Open vSwitch does not have native integration with Docker.
INSTALL.Docker explains how Open vSwitch can be integrated
with docker non-natively.
ovs-docker is a helper script to add network interfaces to
docker containers and to attach them as ports to OVS bridge.
This script can be further enhanced as we understand different
use cases.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
OpenFlow 1.5 (draft) extends the OFPAT_SET_FIELD action originally
introduced in OpenFlow 1.2 so that it can set not just entire fields but
any subset of bits within a field as well. This commit adds support for
that feature when OpenFlow 1.5 is used.
With this feature, OFPAT_SET_FIELD becomes a superset of NXAST_REG_LOAD.
Thus, this commit merges the implementations of the two actions into a
single ofpact_set_field.
ONF-JIRA: EXT-314
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
OVSDB has the concept of "immutable" columns, which are columns whose
values are fixed once a row is inserted. Until now, ovs-vsctl has not
allowed these columns to be modified at all. However, this is a little too
strict, because these columns can be set to any value at the time that the
row is inserted. This commit relaxes the ovs-vsctl requirement, then, to
allow an immutable column's value to be modified if its row has been
inserted within this transaction.
Requested-by: Mukesh Hira <mhira@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Whenever OVS restarts, it pseudo-randomly picks an interface
of a bond port to be the active slave. This can cause traffic
disruption in case the upstream switch does not support LACP, or
in case of multi-chassis switches that do not support mLACP.
This patch helps the situation by always record the last active
slave into ovsdb. When OVS restarts, the stored last active slave
has the highest priority to be selected again. In case this interface
is available, due to configuration changes or being offline, OVS then
consider other interfaces with the bond as it does today.
In a nutshell, this patch makes the active slave selection stickier
across OVS restart.
VMware-BZ: 1332235
Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Alex Wang <alexw@nicira.com>
Commit 9ff33ca7 (ovs-pki: Use SHA-512 instead of MD5 as message
digest.) changes the message digest algorithm to SHA-512. This
seems to break the unit tests on some xenserver 5.6/6.0 builds
causing the error: "SSL_connect: error:0D0C50A1:asn1 encoding
routines:ASN1_item_verify:unknown message digest algorithm".
As a solution, this commit changes the message digest algorithm
to SHA-1 which works for both the above xenserver builds and
centos 7.
VMware-BZ: #1319116
Signed-off-by: Alex Wang <alexw@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
This fixes numerous testsuite failures of the form "SSL_connect:
error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message
digest algorithm" on systems that disable MD5 in OpenSSL. Centos 7 is one
example. Presumably it increase security as well for anyone who generates
certificates based on a new configuration created by the new ovs-pki.
Reported-by: Robert Strickler <anomalyst@gmail.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
There are couple of reasons to remove this support:
* This is used in very old OVS use-case. It is much better
to read stats directly from OVS.
* Forthcoming commit will remove support for setting stats
for vport. The stats update depends on stats-set.
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Fixing issue where "resubmit" action in a group action set was not
considered sufficient to retain the full action set. This patch allows
a group action set (considered terminal with OF1.4 and earlier spec)
to have the "output" action come from a different table.
Signed-off-by: Srini Seetharaman <srini.seetharaman@gmail.com>
[blp@nicira.com added documentation]
Signed-off-by: Ben Pfaff <blp@nicira.com>
This allows things like initiating a wait request on an interface
ofport being set.
When the optional field is empty and operation is != or excludes
then the result is true; otherwise it is false. If the field is
set then the field is compared normally for its type.
Signed-off-by: Terry Wilson <twilson@redhat.com>
[blp@nicira.com updated ovsdb-server(1) and NEWS.]
Signed-off-by: Ben Pfaff <blp@nicira.com>
Treating OFPACT_REG_MOVE as a "set" action preserves the order of loads
and moves and allows a load to overwrite a previous move to the same
register.
This makes the following work:
add-group br0 group_id=1234,type=all, \
bucket=output:10,move:NXM_NX_REG1[]->NXM_OF_IP_SRC[], \
bucket=output:11
add-flow br0 ip actions=load:0xffffffff->NXM_NX_REG1[],group:1234
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
This commit introduces multiple appctl commands (dpctl/*)
They are needed to interact with userspace datapaths (dpif-netdev), because the
ovs-dpctl command runs in a separate process and cannot see the userspace
datapaths inside vswitchd.
This change moves most of the code of utilities/ovs-dpctl.c in lib/dpctl.c.
Both the ovs-dpctl command and the ovs-appctl dpctl/* commands make calls to
lib/dpctl.c functions, to interact with datapaths.
The code from utilities/ovs-dpctl.c has been moved to lib/dpctl.c and has been
changed for different reasons:
- An exit() call in the old code made perfectly sense. Now (since the code
can be run inside vswitchd) it would terminate the daemon. Same reasoning
can be applied to ovs_fatal_*() calls.
- The lib/dpctl.c code _should_ not leak memory.
- All the print* have been replaced with a function pointer provided by the
caller, since this code can be run in the ovs-dpctl process (in which
case we need to print to stdout) or in response to a unixctl request (and
in this case we need to send everything through a socket, using JSON
encapsulation).
The syntax is
ovs-appctl dpctl/(COMMAND) [OPTIONS] [PARAMETERS]
while the ovs-dpctl syntax (which _should_ remain the same after this change)
is
ovs-dpctl [OPTIONS] (COMMAND) [PARAMETERS]
Signed-off-by: Daniele Di Proietto <ddiproietto@vmware.com>
[blp@nicira.com made stylistic and documentation changes]
Signed-off-by: Ben Pfaff <blp@nicira.com>
These 64-bit registers are intended to conform with the OpenFlow 1.5
draft specification.
EXT-244.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Reduces the dependency on autoconf from 2.64 to 2.63 to ease building
on older platforms. There is only a few macros missing and they can
be provided easily.
A handful of tests needed modification. The difference in quoting
behaviour between 2.63 and later require the m4_define() to be
manually unfolded.
The Debian control file is left untouched on purpose. The decision
whether to adjust the dependency is left to the respective maintainers.
Tested with autoconf 2.63 and 2.69.
Cc: Scott Mann <smann@noironetworks.com>
Cc: Don Kehn <dkehn@noironetworks.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
This adds support for Geneve - Generic Network Virtualization
Encapsulation. The protocol is documented at
http://tools.ietf.org/html/draft-gross-geneve-00
The kernel implementation is completely agnostic to the options
that are in use and can handle newly defined options without
further work. It does this by simply matching on a byte array
of options and allowing userspace to setup flows on this array.
Userspace currently implements only support for basic version of
Geneve. It can work with the base header (including the VNI) and
is capable of parsing options but does not currently support any
particular option definitions. Over time, the intention is to
allow options to be matched through OpenFlow without requiring
explicit support in OVS userspace.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@suug.ch>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
When a flow with a "learn" action is deleted, one often wants the flows
that it created (the "learned flows") to be deleted as well. This commit
makes that possible.
I am aware of a race condition that could lead to a learned flow not being
properly deleted. Suppose thread A deletes a flow with a "learn" action.
Meanwhile, thread B obtains the actions for this flow and translates and
executes them. Thread B could obtain the actions for the flow before it is
deleted, but execute them after the "learn" flow and its learned flows are
deleted. The result is that the flow created by thread B persists despite
its "learn" flow having been deleted. This race can and should be fixed,
but I think that this commit is worth reviewing without it.
VMware-BZ: #1254021
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@suug.ch>
Acked-by: Ethan Jackson <ethan@nicira.com>
a425a102-c317-4743-b0ba-79d59ff04a74
Bridge "br0"
[...]
Port test
Interface test
type: vxlan
options: {unknown="1"}
error: "test: could not set configuration (Invalid argument)"
ovs_version: "2.1.90"
Signed-off-by: Thomas Graf <tgraf@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Using a prefix tree (aka 'trie') for transport ports matching produces
less specific (more wildcarded) datapath megaflows.
Each subtable that matches on transport ports has it's own ports trie.
This trie is consulted only after a failing lookup to determine the
number of bits that need to be unwildcarded to guarantee that any
packet that should match on any of the other rules will not match this
megaflow.
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
The Open vSwitch software switch now supports all the required features of
OpenFlow 1.0 through 1.3, with one known trivial exception[*]. Enable them
by default in ovs-vswitchd.
For now, ovs-ofctl only enables OpenFlow 1.0 by default. This is
because ovs-ofctl implements command such as "add-flow" as raw
OpenFlow requests, but those requests have subtly different semantics
in different OpenFlow versions. For example:
- In OpenFlow 1.0, a "mod-flow" operation that does not find any
existing flow to modify adds a new flow.
- In OpenFlow 1.1, a "mod-flow" operation that does not find any
existing flow to modify adds a new flow, but only if the
mod-flow did not match on the flow cookie.
- In OpenFlow 1.2 and a later, a "mod-flow" operation never adds a
new flow.
[*] OpenFlow 1.1, but not any earlier or later version of OpenFlow,
requires support for VLANs introduced by Ethertype 0x88a8, but Open
vSwitch does not support this Ethertype.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Reviewed-by: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
The Open vSwitch daemons written in C support user-configured logging
patterns as described in ovs-appctl(8). This commit adds this capability
to the daemons written in Python.
- Add a '__log_patterns' attribute to the Vlog class
- Populate this using the default patterns in ovs-appctl(8)
- Add a '__start_time' attribute to the Vlog class to support '%r'
- Update the '_log' method to build the log message according to the
pattern
- Add a 'set_pattern' method to allow the default patterns to be changed
- Update 'set_levels_from_string' to support setting the pattern from a
string
Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Add support for building the in-tree kernel datapath for
Linux kernels up to 3.13. There were some changes in the
netlink area which required adding new compatibility code
for this layer. Also, some new per-cpu stats initialization
code was added.
Based on patch from Kyle Mestery.
Signed-off-by: Kyle Mestery <mestery@noironetworks.com>
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Kyle Mestery <mestery@noironetworks.com>
It should be an administrator task to bring up devices as they
are configured properly.
Currently, Fedora is deleting the bridges when the interface is
brought down. Therefore, there is no bridge on the next boot and
the initscripts can apply the networking configuration properly
for a new bridge.
However, if the system didn't execute ifdown for some reason, the
bridge is left in the ovsdb and since internal ports are brought
up by default, there is no way for initscripts to known if the
adminitrator has already configured it or not.
This patch reverts commit bef071a5fd
(bridge: Always "up" internal devices.).
Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
ovs-vsctl is a command-line interface to the Open vSwitch database,
and as such it just modifies the desired Open vSwitch configuration in
the database. ovs-vswitchd, on the other hand, monitors the database
and implements the actual configuration specified in the database.
This can lead to surprises when the user makes a change to the
database, with ovs-vsctl, that ovs-vswitchd cannot actually
implement. In such a case, the ovs-vsctl command silently succeeds
(because the database was successfully updated) but its desired
effects don't actually take place. One good example of such a change
is attempting to add a port with a misspelled name (e.g. ``ovs-vsctl
add-port br0 fth0'', where fth0 should be eth0); another is creating
a bridge or a port whose name is longer than supported
(e.g. ``ovs-vsctl add-br'' with a 16-character bridge name on
Linux). It can take users a long time to realize the error, because it
requires looking through the ovs-vswitchd log.
The patch improves the situation by checking whether operations that
ovs executes succeed and report an error when
they do not. This patch only report add-br and add-port
operation errors by examining the `ofport' value that
ovs-vswitchd stores into the database record for the newly created
interface. Until ovs-vswitchd finishes implementing the new
configuration, this column is empty, and after it finishes it is
either -1 (on failure) or a positive number (on success).
Signed-off-by: Andy Zhou <azhou@nicira.com>
Co-authored-by: Thomas Graf <tgraf@redhat.com>
Signed-off-by: Thomas Graf <tgraf@redhat.com>
Co-authored-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Following patch adds DPDK netdev-class to userspace datapath. Now
OVS can use DPDK port for IO by just configuring DPDK port and then
adding dpdk type port to userspace datapath.
Refer to INSTALL.DPDK doc for further info.
This is based a patch from Gerald Rogers.
Signed-off-by: Gerald Rogers <gerald.rogers@intel.com>
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Thomas Graf <tgraf@redhat.com>
Bump kernel support for datapath module to include 3.12.
Make use of native ip-tunnel API for Kernel >= 3.12.
Based on patch from James Page.
Signed-off-by: James Page <james.page@ubuntu.com>
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Reviewed-by: Kyle Mestery <mestery@noironetworks.com>
We are registering an interest in SIGHUP to reopen
log files. But there is an 'ovs-appctl vlog/reopen'
command that does the same and is used in the
logrotate config for the distributions.
So remove the redundant functionality.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
The Ryu controller comes with an extensive library of OpenFlow tests, but
it doesn't seem so easy to me to run all of them against a development
version of Open vSwitch. This commit introduces a Makefile target so that
one can run all the Ryu tests with a simple "make check-ryu".
This commit adds documentation for the new target to INSTALL. It also
moves the documentation for the "check-oftest" target and the
--enable-coverage configure option into INSTALL.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Reviewed-by: Simon Horman <horms@verge.net.au>
This patch moves flow installation and eviction from ofproto-dpif and
the main thread, into ofproto-dpif-upcall. This performs
significantly better (approximately 2x TCP_CRR improvement), and
allows ovs-vswitchd to maintain significantly larger datapath flow
tables. On top of that, it significantly simplifies the code,
retiring "struct facet" and friends.
Signed-off-by: Ethan Jackson <ethan@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Users may find this feature useful, but the reason to add this feature is
to allow a test to use it in an upcoming commit.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Add a prefix tree (trie) structure for tracking the used address
space, enabling skipping classifier tables containing longer masks
than necessary for an address field value in a packet header being
classified. This enables less unwildcarding for datapath flows in
parts of the address space without host routes.
Trie lookup is interwoven to the staged lookup, so that a trie is
searched only when the configured trie field becomes relevant
for the lookup. The trie lookup results are retained so that each
trie is checked at most once for each classifier lookup.
This implementation tracks the number of rules at each address prefix
for the whole classifier. More aggressive table skipping would be
possible by maintaining lists of tables that have prefixes at the
lengths encountered on tree traversal, or by maintaining separate
tries for subsets of rules separated by metadata fields.
Prefix tracking is configured via OVSDB. A new column "prefixes" is
added to the database table "Flow_Table". "prefixes" is a set of
string values listing the field names for which prefix lookup should
be used.
As of now, the fields for which prefix lookup can be enabled are:
- tun_id, tun_src, tun_dst
- nw_src, nw_dst (or aliases ip_src and ip_dst)
- ipv6_src, ipv6_dst
There is a maximum number of fields that can be enabled for any one
flow table. Currently this limit is 3.
Examples:
ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- \
--id=@N1 create Flow_Table name=table0
ovs-vsctl set Bridge br0 flow_tables:1=@N1 -- \
--id=@N1 create Flow_Table name=table1
ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src
ovs-vsctl set Flow_Table table1 prefixes=[]
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
