diff -Nru ovn-20.12.0/debian/changelog ovn-20.12.0/debian/changelog --- ovn-20.12.0/debian/changelog 2021-03-09 13:28:55.000000000 +0000 +++ ovn-20.12.0/debian/changelog 2021-10-06 06:26:47.000000000 +0000 @@ -1,8 +1,28 @@ -ovn (20.12.0-0ubuntu2~cloud0) focal-wallaby; urgency=medium +ovn (20.12.0-0ubuntu3~cloud0) focal-wallaby; urgency=medium - * New upstream release for the Ubuntu Cloud Archive. + * New update for the Ubuntu Cloud Archive. - -- Openstack Ubuntu Testing Bot Tue, 09 Mar 2021 13:28:55 +0000 + -- Openstack Ubuntu Testing Bot Wed, 06 Oct 2021 06:26:47 +0000 + +ovn (20.12.0-0ubuntu3) hirsute; urgency=medium + + * Add RBAC rules for IGMP_Group table (LP: #1914988): + - d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch + - d/p/lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch + - d/p/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch + - d/p/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch + - d/p/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch + - d/p/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch + - d/p/lp-1914988-tests-Make-certificate-generation-extendable.patch + - d/p/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch + * d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch: + Do not forward traffic from localport to localnet ports (LP: #1943266). + * d/p/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch + Update RBAC rules for Chassis_Private table (LP: #1913024). + * d/p/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch + Update RBAC rules for Port_Binding table (LP: #1917475). + + -- Frode Nordahl Fri, 01 Oct 2021 09:42:00 +0200 ovn (20.12.0-0ubuntu2) hirsute; urgency=medium diff -Nru ovn-20.12.0/debian/gbp.conf ovn-20.12.0/debian/gbp.conf --- ovn-20.12.0/debian/gbp.conf 2021-01-04 16:55:16.000000000 +0000 +++ ovn-20.12.0/debian/gbp.conf 2021-10-01 07:42:00.000000000 +0000 
@@ -1,3 +1,3 @@
 [DEFAULT]
-debian-branch = master
+debian-branch = ubuntu/hirsute
 pristine-tar = True
diff -Nru ovn-20.12.0/debian/patches/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch ovn-20.12.0/debian/patches/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
--- ovn-20.12.0/debian/patches/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,42 @@
+Origin: upstream, https://github.com/ovn-org/ovn/commit/f653d627100c91fb169009de44add746beb23769
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1913024
+Last-Update: 2021-09-23
+
+From f653d627100c91fb169009de44add746beb23769 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Mon, 25 Jan 2021 21:34:04 +0100
+Subject: [PATCH] northd: Add Chassis_Private "external_ids" column to RBAC
+
+After introduction of the Chassis_Private table in OVN 20.09, CMS'es do
+expect data plane components that may be subject to the
+`ovn-controller` RBAC role to be able to write to the external_ids
+column. An example being the OpenStack metadata agent [0].
+
+[0]: https://github.com/openstack/neutron/blob/master/neutron/agent/ovn/metadata/agent.py#L175-L191
+Reported-at: https://bugs.launchpad.net/bugs/1913024
+Fixes: 4adc10f58127 ("Avoid nb_cfg update notification flooding")
+Signed-off-by: Frode Nordahl
+Acked-by: Dumitru Ceara
+Signed-off-by: Numan Siddique
+
+(cherry-picked from master commit a798e2cfb6dd97c1603b7b758464afb8b897c9ed)
+---
+ northd/ovn-northd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index 7ead3f6b8..89f7dc362 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -12729,7 +12729,7 @@ static const char *rbac_chassis_update[] =
+ static const char *rbac_chassis_private_auth[] =
+ {"name"};
+ static const char *rbac_chassis_private_update[] =
+- {"nb_cfg", "nb_cfg_timestamp", "chassis"};
++ {"nb_cfg", "nb_cfg_timestamp", "chassis", "external_ids"};
+ 
+ static const char *rbac_encap_auth[] =
+ {"chassis_name"};
+--
+2.32.0
+
diff -Nru ovn-20.12.0/debian/patches/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch ovn-20.12.0/debian/patches/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
--- ovn-20.12.0/debian/patches/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch 1970-01-01 00:00:00.000000000 +0000
+++
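Review bot: The new `external_ids` entry in `rbac_chassis_private_update` widens what the `ovn-controller` role may write, but unlike the IGMP_Group patch in this same series, which lists every writable column in the RBAC section of ovn-architecture.7.xml, this hunk carries no documentation change; if that document enumerates Chassis_Private's writable columns it should now name `external_ids` as well. Because `rbac_chassis_private_auth` stays `{"name"}` (the context line), a client can only touch the row whose `name` matches its certificate CN, so the widening is per-chassis; the caveat for CMS consumers such as the metadata agent cited in the commit message is that `Chassis_Private.external_ids` is now chassis-written, free-form data and must be validated rather than trusted as CMS-authored. A one-line comment at the array would record that: `/* external_ids is writable by the chassis itself (auth = name); treat its contents as chassis-supplied. */`. The `rbac_perm_cfg` table that consumes these arrays is outside the hunk.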
ovn-20.12.0/debian/patches/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch 2021-10-01 07:42:00.000000000 +0000 
@@ -0,0 +1,100 @@ +Origin: upstream, https://github.com/ovn-org/ovn/commit/6aab727db39dcdcfd859aa617e0d9f1ab0bcac98 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 +Last-Update: 2021-09-23 + +From 6aab727db39dcdcfd859aa617e0d9f1ab0bcac98 Mon Sep 17 00:00:00 2001 +From: Pedro Guimaraes +Date: Sun, 7 Feb 2021 16:07:08 +0100 +Subject: [PATCH] Add IGMP_Group to ovn-controller RBAC + +If RBAC and IGMP snooping are enabled, ovn-controllers need to +be able to register new entries to table IGMP_Group as requests +are detected. + +For that, ovn-controllers need to have read/write access to +IGMP_Group table. + +Signed-off-by: Pedro Guimaraes +Reported-at: https://github.com/ovn-org/ovn/issues/77 +Acked-by: Frode Nordahl +Signed-off-by: Numan Siddique + +(cherry-picked from master commit e92d8cb838d407aac7d44c9d27f862df42fbb8d2) +--- + AUTHORS.rst | 1 + + northd/ovn-northd.c | 12 ++++++++++++ + ovn-architecture.7.xml | 16 ++++++++++++++++ + 3 files changed, 29 insertions(+) + +diff --git a/AUTHORS.rst b/AUTHORS.rst +index 5d926c11f..ba0a4eb1e 100644 +--- a/AUTHORS.rst ++++ b/AUTHORS.rst +@@ -290,6 +290,7 @@ Paul Fazzone pfazzone@vmware.com + Paul Ingram + Paul-Emmanuel Raoul skyper@skyplabs.net + Pavithra Ramesh paramesh@vmware.com ++Pedro Guimaraes pedro.guimaraes@canonical.com + Peter Downs padowns@gmail.com + Philippe Jung phil.jung@free.fr + Pim van den Berg pim@nethuis.nl +diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c +index 89f7dc362..cb6bbb74d 100644 +--- a/northd/ovn-northd.c ++++ b/northd/ovn-northd.c +@@ -12750,6 +12750,10 @@ static const char *rbac_svc_monitor_auth[] = + {""}; + static const char *rbac_svc_monitor_auth_update[] = + {"status"}; ++static const char *rbac_igmp_group_auth[] = ++ {""}; ++static const char *rbac_igmp_group_update[] = ++ {"address", "chassis", "datapath", "ports"}; + + static struct rbac_perm_cfg { + const char *table; +@@ -12808,6 +12812,14 @@ static struct rbac_perm_cfg { + .update = 
rbac_svc_monitor_auth_update, + .n_update = ARRAY_SIZE(rbac_svc_monitor_auth_update), + .row = NULL ++ },{ ++ .table = "IGMP_Group", ++ .auth = rbac_igmp_group_auth, ++ .n_auth = ARRAY_SIZE(rbac_igmp_group_auth), ++ .insdel = true, ++ .update = rbac_igmp_group_update, ++ .n_update = ARRAY_SIZE(rbac_igmp_group_update), ++ .row = NULL + },{ + .table = NULL, + .auth = NULL, +diff --git a/ovn-architecture.7.xml b/ovn-architecture.7.xml +index d00af36b4..e5b70ca20 100644 +--- a/ovn-architecture.7.xml ++++ b/ovn-architecture.7.xml +@@ -2597,6 +2597,22 @@ + modified by ovn-controller. +

+ ++ ++
IGMP_Group
++
++

++ Authorization: disabled (all clients are considered ++ to be authorized). ++

++

++ Insert/Delete: row insertion/deletion are permitted. ++

++

++ Update: The columns address, ++ chassis, datapath, and ++ ports may be modified by ovn-controller. ++

++
+ + +

+-- +2.32.0 + diff -Nru ovn-20.12.0/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch ovn-20.12.0/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch --- ovn-20.12.0/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch 1970-01-01 00:00:00.000000000 +0000 +++ ovn-20.12.0/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch 2021-10-01 07:42:00.000000000 +0000 
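Review bot: Any client holding the `ovn-controller` role can create, rewrite or delete IGMP_Group rows that belong to other chassis, including re-pointing a row's `chassis` reference, because `rbac_igmp_group_auth` is `{""}` (the documentation hunk correctly calls this "Authorization: disabled") while `insdel = true` and `chassis` is in `rbac_igmp_group_update`. This is the same trust model the Port_Binding entry already uses (its auth is also `{""}`, visible as context in the FDB patch of this series), so it is not a regression, but it should be said in the new ovn-architecture.7.xml block rather than left implicit; I would extend the Authorization paragraph with a sentence such as "As with Port_Binding, a compromised chassis can modify IGMP_Group rows owned by any other chassis, so multicast group membership recorded here is only as trustworthy as the least trustworthy chassis." Whether the `chassis` reference could be expressed as an authorization column for a row-level check is not something the hunk lets me confirm. The `rbac_perm_cfg` initializer the entry is spliced into starts outside the hunk.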
@@ -0,0 +1,55 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/51f2629cda614d0712ca13f4b51e30c9c2290bc1
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From fa05fdfea81486b6d2faa8c542150e807e2feba9 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Fri, 5 Mar 2021 13:16:26 +0100
+Subject: [PATCH 06/10] northd: Add Controller_Event RBAC rules
+
+The use of the Controller_Event table does currently not work
+when RBAC is enabled.
+
+Fixes: be1eeb09d ("OVN: introduce Controller_Event table")
+Signed-off-by: Frode Nordahl
+Signed-off-by: Numan Siddique
+(cherry picked from commit 51f2629cda614d0712ca13f4b51e30c9c2290bc1)
+---
+ northd/ovn-northd.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index d78c065ce..6b4584f73 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -12687,6 +12687,12 @@ static const char *rbac_encap_auth[] =
+ static const char *rbac_encap_update[] =
+ {"type", "options", "ip"};
+ 
++static const char *rbac_controller_event_auth[] =
++ {""};
++static const char *rbac_controller_event_update[] =
++ {"chassis", "event_info", "event_type", "seq_num"};
++
++
+ static const char *rbac_fdb_auth[] =
+ {""};
+ static const char *rbac_fdb_update[] =
+@@ -12736,6 +12742,14 @@ static struct rbac_perm_cfg {
+ .update = rbac_chassis_private_update,
+ .n_update = ARRAY_SIZE(rbac_chassis_private_update),
+ .row = NULL
++ },{
++ .table = "Controller_Event",
++ .auth = rbac_controller_event_auth,
++ .n_auth = ARRAY_SIZE(rbac_controller_event_auth),
++ .insdel = true,
++ .update = rbac_controller_event_update,
++ .n_update = ARRAY_SIZE(rbac_controller_event_update),
++ .row = NULL
+ },{
+ .table = "Encap",
+ .auth = rbac_encap_auth,
+--
+2.32.0
+
diff -Nru ovn-20.12.0/debian/patches/lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch
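Review bot: The two consecutive blank lines added after `rbac_controller_event_update` (the pair of empty `+` lines before `static const char *rbac_fdb_auth[]`) break the single-blank-line spacing every neighbouring definition uses; drop one of them. More substantively, with `rbac_controller_event_auth` set to `{""}` and `insdel = true`, any holder of the `ovn-controller` role may insert Controller_Event rows and set `chassis`, `event_type` and `event_info` freely, so a row's `chassis` reference is an assertion by the writer rather than proof of origin, and whatever consumes these events on the CMS side should not base authorization on it. A comment at the array would make that explicit: `/* No row-level auth: any chassis may raise events attributed to any chassis. */`. The `rbac_perm_cfg` initializer this entry is spliced into starts before the hunk.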
ovn-20.12.0/debian/patches/lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch --- ovn-20.12.0/debian/patches/lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch 1970-01-01 00:00:00.000000000 +0000 +++ ovn-20.12.0/debian/patches/lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch 2021-10-01 07:42:00.000000000 +0000 
@@ -0,0 +1,55 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/a6008b68bb70e99a9191eb9c6c98532816fa4307
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+o
+From fcae229fab5dce42ad216aef872675c03b60fc5e Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Fri, 5 Mar 2021 13:16:24 +0100
+Subject: [PATCH 04/10] northd: Add missing RBAC rules for FDB table
+
+The recently added FDB table did not get its RBAC rules which
+would prohibit a `ovn-controller` from updating it with RBAC
+enabled.
+
+Fixes: 6ec3b1259 ("MAC learning: Add a new FDB table in southbound db")
+Signed-off-by: Frode Nordahl
+Signed-off-by: Numan Siddique
+(cherry picked from commit a6008b68bb70e99a9191eb9c6c98532816fa4307)
+---
+ northd/ovn-northd.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index 718ed831a..42c1aa677 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -12687,6 +12687,11 @@ static const char *rbac_encap_auth[] =
+ static const char *rbac_encap_update[] =
+ {"type", "options", "ip"};
+ 
++static const char *rbac_fdb_auth[] =
++ {""};
++static const char *rbac_fdb_update[] =
++ {"dp_key", "mac", "port_key"};
++
+ static const char *rbac_port_binding_auth[] =
+ {""};
+ static const char *rbac_port_binding_update[] =
+@@ -12739,6 +12744,14 @@ static struct rbac_perm_cfg {
+ .update = rbac_encap_update,
+ .n_update = ARRAY_SIZE(rbac_encap_update),
+ .row = NULL
++ },{
++ .table = "FDB",
++ .auth = rbac_fdb_auth,
++ .n_auth = ARRAY_SIZE(rbac_fdb_auth),
++ .insdel = true,
++ .update = rbac_fdb_update,
++ .n_update = ARRAY_SIZE(rbac_fdb_update),
++ .row = NULL
+ },{
+ .table = "Port_Binding",
+ .auth = rbac_port_binding_auth,
+--
+2.32.0
+
diff -Nru ovn-20.12.0/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch ovn-20.12.0/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
---
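Review bot: The DEP-3 header of this patch file has a stray `o` on the line that should be the empty separator between `Last-Update: 2021-10-01` and the `From fcae229f...` line; every other patch in the series has a blank line there, and a bare `o` is neither a valid header field nor a separator, so replace `+o` with an empty `+` line before quilt or gbp-pq trips over it. On the code, `rbac_fdb_auth` is `{""}` with `insdel = true` and `dp_key`/`port_key` writable, so one compromised chassis can insert or rewrite learned-MAC entries for any datapath and port, not only its own; this mirrors the Port_Binding entry below it, but since the FDB feeds forwarding decisions it deserves a comment at the array, `/* No row-level auth: learned MACs are cluster-wide, chassis-supplied data. */`. The `rbac_perm_cfg` initializer starts outside the hunk.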
ovn-20.12.0/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,36 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/b865e502293b8504812b062321be442805f46d4a
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From 0b44305ea11f5ecf3a5ba43de5f62fd1dcc3f912 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Fri, 5 Mar 2021 13:16:25 +0100
+Subject: [PATCH 4/8] northd: Amend Chassis RBAC rules
+
+The Transport Zones support does currently not work when RBAC is
+enabled.
+
+Fixes: 07d0d258d ("OVN: Add support for Transport Zones")
+Signed-off-by: Frode Nordahl
+Signed-off-by: Numan Siddique
+(cherry picked from commit b865e502293b8504812b062321be442805f46d4a)
+---
+ northd/ovn-northd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index 718ed831a..ad84c52be 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -12675,7 +12675,7 @@ static const char *rbac_chassis_auth[] =
+ {"name"};
+ static const char *rbac_chassis_update[] =
+ {"nb_cfg", "external_ids", "encaps", "vtep_logical_switches",
+- "other_config"};
++ "other_config", "transport_zones"};
+ 
+ static const char *rbac_chassis_private_auth[] =
+ {"name"};
+--
+2.32.0
+
diff -Nru ovn-20.12.0/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch ovn-20.12.0/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
--- ovn-20.12.0/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch 2021-10-01 07:42:00.000000000 +0000
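Review bot: Adding `transport_zones` to `rbac_chassis_update` makes transport-zone membership a self-asserted attribute: Chassis authorization stays keyed on `name` (the `rbac_chassis_auth` context line), so a chassis can only edit its own row, but nothing in the rule limits which zones it may claim, so zone separation cannot be treated as a boundary against a compromised hypervisor once this lands. That is presumably inherent in how `ovn-controller` populates the column, and the fix is required for the feature to work under RBAC at all, but the limitation should be recorded; I would add `/* transport_zones is self-declared by the chassis; not an isolation boundary. */` beside the array and, if the RBAC section of ovn-architecture.7.xml enumerates Chassis' writable columns (the IGMP_Group patch in this series updates that document), list the new column there too. The rest of the Chassis rule set is outside the hunk.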
@@ -0,0 +1,47 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/a6008b68bb70e99a9191eb9c6c98532816fa4307
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From d6e9c4f2b74ead49b65a4aedb464a87631d9d329 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Fri, 5 Mar 2021 13:16:28 +0100
+Subject: [PATCH 5/8] tests: Amend release stale port binding test for RBAC
+
+The current version of the test attempts to simulate chassis
+registration prior to starting `ovn-controller`, however it does
+not set the `hostname` field.
+
+The RBAC role for `ovn-controller` does not allow for a chassis to
+change its own name or hostname, which makes sense as this is used
+for authentication.
+
+Update the test to set the `hostname` field when simulating chassis
+registration so that `ovn-controller` does not attempt to update it
+and subsequently make the test fail.
+
+Fixes b6b3823d4 ("ovn-controller: Fix I-P for SB Port_Binding and OVS Interface")
+
+Signed-off-by: Frode Nordahl
+Acked-by: Mark Michelson
+Signed-off-by: Numan Siddique
+(cherry picked from commit b92823f0e94e760c3e4b60ef132b513c3411ed2d)
+---
+ tests/ovn.at | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/ovn.at b/tests/ovn.at
+index 2e0bc9c53..aae4c06be 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -20871,7 +20871,7 @@ ovn-nbctl --wait=sb lsp-add ls1 lsp1
+ 
+ # Simulate the fact that lsp1 had been previously bound on hv1.
+ ovn-sbctl --id=@e create encap chassis_name=hv1 ip="192.168.0.1" type="geneve" \
+- -- --id=@c create chassis name=hv1 encaps=@e \
++ -- --id=@c create chassis hostname=hv1 name=hv1 encaps=@e \
+ -- set Port_Binding lsp1 chassis=@c
+ 
+ as hv1
+--
+2.32.0
+
diff -Nru ovn-20.12.0/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch ovn-20.12.0/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch
--- ovn-20.12.0/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch 2021-10-01 07:42:00.000000000 +0000
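Review bot: The `Origin:` header of this patch file points at commit `a6008b68bb70e99a9191eb9c6c98532816fa4307`, which is the FDB RBAC commit used by the sibling patch, while the body's own trailer says `(cherry picked from commit b92823f0e94e760c3e4b60ef132b513c3411ed2d)`; the DEP-3 header should name the commit actually backported, `Origin: backport, https://github.com/ovn-org/ovn/commit/b92823f0e94e760c3e4b60ef132b513c3411ed2d`. The test change itself, adding `hostname=hv1` to the simulated chassis row, is consistent with the controller role being unable to rewrite `name`/`hostname`. Minor: the `Fixes b6b3823d4` trailer is missing its colon, which trailer-parsing tools key on.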
@@ -0,0 +1,213 @@ +Origin: backport, https://github.com/ovn-org/ovn/commit/2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 +Last-Update: 2021-10-01 + +From b05ce42d1a6c4ca468b6a5fd1a16a0f6a5867663 Mon Sep 17 00:00:00 2001 +From: Frode Nordahl +Date: Fri, 5 Mar 2021 13:16:30 +0100 +Subject: [PATCH 2/3] tests: Make certificate generation extendable + +In preparation for enabling testing with SSL and RBAC enabled by +default, rework the certificate generation so that we can easily +add generation of more certificates/CN on demand. + +A side erffect of the change is a more generic naming scheme for +the certificate files so the patch also contains an update to +existing tests so that they use the new filenames. + +Signed-off-by: Frode Nordahl +Acked-by: Mark Michelson +Signed-off-by: Numan Siddique +(cherry picked from commit 2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7) +--- + tests/automake.mk | 48 ++++++++++++++++++++++------------------------- + tests/ovn.at | 48 +++++++++++++++++++++++------------------------ + 2 files changed, 46 insertions(+), 50 deletions(-) + +diff --git a/tests/automake.mk b/tests/automake.mk +index 9740f085a..6eabb97e6 100644 +--- a/tests/automake.mk ++++ b/tests/automake.mk +@@ -215,39 +215,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage + FLAKE8_PYFILES += $(CHECK_PYFILES) + + if HAVE_OPENSSL +-TESTPKI_FILES = \ +- tests/testpki-cacert.pem \ +- tests/testpki-cert.pem \ +- tests/testpki-privkey.pem \ +- tests/testpki-req.pem \ +- tests/testpki-cert2.pem \ +- tests/testpki-privkey2.pem \ +- tests/testpki-req2.pem ++OVS_PKI_DIR = $(CURDIR)/tests/pki ++TESTPKI_CNS = test test2 ++TESTPKI_FILES = $(shell \ ++ for cn in $(TESTPKI_CNS); do \ ++ echo tests/testpki-$$cn-cert.pem ; \ ++ echo tests/testpki-$$cn-privkey.pem ; \ ++ echo tests/testpki-$$cn-req.pem ; \ ++ done) ++ ++tests/testpki-cacert.pem: tests/pki/stamp ++ $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem 
$@ ++ ++$(TESTPKI_FILES): tests/pki/stamp ++ $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@ ++ ++check_DATA += tests/testpki-cacert.pem + check_DATA += $(TESTPKI_FILES) ++CLEANFILES += tests/testpki-cacert.pem + CLEANFILES += $(TESTPKI_FILES) + +-tests/testpki-cacert.pem: tests/pki/stamp +- $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@ +-tests/testpki-cert.pem: tests/pki/stamp +- $(AM_V_GEN)cp tests/pki/test-cert.pem $@ +-tests/testpki-req.pem: tests/pki/stamp +- $(AM_V_GEN)cp tests/pki/test-req.pem $@ +-tests/testpki-privkey.pem: tests/pki/stamp +- $(AM_V_GEN)cp tests/pki/test-privkey.pem $@ +-tests/testpki-cert2.pem: tests/pki/stamp +- $(AM_V_GEN)cp tests/pki/test2-cert.pem $@ +-tests/testpki-req2.pem: tests/pki/stamp +- $(AM_V_GEN)cp tests/pki/test2-req.pem $@ +-tests/testpki-privkey2.pem: tests/pki/stamp +- $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@ +- +-OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log ++ ++OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log + tests/pki/stamp: + $(AM_V_at)rm -f tests/pki/stamp + $(AM_V_at)rm -rf tests/pki + $(AM_V_GEN)$(OVS_PKI) init && \ +- $(OVS_PKI) req+sign tests/pki/test && \ +- $(OVS_PKI) req+sign tests/pki/test2 && \ ++ for cn in $(TESTPKI_CNS); do \ ++ $(OVS_PKI) req+sign tests/pki/$$cn; \ ++ done && \ + : > tests/pki/stamp + CLEANFILES += tests/ovs-pki.log + +diff --git a/tests/ovn.at b/tests/ovn.at +index 4d9ee1256..6de5a6d3f 100644 +--- a/tests/ovn.at ++++ b/tests/ovn.at +@@ -7701,8 +7701,8 @@ AT_CHECK( + + start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ + --remote=db:OVN_Southbound,SB_Global,connections \ +- --private-key="$PKIDIR/testpki-privkey2.pem" \ +- --certificate="$PKIDIR/testpki-cert2.pem" \ ++ --private-key="$PKIDIR/testpki-test2-privkey.pem" \ ++ --certificate="$PKIDIR/testpki-test2-cert.pem" \ + --ca-cert="$PKIDIR/testpki-cacert.pem" \ + ovn-sb.db + +@@ -7710,20 +7710,20 @@ 
PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) + + # read-only accesses should succeed + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ +- --private-key=$PKIDIR/testpki-privkey.pem \ +- --certificate=$PKIDIR/testpki-cert.pem \ ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ ++ --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + list SB_Global], [0], [stdout], [ignore]) + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ +- --private-key=$PKIDIR/testpki-privkey.pem \ +- --certificate=$PKIDIR/testpki-cert.pem \ ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ ++ --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + list Connection], [0], [stdout], [ignore]) + + # write access should fail + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ +- --private-key=$PKIDIR/testpki-privkey.pem \ +- --certificate=$PKIDIR/testpki-cert.pem \ ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ ++ --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + chassis-add ch vxlan 1.2.4.8], [1], [ignore], + [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} +@@ -7751,8 +7751,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ + + # Populate SSL configuration entries in nb db + AT_CHECK( +- [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \ +- $PKIDIR/testpki-cert.pem \ ++ [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ ++ $PKIDIR/testpki-test-cert.pem \ + $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) + + # Populate a passive SSL connection in nb db +@@ -7762,20 +7762,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) + + # Verify SSL connetivity to nb db server + AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ +- --private-key=$PKIDIR/testpki-privkey.pem \ +- --certificate=$PKIDIR/testpki-cert.pem \ ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ 
++ --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + list NB_Global], + [0], [stdout], [ignore]) + AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ +- --private-key=$PKIDIR/testpki-privkey.pem \ +- --certificate=$PKIDIR/testpki-cert.pem \ ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ ++ --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + list Connection], + [0], [stdout], [ignore]) + AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ +- --private-key=$PKIDIR/testpki-privkey.pem \ +- --certificate=$PKIDIR/testpki-cert.pem \ ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ ++ --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + get-connection], + [0], [stdout], [ignore]) +@@ -7802,8 +7802,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ + + # Populate SSL configuration entries in sb db + AT_CHECK( +- [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \ +- $PKIDIR/testpki-cert.pem \ ++ [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ ++ $PKIDIR/testpki-test-cert.pem \ + $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) + + # Populate a passive SSL connection in sb db +@@ -7813,20 +7813,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) + + # Verify SSL connetivity to sb db server + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ +- --private-key=$PKIDIR/testpki-privkey.pem \ +- --certificate=$PKIDIR/testpki-cert.pem \ ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ ++ --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + list SB_Global], + [0], [stdout], [ignore]) + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ +- --private-key=$PKIDIR/testpki-privkey.pem \ +- --certificate=$PKIDIR/testpki-cert.pem \ ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ ++ --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + list Connection], + [0], [stdout], 
[ignore]) + AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ +- --private-key=$PKIDIR/testpki-privkey.pem \ +- --certificate=$PKIDIR/testpki-cert.pem \ ++ --private-key=$PKIDIR/testpki-test-privkey.pem \ ++ --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + get-connection], + [0], [stdout], [ignore]) +-- +2.32.0 + diff -Nru ovn-20.12.0/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch ovn-20.12.0/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch --- ovn-20.12.0/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch 1970-01-01 00:00:00.000000000 +0000 +++ ovn-20.12.0/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch 2021-10-01 07:42:00.000000000 +0000 
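Review bot: The rewritten `tests/pki/stamp` recipe loses the failure propagation the explicit `&&` chain had: `for cn in $(TESTPKI_CNS); do $(OVS_PKI) req+sign tests/pki/$$cn; done` exits with the status of the last iteration only, so a failed `req+sign` for `test` followed by a successful one for `test2` still reaches `: > tests/pki/stamp` and leaves a stamp over a missing certificate, and the breakage surfaces later as a confusing `cp` error in the `$(TESTPKI_FILES)` rule. Make each iteration fatal: `$(OVS_PKI) req+sign tests/pki/$$cn || exit 1; \`. The same loop shape is carried into the next patch of this series, which should get the same treatment. The `HAVE_OPENSSL` conditional this sits in ends outside the hunk.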
@@ -0,0 +1,153 @@ +Origin: backport, https://github.com/ovn-org/ovn/commit/c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 +Last-Update: 2021-10-01 + +From ef220e364c01af319eb378a7b6b508cc1a49266a Mon Sep 17 00:00:00 2001 +From: Frode Nordahl +Date: Fri, 5 Mar 2021 13:16:31 +0100 +Subject: [PATCH] tests: Test with SSL and RBAC for controller by default + +To help ourself to not forget updating RBAC rules when we land +changes to existing functionality and new features we must enable +SSL+RBAC on the `ovn-controller` <-> SB DB connection for builds +with OpenSSL enabled. + +Signed-off-by: Frode Nordahl +Acked-by: Mark Michelson +Signed-off-by: Numan Siddique +(cherry picked from commit c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4) +--- + tests/automake.mk | 9 +++++++-- + tests/ofproto-macros.at | 12 ++++++++++++ + tests/ovn-macros.at | 38 ++++++++++++++++++++++++++++++++++++-- + 3 files changed, 55 insertions(+), 4 deletions(-) + +diff --git a/tests/automake.mk b/tests/automake.mk +index 7fab972ab..785a6e5a6 100644 +--- a/tests/automake.mk ++++ b/tests/automake.mk +@@ -220,7 +220,10 @@ FLAKE8_PYFILES += $(CHECK_PYFILES) + + if HAVE_OPENSSL + OVS_PKI_DIR = $(CURDIR)/tests/pki +-TESTPKI_CNS = test test2 ++# NOTE: Certificate generation has to be done serially, and each one adds a few ++# seconds to the test run. Please try to re-use one of the many CNs already ++# used in the existing tests. 
++TESTPKI_CNS = test test2 main hv hv-foo hv1 hv2 hv3 hv4 hv5 hv6 hv7 hv8 hv9 hv10 hv-1 hv-2 hv-10-1 hv-10-2 hv-20-1 hv-20-2 vtep hv_gw pbr-hv gw1 gw2 gw3 gw4 gw5 ext1 + TESTPKI_FILES = $(shell \ + for cn in $(TESTPKI_CNS); do \ + echo tests/testpki-$$cn-cert.pem ; \ +@@ -245,9 +248,11 @@ tests/pki/stamp: + $(AM_V_at)rm -f tests/pki/stamp + $(AM_V_at)rm -rf tests/pki + $(AM_V_GEN)$(OVS_PKI) init && \ ++ cd tests/pki && \ + for cn in $(TESTPKI_CNS); do \ +- $(OVS_PKI) req+sign tests/pki/$$cn; \ ++ $(OVS_PKI) -u req+sign $$cn; \ + done && \ ++ cd ../../ && \ + : > tests/pki/stamp + CLEANFILES += tests/ovs-pki.log + +diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at +index dd5d3848d..9e8c4f051 100644 +--- a/tests/ofproto-macros.at ++++ b/tests/ofproto-macros.at +@@ -101,6 +101,7 @@ start_daemon () { + # + # sim_add hv0 + # as hv0 ovs-vsctl add-br br0 ++PKIDIR="$(cd $abs_top_builddir/tests && pwd)" + sims= + sim_add () { + echo "adding simulator '$1'" +@@ -123,6 +124,17 @@ sim_add () { + # Start ovs-vswitchd + as $1 start_daemon ovs-vswitchd --enable-dummy=system -vvconn -vofproto_dpif -vunixctl + as $1 ovs-appctl vlog/disable-rate-limit vconn ++ if test X$HAVE_OPENSSL = Xyes; then ++ if test -f $PKIDIR/testpki-$1-privkey.pem; then ++ as $1 ovs-vsctl set-ssl \ ++ $PKIDIR/testpki-$1-privkey.pem \ ++ $PKIDIR/testpki-$1-cert.pem \ ++ $PKIDIR/testpki-cacert.pem \ ++ || return 1 ++ else ++ echo "WARNING: No certificate created for sim '$1', check TESTPKI_CNS variable in tests/automake.mk" ++ fi ++ fi + } + + # "as $1" sets the OVS_*DIR environment variables to point to $ovs_base/$1. 
+diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at +index ff71f02d0..902ff1115 100644 +--- a/tests/ovn-macros.at ++++ b/tests/ovn-macros.at +@@ -120,7 +120,18 @@ ovn_init_db () { + mkdir "$d" || return 1 + : > "$d"/.$1.db.~lock~ + as $as_d ovsdb-tool create "$d"/$1.db "$abs_top_srcdir"/$1.ovsschema +- as $as_d start_daemon ovsdb-server -vjsonrpc --remote=punix:"$d"/$1.sock "$d"/$1.db ++ ++ local remote_in_db= ++ if test X$HAVE_OPENSSL = Xyes -a X"$1" = X"ovn-sb"; then ++ remote_in_db="--remote=db:OVN_Southbound,SB_Global,connections --private-key=$PKIDIR/testpki-test-privkey.pem --certificate=$PKIDIR/testpki-test-cert.pem --ca-cert=$PKIDIR/testpki-cacert.pem" ++ fi ++ ++ as $as_d start_daemon ovsdb-server \ ++ -vjsonrpc \ ++ --remote=punix:"$d"/$1.sock \ ++ $remote_in_db \ ++ "$d"/$1.db ++ + local var=`echo $1_db | tr a-z- A-Z_` + AS_VAR_SET([$var], [unix:"$d"/$1.sock]); export $var + } +@@ -173,6 +184,24 @@ ovn_start () { + --ovnnb-db=$ovn_nb_db \ + --ovnsb-db=$ovn_sb_db + ++ if test X$HAVE_OPENSSL = Xyes; then ++ # Create the SB DB pssl+RBAC connection. Ideally we could pre-create ++ # SB_Global and Connection with ovsdb-tool transact at DB creation ++ # time, but unfortunately that does not work, northd-ddlog will replace ++ # the SB_Global record on startup. ++ ovn-sbctl \ ++ -- --id=@c create connection \ ++ target=\"pssl:0:127.0.0.1\" role=ovn-controller \ ++ -- add SB_Global . 
connections @c ++ local d=$ovs_base ++ if test -n "$1"; then ++ d=$d/$1 ++ fi ++ PARSE_LISTENING_PORT([$d/ovn-sb/ovsdb-server.log], [TCP_PORT]) ++ var="SSL_OVN_SB_DB" ++ AS_VAR_SET([$var], [ssl:127.0.0.1:$TCP_PORT]); export $var ++ fi ++ + if test -n "$1"; then + as_d=$1/ic + echo "starting ovn-ic" +@@ -237,11 +266,16 @@ ovn_az_attach() { + + local ovn_remote + if test X"$az" = XNONE; then +- ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock ++ if test X$HAVE_OPENSSL = Xyes; then ++ ovn_remote=$SSL_OVN_SB_DB ++ else ++ ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock ++ fi + else + ovn_remote=unix:$ovs_base/$az/ovn-sb/ovn-sb.sock + fi + ovs-vsctl \ ++ -- set Open_vSwitch . external-ids:hostname=$sandbox \ + -- set Open_vSwitch . external-ids:system-id=$sandbox \ + -- set Open_vSwitch . external-ids:ovn-remote=$ovn_remote \ + -- set Open_vSwitch . external-ids:ovn-encap-type=$encap \ +-- +2.32.0 + diff -Nru ovn-20.12.0/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch ovn-20.12.0/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch --- ovn-20.12.0/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch 1970-01-01 00:00:00.000000000 +0000 +++ ovn-20.12.0/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch 2021-10-01 07:42:00.000000000 +0000 
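Review bot: The `ovn-sbctl -- --id=@c create connection target=\"pssl:0:127.0.0.1\" role=ovn-controller -- add SB_Global . connections @c` call in `ovn_start` is not wrapped in any check, so if it fails the test only dies later inside `PARSE_LISTENING_PORT` with no hint that the SSL listener was never created; wrap it as `AT_CHECK([ovn-sbctl ...])` or with whatever `check` helper the suite provides (I cannot see one from here). The `tests/pki/stamp` loop also still carries the masked-failure shape of the previous patch: `$(OVS_PKI) -u req+sign $$cn;` should be `$(OVS_PKI) -u req+sign $$cn || exit 1;` so one failed certificate does not leave a stamp behind. Binding the listener to `pssl:0:127.0.0.1` is the right choice now that every simulator gets a CA-signed client certificate. `ovn_start` continues outside the hunk.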
@@ -0,0 +1,188 @@ +Origin: backport, https://github.com/ovn-org/ovn/commit/020dab90f725b548a6131c988bd52e96623d3b8f +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 +Last-Update: 2021-10-01 + +From cb1560a02e968c84ef8ea1c90f894610f88db8df Mon Sep 17 00:00:00 2001 +From: Frode Nordahl +Date: Fri, 5 Mar 2021 13:16:29 +0100 +Subject: [PATCH] tests: Use ovn_start in tests/ovn-controller.at + +The current version of the tests only initializes the SB DB and +instruments it directly. This does not work with SSL+RBAC as +northd must run to program the RBAC rules into the SB DB. + +Run tests both for C and ddlog version of northd. + +Add workaround for ovn-controller not re-reading certificates to +'ovn-controller - Chassis other_config' test. + +Signed-off-by: Frode Nordahl +Acked-by: Mark Michelson +Signed-off-by: Numan Siddique +(cherry picked from commit 020dab90f725b548a6131c988bd52e96623d3b8f) +--- + tests/ovn-controller.at | 67 +++++++++++++++++++++++++++++++++++++---- + 1 file changed, 61 insertions(+), 6 deletions(-) + +diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at +index 1b4679963..3e06032ca 100644 +--- a/tests/ovn-controller.at ++++ b/tests/ovn-controller.at +@@ -1,8 +1,9 @@ + AT_BANNER([ovn-controller]) + ++OVN_FOR_EACH_NORTHD([ + AT_SETUP([ovn-controller - ovn-bridge-mappings]) + AT_KEYWORDS([ovn]) +-ovn_init_db ovn-sb ++ovn_start + net_add n1 + sim_add hv + as hv +@@ -54,6 +55,14 @@ check_bridge_mappings () { + OVS_WAIT_UNTIL([test x"${local_mappings}" = x$(ovn-sbctl get Chassis ${sysid} other_config:ovn-bridge-mappings | sed -e 's/\"//g')]) + } + ++# NOTE: This test originally ran with only the SB-DB and no northd. For the ++# test to be successfull with SSL+RBAC we need to initially run northd to get ++# the RBAC rules programmed into the SB-DB. The test instruments the SB-DB ++# directly and we need to stop northd to avoid overwriting the instrumentation. 
++kill `cat northd/ovn-northd.pid` ++kill `cat northd-backup/ovn-northd.pid` ++kill `cat ovn-nb/ovsdb-server.pid` ++ + # Initially there should be no patch ports. + check_patches + +@@ -116,12 +125,14 @@ as ovn-sb + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + + AT_CLEANUP ++]) + + # Checks that ovn-controller populates datapath-type and iface-types + # correctly in the Chassis other_config column. ++OVN_FOR_EACH_NORTHD([ + AT_SETUP([ovn-controller - Chassis other_config]) + AT_KEYWORDS([ovn]) +-ovn_init_db ovn-sb ++ovn_start + + net_add n1 + sim_add hv +@@ -192,7 +203,21 @@ OVS_WAIT_UNTIL([ + # chassis_private records. Until that happens ovn-controller fails to + # create the records due to constraint violation on the Encap table. + sysid=${sysid}-foo +-ovs-vsctl set Open_vSwitch . external-ids:system-id="${sysid}" ++current_remote=`ovs-vsctl get Open_vSwitch . external-ids:ovn-remote` ++if test X$HAVE_OPENSSL = Xyes; then ++ # To change chassis name we need to change certificate with matching CN ++ ovs-vsctl set-ssl \ ++ $PKIDIR/testpki-${sysid}-privkey.pem \ ++ $PKIDIR/testpki-${sysid}-cert.pem \ ++ $PKIDIR/testpki-cacert.pem ++ # force reconnect which makes OVN controller read the new certificates ++ # TODO implement check for change of certificates in ovn-controller ++ # and remove this workaround. ++ ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=unix:/dev/null ++fi ++ovs-vsctl -- set Open_vSwitch . external-ids:hostname="${sysid}" \ ++ -- set Open_vSwitch . external-ids:system-id="${sysid}" \ ++ -- set Open_vSwitch . external-ids:ovn-remote="${current_remote}" + + OVS_WAIT_UNTIL([ + grep -q 'Transaction causes multiple rows in \\"Encap\\" table to have identical values (geneve and \\"192.168.0.1\\") for index on columns \\"type\\" and \\"ip\\".' 
hv/ovn-controller.log +@@ -216,12 +241,14 @@ as ovn-sb + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + + AT_CLEANUP ++]) + + # Checks that ovn-controller correctly maintains the mapping from the Encap + # table in the Southbound database to OVS in the face of changes on both sides ++OVN_FOR_EACH_NORTHD([ + AT_SETUP([ovn-controller - change Encap properties]) + AT_KEYWORDS([ovn]) +-ovn_init_db ovn-sb ++ovn_start + + net_add n1 + sim_add hv +@@ -271,11 +298,13 @@ as ovn-sb + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + + AT_CLEANUP ++]) + + # Check ovn-controller connection status to Southbound database ++OVN_FOR_EACH_NORTHD([ + AT_SETUP([ovn-controller - check sbdb connection]) + AT_KEYWORDS([ovn]) +-ovn_init_db ovn-sb ++ovn_start + + net_add n1 + sim_add hv +@@ -305,11 +334,13 @@ as ovn-sb + OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + + AT_CLEANUP ++]) + + # Checks that ovn-controller recreates its chassis record when deleted externally. ++OVN_FOR_EACH_NORTHD([ + AT_SETUP([ovn-controller - Chassis self record]) + AT_KEYWORDS([ovn]) +-ovn_init_db ovn-sb ++ovn_start + + net_add n1 + sim_add hv +@@ -360,8 +391,10 @@ OVS_WAIT_UNTIL([test x0 = x`ovn-sbctl --columns nb_cfg --bare find chassis`]) + + OVN_CLEANUP([hv]) + AT_CLEANUP ++]) + + # Test unix command: debug/delay-nb-cfg-report ++OVN_FOR_EACH_NORTHD([ + AT_SETUP([ovn-controller - debug/delay-nb-cfg-report]) + AT_KEYWORDS([ovn]) + ovn_start +@@ -393,7 +426,9 @@ AT_CHECK([ovn-nbctl --timeout=1 --wait=hv sync]) + + OVN_CLEANUP([hv]) + AT_CLEANUP ++]) + ++OVN_FOR_EACH_NORTHD([ + AT_SETUP([ovn -- nb_cfg sync to OVS]) + ovn_start + +@@ -414,3 +449,23 @@ OVS_WAIT_UNTIL([ovs-vsctl get Bridge br-int external_ids:ovn-nb-cfg], [0], [1]) + + OVN_CLEANUP([hv1]) + AT_CLEANUP ++]) ++ ++OVN_FOR_EACH_NORTHD([ ++AT_SETUP([ovn -- features]) ++AT_KEYWORDS([features]) ++ovn_start ++ ++net_add n1 ++sim_add hv1 ++ovs-vsctl add-br br-phys ++ovn_attach n1 br-phys 192.168.0.1 ++ ++# Wait for ovn-controller to register in the SB. 
++OVS_WAIT_UNTIL([ ++ test "$(ovn-sbctl get chassis hv1 other_config:port-up-notif)" = '"true"' ++]) ++ ++OVN_CLEANUP([hv1]) ++AT_CLEANUP ++]) +-- +2.32.0 diff -Nru ovn-20.12.0/debian/patches/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch ovn-20.12.0/debian/patches/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch --- ovn-20.12.0/debian/patches/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch 1970-01-01 00:00:00.000000000 +0000 +++ ovn-20.12.0/debian/patches/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch 2021-10-01 07:42:00.000000000 +0000 
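Review bot: The three `kill `cat northd/ovn-northd.pid`` / `northd-backup` / `ovn-nb` lines added to the 'ovn-bridge-mappings' test stop northd and the NB ovsdb-server without checking that the pid files exist or that the processes have actually exited, so a missing pid file or a slow shutdown passes silently and the test then races against a still-running northd rewriting the SB instrumentation the preceding NOTE warns about. Prefer the shutdown idiom already used in this file (`as northd OVS_APP_EXIT_AND_WAIT([ovn-northd])`, and likewise for the backup and `ovn-nb`), or at minimum `check kill ...` so a failed stop is reported. In the 'Chassis other_config' test the `ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=unix:/dev/null` bounce is the only thing that makes ovn-controller pick up the new certificate; the inline TODO covers it, but the test comment should state that a certificate swap without a reconnect is silently ignored, since that is the behaviour the workaround depends on. The new 'ovn -- features' test appears to be entirely new in this backport and waits for `other_config:port-up-notif` on the chassis row; if ovn-controller on this branch does not publish that key the test will only time out, which is worth confirming.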
@@ -0,0 +1,48 @@ +Origin: upstream, https://github.com/ovn-org/ovn/commit/291d88b787a66741810950a5b1b74f82e53ec9a4 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475 +Last-Update: 2021-09-23 + +From 291d88b787a66741810950a5b1b74f82e53ec9a4 Mon Sep 17 00:00:00 2001 +From: Frode Nordahl +Date: Fri, 5 Mar 2021 13:16:23 +0100 +Subject: [PATCH] northd: Amend RBAC rules for Port_Binding table + +When `ovn-controller` claims a virtual lport it will update the +Port_Binding table with which chassis currently has claimed the +port as well as recording information about the virtual parent +lport [0]. + +When `ovn-controller` claims a lport it will also update the +encap field of the Port_Binding table if set and an update is +needed. + +The current RBAC rules does not allow for these updates. + +0: https://github.com/ovn-org/ovn/blob/b7b0fbdab03ce8b39d5bdc114876e6b0d0683892/controller/pinctrl.c#L6150 +Fixes: 054f4c85c ("Add a new logical switch port type - 'virtual'") +Fixes: 6c8b9a132 (" ovn-controller: Store the local port bindings in the runtime data I-P state") +Reported-At: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475 +Signed-off-by: Frode Nordahl +Signed-off-by: Numan Siddique + +(cherry-picked from master commit 525d78946e6db29430fc2f946b9348eda6356fc6) +--- + northd/ovn-northd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c +index 13288a31c..893b55bed 100644 +--- a/northd/ovn-northd.c ++++ b/northd/ovn-northd.c +@@ -12745,7 +12745,7 @@ static const char *rbac_encap_update[] = + static const char *rbac_port_binding_auth[] = + {""}; + static const char *rbac_port_binding_update[] = +- {"chassis"}; ++ {"chassis", "encap", "virtual_parent"}; + + static const char *rbac_mac_binding_auth[] = + {""}; +-- +2.32.0 + diff -Nru ovn-20.12.0/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch 
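Review bot: Widening `rbac_port_binding_update` to `{"chassis", "encap", "virtual_parent"}` while `rbac_port_binding_auth` stays `{""}` means the permission is not tied to the requesting chassis, so, as I read the empty authorization (the same form the `rbac_mac_binding_auth` entry below uses), any client holding the ovn-controller role may rewrite `encap` and `virtual_parent` on every Port_Binding row, not only on ports it has claimed. That trade-off already exists for `chassis`, but the new columns deserve a comment so the list is not grown further by accident, e.g. `/* No row-level authorization: any ovn-controller may update these columns on any Port_Binding row, so keep this list minimal. */`. The surrounding table of `rbac_*` arrays continues before and after this hunk.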
ovn-20.12.0/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch --- ovn-20.12.0/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch 1970-01-01 00:00:00.000000000 +0000 +++ ovn-20.12.0/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch 2021-10-01 07:42:00.000000000 +0000 
@@ -0,0 +1,145 @@ +Origin: backport, https://github.com/ovn-org/ovn/commit/96959e56d634c8d888af9e3ee340602593c7e4fa +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1943266 +Last-Update: 2021-10-01 + +From 1cdc8ce5b4373b2169129f53e4a060b75522b286 Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Tue, 4 May 2021 19:59:00 +0200 +Subject: [PATCH 2/2] physical: do not forward traffic from localport to a + localnet one + +Since the localnet port is available on each hv, do not forward traffic +to the localnet port if it is present in order to avoid switch fdb +misconfiguration. +Related bz: https://bugzilla.redhat.com/show_bug.cgi?id=1942877 + +Signed-off-by: Lorenzo Bianconi +Acked-by: Mark Michelson +Signed-off-by: Numan Siddique +(cherry picked from commit 96959e56d634c8d888af9e3ee340602593c7e4fa) +--- + controller/physical.c | 23 +++++++++++++++++++++++ + include/ovn/logical-fields.h | 13 +++++++++++++ + tests/ovn.at | 17 +++++++++++++++++ + 3 files changed, 53 insertions(+) + +diff --git a/controller/physical.c b/controller/physical.c +index fa5d0d692..f41010a2b 100644 +--- a/controller/physical.c ++++ b/controller/physical.c +@@ -1160,6 +1160,11 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name, + + load_logical_ingress_metadata(binding, &zone_ids, ofpacts_p); + ++ if (!strcmp(binding->type, "localport")) { ++ /* mark the packet as incoming from a localport */ ++ put_load(1, MFF_LOG_FLAGS, MLF_LOCALPORT_BIT, 1, ofpacts_p); ++ } ++ + /* Resubmit to first logical ingress pipeline table. */ + put_resubmit(OFTABLE_LOG_INGRESS_PIPELINE, ofpacts_p); + ofctrl_add_flow(flow_table, OFTABLE_PHY_TO_LOG, +@@ -1219,6 +1224,24 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name, + ofport, flow_table); + } + ++ /* Table 39, priority 160. ++ * ======================= ++ * ++ * Do not forward local traffic from a localport to a localnet port. 
++ */ ++ if (!strcmp(binding->type, "localnet")) { ++ /* do not forward traffic from localport to localnet port */ ++ match_init_catchall(&match); ++ ofpbuf_clear(ofpacts_p); ++ match_set_metadata(&match, htonll(dp_key)); ++ match_set_reg(&match, MFF_LOG_OUTPORT - MFF_REG0, port_key); ++ match_set_reg_masked(&match, MFF_LOG_FLAGS - MFF_REG0, ++ MLF_LOCALPORT, MLF_LOCALPORT); ++ ofctrl_add_flow(flow_table, OFTABLE_CHECK_LOOPBACK, 160, ++ binding->header_.uuid.parts[0], &match, ++ ofpacts_p, &binding->header_.uuid); ++ } ++ + } else if (!tun && !is_ha_remote) { + /* Remote port connected by localnet port */ + /* Table 33, priority 100. +diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h +index aee474856..ebc4d82e3 100644 +--- a/include/ovn/logical-fields.h ++++ b/include/ovn/logical-fields.h +@@ -59,6 +59,9 @@ enum mff_log_flags_bits { + MLF_NESTED_CONTAINER_BIT = 5, + MLF_LOOKUP_MAC_BIT = 6, + MLF_LOOKUP_LB_HAIRPIN_BIT = 7, ++ MLF_LOOKUP_FDB_BIT = 8, ++ MLF_SKIP_SNAT_FOR_LB_BIT = 9, ++ MLF_LOCALPORT_BIT = 10, + }; + + /* MFF_LOG_FLAGS_REG flag assignments */ +@@ -92,6 +95,16 @@ enum mff_log_flags { + MLF_LOOKUP_MAC = (1 << MLF_LOOKUP_MAC_BIT), + + MLF_LOOKUP_LB_HAIRPIN = (1 << MLF_LOOKUP_LB_HAIRPIN_BIT), ++ ++ /* Indicate that the lookup in the fdb table was successful. */ ++ MLF_LOOKUP_FDB = (1 << MLF_LOOKUP_FDB_BIT), ++ ++ /* Indicate that a packet must not SNAT in the gateway router when ++ * load-balancing has taken place. 
*/ ++ MLF_SKIP_SNAT_FOR_LB = (1 << MLF_SKIP_SNAT_FOR_LB_BIT), ++ ++ /* Indicate the packet has been received from a localport */ ++ MLF_LOCALPORT = (1 << MLF_LOCALPORT_BIT), + }; + + /* OVN logical fields +diff --git a/tests/ovn.at b/tests/ovn.at +index ce5e9fded..914f9b949 100644 +--- a/tests/ovn.at ++++ b/tests/ovn.at +@@ -11490,10 +11490,17 @@ AT_CLEANUP + AT_SETUP([ovn -- localport suppress gARP]) + ovn_start + ++send_garp() { ++ local inport=$1 eth_src=$2 eth_dst=$3 spa=$4 tpa=$5 ++ local request=${eth_dst}${eth_src}08060001080006040001${eth_src}${spa}${eth_dst}${tpa} ++ as hv1 ovs-appctl netdev-dummy/receive vif$inport $request ++} ++ + net_add n1 + sim_add hv1 + as hv1 + check ovs-vsctl add-br br-phys ++ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys + ovn_attach n1 br-phys 192.168.0.1 + + check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys +@@ -11504,6 +11511,7 @@ check ovn-nbctl ls-add ls \ + -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \ + -- lsp-add ls ln \ + -- lsp-set-type ln localnet \ ++ -- lsp-set-addresses ln unknown \ + -- lsp-set-options ln network_name=phys \ + -- lsp-add ls lsp \ + -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2" +@@ -11537,6 +11545,15 @@ AT_CHECK([ + test 0 -eq $pkts + ]) + ++spa=$(ip_to_hex 10 0 0 1) ++tpa=$(ip_to_hex 10 0 0 100) ++send_garp 1 000000000001 ffffffffffff $spa $tpa ++ ++dnl traffic from localport should not be sent to localnet ++AT_CHECK([tcpdump -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl ++0 ++],[ignore]) ++ + OVN_CLEANUP([hv1]) + AT_CLEANUP + +-- +2.32.0 diff -Nru ovn-20.12.0/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch ovn-20.12.0/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch --- ovn-20.12.0/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
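Review bot: The new block comment in controller/physical.c says `Table 39, priority 160` while the existing comment two lines below it still reads `Table 33, priority 100` for the local-output table, so the table numbering in this file now disagrees; since the code uses the symbolic `OFTABLE_CHECK_LOOPBACK`, only the comment needs fixing to this branch's numbering. In include/ovn/logical-fields.h only `MLF_LOCALPORT` is referenced by the new code, yet `MLF_LOOKUP_FDB_BIT`/`MLF_LOOKUP_FDB` and `MLF_SKIP_SNAT_FOR_LB_BIT`/`MLF_SKIP_SNAT_FOR_LB` (bits 8 and 9) are introduced as well; if nothing else in this tree uses them they exist only to keep bit 10 aligned with upstream, and a comment such as `/* Bits 8 and 9 reserved to match upstream numbering; their features are not in this branch. */` would stop a later backport from reusing them. A `/* empty action list: drop */` beside `ofpbuf_clear(ofpacts_p)` would make the intent of the priority-160 flow explicit. In tests/ovn.at the new unchecked `ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys` before `ovn_attach` duplicates the `check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys` line that already follows it; keep a single `check`-wrapped copy. `consider_port_binding` begins and ends outside the hunk.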
ovn-20.12.0/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch 2021-10-01 07:42:00.000000000 +0000 
@@ -0,0 +1,111 @@ +Origin: backport, https://github.com/ovn-org/ovn/commit/578238b36073256c524a4c2b6ed7521f73aa0019 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1943266 +Last-Update: 2021-10-01 + +From aefe7053eb3d9750d552eb342caed9faaaf9365a Mon Sep 17 00:00:00 2001 +From: Daniel Alvarez Sanchez +Date: Wed, 24 Mar 2021 18:23:47 +0100 +Subject: [PATCH 1/2] pinctrl: Don't send gARPs for localports + +Ports of type 'localport' are present on every hypervisor and +ovn-controller is sending gARPs for them which makes upstream +switches to see its MAC address flapping. + +In order to avoid this behavior, the current patch is skipping +localports when sending gARP/RARP packets. + +Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1939470 + +Signed-off-by: Daniel Alvarez Sanchez +Co-authored-by: Dumitru Ceara +Signed-off-by: Dumitru Ceara +Signed-off-by: Numan Siddique +(cherry picked from commit 578238b36073256c524a4c2b6ed7521f73aa0019) +--- + controller/pinctrl.c | 6 +++++ + tests/ovn.at | 53 ++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 59 insertions(+) + +diff --git a/controller/pinctrl.c b/controller/pinctrl.c +index 7e3abf0a4..f20c24f0e 100644 +--- a/controller/pinctrl.c ++++ b/controller/pinctrl.c +@@ -4102,6 +4102,12 @@ send_garp_rarp_update(struct ovsdb_idl_txn *ovnsb_idl_txn, + struct shash *nat_addresses) + { + volatile struct garp_rarp_data *garp_rarp = NULL; ++ ++ /* Skip localports as they don't need to be announced */ ++ if (!strcmp(binding_rec->type, "localport")) { ++ return; ++ } ++ + /* Update GARP for NAT IP if it exists. 
Consider port bindings with type + * "l3gateway" for logical switch ports attached to gateway routers, and + * port bindings with type "patch" for logical switch ports attached to +diff --git a/tests/ovn.at b/tests/ovn.at +index 9dcb0772e..ce5e9fded 100644 +--- a/tests/ovn.at ++++ b/tests/ovn.at +@@ -11487,6 +11487,59 @@ OVN_CLEANUP([hv1],[hv2]) + + AT_CLEANUP + ++AT_SETUP([ovn -- localport suppress gARP]) ++ovn_start ++ ++net_add n1 ++sim_add hv1 ++as hv1 ++check ovs-vsctl add-br br-phys ++ovn_attach n1 br-phys 192.168.0.1 ++ ++check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys ++ ++check ovn-nbctl ls-add ls \ ++ -- lsp-add ls lp \ ++ -- lsp-set-type lp localport \ ++ -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \ ++ -- lsp-add ls ln \ ++ -- lsp-set-type ln localnet \ ++ -- lsp-set-options ln network_name=phys \ ++ -- lsp-add ls lsp \ ++ -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2" ++ ++dnl First bind the localport. ++check ovs-vsctl add-port br-int vif1 \ ++ -- set Interface vif1 external-ids:iface-id=lp ++check ovn-nbctl --wait=hv sync ++ ++dnl Then bind the regular vif. ++check ovs-vsctl add-port br-int vif2 \ ++ -- set Interface vif2 external-ids:iface-id=lsp \ ++ options:tx_pcap=hv1/vif2-tx.pcap \ ++ options:rxq_pcap=hv1/vif2-rx.pcap ++ ++wait_row_count nb:Logical_Switch_Port 1 name=lsp up=true ++check ovn-nbctl --wait=hv sync ++ ++dnl Wait for at least two gARPs from lsp (10.0.0.2). ++lsp_garp=ffffffffffff000000000002080600010800060400010000000000020a0000020000000000000a000002 ++OVS_WAIT_UNTIL([ ++ garps=`$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv1/br-phys-tx.pcap | grep ${lsp_garp} -c` ++ test $garps -ge 2 ++]) ++ ++dnl At this point it's safe to assume that ovn-controller skipped sending gARP ++dnl for the localport. Check that there are no other packets than the gARPs ++dnl for the regular vif. 
++AT_CHECK([ ++ pkts=`$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv1/br-phys-tx.pcap | grep -v ${lsp_garp} -c` ++ test 0 -eq $pkts ++]) ++ ++OVN_CLEANUP([hv1]) ++AT_CLEANUP ++ + AT_SETUP([ovn -- 1 LR with HA distributed router gateway port]) + ovn_start + +-- +2.32.0 diff -Nru ovn-20.12.0/debian/patches/series ovn-20.12.0/debian/patches/series --- ovn-20.12.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ ovn-20.12.0/debian/patches/series 2021-10-01 07:42:00.000000000 +0000 @@ -0,0 +1,12 @@ +lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch +lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch +lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch +lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch +lp-1914988-northd-Amend-Chassis-RBAC-rules.patch +lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch +lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch +lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch +lp-1914988-tests-Make-certificate-generation-extendable.patch +lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch +lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch +lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch
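Review bot: `lsp_garp=ffffffffffff000000000002080600010800060400010000000000020a0000020000000000000a000002` in the new tests/ovn.at test is an undocumented hex blob; a comment decoding it, `dnl gARP for 10.0.0.2: dst ff:ff:ff:ff:ff:ff, src 00:00:00:00:00:02, ARP request, spa = tpa = 10.0.0.2`, would let a reader verify that the grep isolates lsp's announcement and nothing else. The final `test 0 -eq $pkts` treats every non-matching frame on br-phys as a failure, so any unrelated traffic ovn-controller emits on the localnet bridge makes the test flaky; a negative check scoped to gARP/RARP frames carrying 10.0.0.1 or 00:00:00:00:00:01 would test exactly the behaviour this patch changes. In controller/pinctrl.c the early `return` for `"localport"` is placed after the `volatile struct garp_rarp_data *garp_rarp = NULL;` declaration; putting the guard first keeps the declaration next to its use, and the body of `send_garp_rarp_update` continues outside the hunk.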