For tunnels, TOS ECN bits are never wildcard for the reason that they
are always inherited. OVS will create a rewrite action if we add rule
to modify other IP headers. But it also adds an extra ECN rewrite for
the action because of this ECN un-wildcarding.
It seems no error because the ECN bits to be changed are same in this
case. But as rule can't be offloaded to hardware, the unnecessary ECN
rewrite should be removed.
Signed-off-by: Jianbo Liu <jianbol@mellanox.com>
Reviewed-by: Paul Blakey <paulb@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
The conntrack-counters ought to be incremented only if it's a new lookup
or if it's recirculated through a different zone for the first time.
Signed-off-by: Anand Kumar <kumaranand@vmware.com>
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
A reader reported that "network database system" made it sound like OVSDB
was specialized for databases about networks. It's not, it's just
accessible over the network.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
In case where "use_names" is set (e.g. in an interactive session) to show
the port and table names when ovs-ofctl is run with snoop command,
ovs-ofctl would get stuck in an endless loop inside "table_iterator_next"
function's while loop checking for "while (ti->send_xid != recv_xid)".
This would happen because the "vconn" to "<bridge>.snoop" socket would
not respond to TABLE_FEATURES_REQUEST sent by ovs-ofctl.
This commit disables showing port or table names in the snoop command.
Signed-off-by: Ashish Varma <ashishvarma.ovs@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This patch automates building of Fedora rpm packages (Just
like we are already doing this for CentOS and Ubuntu).
Signed-off-by: Ansis Atteka <aatteka@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
ICMP checksum is calculated from ICMP headers and data, so hardware doesn't
need to calculate it again because we only rewrite IP headers.
Signed-off-by: Jianbo Liu <jianbol@mellanox.com>
Reviewed-by: Paul Blakey <paulb@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Misc. fixes to the Proof of Concepts section to help render the
information a bit nicer.
Signed-off-by: Aaron Conole <aconole@redhat.com>
Acked-by: Ansis Atteka <aatteka@ovn.org>
New OVS-DPDK testsuite, which can be launched via `make check-dpdk`,
tests OVS using a DPDK datapath. The testsuite contains already
initial tests:
1. EAL init
2. Add standard DPDK PHY port
3. Add vhost-user-client port
Signed-off-by: Marcin Rybka <marcinx.rybka@intel.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Two mistakes here:
- Automatic assignment of Rx queues to PMD threads has always existed -
it was simply switched from round-robin allocation to
utilization-based allocation
- The above, along with the 'pmd-rxq-rebalance' command, was added in
OVS 2.9.0 - not OVS 2.8.0 - while the 'pmd-rxq-show' command was added
in OVS 2.6.0 and modified in OVS 2.9.0
Correct both of these and modify the NEWS entry for this to clarify
things a little (it took a bit of git spelunking and bothering people on
IRC to figure out).
Signed-off-by: Stephen Finucane <stephen@that.guru>
Cc: Kevin Traynor <ktraynor@redhat.com>
Cc: Ian Stokes <ian.stokes@intel.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
We include references from the physical and vhost-user interface guides.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Yet another section that's far too detailed for someone getting started
with DPDK in OVS. Split it out.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
This details configuration steps that apply to the entire bridge, rather
than individual ports.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Again, this stuff is too detailed for a high-level howto.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
These are separate things from physical, ring and vhost-user interfaces
and deserve their own documents. A couple of small typos are fixed along
the way.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
The "hotplugging", "flow control", and "Rx checksum offload" sections
only apply to 'dpdk' ports and are too detailed to include in a
high-level howto. Move them, reworking some aspects of this in the
process.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
This continues the breakup of the huge DPDK "howto" into smaller
components. There are a couple of related changes included, such as
using "Rx queue" instead of "rxq" and noting how Tx queues cannot be
configured.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
These ports are used to allow ingress/egress from the host and are
therefore _reasonably_ important. However, there is no clear overview of
what these ports actually are or why things are done the way they are.
Start closing this gap by providing a standalone example of using these
ports along with a little more detailed overview of the binding process.
There is additional cleanup to be done for the DPDK howto, but that will
be done separately.
We enable the TODO directive so we can actually start calling out some
TODOs.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
This patch prepends 'www' to openvswitch urls in index.rst. Without this
make check-docs fails when verifying url liveness. Also remove url
referencing ovsdb-server(5) as these are no longer accessible.
Cc: Stephen Finucane <stephen@that.guru>
Fixes: 4f6ec357c ("doc: Populate 'ref' section")
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Acked-by: Stephen Finucane <stephen@that.guru>
Update dead url links for sphinx documentation to avoid
make check-docs failing.
Cc: Stephen Finucane <stephen@that.guru>
Fixes: 26ea2d409 ("docs: Add writing guide")
Fixes: 73c76b447 ("doc: Add info on building documentation")
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Acked-by: Stephen Finucane <stephen@that.guru>
The link used for IBM Style Guide is no longer valid. As there is no
longer a valid link via redbooks remove the url to avoid make
check-docs failing.
Cc: Stephen Finucane <stephen@that.guru>
Fixes: 26ea2d409 ("docs: Add writing guide")
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Acked-by: Stephen Finucane <stephen@that.guru>
The url link for the blog in sflow documentation causes make
check-docs to fail with a broken link warning. Fix this by correcting
the url address. Also use correct markup for note regarding the
configuration of sflow.
CC: Stephen Finucane <stephen@that.guru>
Fixes: 198c5d3d0 ("doc: Add sFlow cookbook from website")
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Acked-by: Stephen Finucane <stephen@that.guru>
DPDK mempools are freed when they are no longer needed.
This can happen when a port is removed or a port's mtu
is reconfigured so that a new mempool is used.
It is possible that an mbuf is attempted to be returned
to a freed mempool from NIC Tx queues and this can lead
to a segfault.
In order to prevent this, only free mempools when they
are not needed and have no in-use mbufs. As this might
not be possible immediately, create a free list of
mempools and sweep it anytime a port tries to get a
mempool.
Fixes: 8d38823bdf8b ("netdev-dpdk: fix memory leak")
Cc: mark.b.kavanagh81@gmail.com
Cc: Ilya Maximets <i.maximets@samsung.com>
Reported-by: Venkatesan Pradeep <venkatesan.pradeep@ericsson.com>
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
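The deferred-free scheme described in the commit message above, as an added example that is not the OVS or DPDK code. `struct pool`, `pool_retire()`, `pool_sweep()` and `mbuf_return()` are hypothetical names, and the pool only counts mbufs instead of owning memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for a DPDK mempool: it only counts its mbufs. */
struct pool {
    unsigned total;      /* mbufs created with the pool */
    unsigned avail;      /* mbufs currently back in the pool */
    bool released;       /* true once the memory has really been freed */
    struct pool *next;   /* link on the deferred-free list */
};

static struct pool *free_list;   /* pools that no port needs any more */

/* A port stopped using this pool: queue it instead of freeing it. */
static void pool_retire(struct pool *p)
{
    p->next = free_list;
    free_list = p;
}

/* Release every queued pool that has no in-use mbufs; return how many. */
static unsigned pool_sweep(void)
{
    unsigned n = 0;
    for (struct pool **pp = &free_list; *pp; ) {
        struct pool *p = *pp;
        if (p->avail == p->total) {
            *pp = p->next;       /* unlink, then release */
            p->released = true;  /* real code frees the memory here */
            n++;
        } else {
            pp = &p->next;       /* a Tx queue still holds mbufs */
        }
    }
    return n;
}

/* Tx completion hands an mbuf back; false marks a use-after-free. */
static bool mbuf_return(struct pool *p)
{
    if (!p->released) {
        p->avail++;
    }
    return !p->released;
}

/* Constructed scenario: a pool is retired with two mbufs still in flight. */
static unsigned mtu_change_scenario(unsigned *early, unsigned *late)
{
    struct pool old = { .total = 4, .avail = 2 };
    unsigned unsafe = 0;
    pool_retire(&old);
    *early = pool_sweep();          /* a port asks for its new pool */
    unsafe += !mbuf_return(&old);   /* the NIC completes both mbufs */
    unsafe += !mbuf_return(&old);
    *late = pool_sweep();           /* the next request for a pool */
    return unsafe;
}

int main(void)
{
    unsigned early, late, unsafe = mtu_change_scenario(&early, &late);
    return printf("early=%u late=%u unsafe=%u\n", early, late, unsafe) < 0;
}
```

The first sweep releases nothing because two mbufs are still held by the Tx queue; the pool is only released by the sweep that runs after both have been returned.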
When explaining on how to add vhost-user ports to a guest, using
libvirt, the following piece of configuration is used:
    <disk type='dir' device='disk'>
      <driver name='qemu' type='fat'/>
      <source dir='/usr/src/dpdk-stable-17.11.1'/>
      <target dev='vdb' bus='virtio'/>
      <readonly/>
    </disk>
This is used to facilitate sharing of a DPDK directory between the host
and the guest. However, for this to work selinux also needs to be
configured (or disabled). Furthermore, if one is using Ubuntu, libvirtd
would need to be added to complain only in AppArmor. Instead, in [1] it
is advised to use wget to get the DPDK sources over the internet, which
avoids this differentiation. Thus, we drop this piece of configuration
here as well and keep the example configuration as simple as possible.
This has been verified on both a Fedora 27 image and a Ubuntu 16.04 LTS
image.
[1] http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest
Signed-off-by: Tiago Lam <tiago.lam@intel.com>
Acked-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
When explaining on how to add vhost-user ports to a guest, using
libvirt, point to the qemu-system-x86_64 binary by default, instead of
using qemu-kvm. The latter has been made obsolete and dropped from a
number of distributions (although it is still available on Fedora).
This has been verified on both a Fedora 27 image and a Ubuntu 16.04 LTS
image.
Signed-off-by: Tiago Lam <tiago.lam@intel.com>
Acked-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
The MAC address is always 6-bytes long, never 7. The extra :01 and :02
don't belong in there as they don't mean selecting one port or
another.
Instead, use an incrementing MAC address, which is what usually happens
on such cards.
See-also: http://www.dpdk.org/ml/archives/dev/2018-April/094976.html
Fixes: 5e7588186839 ("netdev-dpdk: fix port addition for ports sharing same PCI id")
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Currently, ovsrcu_postpone() is called even with a NULL argument,
i.e. when there is no data to be freed. This is causing additional
overhead because work is scheduled for the urcu thread. This change
avoids adding the postpone callback if no work needs to be done.
This especially helps for the OVS-DPDK case where the PMD threads
might no longer have to do a write() due to the latch_set(), and thus
saving a syscall.
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Check if we are dealing with a Unicode string that needs
encoding for both Python 2 & 3.
Also, do the encoding the same way for Python 2 & 3 and avoid using
negation to make the code simpler.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
The sed package in RHEL/CentOS 7 only provides /bin/sed and not
/usr/bin/sed, but later versions (including Fedora) provide both.
Signed-off-by: Isaac Freeman <memotype@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Currently OVS snoops any ARP or ND packets in any bridge and populates
the tunnel neighbor cache with the retrieved data. For instance, when
an ARP reply originated by a tenant is received in an overlay bridge, the
ARP packet is snooped and tunnel neighbor cache is filled with tenant
address information. This is at best useless as tunnel endpoints can only
reside on an underlay bridge.
The real problem starts if different tenants on the overlay bridge have
overlapping IP addresses such that they keep overwriting each other's
pseudo tunnel neighbor entries. These frequent updates are treated as
configuration changes and trigger revalidation each time, thus causing
a lot of useless revalidation load on the system.
To keep the ARP neighbor cache clean, this patch moves tunnel neighbor
snooping from the generic function do_xlate_actions() to the specific
function terminate_native_tunnel() in compose_output_action(). Thus,
only ARP and Neighbor Advertisement packets addressing a local
tunnel endpoint (on the LOCAL port of the underlay bridge) are snooped.
In order to achieve this, IP addresses of the bridge ports are retrieved
and then stored in xbridge by calling xlate_xbridge_set(). The
destination address extracted from the ARP or Neighbor Advertisement
packet is then matched against the known xbridge addresses in
is_neighbor_reply_correct() to filter the snooped packets further.
Signed-off-by: Zoltan Balogh <zoltan.balogh.eth@gmail.com>
Co-authored-by: Jan Scheurich <jan.scheurich@ericsson.com>
Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
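The effect of the destination-address filter described in the commit message above, as an added example that is not the OVS code. `struct bridge`, `neigh_set()`, `snoop()` and `replay()` are hypothetical names, the bridge has a single local address, and the ARP replies are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

struct arp_reply {              /* only the fields the filter looks at */
    uint32_t spa;               /* sender IP */
    uint8_t sha[6];             /* sender MAC */
    uint32_t tpa;               /* target (destination) IP */
};

struct bridge {                 /* hypothetical, not the OVS xbridge */
    uint32_t local_ip;          /* address on the bridge's LOCAL port */
    struct { uint32_t ip; uint8_t mac[6]; } cache[8];
    unsigned n, changes;        /* each change forces a revalidation */
};

/* Insert or update a neighbor entry, counting only real changes. */
static void neigh_set(struct bridge *br, uint32_t ip, const uint8_t *mac)
{
    unsigned i = 0;
    while (i < br->n && br->cache[i].ip != ip) {
        i++;
    }
    if (i == 8 || (i < br->n && !memcmp(br->cache[i].mac, mac, 6))) {
        return;                 /* cache full, or binding unchanged */
    }
    if (i == br->n) {
        br->cache[br->n++].ip = ip;
    }
    memcpy(br->cache[i].mac, mac, 6);
    br->changes++;
}

/* With 'filter' set, learn only from replies sent to the local endpoint. */
static bool snoop(struct bridge *br, const struct arp_reply *r, bool filter)
{
    if (filter && r->tpa != br->local_ip) {
        return false;
    }
    neigh_set(br, r->spa, r->sha);
    return true;
}

/* Replay the constructed traffic; return the number of cache changes. */
static unsigned replay(bool filter)
{
    struct bridge br = { .local_ip = IP(172, 16, 0, 1) };
    struct arp_reply a = { IP(10, 0, 0, 5), {2, 0, 0, 0, 0, 0xa}, IP(10, 0, 0, 9) };
    struct arp_reply b = { IP(10, 0, 0, 5), {2, 0, 0, 0, 0, 0xb}, IP(10, 0, 0, 9) };
    struct arp_reply peer = { IP(172, 16, 0, 2), {2, 0, 0, 0, 0, 1}, IP(172, 16, 0, 1) };
    for (int i = 0; i < 3; i++) {   /* two tenants sharing 10.0.0.5 */
        snoop(&br, &a, filter);
        snoop(&br, &b, filter);
    }
    snoop(&br, &peer, filter);      /* remote tunnel endpoint */
    return br.changes;
}

int main(void)
{
    return printf("unfiltered=%u filtered=%u\n", replay(false), replay(true)) < 0;
}
```

Without the filter, the two tenants overwrite each other's entry on every reply; with it, only the reply addressed to the local tunnel endpoint changes the cache.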
The ARP replies injected into the underlay bridge 'br0' to trigger
ARP snooping should be destined to the bridge's LOCAL port. So far
the tests injected them on LOCAL port 'br0' itself, which didn't matter
as OVS snooped on all ARP packets passing the bridge.
This patch injects the ARP replies on a different port in preparation for
an upcoming commit that will make OVS only snoop on ARP packets output
to the LOCAL port.
The clone() wrapper must be added to the generated datapath flows now as
the traced packets would actually be transmitted through the tunnel port.
Previously the underlay bridge dropped the packets as the learned egress
port for the tunnel nexthop was the LOCAL port, which also served as
virtual ingress port for the encapsulated traffic. The translation
end result was an expensive way to say 'drop'.
Signed-off-by: Zoltan Balogh <zoltan.balogh.eth@gmail.com>
Co-authored-by: Jan Scheurich <jan.scheurich@ericsson.com>
Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
It makes OVS native tunneling honor tunnel-specified source addresses,
in the same way that Linux kernel tunneling honors them.
This patch makes a valid tun_src specified by flow-action usable as the
tunnel_src of a packet. Add a "local" property for a route entry and raise
the priority of a local route above that of a user route.
Like kernel space when looking up the route, if a tun_src is specified
by flow-action or port options, check whether the tun_src is a local
address, then look up the route.
Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: frank.zeng <frank.zeng@ucloud.cn>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Currently OVS does not provide any command to display stats for LACP
without which it is difficult to debug LACP issues. Here we propose
to display various statistics about LACP PDUs and slave state change.
Sample output:
    ovs_lacp # ovs-appctl lacp/stats-show
    ---- bond-prv statistics ----
    slave: dpdk0:
      RX PDUs: 128
      RX Bad PDUs: 0
      TX PDUs: 5
      Link Expired: 2
      Link Defaulted: 1
      Carrier Status Changed: 0
Signed-off-by: Nitin Katiyar <nitin.katiyar@ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Current params use two sb1.db, which is redundant:
e.g. ovsdb-server --remote=punix:sb1.ovsdb sb1.db sb1.db
Expected:
e.g. ovsdb-server --remote=punix:sb1.ovsdb sb1.db
Tested and works as expected:
    ovn-sbctl --db=unix:/root/ovs/tutorial/sandbox/sb2.ovsdb show
    Chassis "chassis-1"
        hostname: sandbox
        Encap geneve
            ip: "127.0.0.1"
            options: {csum="true"}
Signed-off-by: aginwala <aginwala@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Extend the macro for running a Python IDL test against an OVSDB server
that uses SSL so that it can be used for regular IDL tests and for the
notify tests.
This makes it easy to generate additional Python IDL tests that run
using SSL, so do it.
As it turns out, newly added SSL tests unearth a pre-existing issue with
unicode encoding when SSL is used, which will be fixed in the following
patch.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Encoding from 'unicode' to 'str' that has been added to the Stream class
in commit 2254074e3067 ("python: fix python3 encode/decode on Windows")
conflicts with SSLStream which already contains a quirk for pyopenssl
that does the same thing.
This results in a double encoding attempt when SSL is used and we crash
and burn due to:
    Traceback (most recent call last):
      File "../.././test-ovsdb.py", line 874, in <module>
        main(sys.argv)
      File "../.././test-ovsdb.py", line 869, in main
        func(*args)
      File "../.././test-ovsdb.py", line 655, in do_idl
        idl_set(idl, command, step)
      File "../.././test-ovsdb.py", line 526, in idl_set
        status = txn.commit_block()
      File "/home/jkbs/src/ovs/python/ovs/db/idl.py", line 1405, in commit_block
        status = self.commit()
      File "/home/jkbs/src/ovs/python/ovs/db/idl.py", line 1388, in commit
        if not self.idl._session.send(msg):
      File "/home/jkbs/src/ovs/python/ovs/jsonrpc.py", line 540, in send
        return self.rpc.send(msg)
      File "/home/jkbs/src/ovs/python/ovs/jsonrpc.py", line 244, in send
        self.run()
      File "/home/jkbs/src/ovs/python/ovs/jsonrpc.py", line 203, in run
        retval = self.stream.send(self.output)
      File "/home/jkbs/src/ovs/python/ovs/stream.py", line 808, in send
        return super(SSLStream, self).send(buf)
      File "/home/jkbs/src/ovs/python/ovs/stream.py", line 391, in send
        buf = buf.encode('utf-8')
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 83: ordinal not in range(128)
Remove the quirk from SSLStream as the base class now does encoding.
Reported-by: Marcin Mirecki <mmirecki@redhat.com>
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
OVSDB_CHECK_IDL_NOTIFY_PYN macro is the same as OVSDB_CHECK_IDL_PYN
except it doesn't support PRE-IDL-TXN parameter. Reuse the more generic
OVSDB_CHECK_IDL_PYN macro.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Path to ovsdb-server's pidfile has changed long ago when
ovsdb_start_idltest() helper was introduced in commit 561205007e17
("tests: Get rid of overly specific --pidfile and --unixctl options.")
but the run-if-fail commands were left behind.
Besides, we don't need to kill the ovs-db-server from the AT_CHECK
anymore since ovsdb_start_idltest() registers an on_exit hook that will
do it.
Clean up any run-if-fail commands that attempt to kill ovsdb-server
using an invalid pidfile.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Add an argument check to test-ovsdb.py to ensure that the user has
provided the private key, the certificate, and the peer CA certificate
needed to set up an SSL connection.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Recently, an issue was debugged that was thought to be a bond
failover triggered issue. It turned out to be a vlan interface MTU set issue
that had nothing to do with bonding or most other likely possibilities.
Besides the effect of not setting the MTU to the desired value, this can
result in increased netlink traffic and processing with associated wasted
work. Let us flag a configuration issue at warn level (rather than dbg) to
catch the problem early.
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
In Python OVSDB tester, we are not unpacking a value from n_args tuple
that holds the accepted range of arguments. This causes an error:
    $ python tests/test-ovsdb.py idl tests/idltest.schema
    Traceback (most recent call last):
      File "./tests/test-ovsdb.py", line 869, in <module>
        main(sys.argv)
      File "./tests/test-ovsdb.py", line 852, in main
        n_args, len(args)))
    TypeError: %d format: a number is required, not tuple
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
When a new rst document is added under Documentation, check if the
new file is added to the proper index.rst and to the automake.mk.
Signed-off-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This adds multi-column index support for the Python IDL that is
similar to the feature in the C IDL. Since it adds sortedcontainers
as a dependency and some distros don't yet package it, the library
is copied in-tree and used if sortedcontainers is not installed.
Signed-off-by: Terry Wilson <twilson@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Currently (at least on RHEL 7.5) openvswitch fails to start (with DPDK
enabled) as non-root, since chown fails and "/dev/hugepages" group is not
changed.
Commit tested on Fedora 28 and RHEL 7.5, both as root and as non-root user.
From man 5 systemd.service:
To pass a literal dollar sign, use "$$". Variables whose value is not known
at expansion time are treated as empty strings. Note that the first argument
(i.e. the program to execute) may not be a variable.
CC: Aaron Conole <aconole@redhat.com>
Fixes: 4299145c1095 ("rhel: don't drop capabilities when running as root")
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Fixes: ee4776b8bce1 ("netdev: New function netdev_get_ip_by_name().")
Suggested-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>