From patchwork Tue Jan 30 21:08:03 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Michelson X-Patchwork-Id: 1893110 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=ATirNuZF; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TPd7G2FJQz1yQ0 for ; Wed, 31 Jan 2024 08:08:26 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id CCDCB42EAA; Tue, 30 Jan 2024 21:08:21 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org CCDCB42EAA Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=ATirNuZF X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KsHF_X1whAch; Tue, 30 Jan 2024 21:08:20 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp2.osuosl.org (Postfix) with ESMTPS id 680AD40A66; Tue, 30 Jan 2024 21:08:19 +0000 (UTC) DKIM-Filter: OpenDKIM Filter 
v2.11.0 smtp2.osuosl.org 680AD40A66 Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 42E8FC0072; Tue, 30 Jan 2024 21:08:19 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id AD0E3C0037 for ; Tue, 30 Jan 2024 21:08:17 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 75E4A83E28 for ; Tue, 30 Jan 2024 21:08:17 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 75E4A83E28 Authentication-Results: smtp1.osuosl.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=ATirNuZF X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JYaqCwp7KpsZ for ; Tue, 30 Jan 2024 21:08:16 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp1.osuosl.org (Postfix) with ESMTPS id 7409883E26 for ; Tue, 30 Jan 2024 21:08:16 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 7409883E26 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1706648895; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ytvzBaVfRTfG72FECDHFJEcPgk5bj0nWkLBS4+gqoyw=; b=ATirNuZFJmWB4CVXCko00pc3hHD7HgnUuAC5H5YAgNLpGCaYMzZbNv5zx5P5BRAqyXNJrX 4RRzPxNYPcohThh7Xx0dkHy9JkybcQwDcGMUy30Rj2VQfm23XvUV8NflnxStKeWfPCrMtZ Ov4i/NI2SAqqviu2hxdfgO9ISFHk3ZY= Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, 
cipher=TLS_AES_256_GCM_SHA384) id us-mta-561-vtAaGfOvMimxW0k5fOVrqA-1; Tue, 30 Jan 2024 16:08:12 -0500 X-MC-Unique: vtAaGfOvMimxW0k5fOVrqA-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com [10.11.54.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 22C0129AC022 for ; Tue, 30 Jan 2024 21:08:12 +0000 (UTC) Received: from localhost.redhat.com (unknown [10.22.50.4]) by smtp.corp.redhat.com (Postfix) with ESMTP id B0AA6C2590D for ; Tue, 30 Jan 2024 21:08:11 +0000 (UTC) From: Mark Michelson To: dev@openvswitch.org Date: Tue, 30 Jan 2024 16:08:03 -0500 Message-ID: <20240130210810.548338-1-mmichels@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.8 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v2 1/3] rbac: Only allow relevant chassis to update service monitors. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Service monitors already had the restriction that chassis could not insert or delete records. However, there was nothing restricting chassis from updating records for service monitors that are relevant to other chassis. This change adds a new "chassis_name" column to the Service_Monitor table. ovn-northd will set this column to the chassis on which the relevant logical port is bound. This way, only that particular chassis can update the status of the service monitor. 
Signed-off-by: Mark Michelson Acked-by: Ales Musil --- v1 -> v2: * Rebased on top of currrent main --- northd/northd.c | 19 +++++++++++++++++-- northd/ovn-northd.c | 2 +- ovn-sb.ovsschema | 5 +++-- ovn-sb.xml | 4 ++++ 4 files changed, 25 insertions(+), 5 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index d2091d4bc..2a2fab231 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -3799,13 +3799,19 @@ static struct service_monitor_info * create_or_get_service_mon(struct ovsdb_idl_txn *ovnsb_txn, struct hmap *monitor_map, const char *ip, const char *logical_port, - uint16_t service_port, const char *protocol) + uint16_t service_port, const char *protocol, + const char *chassis_name) { struct service_monitor_info *mon_info = get_service_mon(monitor_map, ip, logical_port, service_port, protocol); if (mon_info) { + if (chassis_name && strcmp(mon_info->sbrec_mon->chassis_name, + chassis_name)) { + sbrec_service_monitor_set_chassis_name(mon_info->sbrec_mon, + chassis_name); + } return mon_info; } @@ -3820,6 +3826,9 @@ create_or_get_service_mon(struct ovsdb_idl_txn *ovnsb_txn, sbrec_service_monitor_set_port(sbrec_mon, service_port); sbrec_service_monitor_set_logical_port(sbrec_mon, logical_port); sbrec_service_monitor_set_protocol(sbrec_mon, protocol); + if (chassis_name) { + sbrec_service_monitor_set_chassis_name(sbrec_mon, chassis_name); + } mon_info = xzalloc(sizeof *mon_info); mon_info->sbrec_mon = sbrec_mon; hmap_insert(monitor_map, &mon_info->hmap_node, hash); 
@@ -3862,12 +3871,18 @@ ovn_lb_svc_create(struct ovsdb_idl_txn *ovnsb_txn, protocol = "tcp"; } + const char *chassis_name = NULL; + if (op->sb && op->sb->chassis) { + chassis_name = op->sb->chassis->name; + } + struct service_monitor_info *mon_info = create_or_get_service_mon(ovnsb_txn, monitor_map, backend->ip_str, backend_nb->logical_port, backend->port, - protocol); + protocol, + chassis_name); ovs_assert(mon_info); sbrec_service_monitor_set_options( mon_info->sbrec_mon, &lb_vip_nb->lb_health_check->options); diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index dadc1af38..c32a11cbd 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -114,7 +114,7 @@ static const char *rbac_mac_binding_update[] = {"logical_port", "ip", "mac", "datapath", "timestamp"}; static const char *rbac_svc_monitor_auth[] = - {""}; + {"chassis_name"}; static const char *rbac_svc_monitor_auth_update[] = {"status"}; static const char *rbac_igmp_group_auth[] = diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema index 72e230b75..1d2b3028d 100644 --- a/ovn-sb.ovsschema +++ b/ovn-sb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Southbound", - "version": "20.30.0", - "cksum": "2972392849 31172", + "version": "20.31.0", + "cksum": "2473562445 31224", "tables": { "SB_Global": { "columns": { @@ -509,6 +509,7 @@ "logical_port": {"type": "string"}, "src_mac": {"type": "string"}, "src_ip": {"type": "string"}, + "chassis_name": {"type": "string"}, "status": { "type": {"key": {"type": "string", "enum": ["set", ["online", "offline", "error"]]}, diff --git a/ovn-sb.xml b/ovn-sb.xml index e393f92b3..1f3b318e0 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml 
@@ -4815,6 +4815,10 @@ tcp.flags = RST; Source IPv4 address to use in the service monitor packet. + + The name of the chassis where the logical port is bound. + + The interval, in seconds, between service monitor checks. From patchwork Tue Jan 30 21:08:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Michelson X-Patchwork-Id: 1893111 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=JjSrwZO1; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TPd7J4yVCz1yQ0 for ; Wed, 31 Jan 2024 08:08:28 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 4ECBC42EC5; Tue, 30 Jan 2024 21:08:25 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 4ECBC42EC5 Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=JjSrwZO1 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lGEwRbWMJ7eU; Tue, 30 Jan 2024 
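Review bot: the existing-record branch of create_or_get_service_mon() (hunk @@ -3799 in northd/northd.c) rewrites chassis_name only when the new value is non-NULL, so once the backend's logical port is unbound (ovn_lb_svc_create passes chassis_name == NULL) the monitor keeps its old chassis_name and that chassis remains authorized to update status. Clear it in that case, e.g. `const char *want = chassis_name ? chassis_name : "";` followed by `if (strcmp(mon_info->sbrec_mon->chassis_name, want)) { sbrec_service_monitor_set_chassis_name(mon_info->sbrec_mon, want); }`, so an empty name means no chassis matches the RBAC authorization column; the insert path can then drop its NULL guard as well.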
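Review bot: the ovn-sb.xml text for Service_Monitor.chassis_name (hunk @@ -4815) says only where the logical port is bound; add that ovn-northd maintains the column and that it exists for RBAC authorization of status updates, so readers do not take it for a status field that ovn-controller writes.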
From: Mark Michelson To: dev@openvswitch.org Date: Tue, 30 Jan 2024 16:08:04 -0500 Message-ID: <20240130210810.548338-2-mmichels@redhat.com> In-Reply-To: <20240130210810.548338-1-mmichels@redhat.com> References: <20240130210810.548338-1-mmichels@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.8 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v2 2/3] rbac: Restrict IGMP_Group updates to relevant chassis. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" RBAC did not restrict which chassis could update IGMP_Groups. With this change, we add a new "chassis_name" column to IGMP_Group. This may seem odd since there is already a "chassis" column in IGMP_Group. But RBAC specifically works by string matching based on the certificate common name. Therefore, we need to have a chassis_name string column instead of a chassis UUID column. Getting RBAC to function properly required me to fix an existing bug as well. igmp_group_cleanup() did not ensure that only local IGMP group records were deleted. This presumably meant that when one ovn-controller in a cluster was shut down, it would delete ALL IGMP_Group records in the southbound DB, not just the local ones. Signed-off-by: Mark Michelson Acked-by: Ales Musil --- v1 -> v2: * Rebased on top of current main * Fixed igmp_group_cleanup() to only delete local records. --- controller/ip-mcast.c | 26 +++++++++++++++++++------- controller/ip-mcast.h | 9 ++++++--- controller/ovn-controller.c | 3 ++- controller/pinctrl.c | 16 +++++++++++++--- northd/ovn-northd.c | 2 +- ovn-sb.ovsschema | 7 ++++--- ovn-sb.xml | 5 +++++ tests/ovn.at | 2 +- 8 files changed, 51 insertions(+), 19 deletions(-) diff --git a/controller/ip-mcast.c b/controller/ip-mcast.c index a870fb29e..b457c7e69 100644 --- a/controller/ip-mcast.c 
+++ b/controller/ip-mcast.c @@ -38,7 +38,8 @@ static struct sbrec_igmp_group * igmp_group_create_(struct ovsdb_idl_txn *idl_txn, const char *addr_str, const struct sbrec_datapath_binding *datapath, - const struct sbrec_chassis *chassis); + const struct sbrec_chassis *chassis, + bool igmp_group_has_chassis_name); struct ovsdb_idl_index * igmp_group_index_create(struct ovsdb_idl *idl) @@ -86,7 +87,8 @@ struct sbrec_igmp_group * igmp_group_create(struct ovsdb_idl_txn *idl_txn, const struct in6_addr *address, const struct sbrec_datapath_binding *datapath, - const struct sbrec_chassis *chassis) + const struct sbrec_chassis *chassis, + bool igmp_group_has_chassis_name) { char addr_str[INET6_ADDRSTRLEN]; @@ -94,16 +96,18 @@ igmp_group_create(struct ovsdb_idl_txn *idl_txn, return NULL; } - return igmp_group_create_(idl_txn, addr_str, datapath, chassis); + return igmp_group_create_(idl_txn, addr_str, datapath, chassis, + igmp_group_has_chassis_name); } struct sbrec_igmp_group * igmp_mrouter_create(struct ovsdb_idl_txn *idl_txn, const struct sbrec_datapath_binding *datapath, - const struct sbrec_chassis *chassis) + const struct sbrec_chassis *chassis, + bool igmp_group_has_chassis_name) { return igmp_group_create_(idl_txn, OVN_IGMP_GROUP_MROUTERS, datapath, - chassis); + chassis, igmp_group_has_chassis_name); } void @@ -211,7 +215,8 @@ igmp_group_delete(const struct sbrec_igmp_group *g) bool igmp_group_cleanup(struct ovsdb_idl_txn *ovnsb_idl_txn, - struct ovsdb_idl_index *igmp_groups) + struct ovsdb_idl_index *igmp_groups, + const struct sbrec_chassis *chassis) { const struct sbrec_igmp_group *g; @@ -220,6 +225,9 @@ igmp_group_cleanup(struct ovsdb_idl_txn *ovnsb_idl_txn, } SBREC_IGMP_GROUP_FOR_EACH_BYINDEX (g, igmp_groups) { + if (chassis != g->chassis) { + continue; + } igmp_group_delete(g); } 
@@ -249,13 +257,17 @@ static struct sbrec_igmp_group * igmp_group_create_(struct ovsdb_idl_txn *idl_txn, const char *addr_str, const struct sbrec_datapath_binding *datapath, - const struct sbrec_chassis *chassis) + const struct sbrec_chassis *chassis, + bool igmp_group_has_chassis_name) { struct sbrec_igmp_group *g = sbrec_igmp_group_insert(idl_txn); sbrec_igmp_group_set_address(g, addr_str); sbrec_igmp_group_set_datapath(g, datapath); sbrec_igmp_group_set_chassis(g, chassis); + if (igmp_group_has_chassis_name) { + sbrec_igmp_group_set_chassis_name(g, chassis->name); + } return g; } diff --git a/controller/ip-mcast.h b/controller/ip-mcast.h index 326f39db1..eebada968 100644 --- a/controller/ip-mcast.h +++ b/controller/ip-mcast.h @@ -39,11 +39,13 @@ struct sbrec_igmp_group *igmp_group_create( struct ovsdb_idl_txn *idl_txn, const struct in6_addr *address, const struct sbrec_datapath_binding *datapath, - const struct sbrec_chassis *chassis); + const struct sbrec_chassis *chassis, + bool igmp_group_has_chassis_name); struct sbrec_igmp_group *igmp_mrouter_create( struct ovsdb_idl_txn *idl_txn, const struct sbrec_datapath_binding *datapath, - const struct sbrec_chassis *chassis); + const struct sbrec_chassis *chassis, + bool igmp_group_has_chassis_name); void igmp_group_update_ports(const struct sbrec_igmp_group *g, struct ovsdb_idl_index *datapaths, @@ -61,6 +63,7 @@ igmp_mrouter_update_ports(const struct sbrec_igmp_group *g, void igmp_group_delete(const struct sbrec_igmp_group *g); bool igmp_group_cleanup(struct ovsdb_idl_txn *ovnsb_idl_txn, - struct ovsdb_idl_index *igmp_groups); + struct ovsdb_idl_index *igmp_groups, + const struct sbrec_chassis *chassis); #endif /* controller/ip-mcast.h */ diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c index 54e742dfe..7e7bc71b3 100644 --- a/controller/ovn-controller.c +++ b/controller/ovn-controller.c 
@@ -6136,7 +6136,8 @@ loop_done: done = chassis_cleanup(ovs_idl_txn, ovnsb_idl_txn, ovs_table, chassis, chassis_private) && done; done = encaps_cleanup(ovs_idl_txn, br_int) && done; - done = igmp_group_cleanup(ovnsb_idl_txn, sbrec_igmp_group) && done; + done = igmp_group_cleanup(ovnsb_idl_txn, sbrec_igmp_group, chassis) + && done; if (done) { poll_immediate_wake(); } diff --git a/controller/pinctrl.c b/controller/pinctrl.c index bd3bd3d81..faa3f9226 100644 --- a/controller/pinctrl.c +++ b/controller/pinctrl.c @@ -180,6 +180,7 @@ struct pinctrl { bool mac_binding_can_timestamp; bool fdb_can_timestamp; bool dns_supports_ovn_owned; + bool igmp_group_has_chassis_name; }; static struct pinctrl pinctrl; @@ -3591,6 +3592,13 @@ pinctrl_update(const struct ovsdb_idl *idl, const char *br_int_name) notify_pinctrl_handler(); } + bool igmp_group_has_chassis_name = + sbrec_server_has_igmp_group_table_col_chassis_name(idl); + if (igmp_group_has_chassis_name != pinctrl.igmp_group_has_chassis_name) { + pinctrl.igmp_group_has_chassis_name = igmp_group_has_chassis_name; + notify_pinctrl_handler(); + } + ovs_mutex_unlock(&pinctrl_mutex); } @@ -5396,8 +5404,9 @@ ip_mcast_sync(struct ovsdb_idl_txn *ovnsb_idl_txn, sbrec_igmp = igmp_group_lookup(sbrec_igmp_groups, &mc_group->addr, local_dp->datapath, chassis); if (!sbrec_igmp) { - sbrec_igmp = igmp_group_create(ovnsb_idl_txn, &mc_group->addr, - local_dp->datapath, chassis); + sbrec_igmp = igmp_group_create( + ovnsb_idl_txn, &mc_group->addr, local_dp->datapath, + chassis, pinctrl.igmp_group_has_chassis_name); } igmp_group_update_ports(sbrec_igmp, sbrec_datapath_binding_by_key, @@ -5412,7 +5421,8 @@ ip_mcast_sync(struct ovsdb_idl_txn *ovnsb_idl_txn, if (!sbrec_ip_mrouter) { sbrec_ip_mrouter = igmp_mrouter_create(ovnsb_idl_txn, local_dp->datapath, - chassis); + chassis, + pinctrl.igmp_group_has_chassis_name); } igmp_mrouter_update_ports(sbrec_ip_mrouter, sbrec_datapath_binding_by_key, 
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index c32a11cbd..90a6d62b1 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -118,7 +118,7 @@ static const char *rbac_svc_monitor_auth[] = static const char *rbac_svc_monitor_auth_update[] = {"status"}; static const char *rbac_igmp_group_auth[] = - {""}; + {"chassis_name"}; static const char *rbac_igmp_group_update[] = {"address", "chassis", "datapath", "ports"}; static const char *rbac_bfd_auth[] = diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema index 1d2b3028d..b42f18b04 100644 --- a/ovn-sb.ovsschema +++ b/ovn-sb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Southbound", - "version": "20.31.0", - "cksum": "2473562445 31224", + "version": "20.32.0", + "cksum": "1262133774 31276", "tables": { "SB_Global": { "columns": { @@ -493,7 +493,8 @@ "ports": {"type": {"key": {"type": "uuid", "refTable": "Port_Binding", "refType": "weak"}, - "min": 0, "max": "unlimited"}}}, + "min": 0, "max": "unlimited"}}, + "chassis_name": {"type": "string"}}, "indexes": [["address", "datapath", "chassis"]], "isRoot": true}, "Service_Monitor": { diff --git a/ovn-sb.xml b/ovn-sb.xml index 1f3b318e0..2de7228e7 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml @@ -4767,6 +4767,11 @@ tcp.flags = RST; The destination port bindings for this IGMP group. + + + The chassis that inserted this record. This column is used for RBAC + purposes only. + diff --git a/tests/ovn.at b/tests/ovn.at index 28c6b6c34..b6130d069 100644 --- a/tests/ovn.at +++ b/tests/ovn.at 
@@ -22951,7 +22951,7 @@ wait_row_count Chassis 1 name=hv3 other_config:ovn-monitor-all='"true"' # Inject a fake IGMP_Group entry. dp=$(fetch_column Datapath_Binding _uuid external_ids:name=sw2) ch=$(fetch_column Chassis _uuid name=hv3) -ovn-sbctl create IGMP_Group address=239.0.1.42 datapath=$dp chassis=$ch +ovn-sbctl create IGMP_Group address=239.0.1.42 datapath=$dp chassis=$ch chassis_name=hv3 ovn-nbctl --wait=hv sync wait_row_count IGMP_Group 2 address=239.0.1.68 From patchwork Tue Jan 30 21:08:05 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Michelson X-Patchwork-Id: 1893112 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=GErJmdBX; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TPd7M4vFyz1yQ0 for ; Wed, 31 Jan 2024 08:08:31 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 31CC542EC6; Tue, 30 Jan 2024 21:08:26 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 31CC542EC6 Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 
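Review bot: the igmp_group_cleanup() change in controller/ip-mcast.c (hunk @@ -211) is a standalone bug fix, as the commit message itself describes (a stopping ovn-controller deleted every IGMP_Group row rather than its own), and is worth splitting into its own patch ahead of the schema bump so it can be backported to branches that will not take the new column. While here, `chassis != g->chassis` also passes when both sides are NULL; an explicit `if (!chassis || g->chassis != chassis) { continue; }` states the intent and avoids deleting rows with an empty chassis reference when the local Chassis row is already gone (chassis_cleanup() runs before this call in the ovn-controller.c hunk).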
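Review bot: rbac_igmp_group_update in northd/ovn-northd.c (hunk @@ -118) still lists "chassis", so a chassis authorized through chassis_name can repoint its record's chassis reference at another chassis while chassis_name keeps naming itself, and igmp_group_cleanup() now keys on that reference. If ovn-controller only sets chassis at insert time, as igmp_group_create_() does, drop "chassis" from the update list; otherwise document in ovn-sb.xml that chassis and chassis_name are not guaranteed to agree.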
From: Mark Michelson To: dev@openvswitch.org Date: Tue, 30 Jan 2024 16:08:05 -0500 Message-ID: <20240130210810.548338-3-mmichels@redhat.com> In-Reply-To: <20240130210810.548338-1-mmichels@redhat.com> References: <20240130210810.548338-1-mmichels@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.8 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v2 3/3] rbac: Only allow relevant chassis to update BFD. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" This adds a new "chassis_name" column to the BFD table. ovn-northd sets this to the logical port's chassis name when creating the BFD record. RBAC has been updated so that chassis may only update their own records. Signed-off-by: Mark Michelson Acked-by: Ales Musil --- v1 -> v2: * Rebased on current main --- northd/northd.c | 9 ++++++++- northd/ovn-northd.c | 2 +- ovn-sb.ovsschema | 7 ++++--- ovn-sb.xml | 4 ++++ 4 files changed, 17 insertions(+), 5 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 2a2fab231..51622c302 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -10912,6 +10912,7 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, nbrec_bfd_set_status(nb_bt, "admin_down"); } + struct ovn_port *op = ovn_port_find(lr_ports, nb_bt->logical_port); bfd_e = bfd_port_lookup(&sb_only, nb_bt->logical_port, nb_bt->dst_ip); if (!bfd_e) { int udp_src = bfd_get_unused_port(bfd_src_ports); 
@@ -10925,6 +10926,9 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, sbrec_bfd_set_disc(sb_bt, 1 + random_uint32()); sbrec_bfd_set_src_port(sb_bt, udp_src); sbrec_bfd_set_status(sb_bt, nb_bt->status); + if (op && op->sb && op->sb->chassis) { + sbrec_bfd_set_chassis_name(sb_bt, op->sb->chassis->name); + } int min_tx = nb_bt->n_min_tx ? nb_bt->min_tx[0] : BFD_DEF_MINTX; sbrec_bfd_set_min_tx(sb_bt, min_tx); @@ -10943,6 +10947,10 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, } } build_bfd_update_sb_conf(nb_bt, bfd_e->sb_bt); + if (op && op->sb && op->sb->chassis && + strcmp(op->sb->chassis->name, sb_bt->chassis_name)) { + sbrec_bfd_set_chassis_name(sb_bt, op->sb->chassis->name); + } hmap_remove(&sb_only, &bfd_e->hmap_node); bfd_e->ref = false; @@ -10951,7 +10959,6 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, hmap_insert(bfd_connections, &bfd_e->hmap_node, hash); } - struct ovn_port *op = ovn_port_find(lr_ports, nb_bt->logical_port); if (op) { op->has_bfd = true; } diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 90a6d62b1..fdd5939e5 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -122,7 +122,7 @@ static const char *rbac_igmp_group_auth[] = static const char *rbac_igmp_group_update[] = {"address", "chassis", "datapath", "ports"}; static const char *rbac_bfd_auth[] = - {""}; + {"chassis_name"}; static const char *rbac_bfd_update[] = {"status"}; diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema index b42f18b04..84ae09515 100644 --- a/ovn-sb.ovsschema +++ b/ovn-sb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Southbound", - "version": "20.32.0", - "cksum": "1262133774 31276", + "version": "20.33.0", + "cksum": "4076371179 31328", "tables": { "SB_Global": { "columns": { 
@@ -578,7 +578,8 @@ "min": 0, "max": "unlimited"}}, "options": { "type": {"key": "string", "value": "string", - "min": 0, "max": "unlimited"}}}, + "min": 0, "max": "unlimited"}}, + "chassis_name": {"type": "string"}}, "indexes": [["logical_port", "dst_ip", "src_port", "disc"]], "isRoot": true}, "FDB": { diff --git a/ovn-sb.xml b/ovn-sb.xml index 2de7228e7..1b18a27a0 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml @@ -4989,6 +4989,10 @@ tcp.flags = RST; receiving system in Asynchronous mode. + + The name of the chassis where the logical port is bound. + + Reserved for future use.
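Review bot: in the existing-record path of build_bfd_table() (hunk @@ -10943 in northd/northd.c) the new block reads and writes `sb_bt`, while the line directly above updates `bfd_e->sb_bt`; `sb_bt` is the pointer assigned in the insert branch, so on this path it is either left over from an earlier loop iteration or unset, unless it is assigned here outside the hunk. Use the looked-up row: `strcmp(op->sb->chassis->name, bfd_e->sb_bt->chassis_name)` and `sbrec_bfd_set_chassis_name(bfd_e->sb_bt, op->sb->chassis->name);`. Also, as in the Service_Monitor patch, nothing clears chassis_name once `op->sb->chassis` becomes NULL, so the previous chassis stays authorized to update status until the port is bound elsewhere.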