Allow tenant networks to be shared with domain 0.

If domain 0 has an IP address on a given bridge, then add a flow rule to allow traffic to leave that port. This allows for the case where domain 0 and the tenant network are sharing a bridge, which is useful in non-production environments. At the same time, simplify the interface to ovs_configure_base_rules.py. There is no need to pass the bridge in, because it's implicit in the selection of the physical interface, and can be obtained using ovs-vsctl iface-to-br. Having made these two changes, it's now reasonable to apply flow rules to all interfaces as a default (if not overridden in the sysconfig file). Change-Id: I2a33ed55246d49b0e4f57db909e1b40351d27602
2011-09-24 23:46:23 -07:00 · 2011-09-24 23:46:23 -07:00 · 0a56ae6fa2
commit 0a56ae6fa2
parent 16e3f2effc
3 changed files with 40 additions and 13 deletions
--- a/plugins/xenserver/networking/etc/init.d/openvswitch-nova
+++ b/plugins/xenserver/networking/etc/init.d/openvswitch-nova
@ -5,6 +5,7 @@
 # chkconfig: 2345 96 89
 # description: Apply initial OVS flows for Nova

+# Copyright 2011 Citrix Systems, Inc.
 # Copyright 2011 OpenStack LLC.
 # Copyright (C) 2009, 2010, 2011 Nicira Networks, Inc.
 # All Rights Reserved.
@ -59,11 +60,11 @@ case ${NETWORK_MODE:=openvswitch} in
 esac

 function run_ovs_conf_base_flows {
-    # expected format: DEVICE_BRIDGES="eth0:xenbr0 eth1:xenbr1"
-    for pair in $DEVICE_BRIDGES; do
-	# below in $info, physical device is [0], bridge name is [1]
-	info=${pair//:/ }
-	/usr/bin/python $OVS_CONFIGURE_BASE_FLOWS $1 ${info[0]} ${info[1]}
+    local action="$1"
+    local all_interfaces=$(cd /sys/class/net/; /bin/ls -d eth*)
+    local interfaces="${INTERFACES-$all_interfaces}"
+    for interface in $interfaces; do
+	/usr/bin/python $OVS_CONFIGURE_BASE_FLOWS $action $interface
    done
 }

--- a/plugins/xenserver/networking/etc/sysconfig/openvswitch-nova
+++ b/plugins/xenserver/networking/etc/sysconfig/openvswitch-nova
@ -1 +1,15 @@
-#DEVICE_BRIDGES="eth0:xenbr0 eth1:xenbr1"
+# The interfaces that you want to apply base OVS rules to.  If this is
+# unspecified then rules are applied to all eth* interfaces, which is a good
+# default.
+#
+# If you are worried about the performance of having rules on interfaces
+# that aren't carrying tenant traffic, or you want to do something
+# custom, then here you can explicitly choose the interfaces that should have
+# rules applied.
+#
+# Note that if there is an IP address on the bridge in domain 0 (i.e. the
+# xenbrX interface) then a rule will be applied that allows traffic to it.
+# Make sure that this is what you want.  If you don't want tenant traffic
+# to be able to reach domain 0 -- the usual case -- then you should have
+# tenant traffic and domain 0 on entirely separate bridges.
+#INTERFACES="eth0 eth1"
--- a/plugins/xenserver/networking/etc/xensource/scripts/ovs_configure_base_flows.py
+++ b/plugins/xenserver/networking/etc/xensource/scripts/ovs_configure_base_flows.py
@ -1,6 +1,7 @@
 #!/usr/bin/env python
 # vim: tabstop=4 shiftwidth=4 softtabstop=4

+# Copyright 2011 Citrix Systems, Inc.
 # Copyright 2011 OpenStack LLC.
 # All Rights Reserved.
 #
@ -27,9 +28,12 @@ import sys
 from novalib import execute, execute_get_output


-def main(command, phys_dev_name, bridge_name):
+def main(command, phys_dev_name):
    ovs_ofctl = lambda *rule: execute('/usr/bin/ovs-ofctl', *rule)

+    bridge_name = \
+        execute_get_output('/usr/bin/ovs-vsctl', 'iface-to-br', phys_dev_name)
+
    # always clear all flows first
    ovs_ofctl('del-flows', bridge_name)

@ -44,19 +48,27 @@ def main(command, phys_dev_name, bridge_name):
        ovs_ofctl('add-flow', bridge_name,
                  "priority=2,in_port=%s,actions=normal" % pnic_ofport)

+        # Allow traffic from dom0 if there is a management interface
+        # present (its IP address is on the bridge itself)
+        bridge_addr = \
+            execute_get_output('/sbin/ip', '-o', '-f', 'inet', 'addr', 'show',
+                               bridge_name)
+        if bridge_addr != '':
+            ovs_ofctl('add-flow', bridge_name,
+                      "priority=2,in_port=LOCAL,actions=normal")
+
        # default drop
        ovs_ofctl('add-flow', bridge_name, 'priority=1,actions=drop')


 if __name__ == "__main__":
-    if len(sys.argv) != 4 or sys.argv[1] not in ('online', 'offline', 'reset'):
+    if len(sys.argv) != 3 or sys.argv[1] not in ('online', 'offline', 'reset'):
        print sys.argv
        script_name = os.path.basename(sys.argv[0])
        print "This script configures base ovs flows."
-        print "usage: %s [online|offline|reset] phys-dev-name bridge-name" \
-                % script_name
-        print "   ex: %s online eth0 xenbr0" % script_name
+        print "usage: %s [online|offline|reset] phys-dev-name" % script_name
+        print "   ex: %s online eth0" % script_name
        sys.exit(1)
    else:
-        command, phys_dev_name, bridge_name = sys.argv[1:4]
-        main(command, phys_dev_name, bridge_name)
+        command, phys_dev_name = sys.argv[1:3]
+        main(command, phys_dev_name)