Adds port security for external OVS bridge for OVN MAC address #3984
Commits on Dec 5, 2023
Implement port security for OVN patch port and GR
There can be a case where the MAC address of the physical interface attached to OVS might change. One common way this can happen is with a bond. The MAC address of the bond may change depending on which slave comes up first. When this scenario happens, the host will now be using a new MAC, while the OVN GR has the old MAC. This can cause hosts outside of the cluster to constantly update their IP neighbor table with the wrong MAC for the node, and cause a traffic outage. In order to prevent such a scenario, ensure that OVNK does not allow traffic sent by the OVN GR that does not match the current MAC address.

Signed-off-by: Tim Rozet <trozet@redhat.com>
Commit b40ff65
Ensure required flows are present at node start
In the scenario where an OVN GR may have the wrong MAC, and traffic disruption is present, the OVNK node process may stall at trying to start the watch factory and wait for informer caches to sync. At this point in time, ovnkube-node is not able to start its OpenFlow manager and program the needed flows to block the OVN GR from poisoning external IP neighbor entries. This commit adds a bootstrap function which attempts to install basic flows before anything else is done on the node during boot time. This is a temporary flow installation that is only done when there is just a single NORMAL flow in the external bridge and is overridden once OF Manager starts. Note this intentionally does not write the bootstrap flows if OVNK has been killed but the OVS flows from the previous run remain. It is only for cases where OVS has no previously programmed flows, like on node boot up.

Signed-off-by: Tim Rozet <trozet@redhat.com>
Commit 16dc318
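The two commits above describe the port-security flows and the bootstrap condition only in prose. The Go program below is an added example written for this page; it is not code from this PR or from ovn-kubernetes. It shows the two decisions those commits describe: whether a bridge holds nothing but the default NORMAL flow (and so may be bootstrapped without clobbering flows left by a previous run), and what a source-MAC guard on the OVN GR patch port looks like, allowing frames from that port only when the Ethernet source (and, for ARP, also the sender hardware address) equals the current bridge MAC. The sample `ovs-ofctl dump-flows` text, the patch port number, the priorities and the `ovs-ofctl add-flow` rendering are assumptions for the illustration; the project's real flows, tables and cookies differ.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"strings"
)

// Constructed sample of `ovs-ofctl dump-flows br-ex` on a freshly booted node:
// OVS holds only the default NORMAL flow, so nothing yet guards the GR MAC.
const freshBridgeDump = `NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=12.3s, table=0, n_packets=40, n_bytes=3000, priority=0 actions=NORMAL
`

// Constructed sample where a previous ovnkube-node run left its flows behind.
// Bootstrapping here would discard state that is still protecting the node.
const previousRunDump = `NXST_FLOW reply (xid=0x4):
 cookie=0xdeff105, duration=500.1s, table=0, n_packets=9, n_bytes=600, priority=100,in_port=2,dl_src=0a:58:0a:00:00:01 actions=NORMAL
 cookie=0xdeff105, duration=500.1s, table=0, n_packets=3, n_bytes=200, priority=99,in_port=2 actions=drop
 cookie=0x0, duration=600.0s, table=0, n_packets=40, n_bytes=3000, priority=0 actions=NORMAL
`

// needsBootstrap reports whether the dump shows exactly one flow and that flow
// is the plain NORMAL action. Anything else (no flows, or flows from an
// earlier run) means the caller must leave the bridge alone.
func needsBootstrap(dump string) bool {
	var flows []string
	for _, line := range strings.Split(dump, "\n") {
		line = strings.TrimSpace(line)
		if strings.Contains(line, "actions=") { // header lines carry no actions
			flows = append(flows, line)
		}
	}
	if len(flows) != 1 {
		return false
	}
	return strings.HasSuffix(flows[0], "actions=NORMAL")
}

// portSecurityFlows renders hypothetical flows that admit traffic arriving on
// the GR patch port (OpenFlow port patchOfport) only when it carries the
// bridge MAC as Ethernet source; ARP additionally has to carry it as arp_sha,
// which is what the external neighbor tables learn from. Priorities are
// assumptions and must sit above whatever else forwards traffic from the port.
func portSecurityFlows(patchOfport int, bridgeMAC net.HardwareAddr) ([]string, error) {
	// Refuse a MAC that is not a valid unicast address: pinning the GR to a
	// multicast, broadcast or all-zero address would black-hole everything.
	if len(bridgeMAC) != 6 || bridgeMAC[0]&1 == 1 || bytes.Equal(bridgeMAC, make([]byte, 6)) {
		return nil, fmt.Errorf("refusing to program flows for invalid bridge MAC %q", bridgeMAC.String())
	}
	mac := bridgeMAC.String()
	return []string{
		fmt.Sprintf("table=0,priority=110,in_port=%d,arp,dl_src=%s,arp_sha=%s,actions=NORMAL", patchOfport, mac, mac),
		fmt.Sprintf("table=0,priority=109,in_port=%d,arp,actions=drop", patchOfport),
		fmt.Sprintf("table=0,priority=100,in_port=%d,dl_src=%s,actions=NORMAL", patchOfport, mac),
		fmt.Sprintf("table=0,priority=99,in_port=%d,actions=drop", patchOfport),
	}, nil
}

func main() {
	fmt.Println("fresh bridge needs bootstrap:", needsBootstrap(freshBridgeDump))
	fmt.Println("bridge with leftover flows needs bootstrap:", needsBootstrap(previousRunDump))

	mac, _ := net.ParseMAC("0a:58:0a:00:00:01") // assumed bridge MAC
	flows, err := portSecurityFlows(2, mac)     // assumed patch port ofport 2
	if err != nil {
		panic(err)
	}
	for _, f := range flows {
		fmt.Printf("ovs-ofctl add-flow br-ex %q\n", f)
	}
}
```

The drop rule with no MAC match is what turns this into port security: without it, a GR that still answers with the stale address would simply fall through to whatever lower-priority flow forwarded it before.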
Exposes link manager to track MAC address changes
While OVNK is running a user could modify system settings so that the MAC of the shared gw bridge may change. If this happens, OVNK needs to detect it and update the node annotation so that the GR can be reconfigured with the right MAC. This commit takes the link manager that was added for egress IP and abstracts it out of the egress IP controller. It also introduces passing a handler function to link manager which gets executed during normal runtime. This function will check to see if the MAC has changed on the shared gw bridge and if so, update the l3 gateway annotation. Note, the link manager currently does not subscribe to netlink events for links, but instead runs periodically and lists all interfaces. Since changing a MAC address on the bridge is a disruptive action anyway, I figured it is OK to leave our detection on a 30 second interval. MAC changing on the bridge should be an extremely rare occurrence. However, in the future we could add a netlink subscriber and receive events when the link changes.

Signed-off-by: Tim Rozet <trozet@redhat.com>
Commit 1e53aea
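The commit above describes a periodic link check that hands a MAC change to a handler, which then rewrites the l3 gateway annotation. The Go program below is an added example for this page, not the project's link manager: it polls the current hardware address of a named interface through an injectable lister (the standard library's `net.InterfaceByName` on a real host, a fake in the demo), fires the handler exactly once per change, and rewrites the `mac-address` field of an annotation. The annotation layout, the `default` key, the interface name and the poll interval are assumptions for the illustration.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net"
	"sync"
	"time"
)

// linkLister returns the current MAC of an interface. Abstracting it lets the
// watcher run against the real system or against a fake in a test.
type linkLister func(name string) (net.HardwareAddr, error)

// systemLister reads the address from the kernel via the standard library.
func systemLister(name string) (net.HardwareAddr, error) {
	ifc, err := net.InterfaceByName(name)
	if err != nil {
		return nil, err
	}
	return ifc.HardwareAddr, nil
}

// macWatcher remembers the last MAC it saw and calls handler when it changes.
type macWatcher struct {
	name    string
	lister  linkLister
	handler func(old, cur net.HardwareAddr)
	mu      sync.Mutex
	last    net.HardwareAddr
}

func newMACWatcher(name string, lister linkLister, handler func(old, cur net.HardwareAddr)) (*macWatcher, error) {
	mac, err := lister(name)
	if err != nil {
		return nil, err
	}
	if len(mac) != 6 {
		return nil, fmt.Errorf("%s: unexpected MAC length %d", name, len(mac))
	}
	return &macWatcher{name: name, lister: lister, handler: handler, last: mac}, nil
}

// check reads the link once. It reports true, and runs the handler, only when
// the MAC differs from the last observation; the lock serializes handler runs.
func (w *macWatcher) check() (bool, error) {
	cur, err := w.lister(w.name)
	if err != nil {
		return false, err
	}
	w.mu.Lock()
	defer w.mu.Unlock()
	if bytes.Equal(cur, w.last) {
		return false, nil
	}
	old := w.last
	w.last = cur
	if w.handler != nil {
		w.handler(old, cur)
	}
	return true, nil
}

// run polls on a fixed interval until ctx is cancelled.
func (w *macWatcher) run(ctx context.Context, interval time.Duration) {
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case <-t.C:
			if _, err := w.check(); err != nil {
				fmt.Println("link check failed:", err)
			}
		}
	}
}

// rewriteGatewayMAC replaces the mac-address of the assumed "default" gateway
// entry in an annotation shaped like {"default": {..., "mac-address": ...}}.
func rewriteGatewayMAC(annotation string, mac net.HardwareAddr) (string, error) {
	var cfg map[string]map[string]interface{}
	if err := json.Unmarshal([]byte(annotation), &cfg); err != nil {
		return "", err
	}
	gw, ok := cfg["default"]
	if !ok {
		return "", fmt.Errorf("annotation has no default gateway entry")
	}
	gw["mac-address"] = mac.String()
	out, err := json.Marshal(cfg)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

func main() {
	// Constructed scenario: the bridge MAC flips after the first poll, as it
	// would when a bond fails over to a slave with a different address.
	seq := []string{"0a:58:0a:00:00:01", "0a:58:0a:00:00:02"}
	polls := 0
	fake := func(string) (net.HardwareAddr, error) {
		i := polls
		if i >= len(seq) {
			i = len(seq) - 1
		}
		polls++
		return net.ParseMAC(seq[i])
	}
	annotation := `{"default":{"mode":"shared","interface-id":"br-ex_node1","mac-address":"0a:58:0a:00:00:01","ip-addresses":["192.0.2.10/24"]}}`
	w, err := newMACWatcher("br-ex", fake, func(old, cur net.HardwareAddr) {
		updated, err := rewriteGatewayMAC(annotation, cur)
		if err != nil {
			fmt.Println("annotation update failed:", err)
			return
		}
		annotation = updated
		fmt.Printf("MAC changed %s -> %s, annotation now %s\n", old, cur, annotation)
	})
	if err != nil {
		panic(err)
	}
	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
	defer cancel()
	w.run(ctx, 10*time.Millisecond)
}
```

Swapping `systemLister` in for the fake turns the demo into a real poller; the ticker is the part a netlink subscription would replace, with `check` unchanged.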
Commits on Dec 18, 2023
Clean up OFM locking, encapsulation, etc
Changes include:
- Move all ofm receiver functions to the proper file.
- Ensure proper locking of the bridges.
- Use proper encapsulation and expose functions in ofm to get bridge info.

Signed-off-by: Tim Rozet <trozet@redhat.com>
Commit 815d6f8
Add netlink subscriber for link manager
Now link manager will react to events for links, rather than just running every so often.

Signed-off-by: Tim Rozet <trozet@redhat.com>
Commit 5f2fef3
Commits on Dec 19, 2023
Ensures service flows are updated when node IP/MAC updates
Signed-off-by: Tim Rozet <trozet@redhat.com>
Commit d5c62be
Commits on Dec 20, 2023
Updates node ip migration e2e test
Added an additional test that will check to make sure the openflow flows for services are updated correctly when the IP address changes.

Signed-off-by: Tim Rozet <trozet@redhat.com>
Commit 32490b3
Signed-off-by: Tim Rozet <trozet@redhat.com>
Commit 6ed5d48