It is inconvenient to type the whole path to the Unix daemon socket when
using ovs-appctl. Allow the name of the daemon to be used instead when
a pidfile exists in the default location, and contact ovs-vswitchd by
default.
Also, the various options for manipulating vlog were invented before the
general-purpose command mechanism existed. Get rid of all of the action
options in favor of just specifying the command to be executed as
non-option arguments.
Finally, there simply wasn't much value in allowing multiple targets or
options to be specified; these variations were never used in practice. So
simplify the interface by making it one target, one action per invocation.
Also, make ovs-vsctl use the same syntax for its --target option.
Based on work by Justin Pettit.
This reverts commit cae7a4b90a55cbfd4cfd23c06f9f09cd429ab4c0.
This commit forced the user to specify an action when deleting a flow,
which is not desirable. The change was not actually needed, as the
buffer is never passed to str_to_flow() in the original code.
This merge took a little bit of care due to two issues:
- Crossport of "interface-reconfigure" fixes from master back to
citrix that had happened and needed to be canceled out of the merge.
- New script "refresh-xs-network-uuids" added on citrix branch that
needed to be moved from /root/vswitch/scripts to
/usr/share/vswitch/scripts.
This changes the interface of each of the command implementations, making
them take the configuration as an argument and return the output. This
will make it easier to support alternate output formats and to execute more
than one command per invocation (both happening in upcoming commits).
The 'bridge' argument to ovs-vsctl's del-port command is only supplied as
a form of error checking. Sometimes the name of the bridge isn't readily
available, so for such situations this commit allows the user to omit the
name of the bridge entirely.
CC: Ian Campbell <Ian.Campbell@citrix.com>
This feature, which has been in ovs-cfg-mod for some time as the "-c"
option, makes it much easier to see what changes ovs-vsctl actually makes
to ovs-vswitchd.conf.
CC: <Ian.Campbell@citrix.com>
The synopsis section of the man page for ovs-appctl incorrectly stated
that the target option takes "pid" as an argument. This commit corrects
that to say "socket".
When the switch is configured to connect to a controller that accepts
connections, waits a few seconds, and then disconnects without setting up
flows, currently this causes "fail-open" to flush the flow table and
stop setting up new flows during the connection duration. This is OK if
it happens once, but it can easily happen every 8 seconds with typical
backoff settings, and that isn't so great.
This commit changes fail-open to only flush the flow table once the switch
appears to have been admitted by the controller, which prevents these
frequent network interruptions.
Thanks to Jesse Gross for especially valuable feedback.
QA notes: Behavior in fail-open and especially behavior with a controller
that rejects the switch after it connects needs to be re-tested. The
ovs-controller --mute switch added by this commit is one simple way to
create such a controller.
CC: Peter Balland <peter@nicira.com>
Bug #1695. Bug #2055.
Dan requested this change to make it less likely that a user encounter a
CA certificate expiring.
For the "citrix" branch instead of "master" in case a customer upgrades
(without generating new CA certificates) away from the beta.
CC: Dan Wendlandt <dan@nicira.com>
Currently ov-vsctl tries to treat /var/run/ovs-vswitchd.*.ctl as a
file/pipe when it is actually a Unix domain socket:
# ovs-vsctl add-br TEST
Traceback (most recent call last):
File "/usr/bin/ovs-vsctl", line 498, in ?
main()
File "/usr/bin/ovs-vsctl", line 493, in main
function(*args)
File "/usr/bin/ovs-vsctl", line 345, in cmd_add_br
cfg_save(cfg, VSWITCHD_CONF)
File "/usr/bin/ovs-vsctl", line 142, in cfg_save
cfg_reload()
File "/usr/bin/ovs-vsctl", line 126, in cfg_reload
f = open(target, "r+")
IOError: [Errno 6] No such device or address: ' '
# ls -l /var/run/ovs-vswitchd.4173.ctl
srw------- 1 root root 0 Sep 14 12:25 /var/run/ovs-vswitchd.4173.ctl
From strace:
open("/var/run/ovs-vswitchd.4173.ctl", O_RDWR|O_LARGEFILE) = -1 ENXIO (No such device or address)
Our test automation needs to be able to validate that a VLAN bridge and
for this I needed two new operations in ovs-vsctl:
* The ability to query the VLAN tag for a bridge.
* The ability to query the 'parent' of a bridge. The parent is the
non-VLAN/untagged bridge with the same physical devices and
could be a bond.
So given xenbr0 (containing eth0) + xapi2 (VLAN 42 on eth0) and xapi1
(containing bond0 == eth2+eth3) + xapi3 (VLAN 23 on the bonded
interface):
[root@warlock ~]# ovs-vsctl br-to-vlan xapi2
42
[root@warlock ~]# ovs-vsctl br-to-vlan xapi3
23
[root@warlock ~]# ovs-vsctl br-to-parent xapi2
xenbr0
[root@warlock ~]# ovs-vsctl br-to-parent xapi3
xapi1
This was a somewhat difficult merge since there was a fair amount of
superficially divergent development on the two branches, especially in the
datapath.
This has been build-tested against XenServer 5.5.0 and XenServer 5.7.0
build 15122. It has been booted and connected to XenCenter on 5.5.0.
The merge revealed a couple of outstanding bugs, which will be fixed on
citrix and then merged back into master.
When ovs-pki is used for CA cert generation, it generates certificates
that are identical except for the public key. If multiple controllers are
their own certificate authorities, the switch will receive multiple CA
certs that are identical other than their key. Unfortunately, OpenSSL
cannot distinguish between them. This is an excerpt of the
SSL_CTX_load_verify_locations function used by vconn-ssl:
Certificate matching is done based on the subject name, the key
identifier (if present), and the serial number as taken from the
certificate to be verified. If these data do not match, the next
certificate will be tried. If a first certificate matching the
parameters is found, the verification process will be performed; no
other certificates for the same parameters will be searched in case of
failure.
To work around this, we add a bit of uniqueness to each certificate. In
this commit, we add the generation time to the subject name. Please note
that the CN field is limited to 64 bytes, so a bit of name compression
needed to take place in order to fit the time.
Bug #1782
When ovs-pki is used for CA cert generation, it generates certificates
that are identical except for the public key. If multiple controllers are
their own certificate authorities, the switch will receive multiple CA
certs that are identical other than their key. Unfortunately, OpenSSL
cannot distinguish between them. This is an excerpt of the
SSL_CTX_load_verify_locations function used by vconn-ssl:
Certificate matching is done based on the subject name, the key
identifier (if present), and the serial number as taken from the
certificate to be verified. If these data do not match, the next
certificate will be tried. If a first certificate matching the
parameters is found, the verification process will be performed; no
other certificates for the same parameters will be searched in case of
failure.
To work around this, we add a bit of uniqueness to each certificate. In
this commit, we add the generation time to the subject name. Please note
that the CN field is limited to 64 bytes, so a bit of name compression
needed to take place in order to fit the time.
Bug #1782
The daemon library provides a few short options, but these then take
away their availability from programs that wish to use the library.
Since the daemon options are generally going to be called from a script
(which doesn't care how much typing is involved), we'll only provide
long options.
A previous checkin added the cfg_init() function, so we now call it. We
also check the return value of the initial call to cfg_read(), since if
it fails, there's not much point in continuing.
This new abstraction layer allows multiple implementations of network
devices in a single running process. This will be useful, for example, to
support network devices that are simulated entirely in the running process
or that communicate with other processes over Unix domain sockets, etc.
The reimplemented tap device support in this commit has not been tested.
Until now, setting a netflow collector to a DNS name would cause
secchan to attempt to resolve that DNS name each time that the set of
netflow collectors is re-set. For the vswitch, this is every time that
the vswitch reconfigures itself.
Unfortunately, DNS lookup within secchan cannot work as currently
implemented, because it needs both an asynchronous DNS resolver library
and in-band control updates. Currently we have neither. Attempting to
look up DNS anyway just hangs.
This commit disables DNS lookup entirely, and updates the documentation to
change user expectations. DNS still won't work, but at least it won't
hang.
Bug #1609.
OpenFlow 0.9 will change the interpretation of a max_len of 0 in an
OFPP_CONTROLLER output action from "send entire packet" to "send 0 bytes
of packet", but ovs-ofctl documents that specifying no argument or "ALL"
as the argument to a CONTROLLER output action sends the whole packet, so
we need to make that happen.
Soon we will allow for multiple datapath implementations. By allowing
the datapath to choose the port numbers, we possibly simplify some datapath
implementations, and the datapath's clients don't have to guess (or to
check) what port numbers are free, so this seems like a better way to go.
This function is easier for callers to use if they do not have to guess
how many ports are in the group. Since it's not performance critical at
all, introduce these easier semantics.
dpif_id() is often used in error messages, e.g. "dp%u: screwed up". But
soon we will be generalizing the concept of a datapath, so it is better
to have a function that returns a full name, e.g. "%s: screwed up".
Accordingly, this commit replaces dpif_id() by a new function dpif_name()
that does so.
With multiple kinds of datapaths, code should not just use
"dp%u" along with dpif_minor() to print a datapath name, because not all
datapaths can sensibly be named that way. We want to use a function
with a name like dpif_get_name() to retrieve a datapath name for printing
to the user, in which case the existing dpif_get_name() function would be
confusing. So rename the existing one to something more explicit.
The TCP and SSL vconn implementations had a lot of common code to make
and accept TCP connections, which this commit factors out into common
functions in socket-util.c.
Also adds the ability to bind ptcp and pssl vconns to a particular IP
address instead of the wildcard address.
The controller discovery code has always had the capability to whitelist
only certain types of controller locations. Until now, we have only taken
advantage of this when SSL is enabled (so that all OpenFlow connections are
authenticated with SSL if SSL is configured).
However, it occurs to me that making the section of connections entirely
unrestricted is too permissive. An attacker could make the vswitch connect
to an arbitrary Unix domain socket, for example. I don't have a
description of how this is an exploitable security vulnerability, but it
seems entirely too lax.
So: this commit changes the default to allowing only TCP connections to
controller in the non-SSL case.
The glibc 2.7 headers contain a bug that causes strtok_r() to segfault
in some circumstances. Until now, we have been working around this
problem at each invocation, but this depends on the programmer to remember
to do so each time.
This commit instead adds a shim that adds a work-around to the string.h
header itself, so that it is much more difficult to miss the workaround.
