diff -Nru ovn-20.12.0/debian/changelog ovn-20.12.0/debian/changelog
--- ovn-20.12.0/debian/changelog 2021-03-09 13:28:55.000000000 +0000
+++ ovn-20.12.0/debian/changelog 2021-10-06 06:26:47.000000000 +0000
@@ -1,8 +1,28 @@
-ovn (20.12.0-0ubuntu2~cloud0) focal-wallaby; urgency=medium
+ovn (20.12.0-0ubuntu3~cloud0) focal-wallaby; urgency=medium
- * New upstream release for the Ubuntu Cloud Archive.
+ * New update for the Ubuntu Cloud Archive.
- -- Openstack Ubuntu Testing Bot Tue, 09 Mar 2021 13:28:55 +0000
+ -- Openstack Ubuntu Testing Bot Wed, 06 Oct 2021 06:26:47 +0000
+
+ovn (20.12.0-0ubuntu3) hirsute; urgency=medium
+
+ * Add RBAC rules for IGMP_Group table (LP: #1914988):
+ - d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
+ - d/p/lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch
+ - d/p/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
+ - d/p/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
+ - d/p/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
+ - d/p/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
+ - d/p/lp-1914988-tests-Make-certificate-generation-extendable.patch
+ - d/p/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
+ * d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch:
+ Do not forward traffic from localport to localnet ports (LP: #1943266).
+ * d/p/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
+ Update RBAC rules for Chassis_Private table (LP: #1913024).
+ * d/p/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
+ Update RBAC rules for Port_Binding table (LP: #1917475).
+
+ -- Frode Nordahl Fri, 01 Oct 2021 09:42:00 +0200
ovn (20.12.0-0ubuntu2) hirsute; urgency=medium
diff -Nru ovn-20.12.0/debian/gbp.conf ovn-20.12.0/debian/gbp.conf
--- ovn-20.12.0/debian/gbp.conf 2021-01-04 16:55:16.000000000 +0000
+++ ovn-20.12.0/debian/gbp.conf 2021-10-01 07:42:00.000000000 +0000
@@ -1,3 +1,3 @@
[DEFAULT]
-debian-branch = master
+debian-branch = ubuntu/hirsute
pristine-tar = True
diff -Nru ovn-20.12.0/debian/patches/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch ovn-20.12.0/debian/patches/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
--- ovn-20.12.0/debian/patches/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,42 @@
+Origin: upstream, https://github.com/ovn-org/ovn/commit/f653d627100c91fb169009de44add746beb23769
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1913024
+Last-Update: 2021-09-23
+
+From f653d627100c91fb169009de44add746beb23769 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Mon, 25 Jan 2021 21:34:04 +0100
+Subject: [PATCH] northd: Add Chassis_Private "external_ids" column to RBAC
+
+After introduction of the Chassis_Private table in OVN 20.09, CMS'es do
+expect data plane components that may be subject to the
+`ovn-controller` RBAC role to be able to write to the external_ids
+column. An example being the OpenStack metadata agent [0].
+
+[0]: https://github.com/openstack/neutron/blob/master/neutron/agent/ovn/metadata/agent.py#L175-L191
+Reported-at: https://bugs.launchpad.net/bugs/1913024
+Fixes: 4adc10f58127 ("Avoid nb_cfg update notification flooding")
+Signed-off-by: Frode Nordahl
+Acked-by: Dumitru Ceara
+Signed-off-by: Numan Siddique
+
+(cherry-picked from master commit a798e2cfb6dd97c1603b7b758464afb8b897c9ed)
+---
+ northd/ovn-northd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index 7ead3f6b8..89f7dc362 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -12729,7 +12729,7 @@ static const char *rbac_chassis_update[] =
+ static const char *rbac_chassis_private_auth[] =
+ {"name"};
+ static const char *rbac_chassis_private_update[] =
+- {"nb_cfg", "nb_cfg_timestamp", "chassis"};
++ {"nb_cfg", "nb_cfg_timestamp", "chassis", "external_ids"};
+
+ static const char *rbac_encap_auth[] =
+ {"chassis_name"};
+--
+2.32.0
+
diff -Nru ovn-20.12.0/debian/patches/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch ovn-20.12.0/debian/patches/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
--- ovn-20.12.0/debian/patches/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,100 @@
+Origin: upstream, https://github.com/ovn-org/ovn/commit/6aab727db39dcdcfd859aa617e0d9f1ab0bcac98
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-09-23
+
+From 6aab727db39dcdcfd859aa617e0d9f1ab0bcac98 Mon Sep 17 00:00:00 2001
+From: Pedro Guimaraes
+Date: Sun, 7 Feb 2021 16:07:08 +0100
+Subject: [PATCH] Add IGMP_Group to ovn-controller RBAC
+
+If RBAC and IGMP snooping are enabled, ovn-controllers need to
+be able to register new entries to table IGMP_Group as requests
+are detected.
+
+For that, ovn-controllers need to have read/write access to
+IGMP_Group table.
+
+Signed-off-by: Pedro Guimaraes
+Reported-at: https://github.com/ovn-org/ovn/issues/77
+Acked-by: Frode Nordahl
+Signed-off-by: Numan Siddique
+
+(cherry-picked from master commit e92d8cb838d407aac7d44c9d27f862df42fbb8d2)
+---
+ AUTHORS.rst | 1 +
+ northd/ovn-northd.c | 12 ++++++++++++
+ ovn-architecture.7.xml | 16 ++++++++++++++++
+ 3 files changed, 29 insertions(+)
+
+diff --git a/AUTHORS.rst b/AUTHORS.rst
+index 5d926c11f..ba0a4eb1e 100644
+--- a/AUTHORS.rst
++++ b/AUTHORS.rst
+@@ -290,6 +290,7 @@ Paul Fazzone pfazzone@vmware.com
+ Paul Ingram
+ Paul-Emmanuel Raoul skyper@skyplabs.net
+ Pavithra Ramesh paramesh@vmware.com
++Pedro Guimaraes pedro.guimaraes@canonical.com
+ Peter Downs padowns@gmail.com
+ Philippe Jung phil.jung@free.fr
+ Pim van den Berg pim@nethuis.nl
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index 89f7dc362..cb6bbb74d 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -12750,6 +12750,10 @@ static const char *rbac_svc_monitor_auth[] =
+ {""};
+ static const char *rbac_svc_monitor_auth_update[] =
+ {"status"};
++static const char *rbac_igmp_group_auth[] =
++ {""};
++static const char *rbac_igmp_group_update[] =
++ {"address", "chassis", "datapath", "ports"};
+
+ static struct rbac_perm_cfg {
+ const char *table;
+@@ -12808,6 +12812,14 @@ static struct rbac_perm_cfg {
+ .update = rbac_svc_monitor_auth_update,
+ .n_update = ARRAY_SIZE(rbac_svc_monitor_auth_update),
+ .row = NULL
++ },{
++ .table = "IGMP_Group",
++ .auth = rbac_igmp_group_auth,
++ .n_auth = ARRAY_SIZE(rbac_igmp_group_auth),
++ .insdel = true,
++ .update = rbac_igmp_group_update,
++ .n_update = ARRAY_SIZE(rbac_igmp_group_update),
++ .row = NULL
+ },{
+ .table = NULL,
+ .auth = NULL,
+diff --git a/ovn-architecture.7.xml b/ovn-architecture.7.xml
+index d00af36b4..e5b70ca20 100644
+--- a/ovn-architecture.7.xml
++++ b/ovn-architecture.7.xml
+@@ -2597,6 +2597,22 @@
+ modified by ovn-controller.
+
+
++
++ IGMP_Group
++
++
++ Authorization
: disabled (all clients are considered
++ to be authorized).
++
++
++ Insert/Delete
: row insertion/deletion are permitted.
++
++
++ Update
: The columns address
,
++ chassis
, datapath
, and
++ ports
may be modified by ovn-controller.
++
++
+
+
+
+--
+2.32.0
+
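Review bot: The new IGMP_Group entry authorizes with an empty column list, `static const char *rbac_igmp_group_auth[] = {""};`, together with `.insdel = true`, so any client bound to the ovn-controller role may insert, delete or update any IGMP_Group row, including rows whose `chassis` column names a different chassis; the Chassis and Chassis_Private entries in the same table are row-scoped by `name`, and nothing in the patch header says why that is not done here. The same open-authorization pattern is added for Controller_Event and FDB by the other two lp-1914988 northd patches. Since the backport is taken verbatim from upstream, the place to record this for the packager is the DEP-3 header, e.g. `Comment: Authorization is disabled for IGMP_Group (as for Service_Monitor upstream); a chassis in the ovn-controller role can modify IGMP_Group rows belonging to other chassis.` The ovn-architecture.7.xml hunk already states that authorization is disabled, so code and manual agree.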
diff -Nru ovn-20.12.0/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch ovn-20.12.0/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
--- ovn-20.12.0/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,55 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/51f2629cda614d0712ca13f4b51e30c9c2290bc1
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From fa05fdfea81486b6d2faa8c542150e807e2feba9 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Fri, 5 Mar 2021 13:16:26 +0100
+Subject: [PATCH 06/10] northd: Add Controller_Event RBAC rules
+
+The use of the Controller_Event table does currently not work
+when RBAC is enabled.
+
+Fixes: be1eeb09d ("OVN: introduce Controller_Event table")
+Signed-off-by: Frode Nordahl
+Signed-off-by: Numan Siddique
+(cherry picked from commit 51f2629cda614d0712ca13f4b51e30c9c2290bc1)
+---
+ northd/ovn-northd.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index d78c065ce..6b4584f73 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -12687,6 +12687,12 @@ static const char *rbac_encap_auth[] =
+ static const char *rbac_encap_update[] =
+ {"type", "options", "ip"};
+
++static const char *rbac_controller_event_auth[] =
++ {""};
++static const char *rbac_controller_event_update[] =
++ {"chassis", "event_info", "event_type", "seq_num"};
++
++
+ static const char *rbac_fdb_auth[] =
+ {""};
+ static const char *rbac_fdb_update[] =
+@@ -12736,6 +12742,14 @@ static struct rbac_perm_cfg {
+ .update = rbac_chassis_private_update,
+ .n_update = ARRAY_SIZE(rbac_chassis_private_update),
+ .row = NULL
++ },{
++ .table = "Controller_Event",
++ .auth = rbac_controller_event_auth,
++ .n_auth = ARRAY_SIZE(rbac_controller_event_auth),
++ .insdel = true,
++ .update = rbac_controller_event_update,
++ .n_update = ARRAY_SIZE(rbac_controller_event_update),
++ .row = NULL
+ },{
+ .table = "Encap",
+ .auth = rbac_encap_auth,
+--
+2.32.0
+
diff -Nru ovn-20.12.0/debian/patches/lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch ovn-20.12.0/debian/patches/lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch
--- ovn-20.12.0/debian/patches/lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,55 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/a6008b68bb70e99a9191eb9c6c98532816fa4307
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+o
+From fcae229fab5dce42ad216aef872675c03b60fc5e Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Fri, 5 Mar 2021 13:16:24 +0100
+Subject: [PATCH 04/10] northd: Add missing RBAC rules for FDB table
+
+The recently added FDB table did not get its RBAC rules which
+would prohibit a `ovn-controller` from updating it with RBAC
+enabled.
+
+Fixes: 6ec3b1259 ("MAC learning: Add a new FDB table in southbound db")
+Signed-off-by: Frode Nordahl
+Signed-off-by: Numan Siddique
+(cherry picked from commit a6008b68bb70e99a9191eb9c6c98532816fa4307)
+---
+ northd/ovn-northd.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index 718ed831a..42c1aa677 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -12687,6 +12687,11 @@ static const char *rbac_encap_auth[] =
+ static const char *rbac_encap_update[] =
+ {"type", "options", "ip"};
+
++static const char *rbac_fdb_auth[] =
++ {""};
++static const char *rbac_fdb_update[] =
++ {"dp_key", "mac", "port_key"};
++
+ static const char *rbac_port_binding_auth[] =
+ {""};
+ static const char *rbac_port_binding_update[] =
+@@ -12739,6 +12744,14 @@ static struct rbac_perm_cfg {
+ .update = rbac_encap_update,
+ .n_update = ARRAY_SIZE(rbac_encap_update),
+ .row = NULL
++ },{
++ .table = "FDB",
++ .auth = rbac_fdb_auth,
++ .n_auth = ARRAY_SIZE(rbac_fdb_auth),
++ .insdel = true,
++ .update = rbac_fdb_update,
++ .n_update = ARRAY_SIZE(rbac_fdb_update),
++ .row = NULL
+ },{
+ .table = "Port_Binding",
+ .auth = rbac_port_binding_auth,
+--
+2.32.0
+
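Review bot: The DEP-3 header carries a stray `o` on the line that should be the blank separator after `Last-Update: 2021-10-01` (the line is just `o`). patch(1) treats everything before the first `diff --git` header as free text, so the patch presumably still applies, but it reads as an accidental keystroke and the line should be empty as it is in the other lp-1914988 patch files.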
diff -Nru ovn-20.12.0/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch ovn-20.12.0/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
--- ovn-20.12.0/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,36 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/b865e502293b8504812b062321be442805f46d4a
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From 0b44305ea11f5ecf3a5ba43de5f62fd1dcc3f912 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Fri, 5 Mar 2021 13:16:25 +0100
+Subject: [PATCH 4/8] northd: Amend Chassis RBAC rules
+
+The Transport Zones support does currently not work when RBAC is
+enabled.
+
+Fixes: 07d0d258d ("OVN: Add support for Transport Zones")
+Signed-off-by: Frode Nordahl
+Signed-off-by: Numan Siddique
+(cherry picked from commit b865e502293b8504812b062321be442805f46d4a)
+---
+ northd/ovn-northd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index 718ed831a..ad84c52be 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -12675,7 +12675,7 @@ static const char *rbac_chassis_auth[] =
+ {"name"};
+ static const char *rbac_chassis_update[] =
+ {"nb_cfg", "external_ids", "encaps", "vtep_logical_switches",
+- "other_config"};
++ "other_config", "transport_zones"};
+
+ static const char *rbac_chassis_private_auth[] =
+ {"name"};
+--
+2.32.0
+
diff -Nru ovn-20.12.0/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch ovn-20.12.0/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
--- ovn-20.12.0/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,47 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/a6008b68bb70e99a9191eb9c6c98532816fa4307
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From d6e9c4f2b74ead49b65a4aedb464a87631d9d329 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Fri, 5 Mar 2021 13:16:28 +0100
+Subject: [PATCH 5/8] tests: Amend release stale port binding test for RBAC
+
+The current version of the test attempts to simulate chassis
+registration prior to starting `ovn-controller`, however it does
+not set the `hostname` field.
+
+The RBAC role for `ovn-controller` does not allow for a chassis to
+change its own name or hostname, which makes sense as this is used
+for authentication.
+
+Update the test to set the `hostname` field when simulating chassis
+registration so that `ovn-controller` does not attempt to update it
+and subsequently make the test fail.
+
+Fixes b6b3823d4 ("ovn-controller: Fix I-P for SB Port_Binding and OVS Interface")
+
+Signed-off-by: Frode Nordahl
+Acked-by: Mark Michelson
+Signed-off-by: Numan Siddique
+(cherry picked from commit b92823f0e94e760c3e4b60ef132b513c3411ed2d)
+---
+ tests/ovn.at | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/ovn.at b/tests/ovn.at
+index 2e0bc9c53..aae4c06be 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -20871,7 +20871,7 @@ ovn-nbctl --wait=sb lsp-add ls1 lsp1
+
+ # Simulate the fact that lsp1 had been previously bound on hv1.
+ ovn-sbctl --id=@e create encap chassis_name=hv1 ip="192.168.0.1" type="geneve" \
+- -- --id=@c create chassis name=hv1 encaps=@e \
++ -- --id=@c create chassis hostname=hv1 name=hv1 encaps=@e \
+ -- set Port_Binding lsp1 chassis=@c
+
+ as hv1
+--
+2.32.0
+
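Review bot: The `Origin:` header points at upstream commit a6008b68bb70e99a9191eb9c6c98532816fa4307, which is the FDB-table commit already referenced by lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch, while the trailer in this same file says `(cherry picked from commit b92823f0e94e760c3e4b60ef132b513c3411ed2d)`. The two should agree so the provenance of the test change can be checked; change the header to `Origin: backport, https://github.com/ovn-org/ovn/commit/b92823f0e94e760c3e4b60ef132b513c3411ed2d`.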
diff -Nru ovn-20.12.0/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch ovn-20.12.0/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch
--- ovn-20.12.0/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,213 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From b05ce42d1a6c4ca468b6a5fd1a16a0f6a5867663 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Fri, 5 Mar 2021 13:16:30 +0100
+Subject: [PATCH 2/3] tests: Make certificate generation extendable
+
+In preparation for enabling testing with SSL and RBAC enabled by
+default, rework the certificate generation so that we can easily
+add generation of more certificates/CN on demand.
+
+A side erffect of the change is a more generic naming scheme for
+the certificate files so the patch also contains an update to
+existing tests so that they use the new filenames.
+
+Signed-off-by: Frode Nordahl
+Acked-by: Mark Michelson
+Signed-off-by: Numan Siddique
+(cherry picked from commit 2bbb9fc7ed8aa193848fccbdf28437f79f0cd4f7)
+---
+ tests/automake.mk | 48 ++++++++++++++++++++++-------------------------
+ tests/ovn.at | 48 +++++++++++++++++++++++------------------------
+ 2 files changed, 46 insertions(+), 50 deletions(-)
+
+diff --git a/tests/automake.mk b/tests/automake.mk
+index 9740f085a..6eabb97e6 100644
+--- a/tests/automake.mk
++++ b/tests/automake.mk
+@@ -215,39 +215,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage
+ FLAKE8_PYFILES += $(CHECK_PYFILES)
+
+ if HAVE_OPENSSL
+-TESTPKI_FILES = \
+- tests/testpki-cacert.pem \
+- tests/testpki-cert.pem \
+- tests/testpki-privkey.pem \
+- tests/testpki-req.pem \
+- tests/testpki-cert2.pem \
+- tests/testpki-privkey2.pem \
+- tests/testpki-req2.pem
++OVS_PKI_DIR = $(CURDIR)/tests/pki
++TESTPKI_CNS = test test2
++TESTPKI_FILES = $(shell \
++ for cn in $(TESTPKI_CNS); do \
++ echo tests/testpki-$$cn-cert.pem ; \
++ echo tests/testpki-$$cn-privkey.pem ; \
++ echo tests/testpki-$$cn-req.pem ; \
++ done)
++
++tests/testpki-cacert.pem: tests/pki/stamp
++ $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@
++
++$(TESTPKI_FILES): tests/pki/stamp
++ $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@
++
++check_DATA += tests/testpki-cacert.pem
+ check_DATA += $(TESTPKI_FILES)
++CLEANFILES += tests/testpki-cacert.pem
+ CLEANFILES += $(TESTPKI_FILES)
+
+-tests/testpki-cacert.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@
+-tests/testpki-cert.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test-cert.pem $@
+-tests/testpki-req.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test-req.pem $@
+-tests/testpki-privkey.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test-privkey.pem $@
+-tests/testpki-cert2.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test2-cert.pem $@
+-tests/testpki-req2.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test2-req.pem $@
+-tests/testpki-privkey2.pem: tests/pki/stamp
+- $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@
+-
+-OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log
++
++OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log
+ tests/pki/stamp:
+ $(AM_V_at)rm -f tests/pki/stamp
+ $(AM_V_at)rm -rf tests/pki
+ $(AM_V_GEN)$(OVS_PKI) init && \
+- $(OVS_PKI) req+sign tests/pki/test && \
+- $(OVS_PKI) req+sign tests/pki/test2 && \
++ for cn in $(TESTPKI_CNS); do \
++ $(OVS_PKI) req+sign tests/pki/$$cn; \
++ done && \
+ : > tests/pki/stamp
+ CLEANFILES += tests/ovs-pki.log
+
+diff --git a/tests/ovn.at b/tests/ovn.at
+index 4d9ee1256..6de5a6d3f 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -7701,8 +7701,8 @@ AT_CHECK(
+
+ start_daemon ovsdb-server --remote=punix:ovn-sb.sock \
+ --remote=db:OVN_Southbound,SB_Global,connections \
+- --private-key="$PKIDIR/testpki-privkey2.pem" \
+- --certificate="$PKIDIR/testpki-cert2.pem" \
++ --private-key="$PKIDIR/testpki-test2-privkey.pem" \
++ --certificate="$PKIDIR/testpki-test2-cert.pem" \
+ --ca-cert="$PKIDIR/testpki-cacert.pem" \
+ ovn-sb.db
+
+@@ -7710,20 +7710,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+ # read-only accesses should succeed
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list SB_Global], [0], [stdout], [ignore])
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list Connection], [0], [stdout], [ignore])
+
+ # write access should fail
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ chassis-add ch vxlan 1.2.4.8], [1], [ignore],
+ [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"}
+@@ -7751,8 +7751,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \
+
+ # Populate SSL configuration entries in nb db
+ AT_CHECK(
+- [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \
+- $PKIDIR/testpki-cert.pem \
++ [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
++ $PKIDIR/testpki-test-cert.pem \
+ $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
+
+ # Populate a passive SSL connection in nb db
+@@ -7762,20 +7762,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+ # Verify SSL connetivity to nb db server
+ AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list NB_Global],
+ [0], [stdout], [ignore])
+ AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list Connection],
+ [0], [stdout], [ignore])
+ AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ get-connection],
+ [0], [stdout], [ignore])
+@@ -7802,8 +7802,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \
+
+ # Populate SSL configuration entries in sb db
+ AT_CHECK(
+- [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \
+- $PKIDIR/testpki-cert.pem \
++ [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
++ $PKIDIR/testpki-test-cert.pem \
+ $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
+
+ # Populate a passive SSL connection in sb db
+@@ -7813,20 +7813,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+ # Verify SSL connetivity to sb db server
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list SB_Global],
+ [0], [stdout], [ignore])
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list Connection],
+ [0], [stdout], [ignore])
+ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+- --private-key=$PKIDIR/testpki-privkey.pem \
+- --certificate=$PKIDIR/testpki-cert.pem \
++ --private-key=$PKIDIR/testpki-test-privkey.pem \
++ --certificate=$PKIDIR/testpki-test-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ get-connection],
+ [0], [stdout], [ignore])
+--
+2.32.0
+
diff -Nru ovn-20.12.0/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch ovn-20.12.0/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
--- ovn-20.12.0/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,153 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From ef220e364c01af319eb378a7b6b508cc1a49266a Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Fri, 5 Mar 2021 13:16:31 +0100
+Subject: [PATCH] tests: Test with SSL and RBAC for controller by default
+
+To help ourself to not forget updating RBAC rules when we land
+changes to existing functionality and new features we must enable
+SSL+RBAC on the `ovn-controller` <-> SB DB connection for builds
+with OpenSSL enabled.
+
+Signed-off-by: Frode Nordahl
+Acked-by: Mark Michelson
+Signed-off-by: Numan Siddique
+(cherry picked from commit c948d6bb05b4d8d34db7a88590eddb4c6de2b3c4)
+---
+ tests/automake.mk | 9 +++++++--
+ tests/ofproto-macros.at | 12 ++++++++++++
+ tests/ovn-macros.at | 38 ++++++++++++++++++++++++++++++++++++--
+ 3 files changed, 55 insertions(+), 4 deletions(-)
+
+diff --git a/tests/automake.mk b/tests/automake.mk
+index 7fab972ab..785a6e5a6 100644
+--- a/tests/automake.mk
++++ b/tests/automake.mk
+@@ -220,7 +220,10 @@ FLAKE8_PYFILES += $(CHECK_PYFILES)
+
+ if HAVE_OPENSSL
+ OVS_PKI_DIR = $(CURDIR)/tests/pki
+-TESTPKI_CNS = test test2
++# NOTE: Certificate generation has to be done serially, and each one adds a few
++# seconds to the test run. Please try to re-use one of the many CNs already
++# used in the existing tests.
++TESTPKI_CNS = test test2 main hv hv-foo hv1 hv2 hv3 hv4 hv5 hv6 hv7 hv8 hv9 hv10 hv-1 hv-2 hv-10-1 hv-10-2 hv-20-1 hv-20-2 vtep hv_gw pbr-hv gw1 gw2 gw3 gw4 gw5 ext1
+ TESTPKI_FILES = $(shell \
+ for cn in $(TESTPKI_CNS); do \
+ echo tests/testpki-$$cn-cert.pem ; \
+@@ -245,9 +248,11 @@ tests/pki/stamp:
+ $(AM_V_at)rm -f tests/pki/stamp
+ $(AM_V_at)rm -rf tests/pki
+ $(AM_V_GEN)$(OVS_PKI) init && \
++ cd tests/pki && \
+ for cn in $(TESTPKI_CNS); do \
+- $(OVS_PKI) req+sign tests/pki/$$cn; \
++ $(OVS_PKI) -u req+sign $$cn; \
+ done && \
++ cd ../../ && \
+ : > tests/pki/stamp
+ CLEANFILES += tests/ovs-pki.log
+
+diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
+index dd5d3848d..9e8c4f051 100644
+--- a/tests/ofproto-macros.at
++++ b/tests/ofproto-macros.at
+@@ -101,6 +101,7 @@ start_daemon () {
+ #
+ # sim_add hv0
+ # as hv0 ovs-vsctl add-br br0
++PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+ sims=
+ sim_add () {
+ echo "adding simulator '$1'"
+@@ -123,6 +124,17 @@ sim_add () {
+ # Start ovs-vswitchd
+ as $1 start_daemon ovs-vswitchd --enable-dummy=system -vvconn -vofproto_dpif -vunixctl
+ as $1 ovs-appctl vlog/disable-rate-limit vconn
++ if test X$HAVE_OPENSSL = Xyes; then
++ if test -f $PKIDIR/testpki-$1-privkey.pem; then
++ as $1 ovs-vsctl set-ssl \
++ $PKIDIR/testpki-$1-privkey.pem \
++ $PKIDIR/testpki-$1-cert.pem \
++ $PKIDIR/testpki-cacert.pem \
++ || return 1
++ else
++ echo "WARNING: No certificate created for sim '$1', check TESTPKI_CNS variable in tests/automake.mk"
++ fi
++ fi
+ }
+
+ # "as $1" sets the OVS_*DIR environment variables to point to $ovs_base/$1.
+diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at
+index ff71f02d0..902ff1115 100644
+--- a/tests/ovn-macros.at
++++ b/tests/ovn-macros.at
+@@ -120,7 +120,18 @@ ovn_init_db () {
+ mkdir "$d" || return 1
+ : > "$d"/.$1.db.~lock~
+ as $as_d ovsdb-tool create "$d"/$1.db "$abs_top_srcdir"/$1.ovsschema
+- as $as_d start_daemon ovsdb-server -vjsonrpc --remote=punix:"$d"/$1.sock "$d"/$1.db
++
++ local remote_in_db=
++ if test X$HAVE_OPENSSL = Xyes -a X"$1" = X"ovn-sb"; then
++ remote_in_db="--remote=db:OVN_Southbound,SB_Global,connections --private-key=$PKIDIR/testpki-test-privkey.pem --certificate=$PKIDIR/testpki-test-cert.pem --ca-cert=$PKIDIR/testpki-cacert.pem"
++ fi
++
++ as $as_d start_daemon ovsdb-server \
++ -vjsonrpc \
++ --remote=punix:"$d"/$1.sock \
++ $remote_in_db \
++ "$d"/$1.db
++
+ local var=`echo $1_db | tr a-z- A-Z_`
+ AS_VAR_SET([$var], [unix:"$d"/$1.sock]); export $var
+ }
+@@ -173,6 +184,24 @@ ovn_start () {
+ --ovnnb-db=$ovn_nb_db \
+ --ovnsb-db=$ovn_sb_db
+
++ if test X$HAVE_OPENSSL = Xyes; then
++ # Create the SB DB pssl+RBAC connection. Ideally we could pre-create
++ # SB_Global and Connection with ovsdb-tool transact at DB creation
++ # time, but unfortunately that does not work, northd-ddlog will replace
++ # the SB_Global record on startup.
++ ovn-sbctl \
++ -- --id=@c create connection \
++ target=\"pssl:0:127.0.0.1\" role=ovn-controller \
++ -- add SB_Global . connections @c
++ local d=$ovs_base
++ if test -n "$1"; then
++ d=$d/$1
++ fi
++ PARSE_LISTENING_PORT([$d/ovn-sb/ovsdb-server.log], [TCP_PORT])
++ var="SSL_OVN_SB_DB"
++ AS_VAR_SET([$var], [ssl:127.0.0.1:$TCP_PORT]); export $var
++ fi
++
+ if test -n "$1"; then
+ as_d=$1/ic
+ echo "starting ovn-ic"
+@@ -237,11 +266,16 @@ ovn_az_attach() {
+
+ local ovn_remote
+ if test X"$az" = XNONE; then
+- ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock
++ if test X$HAVE_OPENSSL = Xyes; then
++ ovn_remote=$SSL_OVN_SB_DB
++ else
++ ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock
++ fi
+ else
+ ovn_remote=unix:$ovs_base/$az/ovn-sb/ovn-sb.sock
+ fi
+ ovs-vsctl \
++ -- set Open_vSwitch . external-ids:hostname=$sandbox \
+ -- set Open_vSwitch . external-ids:system-id=$sandbox \
+ -- set Open_vSwitch . external-ids:ovn-remote=$ovn_remote \
+ -- set Open_vSwitch . external-ids:ovn-encap-type=$encap \
+--
+2.32.0
+
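Review bot: In the tests/ofproto-macros.at hunk, a simulator with no matching `testpki-$1-privkey.pem` only gets a WARNING and `sim_add` carries on, yet the `ovn_az_attach` hunk in tests/ovn-macros.at unconditionally points the controller at `$SSL_OVN_SB_DB` when HAVE_OPENSSL is set, so such a sim presumably fails much later with an opaque connection error instead of at the point the cause is known. If every sim is expected to run ovn-controller, the `else` branch could fail fast, `echo "ERROR: No certificate created for sim '$1', check TESTPKI_CNS variable in tests/automake.mk"; return 1`; otherwise the warning text should at least say that the sim will not be able to reach the SSL SB DB. Separately, `PKIDIR="$(cd $abs_top_builddir/tests && pwd)"` leaves `$abs_top_builddir` unquoted; `"$abs_top_builddir"/tests` keeps the helper working with paths containing spaces. Both `sim_add` and `ovn_az_attach` start outside their hunks.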
diff -Nru ovn-20.12.0/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch ovn-20.12.0/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
--- ovn-20.12.0/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,188 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/020dab90f725b548a6131c988bd52e96623d3b8f
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
+Last-Update: 2021-10-01
+
+From cb1560a02e968c84ef8ea1c90f894610f88db8df Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Fri, 5 Mar 2021 13:16:29 +0100
+Subject: [PATCH] tests: Use ovn_start in tests/ovn-controller.at
+
+The current version of the tests only initializes the SB DB and
+instruments it directly. This does not work with SSL+RBAC as
+northd must run to program the RBAC rules into the SB DB.
+
+Run tests both for C and ddlog version of northd.
+
+Add workaround for ovn-controller not re-reading certificates to
+'ovn-controller - Chassis other_config' test.
+
+Signed-off-by: Frode Nordahl
+Acked-by: Mark Michelson
+Signed-off-by: Numan Siddique
+(cherry picked from commit 020dab90f725b548a6131c988bd52e96623d3b8f)
+---
+ tests/ovn-controller.at | 67 +++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 61 insertions(+), 6 deletions(-)
+
+diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
+index 1b4679963..3e06032ca 100644
+--- a/tests/ovn-controller.at
++++ b/tests/ovn-controller.at
+@@ -1,8 +1,9 @@
+ AT_BANNER([ovn-controller])
+
++OVN_FOR_EACH_NORTHD([
+ AT_SETUP([ovn-controller - ovn-bridge-mappings])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+ net_add n1
+ sim_add hv
+ as hv
+@@ -54,6 +55,14 @@ check_bridge_mappings () {
+ OVS_WAIT_UNTIL([test x"${local_mappings}" = x$(ovn-sbctl get Chassis ${sysid} other_config:ovn-bridge-mappings | sed -e 's/\"//g')])
+ }
+
++# NOTE: This test originally ran with only the SB-DB and no northd. For the
++# test to be successfull with SSL+RBAC we need to initially run northd to get
++# the RBAC rules programmed into the SB-DB. The test instruments the SB-DB
++# directly and we need to stop northd to avoid overwriting the instrumentation.
++kill `cat northd/ovn-northd.pid`
++kill `cat northd-backup/ovn-northd.pid`
++kill `cat ovn-nb/ovsdb-server.pid`
++
+ # Initially there should be no patch ports.
+ check_patches
+
+@@ -116,12 +125,14 @@ as ovn-sb
+ OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+ AT_CLEANUP
++])
+
+ # Checks that ovn-controller populates datapath-type and iface-types
+ # correctly in the Chassis other_config column.
++OVN_FOR_EACH_NORTHD([
+ AT_SETUP([ovn-controller - Chassis other_config])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+
+ net_add n1
+ sim_add hv
+@@ -192,7 +203,21 @@ OVS_WAIT_UNTIL([
+ # chassis_private records. Until that happens ovn-controller fails to
+ # create the records due to constraint violation on the Encap table.
+ sysid=${sysid}-foo
+-ovs-vsctl set Open_vSwitch . external-ids:system-id="${sysid}"
++current_remote=`ovs-vsctl get Open_vSwitch . external-ids:ovn-remote`
++if test X$HAVE_OPENSSL = Xyes; then
++ # To change chassis name we need to change certificate with matching CN
++ ovs-vsctl set-ssl \
++ $PKIDIR/testpki-${sysid}-privkey.pem \
++ $PKIDIR/testpki-${sysid}-cert.pem \
++ $PKIDIR/testpki-cacert.pem
++ # force reconnect which makes OVN controller read the new certificates
++ # TODO implement check for change of certificates in ovn-controller
++ # and remove this workaround.
++ ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=unix:/dev/null
++fi
++ovs-vsctl -- set Open_vSwitch . external-ids:hostname="${sysid}" \
++ -- set Open_vSwitch . external-ids:system-id="${sysid}" \
++ -- set Open_vSwitch . external-ids:ovn-remote="${current_remote}"
+
+ OVS_WAIT_UNTIL([
+ grep -q 'Transaction causes multiple rows in \\"Encap\\" table to have identical values (geneve and \\"192.168.0.1\\") for index on columns \\"type\\" and \\"ip\\".' hv/ovn-controller.log
+@@ -216,12 +241,14 @@ as ovn-sb
+ OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+ AT_CLEANUP
++])
+
+ # Checks that ovn-controller correctly maintains the mapping from the Encap
+ # table in the Southbound database to OVS in the face of changes on both sides
++OVN_FOR_EACH_NORTHD([
+ AT_SETUP([ovn-controller - change Encap properties])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+
+ net_add n1
+ sim_add hv
+@@ -271,11 +298,13 @@ as ovn-sb
+ OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+ AT_CLEANUP
++])
+
+ # Check ovn-controller connection status to Southbound database
++OVN_FOR_EACH_NORTHD([
+ AT_SETUP([ovn-controller - check sbdb connection])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+
+ net_add n1
+ sim_add hv
+@@ -305,11 +334,13 @@ as ovn-sb
+ OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+ AT_CLEANUP
++])
+
+ # Checks that ovn-controller recreates its chassis record when deleted externally.
++OVN_FOR_EACH_NORTHD([
+ AT_SETUP([ovn-controller - Chassis self record])
+ AT_KEYWORDS([ovn])
+-ovn_init_db ovn-sb
++ovn_start
+
+ net_add n1
+ sim_add hv
+@@ -360,8 +391,10 @@ OVS_WAIT_UNTIL([test x0 = x`ovn-sbctl --columns nb_cfg --bare find chassis`])
+
+ OVN_CLEANUP([hv])
+ AT_CLEANUP
++])
+
+ # Test unix command: debug/delay-nb-cfg-report
++OVN_FOR_EACH_NORTHD([
+ AT_SETUP([ovn-controller - debug/delay-nb-cfg-report])
+ AT_KEYWORDS([ovn])
+ ovn_start
+@@ -393,7 +426,9 @@ AT_CHECK([ovn-nbctl --timeout=1 --wait=hv sync])
+
+ OVN_CLEANUP([hv])
+ AT_CLEANUP
++])
+
++OVN_FOR_EACH_NORTHD([
+ AT_SETUP([ovn -- nb_cfg sync to OVS])
+ ovn_start
+
+@@ -414,3 +449,23 @@ OVS_WAIT_UNTIL([ovs-vsctl get Bridge br-int external_ids:ovn-nb-cfg], [0], [1])
+
+ OVN_CLEANUP([hv1])
+ AT_CLEANUP
++])
++
++OVN_FOR_EACH_NORTHD([
++AT_SETUP([ovn -- features])
++AT_KEYWORDS([features])
++ovn_start
++
++net_add n1
++sim_add hv1
++ovs-vsctl add-br br-phys
++ovn_attach n1 br-phys 192.168.0.1
++
++# Wait for ovn-controller to register in the SB.
++OVS_WAIT_UNTIL([
++ test "$(ovn-sbctl get chassis hv1 other_config:port-up-notif)" = '"true"'
++])
++
++OVN_CLEANUP([hv1])
++AT_CLEANUP
++])
+--
+2.32.0
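Review bot: The three `kill` calls added after the NOTE comment in the check_bridge_mappings hunk do not wait for the processes to exit, so ovn-northd can still commit a transaction after the test has started instrumenting the SB DB directly, which is exactly the overwrite the comment says it wants to avoid. The same file already stops the SB server with `OVS_APP_EXIT_AND_WAIT([ovsdb-server])` under `as ovn-sb`; the northd and ovn-nb processes started by ovn_start presumably support the same shutdown path, e.g. `as northd OVS_APP_EXIT_AND_WAIT([ovn-northd])` (and likewise for northd-backup and ovn-nb) — confirm the sandbox names match what ovn_start creates. The unchecked `cat .../ovn-northd.pid` substitutions also mean a missing pid file silently degrades to `kill` with no argument, and the test would not notice. The enclosing test body continues outside the hunk.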
diff -Nru ovn-20.12.0/debian/patches/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch ovn-20.12.0/debian/patches/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
--- ovn-20.12.0/debian/patches/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,48 @@
+Origin: upstream, https://github.com/ovn-org/ovn/commit/291d88b787a66741810950a5b1b74f82e53ec9a4
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475
+Last-Update: 2021-09-23
+
+From 291d88b787a66741810950a5b1b74f82e53ec9a4 Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Fri, 5 Mar 2021 13:16:23 +0100
+Subject: [PATCH] northd: Amend RBAC rules for Port_Binding table
+
+When `ovn-controller` claims a virtual lport it will update the
+Port_Binding table with which chassis currently has claimed the
+port as well as recording information about the virtual parent
+lport [0].
+
+When `ovn-controller` claims a lport it will also update the
+encap field of the Port_Binding table if set and an update is
+needed.
+
+The current RBAC rules does not allow for these updates.
+
+0: https://github.com/ovn-org/ovn/blob/b7b0fbdab03ce8b39d5bdc114876e6b0d0683892/controller/pinctrl.c#L6150
+Fixes: 054f4c85c ("Add a new logical switch port type - 'virtual'")
+Fixes: 6c8b9a132 (" ovn-controller: Store the local port bindings in the runtime data I-P state")
+Reported-At: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475
+Signed-off-by: Frode Nordahl
+Signed-off-by: Numan Siddique
+
+(cherry-picked from master commit 525d78946e6db29430fc2f946b9348eda6356fc6)
+---
+ northd/ovn-northd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index 13288a31c..893b55bed 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -12745,7 +12745,7 @@ static const char *rbac_encap_update[] =
+ static const char *rbac_port_binding_auth[] =
+ {""};
+ static const char *rbac_port_binding_update[] =
+- {"chassis"};
++ {"chassis", "encap", "virtual_parent"};
+
+ static const char *rbac_mac_binding_auth[] =
+ {""};
+--
+2.32.0
+
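Review bot: Widening rbac_port_binding_update to `{"chassis", "encap", "virtual_parent"}` while rbac_port_binding_auth just above it stays `{""}` means any authenticated ovn-controller may update these columns on any Port_Binding row, not only rows it has claimed, if the empty-string authorization entry denotes no per-row check as it appears to. The commit fixes the functional breakage but leaves that trust boundary undocumented, which matters because these arrays are the RBAC policy itself. A comment on the update array would help the next reviewer, e.g. `/* No per-row authorization on Port_Binding: any chassis may update these columns on any row, so keep this list minimal. */`. Per-row authorization against `chassis` is probably not workable here because the claiming chassis sets the column from unset, so the widening is likely the right trade-off, but it should be stated where the policy lives.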
diff -Nru ovn-20.12.0/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch ovn-20.12.0/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch
--- ovn-20.12.0/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,145 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/96959e56d634c8d888af9e3ee340602593c7e4fa
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1943266
+Last-Update: 2021-10-01
+
+From 1cdc8ce5b4373b2169129f53e4a060b75522b286 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi
+Date: Tue, 4 May 2021 19:59:00 +0200
+Subject: [PATCH 2/2] physical: do not forward traffic from localport to a
+ localnet one
+
+Since the localnet port is available on each hv, do not forward traffic
+to the localnet port if it is present in order to avoid switch fdb
+misconfiguration.
+Related bz: https://bugzilla.redhat.com/show_bug.cgi?id=1942877
+
+Signed-off-by: Lorenzo Bianconi
+Acked-by: Mark Michelson
+Signed-off-by: Numan Siddique
+(cherry picked from commit 96959e56d634c8d888af9e3ee340602593c7e4fa)
+---
+ controller/physical.c | 23 +++++++++++++++++++++++
+ include/ovn/logical-fields.h | 13 +++++++++++++
+ tests/ovn.at | 17 +++++++++++++++++
+ 3 files changed, 53 insertions(+)
+
+diff --git a/controller/physical.c b/controller/physical.c
+index fa5d0d692..f41010a2b 100644
+--- a/controller/physical.c
++++ b/controller/physical.c
+@@ -1160,6 +1160,11 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name,
+
+ load_logical_ingress_metadata(binding, &zone_ids, ofpacts_p);
+
++ if (!strcmp(binding->type, "localport")) {
++ /* mark the packet as incoming from a localport */
++ put_load(1, MFF_LOG_FLAGS, MLF_LOCALPORT_BIT, 1, ofpacts_p);
++ }
++
+ /* Resubmit to first logical ingress pipeline table. */
+ put_resubmit(OFTABLE_LOG_INGRESS_PIPELINE, ofpacts_p);
+ ofctrl_add_flow(flow_table, OFTABLE_PHY_TO_LOG,
+@@ -1219,6 +1224,24 @@ consider_port_binding(struct ovsdb_idl_index *sbrec_port_binding_by_name,
+ ofport, flow_table);
+ }
+
++ /* Table 39, priority 160.
++ * =======================
++ *
++ * Do not forward local traffic from a localport to a localnet port.
++ */
++ if (!strcmp(binding->type, "localnet")) {
++ /* do not forward traffic from localport to localnet port */
++ match_init_catchall(&match);
++ ofpbuf_clear(ofpacts_p);
++ match_set_metadata(&match, htonll(dp_key));
++ match_set_reg(&match, MFF_LOG_OUTPORT - MFF_REG0, port_key);
++ match_set_reg_masked(&match, MFF_LOG_FLAGS - MFF_REG0,
++ MLF_LOCALPORT, MLF_LOCALPORT);
++ ofctrl_add_flow(flow_table, OFTABLE_CHECK_LOOPBACK, 160,
++ binding->header_.uuid.parts[0], &match,
++ ofpacts_p, &binding->header_.uuid);
++ }
++
+ } else if (!tun && !is_ha_remote) {
+ /* Remote port connected by localnet port */
+ /* Table 33, priority 100.
+diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h
+index aee474856..ebc4d82e3 100644
+--- a/include/ovn/logical-fields.h
++++ b/include/ovn/logical-fields.h
+@@ -59,6 +59,9 @@ enum mff_log_flags_bits {
+ MLF_NESTED_CONTAINER_BIT = 5,
+ MLF_LOOKUP_MAC_BIT = 6,
+ MLF_LOOKUP_LB_HAIRPIN_BIT = 7,
++ MLF_LOOKUP_FDB_BIT = 8,
++ MLF_SKIP_SNAT_FOR_LB_BIT = 9,
++ MLF_LOCALPORT_BIT = 10,
+ };
+
+ /* MFF_LOG_FLAGS_REG flag assignments */
+@@ -92,6 +95,16 @@ enum mff_log_flags {
+ MLF_LOOKUP_MAC = (1 << MLF_LOOKUP_MAC_BIT),
+
+ MLF_LOOKUP_LB_HAIRPIN = (1 << MLF_LOOKUP_LB_HAIRPIN_BIT),
++
++ /* Indicate that the lookup in the fdb table was successful. */
++ MLF_LOOKUP_FDB = (1 << MLF_LOOKUP_FDB_BIT),
++
++ /* Indicate that a packet must not SNAT in the gateway router when
++ * load-balancing has taken place. */
++ MLF_SKIP_SNAT_FOR_LB = (1 << MLF_SKIP_SNAT_FOR_LB_BIT),
++
++ /* Indicate the packet has been received from a localport */
++ MLF_LOCALPORT = (1 << MLF_LOCALPORT_BIT),
+ };
+
+ /* OVN logical fields
+diff --git a/tests/ovn.at b/tests/ovn.at
+index ce5e9fded..914f9b949 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -11490,10 +11490,17 @@ AT_CLEANUP
+ AT_SETUP([ovn -- localport suppress gARP])
+ ovn_start
+
++send_garp() {
++ local inport=$1 eth_src=$2 eth_dst=$3 spa=$4 tpa=$5
++ local request=${eth_dst}${eth_src}08060001080006040001${eth_src}${spa}${eth_dst}${tpa}
++ as hv1 ovs-appctl netdev-dummy/receive vif$inport $request
++}
++
+ net_add n1
+ sim_add hv1
+ as hv1
+ check ovs-vsctl add-br br-phys
++ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
+ ovn_attach n1 br-phys 192.168.0.1
+
+ check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
+@@ -11504,6 +11511,7 @@ check ovn-nbctl ls-add ls \
+ -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \
+ -- lsp-add ls ln \
+ -- lsp-set-type ln localnet \
++ -- lsp-set-addresses ln unknown \
+ -- lsp-set-options ln network_name=phys \
+ -- lsp-add ls lsp \
+ -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2"
+@@ -11537,6 +11545,15 @@ AT_CHECK([
+ test 0 -eq $pkts
+ ])
+
++spa=$(ip_to_hex 10 0 0 1)
++tpa=$(ip_to_hex 10 0 0 100)
++send_garp 1 000000000001 ffffffffffff $spa $tpa
++
++dnl traffic from localport should not be sent to localnet
++AT_CHECK([tcpdump -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl
++0
++],[ignore])
++
+ OVN_CLEANUP([hv1])
+ AT_CLEANUP
+
+--
+2.32.0
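Review bot: The new check at the end of the tests/ovn.at hunk, `AT_CHECK([tcpdump -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl 0 ],[ignore])`, passes vacuously when tcpdump is not installed or cannot read the pcap: stderr is ignored, `wc -l` prints 0 and the pipeline's status is that of `wc`, so a regression of the localport-to-localnet drop flow would go unnoticed. The rest of this test (in the preceding pinctrl patch) inspects pcaps with `$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in"` and `grep -c`; counting frames whose ARP target-address bytes are `0a000064` in that hex output would make the check depend only on tooling the suite already requires. Separately, the added `ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys` duplicates the existing `check ovs-vsctl set open ...` two lines below it and can be dropped. The consider_port_binding hunks in physical.c look consistent with the surrounding flow-programming code; the function's body continues outside the hunks.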
diff -Nru ovn-20.12.0/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch ovn-20.12.0/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch
--- ovn-20.12.0/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,111 @@
+Origin: backport, https://github.com/ovn-org/ovn/commit/578238b36073256c524a4c2b6ed7521f73aa0019
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1943266
+Last-Update: 2021-10-01
+
+From aefe7053eb3d9750d552eb342caed9faaaf9365a Mon Sep 17 00:00:00 2001
+From: Daniel Alvarez Sanchez
+Date: Wed, 24 Mar 2021 18:23:47 +0100
+Subject: [PATCH 1/2] pinctrl: Don't send gARPs for localports
+
+Ports of type 'localport' are present on every hypervisor and
+ovn-controller is sending gARPs for them which makes upstream
+switches to see its MAC address flapping.
+
+In order to avoid this behavior, the current patch is skipping
+localports when sending gARP/RARP packets.
+
+Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1939470
+
+Signed-off-by: Daniel Alvarez Sanchez
+Co-authored-by: Dumitru Ceara
+Signed-off-by: Dumitru Ceara
+Signed-off-by: Numan Siddique
+(cherry picked from commit 578238b36073256c524a4c2b6ed7521f73aa0019)
+---
+ controller/pinctrl.c | 6 +++++
+ tests/ovn.at | 53 ++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+)
+
+diff --git a/controller/pinctrl.c b/controller/pinctrl.c
+index 7e3abf0a4..f20c24f0e 100644
+--- a/controller/pinctrl.c
++++ b/controller/pinctrl.c
+@@ -4102,6 +4102,12 @@ send_garp_rarp_update(struct ovsdb_idl_txn *ovnsb_idl_txn,
+ struct shash *nat_addresses)
+ {
+ volatile struct garp_rarp_data *garp_rarp = NULL;
++
++ /* Skip localports as they don't need to be announced */
++ if (!strcmp(binding_rec->type, "localport")) {
++ return;
++ }
++
+ /* Update GARP for NAT IP if it exists. Consider port bindings with type
+ * "l3gateway" for logical switch ports attached to gateway routers, and
+ * port bindings with type "patch" for logical switch ports attached to
+diff --git a/tests/ovn.at b/tests/ovn.at
+index 9dcb0772e..ce5e9fded 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -11487,6 +11487,59 @@ OVN_CLEANUP([hv1],[hv2])
+
+ AT_CLEANUP
+
++AT_SETUP([ovn -- localport suppress gARP])
++ovn_start
++
++net_add n1
++sim_add hv1
++as hv1
++check ovs-vsctl add-br br-phys
++ovn_attach n1 br-phys 192.168.0.1
++
++check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
++
++check ovn-nbctl ls-add ls \
++ -- lsp-add ls lp \
++ -- lsp-set-type lp localport \
++ -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \
++ -- lsp-add ls ln \
++ -- lsp-set-type ln localnet \
++ -- lsp-set-options ln network_name=phys \
++ -- lsp-add ls lsp \
++ -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2"
++
++dnl First bind the localport.
++check ovs-vsctl add-port br-int vif1 \
++ -- set Interface vif1 external-ids:iface-id=lp
++check ovn-nbctl --wait=hv sync
++
++dnl Then bind the regular vif.
++check ovs-vsctl add-port br-int vif2 \
++ -- set Interface vif2 external-ids:iface-id=lsp \
++ options:tx_pcap=hv1/vif2-tx.pcap \
++ options:rxq_pcap=hv1/vif2-rx.pcap
++
++wait_row_count nb:Logical_Switch_Port 1 name=lsp up=true
++check ovn-nbctl --wait=hv sync
++
++dnl Wait for at least two gARPs from lsp (10.0.0.2).
++lsp_garp=ffffffffffff000000000002080600010800060400010000000000020a0000020000000000000a000002
++OVS_WAIT_UNTIL([
++ garps=`$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv1/br-phys-tx.pcap | grep ${lsp_garp} -c`
++ test $garps -ge 2
++])
++
++dnl At this point it's safe to assume that ovn-controller skipped sending gARP
++dnl for the localport. Check that there are no other packets than the gARPs
++dnl for the regular vif.
++AT_CHECK([
++ pkts=`$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv1/br-phys-tx.pcap | grep -v ${lsp_garp} -c`
++ test 0 -eq $pkts
++])
++
++OVN_CLEANUP([hv1])
++AT_CLEANUP
++
+ AT_SETUP([ovn -- 1 LR with HA distributed router gateway port])
+ ovn_start
+
+--
+2.32.0
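Review bot: The literal `lsp_garp=ffffffffffff000000000002080600010800060400010000000000020a0000020000000000000a000002` in the new tests/ovn.at test is opaque; a `dnl` comment decoding it (broadcast Ethernet destination, source 00:00:00:00:00:02, EtherType 0x0806, ARP request with sender and target 10.0.0.2) would make the expected frame reviewable and ease updates if the framing changes. In pinctrl.c the early `return` for `localport` bindings is placed before all of send_garp_rarp_update's update logic; whether an entry previously recorded for a port whose type later became `localport` is ever removed from the garp/rarp state cannot be seen from this hunk, since the function body continues outside it, and is worth confirming.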
diff -Nru ovn-20.12.0/debian/patches/series ovn-20.12.0/debian/patches/series
--- ovn-20.12.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ ovn-20.12.0/debian/patches/series 2021-10-01 07:42:00.000000000 +0000
@@ -0,0 +1,12 @@
+lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
+lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
+lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
+lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch
+lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
+lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
+lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
+lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
+lp-1914988-tests-Make-certificate-generation-extendable.patch
+lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
+lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch
+lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch