Add a connection table to the southbound db schema, similar to the Open_vSwitch "Manager" table.
Add tests for pssl: and ptcp: read-only connection types. Add support to ovn-sbctl for listing the SB Connection table. Potential future work: - Test cases for other connection types (punix, ssl, tcp, unix). - SSL configuration table for southbound db. - Connection table for NB schema.
Signed-off-by: Lance Richardson <lrich...@redhat.com>
---
ovn/ovn-sb.ovsschema | 37 ++++++-
ovn/ovn-sb.xml | 245 ++++++++++++++++++++++++++++++++++++++++++++++
ovn/utilities/ovn-sbctl.c | 4 +
tests/ovn.at | 94 ++++++++++++++++++
4 files changed, 377 insertions(+), 3 deletions(-)
diff --git a/ovn/ovn-sb.ovsschema b/ovn/ovn-sb.ovsschema
index 8604b4e..c143be0 100644
--- a/ovn/ovn-sb.ovsschema
+++ b/ovn/ovn-sb.ovsschema
@@ -1,14 +1,19 @@
 {
 "name": "OVN_Southbound",
 "version": "1.8.0",
- "cksum": "59582657 7376",
+ "cksum": "2126446681 9019",
 "tables": {
 "SB_Global": {
 "columns": {
 "nb_cfg": {"type": {"key": "integer"}},
 "external_ids": {
 "type": {"key": "string", "value": "string",
- "min": 0, "max": "unlimited"}}},
+ "min": 0, "max": "unlimited"}},
+ "connection_options": {
+ "type": {"key": {"type": "uuid",
+ "refTable": "Connection"},
+ "min": 0,
+ "max": "unlimited"}}},
 "maxRows": 1,
 "isRoot": true},
 "Chassis": {
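Review bot: The schema gains a new column (`SB_Global.connection_options`) and, in the next hunk, a whole new table, yet `"version": "1.8.0",` is left untouched here and only the `cksum` line moves. The OVS/OVN schema convention is that any change to a schema bumps its version so that tools and daemons can distinguish the two shapes, so this should read `"version": "1.9.0",` with the `cksum` recomputed over the new text. The `SB_Global` table definition is complete within this hunk.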
@@ -152,4 +157,30 @@
 "type": {"key": {
 "type": "string",
 "enum": ["set", ["ipv6", "str", "mac"]]}}}},
- "isRoot": true}}}
+ "isRoot": true},
+ "Connection": {
+ "columns": {
+ "target": {"type": "string"},
+ "max_backoff": {"type": {"key": {"type": "integer",
+ "minInteger": 1000},
+ "min": 0,
+ "max": 1}},
+ "inactivity_probe": {"type": {"key": "integer",
+ "min": 0,
+ "max": 1}},
+ "read_only": {"type": "boolean"},
+ "other_config": {"type": {"key": "string",
+ "value": "string",
+ "min": 0,
+ "max": "unlimited"}},
+ "external_ids": {"type": {"key": "string",
+ "value": "string",
+ "min": 0,
+ "max": "unlimited"}},
+ "is_connected": {"type": "boolean", "ephemeral": true},
+ "status": {"type": {"key": "string",
+ "value": "string",
+ "min": 0,
+ "max": "unlimited"},
+ "ephemeral": true}},
+ "indexes": [["target"]]}}}
diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml
index b484f59..b96622d 100644
--- a/ovn/ovn-sb.xml
+++ b/ovn/ovn-sb.xml
@@ -162,6 +162,14 @@
 See <em>External IDs</em> at the beginning of this document.
 </column>
 </group>
+ <group title="Connection Options">
+ <column name="connection_options">
+ Database of client connections to which the Open vSwitch database server
+ should connect or on which it should listen, along with options for how these
+ connections should be configured. See the <ref table="Connection"/> table
+ for more information.
+ </column>
+ </group>
 </table>
 
 <table name="Chassis" title="Physical Network Hypervisor and Gateway Information">
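Review bot: `read_only` is declared as a bare boolean at `+ "read_only": {"type": "boolean"},`, and OVSDB fills an omitted boolean column with `false`, so any Connection row inserted without that column becomes a read-write endpoint; the schema cannot express a safer default, so the consequence should be spelled out where the column is documented, e.g. `If omitted the column defaults to false, i.e. a read-write connection.` The new table is deliberately not `isRoot`, so a Connection row is garbage-collected unless referenced from `SB_Global.connection_options`; the tests later in this patch depend on inserting both in one transaction, and a one-line note on that in ovn-sb.xml would save the next person the surprise.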
@@ -2257,4 +2265,241 @@ tcp.flags = RST;
 </dl>
 </column>
 </table>
+ <table name="Connection" title="OVSDB client connections.">
+ <p>
+ Configuration for a database connection to an Open vSwitch database
+ (OVSDB) client.
+ </p>
+
+ <p>
+ This table primarily configures the Open vSwitch database server
+ (<code>ovsdb-server</code>).
+ </p>
+
+ <p>
+ The Open vSwitch database server can initiate and maintain active
+ connections to remote clients. It can also listen for database
+ connections.
+ </p>
+
+ <group title="Core Features">
+ <column name="target">
+ <p>Connection methods for clients.</p>
+ <p>
+ The following connection methods are currently supported:
+ </p>
+ <dl>
+ <dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
+ <dd>
+ <p>
+ The specified SSL <var>port</var> on the host at the given
+ <var>ip</var>, which must be expressed as an IP address
+ (not a DNS name).
+ </p>
+ <p>
+ If <var>port</var> is not specified, it defaults to 6640.
+ </p>
+ <p>
+ SSL support is an optional feature that is not always
+ built as part of Open vSwitch.
+ </p>
+ </dd>
+
+ <dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
+ <dd>
+ <p>
+ The specified TCP <var>port</var> on the host at the given
+ <var>ip</var>, which must be expressed as an IP address (not a
+ DNS name), where <var>ip</var> can be IPv4 or IPv6 address. If
+ <var>ip</var> is an IPv6 address, wrap it in square brackets,
+ e.g. <code>tcp:[::1]:6640</code>.
+ </p>
+ <p>
+ If <var>port</var> is not specified, it defaults to 6640.
+ </p>
+ </dd>
+ <dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
+ <dd>
+ <p>
+ Listens for SSL connections on the specified TCP <var>port</var>.
+ Specify 0 for <var>port</var> to have the kernel automatically
+ choose an available port. If <var>ip</var>, which must be
+ expressed as an IP address (not a DNS name), is specified, then
+ connections are restricted to the specified local IP address
+ (either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
+ address, wrap in square brackets,
+ e.g. <code>pssl:6640:[::1]</code>. If <var>ip</var> is not
+ specified then it listens only on IPv4 (but not IPv6) addresses.
+ </p>
+ <p>
+ If <var>port</var> is not specified, it defaults to 6640.
+ </p>
+ <p>
+ SSL support is an optional feature that is not always built as
+ part of Open vSwitch.
+ </p>
+ </dd>
+ <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
+ <dd>
+ <p>
+ Listens for connections on the specified TCP <var>port</var>.
+ Specify 0 for <var>port</var> to have the kernel automatically
+ choose an available port. If <var>ip</var>, which must be
+ expressed as an IP address (not a DNS name), is specified, then
+ connections are restricted to the specified local IP address
+ (either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
+ address, wrap it in square brackets,
+ e.g. <code>ptcp:6640:[::1]</code>. If <var>ip</var> is not
+ specified then it listens only on IPv4 addresses.
+ </p>
+ <p>
+ If <var>port</var> is not specified, it defaults to 6640.
+ </p>
+ </dd>
+ </dl>
+ <p>When multiple clients are configured, the <ref column="target"/>
+ values must be unique. Duplicate <ref column="target"/> values yield
+ unspecified results.</p>
+ </column>
+ </group>
+
+ <group title="Client Failure Detection and Handling">
+ <column name="max_backoff">
+ Maximum number of milliseconds to wait between connection attempts.
+ Default is implementation-specific.
+ </column>
+
+ <column name="inactivity_probe">
+ Maximum number of milliseconds of idle time on connection to the client
+ before sending an inactivity probe message. If Open vSwitch does not
+ communicate with the client for the specified number of seconds, it
+ will send a probe. If a response is not received for the same
+ additional amount of time, Open vSwitch assumes the connection has been
+ broken and attempts to reconnect. Default is implementation-specific.
+ A value of 0 disables inactivity probes.
+ </column>
+
+ <column name="read_only">
+ <code>true</code> if this connection is restricted to read-only
+ transactions, <code>false</code> otherwise.
+ </column>
+ </group>
+
+ <group title="Status">
+ <p>
+ Key-value pair of <ref column="is_connected"/> is always updated.
+ Other key-value pairs in the status columns may be updated depends
+ on the <ref column="target"/> type.
+ </p>
+
+ <p>
+ When <ref column="target"/> specifies a connection method that
+ listens for inbound connections (e.g. <code>ptcp:</code> or
+ <code>punix:</code>), both <ref column="n_connections"/> and
+ <ref column="is_connected"/> may also be updated while the
+ remaining key-value pairs are omitted.
+ </p>
+
+ <p>
+ On the other hand, when <ref column="target"/> specifies an
+ outbound connection, all key-value pairs may be updated, except
+ the above-mentioned two key-value pairs associated with inbound
+ connection targets. They are omitted.
+ </p>
+
+ <column name="is_connected">
+ <code>true</code> if currently connected to this client,
+ <code>false</code> otherwise.
+ </column>
+
+ <column name="status" key="last_error">
+ A human-readable description of the last error on the connection
+ to the manager; i.e. <code>strerror(errno)</code>. This key
+ will exist only if an error has occurred.
+ </column>
+
+ <column name="status" key="state"
+ type='{"type": "string", "enum": ["set", ["VOID", "BACKOFF", "CONNECTING", "ACTIVE", "IDLE"]]}'>
+ <p>
+ The state of the connection to the manager:
+ </p>
+ <dl>
+ <dt><code>VOID</code></dt>
+ <dd>Connection is disabled.</dd>
+
+ <dt><code>BACKOFF</code></dt>
+ <dd>Attempting to reconnect at an increasing period.</dd>
+
+ <dt><code>CONNECTING</code></dt>
+ <dd>Attempting to connect.</dd>
+
+ <dt><code>ACTIVE</code></dt>
+ <dd>Connected, remote host responsive.</dd>
+
+ <dt><code>IDLE</code></dt>
+ <dd>Connection is idle. Waiting for response to keep-alive.</dd>
+ </dl>
+ <p>
+ These values may change in the future. They are provided only for
+ human consumption.
+ </p>
+ </column>
+
+ <column name="status" key="sec_since_connect"
+ type='{"type": "integer", "minInteger": 0}'>
+ The amount of time since this client last successfully connected
+ to the database (in seconds). Value is empty if client has never
+ successfully been connected.
+ </column>
+
+ <column name="status" key="sec_since_disconnect"
+ type='{"type": "integer", "minInteger": 0}'>
+ The amount of time since this client last disconnected from the
+ database (in seconds). Value is empty if client has never
+ disconnected.
+ </column>
+
+ <column name="status" key="locks_held">
+ Space-separated list of the names of OVSDB locks that the connection
+ holds. Omitted if the connection does not hold any locks.
+ </column>
+
+ <column name="status" key="locks_waiting">
+ Space-separated list of the names of OVSDB locks that the connection is
+ currently waiting to acquire. Omitted if the connection is not waiting
+ for any locks.
+ </column>
+
+ <column name="status" key="locks_lost">
+ Space-separated list of the names of OVSDB locks that the connection
+ has had stolen by another OVSDB client. Omitted if no locks have been
+ stolen from this connection.
+ </column>
+
+ <column name="status" key="n_connections"
+ type='{"type": "integer", "minInteger": 2}'>
+ When <ref column="target"/> specifies a connection method that
+ listens for inbound connections (e.g. <code>ptcp:</code> or
+ <code>pssl:</code>) and more than one connection is actually active,
+ the value is the number of active connections. Otherwise, this
+ key-value pair is omitted.
+ </column>
+
+ <column name="status" key="bound_port" type='{"type": "integer"}'>
+ When <ref column="target"/> is <code>ptcp:</code> or
+ <code>pssl:</code>, this is the TCP port on which the OVSDB server is
+ listening. (This is particularly useful when <ref
+ column="target"/> specifies a port of 0, allowing the kernel to
+ choose any available port.)
+ </column>
+ </group>
+
+ <group title="Common Columns">
+ The overall purpose of these columns is described under <code>Common
+ Columns</code> at the beginning of this document.
+
+ <column name="external_ids"/>
+ <column name="other_config"/>
+ </group>
+ </table>
 </database>
diff --git a/ovn/utilities/ovn-sbctl.c b/ovn/utilities/ovn-sbctl.c
index afc350a..b72d554 100644
--- a/ovn/utilities/ovn-sbctl.c
+++ b/ovn/utilities/ovn-sbctl.c
@@ -777,6 +777,10 @@ static const struct ctl_table_class tables[] = {
 {{&sbrec_table_address_set, &sbrec_address_set_col_name, NULL},
 {NULL, NULL, NULL}}},
 
+ {&sbrec_table_connection,
+ {{&sbrec_table_connection, NULL, NULL},
+ {NULL, NULL, NULL}}},
+
 {NULL, {{NULL, NULL, NULL}, {NULL, NULL, NULL}}}
 };
 
diff --git a/tests/ovn.at b/tests/ovn.at
index da0291f..15256f0 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
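Review bot: The `read_only` column text in this hunk (`<code>true</code> if this connection is restricted to read-only transactions, <code>false</code> otherwise.`) says nothing about what `false` exposes, and nothing in the `tcp:`/`ptcp:` entries says those methods are unauthenticated and unencrypted, while the `ptcp:` entry itself states that without an `ip` the server listens on IPv4 addresses generally; a read-write `ptcp:` row therefore grants write access to the entire southbound database to anything that can reach the port. I would add to `read_only`: `Note that tcp: and ptcp: connections are neither authenticated nor encrypted, so a read-write connection of those types should only be exposed on a trusted network; prefer ssl:/pssl: for any remotely reachable read-write connection.` The Status group cites `punix:` as an inbound example, but the `target` list documents only `ssl:`, `tcp:`, `pssl:` and `ptcp:`; either add `punix:`/`unix:` entries to the list or use `pssl:` in the example. Since the commit description defers the SSL configuration table to future work, the `pssl:` entry could also say that the private key, certificate and CA certificate currently come from the ovsdb-server command line, as the new tests show.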
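Review bot: The new `tables[]` entry `{{&sbrec_table_connection, NULL, NULL},` supplies no name column, so `ovn-sbctl list Connection`, `get`, `set` and friends can address a Connection row only by UUID, whereas the neighbouring `address_set` entry passes `&sbrec_address_set_col_name`. The schema hunk declares `"indexes": [["target"]]`, so `target` is unique per row and can play the same role: `{{&sbrec_table_connection, &sbrec_connection_col_target, NULL},` (assuming the IDL generator names the column accessor the way it does for `address_set`). The `tables[]` initializer begins before this hunk, so the other entries are not visible here.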
@@ -5457,3 +5457,97 @@ check_tos 0
 
 OVN_CLEANUP([hv])
 AT_CLEANUP
+
+AT_SETUP([ovn -- read-only sb db:ptcp access])
+AT_SKIP_IF([test $HAVE_PYTHON = no])
+
+: > .$1.db.~lock~
+ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn/ovn-sb.ovsschema
+
+# Add read-only remote to sb ovsdb-server
+AT_CHECK(
+ [ovsdb-tool transact ovn-sb.db \
+ ['["OVN_Southbound",
+ {"op": "insert",
+ "table": "SB_Global",
+ "row": {
+ "connection_options": ["set", [["named-uuid", "xyz"]]]}},
+ {"op": "insert",
+ "table": "Connection",
+ "uuid-name": "xyz",
+ "row": {"target": "ptcp:0:127.0.0.1",
+ "read_only": true}}]']], [0], [ignore], [ignore])
+
+start_daemon ovsdb-server --remote=punix:ovn-sb.sock --remote=db:OVN_Southbound,SB_Global,connection_options ovn-sb.db
+
+PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+# read-only accesses should succeed
+AT_CHECK([ovn-sbctl --db=tcp:127.0.0.1:$TCP_PORT list SB_Global], [0], [stdout], [ignore])
+AT_CHECK([ovn-sbctl --db=tcp:127.0.0.1:$TCP_PORT list Connection], [0], [stdout], [ignore])
+
+# write access should fail
+AT_CHECK([ovn-sbctl --db=tcp:127.0.0.1:$TCP_PORT chassis-add ch vxlan 1.2.4.8], [1], [ignore],
+[ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"}
+])
+
+OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+AT_CLEANUP
+
+AT_SETUP([ovn -- read-only sb db:pssl access])
+AT_SKIP_IF([test $HAVE_PYTHON = no])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+AT_SKIP_IF([expr "$PKIDIR" : ".*[ '\"
+\\]"])
+
+: > .$1.db.~lock~
+ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn/ovn-sb.ovsschema
+
+# Add read-only remote to sb ovsdb-server
+AT_CHECK(
+ [ovsdb-tool transact ovn-sb.db \
+ ['["OVN_Southbound",
+ {"op": "insert",
+ "table": "SB_Global",
+ "row": {
+ "connection_options": ["set", [["named-uuid", "xyz"]]]}},
+ {"op": "insert",
+ "table": "Connection",
+ "uuid-name": "xyz",
+ "row": {"target": "pssl:0:127.0.0.1",
+ "read_only": true}}]']], [0], [ignore], [ignore])
+
+start_daemon ovsdb-server --remote=punix:ovn-sb.sock \
+ --remote=db:OVN_Southbound,SB_Global,connection_options \
+ --private-key="$PKIDIR/testpki-privkey2.pem" \
+ --certificate="$PKIDIR/testpki-cert2.pem" \
+ --ca-cert="$PKIDIR/testpki-cacert.pem" \
+ ovn-sb.db
+
+PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+# read-only accesses should succeed
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+ --private-key=$PKIDIR/testpki-privkey.pem \
+ --certificate=$PKIDIR/testpki-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list SB_Global], [0], [stdout], [ignore])
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+ --private-key=$PKIDIR/testpki-privkey.pem \
+ --certificate=$PKIDIR/testpki-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ list Connection], [0], [stdout], [ignore])
+
+# write access should fail
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+ --private-key=$PKIDIR/testpki-privkey.pem \
+ --certificate=$PKIDIR/testpki-cert.pem \
+ --ca-cert=$PKIDIR/testpki-cacert.pem \
+ chassis-add ch vxlan 1.2.4.8], [1], [ignore],
+[ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"}
+])
+
+OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+AT_CLEANUP
+
-- 
2.5.5
_______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
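Review bot: Both new tests run `: > .$1.db.~lock~`, but `$1` is not the database name inside an `AT_SETUP` body (the line looks copied from a parameterised macro in ovsdb-server.at), so the lock file touched is not the one that belongs to `ovn-sb.db`; it should be `: > .ovn-sb.db.~lock~` in both tests. The pssl test shows only that a client presenting a valid test certificate is limited to reads; it never shows that a client without a certificate is refused, which is the property that makes `pssl:` worth more than `ptcp:` here, so a negative check — an `ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT list SB_Global` with no `--private-key`/`--certificate`/`--ca-cert` and a `--timeout` so it fails fast, expected to exit non-zero — would pin it. The exact stderr of that failure is not visible from this patch, so `[ignore]` for the error text is the safe form. The `ptcp:0:127.0.0.1` target also means neither test exercises the "no `ip` given, listen on all IPv4 addresses" case described in ovn-sb.xml, which is the configuration most worth guarding with `read_only`.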