The _Server database recently added to ovsdb-server can be used to dump out
information about databases, but monitoring updates to _Server is not yet
very useful because for historical reasons ovsdb-server drops all of its
OVSDB connections whenever databases are added or removed or otherwise
change in some major way. It is not a good idea to change this behavior
for all clients, because some of them rely on it, but this commit
introduces a new RPC that allows clients that understand _Server to
suppress the connection-closing behavior.
Signed-off-by: Ben Pfaff <blp@ovn.org>
The _Server database is valuable primarily because it provides database
clients a way to find out the details of changes to databases, schemas,
etc. in a granular, natural way. Until now, the only way that the server
could notify clients about these kinds of changes was to close the session;
when the client reconnects, it is expected to reassess the server's state.
One way to provide this kind of granular information would be to add
specific JSON-RPC requests to obtain notifications for different kinds of
changes, but since ovsdb-server already provides granular and flexible
notification support for databases, using a database for the purpose is
convenient and avoids duplicating functionality.
Initially this database only reports databases' names and schemas, but
when clustering support is added in a later commit it will also report
important aspects of clustering and cluster status. Thus, this database
also reduces the need to add JSON-RPC calls to retrieve information about
new features.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Most of the OVS database-manipulation utilities (ovn-sbctl, ovn-nbctl,
ovs-vsctl, vtep-ctl) don't retry their connections by default because
they assume that the database is either up or down and likely to stay
that way. The OVN southbound database, however, is a likely candidate
for high availability clustering, so that even if it appears to be
down for a moment it will be available again soon. So, prepare for
the clustering implementation by enabling retry by default in
ovn-sbctl.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
Until now, a given ovsdb-idl instances has only monitored a single
database. In an upcoming commit, it will grow to also monitor a second
database that represents the state of the database server itself. Much of
the work is the same for both databases, so this commit breaks the common
code and data out into new data structures and functions.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
The code in jsonrpc-server conflated two different kinds of functionality.
It makes sense for the client to be able to change whether a particular
server is read-only. It also makes sense for the client to tell a server
to reconnect. The code in jsonrpc-server only provided a single function
that does both, which is weird. This commit breaks these apart.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
Until now, OVSDB distinguished "monitors", which are associated with OVSDB
JSON-RPC client sessions and allow clients to find out about database
changes, from "replicas", which are associated with databases and also find
out about database changes and act on them in some way. Now that
committing to disk has been broken into a separate concept, there is a
one-to-one and "onto" relationship between monitors and replicas: every
monitor M has a replica R and R is associated with M as well. It's easier
if we just treat them as a single entity, and that's what this commit
implements.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
Until now, ovsdb-server has internally chained a list of replicas from each
database. Whenever ovsdb_txn_commit() commits a transaction, it passes the
transaction to each replica. The first replica, which is always the disk
file that stores the database, is special because it is the only replica
that can report an error and thereby abort the transaction. This is a very
special property that genuinely distinguishes this first replica from the
others on the chain. This commit breaks that first replica out as a
separate kind of entity that is not on the list of replicas. When later
commits add support for clustering, there will only be more and more
special cases for the "first replica", so it makes sense to distinguish it
this way.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
The implementation cycles through the remotes in random order. This allows
clients to perform some load balancing across alternative implementations
of a service.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Russell Bryant <russell@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
This is aimed at an upcoming database clustering implementation, where it's
desirable to try all of the cluster members quickly before backing off to
retry them again in sequence.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Russell Bryant <russell@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
The OVSDB log code has always had the ability to commit the log to disk and
wait for the commit to finish. This patch introduces a new feature that
allows the client to start a commit in the background and then to determine
asynchronously that the commit has completed. This will be especially
useful later for the distributed database feature.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
DPDK could produce huge amount of logs. For example, in case of
exhausting of a mempool in vhost-user port, following message will be
printed on each call to 'rte_vhost_dequeue_burst()':
|ERR|VHOST_DATA: Failed to allocate memory for mbuf.
These messages are increasing ovs-vswitchd.log size extremely fast
making it unreadable and non-parsable by a common linux utils like
grep, less etc. Moreover continuously growing log could exhaust the
HDD space in a few hours breaking normal operation of the whole system.
To avoid such issues, DPDK log rate limited to 600 messages per minute.
This value is high, because we still want to see many big logs like
vhost-user configuration sequence. The debug messages are treated
separately to avoid looss of errors/warnings in case of intensive debug
enabled in DPDK.
Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Acked-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Presently, if OVS tries to setup more queues than
are allowed by a specific NIC, OVS will handle
this case by retrying with a lower amount of queues.
Rather than reporting initial failed queue setups
in the logs as ERROR, they are reported as INFO but
contain the word 'error'. Unless a user has detailed
knowledge of OVS-DPDK workings, this is confusing.
Let's remove 'error' from the INFO log.
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Since 17.11 release DPDK uses uint16 for port_id. Format
strings for printing functions must be updated accordingly.
CC: Mark Kavanagh <mark.b.kavanagh@intel.com>
Fixes: 5e925ccc2a ("netdev-dpdk: DPDK v17.11 upgrade")
Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Modify docs and travis linux build script to use the DPDK 17.11.1
release branch to benefit from most recent bug fixes.
There are no new features introduced in the DPDK release, only back
ported bug fixes. For completeness these bug fixes have been documented
under the 17.11.1 section in the link below.
http://dpdk.org/doc/guides-17.11/rel_notes/release_17_11.html#id1
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
The docs describe IOMMU support for dpdkvhostuserclient ports,
but it is not mentioned in the section about dpdkvhostuser
ports. Add an explicit note to say IOMMU is not supported for
dpdkvhostuser ports.
CC: Maxime Coquelin <maxime.coquelin@redhat.com>
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Raise the error up instead of ignoring it.
Before this commit beside an error an incorrect rule was also printed.
Signed-off-by: Roi Dayan <roid@mellanox.com>
Reviewed-by: Paul Blakey <paulb@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
OVS datapaths have two different ways to indicate what kind of packet a
flow matches. One way, used by the userspace datapath, is
OVS_KEY_ATTR_PACKET_TYPE. Another way, used by the kernel datapath, is
OVS_KEY_ATTR_ETHERTYPE when used in the absence of OVS_KEY_ATTR_ETHERNET;
when the latter is present, the packet is always an Ethernet packet. The
code to print datapath flows wasn't paying attention to this distinction
and always omitted eth() from the output when OVS_KEY_ATTR_ETHERNET was
fully wildcarded, which meant that upon later re-parsing the
OVS_KEY_ATTR_ETHERNET key was omitted, which made it look like a
non-Ethernet match was being described.
This commit makes odp_util_format() add eth() to the output when
OVS_KEY_ATTR_ETHERNET is present and OVS_KEY_ATTR_PACKET_TYPE is absent,
avoiding the problem.
Reported-by: Amar Padmanabhan <amarpadmanabhan@fb.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2017-December/045817.html
Reported-by: Su Wang <suwang@vmware.com>
VMWare-BZ: #2070488
Signed-off-by: Ben Pfaff <blp@ovn.org>
Tested-by: Yi-Hung Wei <yihung.wei@gmail.com>
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
Since OVS 2.8 OVN provides L3HA capabilities via BFD monitoring,
but checking the status of BFD is not obvious, and we provide
a simple way to visualize the status with this simple patch.
Signed-off-by: Miguel Angel Ajo <majopela@redhat.com>
Tested-by: Miguel Angel Ajo <majopela@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
We want to compact database file if it has been over 24 hours since we
last compacted it and there's more than 100 commits regardless of the
size of the database. This patch fixes the previous comparisson which
checked if 24 hours was elapsed since the next scheduled compaction.
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Until now, the ofp-print code has had a lot of logic specific to
individual messages. This code is better put with the other code specific
to those messages, so this commit starts to migrate it.
There is more work of a similar type to do, but this is a reasonable start.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
This function was left behind by accident in the patch that split up
ofp-parse.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
This commit relieves the caller of code that deals with the format of
packet-in messages from some of the burden of understanding the packet
format. It also renames the constants to appear to be at a higher level of
abstraction.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
The previous interface here required the client to understand, to some
extent, the low-level NXFF_* values and the encoding format for the
NXT_SET_FLOW_FORMAT and NXT_SET_FLOW_MOD_TABLE_ID messages. This commit
changes the interface so that the client only has to understand the
ofputil_protocol type used elsewhere and none of the encoding otherwise.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
Long ago, a <monitor-requests> object in the OVSDB protocol mapped a table
name to a single <monitor-request>. Since then, it has mapped a table name
to an *array of* <monitor-request> objects, but the OVSDB IDL has never
been updated to use the modern form. This commit makes that change.
Reported-by: Anil Jangam <anilj.mailing@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
This interface type was deprecated in 2013, so it is time to remove it.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jjpettit@ovn.org>
On Python 3 hasattr only intercepts AttributeError exception.
On Python2, instead, hasattr intercepts all the exceptions.
This means __getattr__ shouldn't return KeyError when the attribute
doesn't exists, but it should raise AttributeError instead.
Fixes: 2d54d8011e ("Python-IDL: getattr after mutate fix")
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Russell Bryant <russell@ovn.org>
Replace "print f" with "print(f)" and "xrange" with "range".
The changes are backward compatibile with Python 2.
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Russell Bryant <russell@ovn.org>
When the Load_Balancer is added to the logical_switch,
the VIP has to be in a different subnet than the one used
for the logical_switch. Since VIP is in a different subnet,
you should connect your logical switch to either a OVN
logical router or a real router (this is because the client
can now send a packet with VIP as the destination IP address
and router's mac address as the destination MAC address).
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
The priority 34000 DHCP and DNS flows are added to the
S_SWITCH_OUT_ACL table and not S_SWITCH_OUT_STATEFUL table.
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
Whenever the acl reject rule is hit send back an ICMPv4 destination
unreachable packet and do not handle reject rule as drop one.
Treat TCP connections as DROP for the moment since tcp_reset{} action
has not been implemented yet.
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
icmp4 action is used to replace the IPv4 packet been processed with
an ICMPv4 packet initialized based on incoming IPv4 one.
Ethernet and IPv4 fields not listed are not changed:
- ip.proto = 1 (ICMPv4)
- ip.frag = 0 (not a fragment)
- ip.ttl = 255
- icmp4.type = 3 (destination unreachable)
- icmp4.code = 1 (host unreachable)
Prerequisite: ip4
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-By: Mark Michelson <mmichels@redhat.com>
It can only receive 4096 bytes of data each time in jsonrpc,
when there are similar and Chinese characters occupy multiple bytes,
it may receive half a character, this time the decoding will be abnormal.
We need to receive the completed character to decode.
Signed-off-by: Guoshuai Li <ligs@dtdream.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Before this patch, the databases were automatically compacted when a
transaction is logged when:
* It's been > 10 minutes after last compaction AND
* At least 100 commits have occurred AND
* Database has grown at least 4x since last compaction (and it's > 10M)
This patch changes the conditions as follows:
* It's been > 10 minutes after last compaction AND
* At least 100 commits have occurred AND either
- It's been > 24 hours after the last compaction OR
- Database has grown at least 2x since last compaction (and it's > 10M)
Reported-by: Daniel Alvarez <dalvarez@redhat.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-March/046309.html
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
A clone action saves the action_set prior to performing the clone, then
restores it afterwards. However when xlating the actions it neglects to
consider the action_set so any write_action() inside a clone() are
ignored. Unfortunately patch ports are internally implemented via
clone(). So a frame traversing to a second bridge via patch port will
never be affected by write_action() in the second bridge's flow table.
Lets make clone() aware of the action_set.
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This patch tries to find Python 2 as "python2", then "python2.7" and finally
"python".
This is needed since "/usr/bin/python" is used as Python 3 on some Linux
distributions (for example on Arch Linux) and on Fedora 28
"/usr/bin/python" will be deprecated [1]:
"All scripts shall explicitly use /usr/bin/python2."
[1] https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Running OpenSSL unit tests without it already being included in library path
revealed a problem: the AUTOTEST_PATH does not include it.
This patch adds a new variable `SSL_DIR` which will be added in AUTOTEST_PATH.
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
+Traceback (most recent call last):
+ File "../.././flowgen.py", line 204, in <module>
+ flows = os.fdopen(3, 'wb')
+OSError: [Errno 9] Bad file descriptor
./library.at:4: exit code was 1, expected 0
Unfortunately 3/4/5/.. FDs don't work on Windows. Switch to a filename open
instead of opening the FDs.
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Acked-by: Ben Pfaff <blp at ovn.org>
Previously ipfragment module would drop any fragments less than
MIN_FRAGMENT_SIZE (400 bytes), which was added to safeguard against the
vulnerability CVE-2000-0305. This check is incorrect, since minimum size
of the Ipfragment is 68 bytes (i.e. max length of Ip Header + 8 bytes of
L4 header). So Ip fragments less than MIN_FRAGMENT_SIZE (400 bytes) is not
guranted to be malformed or illegal.
To guard against security vulnerability CVE-2000-0305, for a given ip
datagram, ipfragments should be dropped only when number of smallest
fragments recieved reaches a certain threshold.
Signed-off-by: Anand Kumar <kumaranand@vmware.com>
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Fix two $PYTHON leftovers.
One in JSONRPC_REQ_REPLY_SUCCESS_PYN and the other in JSONRPC_REQ_REPLY_ERROR_PYN
Fixes: 58bed3df48 ("jsonrpc-py.at: Run tests with Python 2 and 3.")
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
