10 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, > } > } > build_bfd_update_sb_conf(nb_bt, bfd_e->sb_bt); > + if (op && op->sb && op->sb->chassis && > + strcmp(op->sb->chassis->name, sb_bt->chassis_name)) { > + sbrec_bfd_set_chassis_name(sb_bt, op->sb->chassis->name); > + } > > hmap_remove(&sb_only, &bfd_e->hmap_node); > bfd_e->ref = false; > @@ -10951,7 +10959,6 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, > hmap_insert(bfd_connections, &bfd_e->hmap_node, hash); > } > > - struct ovn_port *op = ovn_port_find(lr_ports, > nb_bt->logical_port); > if (op) { > op->has_bfd = true; > } > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > index 90a6d62b1..fdd5939e5 100644 > --- a/northd/ovn-northd.c > +++ b/northd/ovn-northd.c > @@ -122,7 +122,7 @@ static const char *rbac_igmp_group_auth[] = > static const char *rbac_igmp_group_update[] = > {"address", "chassis", "datapath", "ports"}; > static const char *rbac_bfd_auth[] = > - {""}; > + {"chassis_name"}; > static const char *rbac_bfd_update[] = > {"status"}; > > diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema > index b42f18b04..84ae09515 100644 > --- a/ovn-sb.ovsschema > +++ b/ovn-sb.ovsschema > @@ -1,7 +1,7 @@ > { > "name": "OVN_Southbound", > - "version": "20.32.0", > - "cksum": "1262133774 31276", > + "version": "20.33.0", > + "cksum": "4076371179 31328", > "tables": { > "SB_Global": { > "columns": { > @@ -578,7 +578,8 @@ > "min": 0, "max": "unlimited"}}, > "options": { > "type": {"key": "string", "value": "string", > - "min": 0, "max": "unlimited"}}}, > + "min": 0, "max": "unlimited"}}, > + "chassis_name": {"type": "string"}}, > "indexes": [["logical_port", "dst_ip", "src_port", "disc"]], > "isRoot": true}, > "FDB": { > diff --git a/ovn-sb.xml b/ovn-sb.xml > index 2de7228e7..1b18a27a0 100644 > --- a/ovn-sb.xml > +++ b/ovn-sb.xml > @@ -4989,6 +4989,10 @@ tcp.flags = RST; > receiving system in Asynchronous mode. > </column> > > + <column name="chassis_name"> > + The name of the chassis where the logical port is bound. > + </column> > + > <column name="options"> > Reserved for future use. > </column> > -- > 2.43.0 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > Looks good to me, thanks. Acked-by: Ales Musil <amusil@redhat.com>
diff --git a/northd/northd.c b/northd/northd.c index 2a2fab231..51622c302 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -10912,6 +10912,7 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, nbrec_bfd_set_status(nb_bt, "admin_down"); } + struct ovn_port *op = ovn_port_find(lr_ports, nb_bt->logical_port); bfd_e = bfd_port_lookup(&sb_only, nb_bt->logical_port, nb_bt->dst_ip); if (!bfd_e) { int udp_src = bfd_get_unused_port(bfd_src_ports); @@ -10925,6 +10926,9 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, sbrec_bfd_set_disc(sb_bt, 1 + random_uint32()); sbrec_bfd_set_src_port(sb_bt, udp_src); sbrec_bfd_set_status(sb_bt, nb_bt->status); + if (op && op->sb && op->sb->chassis) { + sbrec_bfd_set_chassis_name(sb_bt, op->sb->chassis->name); + } int min_tx = nb_bt->n_min_tx ? nb_bt->min_tx[0] : BFD_DEF_MINTX; sbrec_bfd_set_min_tx(sb_bt, min_tx); @@ -10943,6 +10947,10 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, } } build_bfd_update_sb_conf(nb_bt, bfd_e->sb_bt); + if (op && op->sb && op->sb->chassis && + strcmp(op->sb->chassis->name, sb_bt->chassis_name)) { + sbrec_bfd_set_chassis_name(sb_bt, op->sb->chassis->name); + } hmap_remove(&sb_only, &bfd_e->hmap_node); bfd_e->ref = false; @@ -10951,7 +10959,6 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, hmap_insert(bfd_connections, &bfd_e->hmap_node, hash); } - struct ovn_port *op = ovn_port_find(lr_ports, nb_bt->logical_port); if (op) { op->has_bfd = true; } diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 90a6d62b1..fdd5939e5 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -122,7 +122,7 @@ static const char *rbac_igmp_group_auth[] = static const char *rbac_igmp_group_update[] = {"address", "chassis", "datapath", "ports"}; static const char *rbac_bfd_auth[] = - {""}; + {"chassis_name"}; static const char *rbac_bfd_update[] = {"status"}; diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema index b42f18b04..84ae09515 100644 --- a/ovn-sb.ovsschema +++ b/ovn-sb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Southbound", - "version": "20.32.0", - "cksum": "1262133774 31276", + "version": "20.33.0", + "cksum": "4076371179 31328", "tables": { "SB_Global": { "columns": { @@ -578,7 +578,8 @@ "min": 0, "max": "unlimited"}}, "options": { "type": {"key": "string", "value": "string", - "min": 0, "max": "unlimited"}}}, + "min": 0, "max": "unlimited"}}, + "chassis_name": {"type": "string"}}, "indexes": [["logical_port", "dst_ip", "src_port", "disc"]], "isRoot": true}, "FDB": { diff --git a/ovn-sb.xml b/ovn-sb.xml index 2de7228e7..1b18a27a0 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml @@ -4989,6 +4989,10 @@ tcp.flags = RST; receiving system in Asynchronous mode. </column> + <column name="chassis_name"> + The name of the chassis where the logical port is bound. + </column> + <column name="options"> Reserved for future use. </column>
This adds a new "chassis_name" column to the BFD table. ovn-northd sets this to the logical port's chassis name when creating the BFD record. RBAC has been updated so that chassis may only update their own records. Signed-off-by: Mark Michelson <mmichels@redhat.com> --- v1 -> v2: * Rebased on current main --- northd/northd.c | 9 ++++++++- northd/ovn-northd.c | 2 +- ovn-sb.ovsschema | 7 ++++--- ovn-sb.xml | 4 ++++ 4 files changed, 17 insertions(+), 5 deletions(-)