Bug#1030113: bullseye-pu: package openvswitch/2.15.0+ds1-2+deb11u2
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Stable release team,
We would like to fix https://bugs.debian.org/1008684.
Michael Prokop found the matching patch, and we would like to
apply it to Bullseye.
[ Reason ]
As per #1008684, restarting OVS in Bullseye makes the computer
loose network.
[ Impact ]
Any further update to OVS may be very annoying for OVS users,
as a reboot may be necessary to restore network connectivity.
[ Tests ]
The package runs unit tests at build time, for both the normal
and the DPDK flavor of OVS.
[ Risks ]
The patch is minimalistic, and the issue well understood upstream.
The patch is also present in all subsequent version of OVS released
by upstream, so it's rather safe, IMO.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Just the patch as per:
https://github.com/openvswitch/ovs/commit/bc0aa785a83c11dab482b3e20736b969174d9f86
* Blacklisting one unit test (on all arch) that failed during
the build. That's the changes inside debian/rules, removing
527 from the list. Note that this is very common with OVS, as many
tests are time sensitive, and often are flacky and unreliable. I've
already blacklisted a lot of unit tests, this is just one more...
If the stable release team feels like it's best to leave d/rules
as-is, I can revert that, and we can give-back the package to the
buildd if that unit test fails, but I'd prefer blacklisting it.
Cheers,
Thomas Goirand (zigo)
diff -Nru openvswitch-2.15.0+ds1/debian/changelog openvswitch-2.15.0+ds1/debian/changelog
--- openvswitch-2.15.0+ds1/debian/changelog 2022-10-03 12:59:27.000000000 +0200
+++ openvswitch-2.15.0+ds1/debian/changelog 2023-01-31 08:47:53.000000000 +0100
@@ -1,3 +1,15 @@
+openvswitch (2.15.0+ds1-2+deb11u3) bullseye; urgency=medium
+
+ [ Thomas Goirand ]
+ * Blacklist flacky test on all arch: 526: tcp vconn - refuse connection.
+
+ [ Michael Prokop ]
+ * Fix "openvswitch-switch update leaves interfaces down" by applying upstream
+ fix: https://github.com/openvswitch/ovs/commit/bc0aa785a83c1
+ (Closes: #1008684).
+
+ -- Thomas Goirand <zigo@debian.org> Tue, 31 Jan 2023 08:47:53 +0100
+
openvswitch (2.15.0+ds1-2+deb11u2) bullseye-security; urgency=medium
* Fix ovs-dpctl-top by removing 3 wrong hunks in py3-compat.patch.
diff -Nru openvswitch-2.15.0+ds1/debian/patches/fix_ovsdb-idl_fix-the-database-update-signaling-if-it-has-never-been-connected.patch openvswitch-2.15.0+ds1/debian/patches/fix_ovsdb-idl_fix-the-database-update-signaling-if-it-has-never-been-connected.patch
--- openvswitch-2.15.0+ds1/debian/patches/fix_ovsdb-idl_fix-the-database-update-signaling-if-it-has-never-been-connected.patch 1970-01-01 01:00:00.000000000 +0100
+++ openvswitch-2.15.0+ds1/debian/patches/fix_ovsdb-idl_fix-the-database-update-signaling-if-it-has-never-been-connected.patch 2023-01-31 08:47:53.000000000 +0100
@@ -0,0 +1,102 @@
+From: Ilya Maximets <i.maximets@ovn.org>
+Subject: ovsdb-idl: Fix the database update signaling if it has never been connected
+ The symptom of this issue is that OVS bridge looses its IP address on
+ restart.
+ .
+ Simple reproducer:
+ 0. start ovsdb-server and ovs-vswitchd
+ 1. ovs-vsctl add-br br0
+ 2. ifconfig br0 10.0.0.1 up
+ 3. ovs-appctl -t ovs-vswitchd exit
+ 4. start ovs-vswitchd back.
+ .
+ After step #3 ovs-vswitchd is down, but br0 interface exists and
+ has configured IP address. After step #4 there is no IP address
+ on the port br0.
+ .
+ What happened:
+ 1. ovsdb-cs connects to the database via ovsdb-idl and requests
+ database lock.
+ --> get_schema for _Server database
+ --> lock request
+ .
+ 2. ovsdb-cs receives schema for the _Server database. And sends
+ monitor request.
+ <-- schema for _Server
+ --> monitor_cond for _Server
+ .
+ 3. ovsdb-cs receives lock reply.
+ <-- locked
+ At this point ovsdb-cs generates OVSDB_CS_EVENT_TYPE_LOCKED
+ event and passes it to ovsdb-idl. ovsdb-idl increases change_seqno.
+ .
+ 4. ovsdb_idl_has_ever_connected() is 'true' now, because change_seqno
+ is not zero.
+ .
+ 5. ovs-vswitchd decides that it has connection with database and
+ all the initial data, therefore initiates configuration of bridges.
+ bridge_run():ovsdb_idl_has_ever_connected() --> true
+ .
+ 6. Since monitor request for the Open_vSwitch database is not even
+ sent yet, the database is empty. This leads to removal of all the
+ ports and all other resources.
+ .
+ 7. When data finally received, ovs-vswitchd re-creates bridges and
+ ports, but IP addresses can not be restored.
+ .
+ While splitting out ovsdb-cs from ovsdb-idl one part of the logic
+ was lost. Particularly, before the split, ovsdb-idl updated
+ change_seqno only in MONITORING state.
+ .
+ Restoring the logic by updating the change_seqno only if may send
+ transaction, i.e. lock is ours and ovsdb-cs is in the MONITORING
+ state. This matches with the main purpose of increasing change_seqno
+ at this point, i.e. to force the client to re-try the transaction.
+ With this change ovsdb_idl_has_ever_connected() remains 'false'
+ until the first monitor reply with the actual data received.
+ .
+ This issue was reported several times during the last couple of weeks.
+ .
+ Reported-at: https://bugzilla.redhat.com/1968445
+ Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2021-June/383512.html
+ Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2021-June/051222.html
+ Fixes: 1c337c43ac1c ("ovsdb-idl: Break into two layers.")
+ Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+ Acked-by: Dumitru Ceara <dceara@redhat.com>
+ Author: Ilya Maximets <i.maximets@ovn.org>
+ Date: Tue, 8 Jun 2021 15:17:23 +0200
+Origin: upstream, https://github.com/openvswitch/ovs/commit/bc0aa785a83c11dab482b3e20736b969174d9f86.patch
+Applied-Upstream: 2.15.1
+Bug-Debian: https://bugs.debian.org/1008684
+Last-Update: 2023-01-26
+
+---
+ lib/ovsdb-idl.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git lib/ovsdb-idl.c lib/ovsdb-idl.c
+index 2c8a0c9..6241fb4 100644
+--- a/lib/ovsdb-idl.c
++++ b/lib/ovsdb-idl.c
+@@ -401,9 +401,15 @@ ovsdb_idl_run(struct ovsdb_idl *idl)
+ break;
+
+ case OVSDB_CS_EVENT_TYPE_LOCKED:
+- /* If the client couldn't run a transaction because it didn't have
+- * the lock, this will encourage it to try again. */
+- idl->change_seqno++;
++ if (ovsdb_cs_may_send_transaction(idl->cs)) {
++ /* If the client couldn't run a transaction because it didn't
++ * have the lock, this will encourage it to try again. */
++ idl->change_seqno++;
++ } else {
++ /* We're setting up a session, so don't signal that the
++ * database changed. Finalizing the session will increment
++ * change_seqno anyhow. */
++ }
+ break;
+
+ case OVSDB_CS_EVENT_TYPE_UPDATE:
+--
+2.30.2
+
diff -Nru openvswitch-2.15.0+ds1/debian/patches/series openvswitch-2.15.0+ds1/debian/patches/series
--- openvswitch-2.15.0+ds1/debian/patches/series 2022-10-03 12:59:27.000000000 +0200
+++ openvswitch-2.15.0+ds1/debian/patches/series 2023-01-31 08:47:53.000000000 +0100
@@ -3,3 +3,4 @@
CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
CVE-2022-4337and8_1_fix_bugs_when_parsing_malformed_LLDP_packets.patch
CVE-2022-4337and8_2_Add_a_unit_test_for_LLDP.patch
+fix_ovsdb-idl_fix-the-database-update-signaling-if-it-has-never-been-connected.patch
diff -Nru openvswitch-2.15.0+ds1/debian/rules openvswitch-2.15.0+ds1/debian/rules
--- openvswitch-2.15.0+ds1/debian/rules 2022-10-03 12:59:27.000000000 +0200
+++ openvswitch-2.15.0+ds1/debian/rules 2023-01-31 08:47:53.000000000 +0100
@@ -42,7 +42,7 @@
# that one doesn't feel like deterministic.
# 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535)
# 1057: ofproto-dpif - controller action without megaflows FAILED (ofproto-dpif.at:1893)
-TEST_LIST = 1-19 21-531 533-1020 1022-1056 1058-
+TEST_LIST = 1-19 21-525 527-531 533-1020 1022-1056 1058-
TEST_LIST_DPDK = $(TEST_LIST)
# armhf:
@@ -53,7 +53,7 @@
# 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535)
# 1057: ofproto-dpif - controller action without megaflows FAILED (ofproto-dpif.at:1893)
ifneq (,$(filter armhf, $(DEB_HOST_ARCH)))
-TEST_LIST = 1-19 21-23 28-531 533-917 919-1020 1022-1056 1058-
+TEST_LIST = 1-19 21-23 28-525 527-531 533-917 919-1020 1022-1056 1058-
TEST_LIST_DPDK = $(TEST_LIST)
endif # armhf
@@ -71,7 +71,7 @@
# 1071: ofproto-dpif - controller action without megaflows
# 1136: ofproto-dpif - sFlow packet sampling - LACP structures
ifneq (,$(filter mipsel, $(DEB_HOST_ARCH)))
-TEST_LIST = 1-19 22-531 533-916 920-926 928-1020 1022-1034 1036-1056 1058-1068 1070 1072-1101 1103-1135 1137-
+TEST_LIST = 1-19 22-525 527-531 533-916 920-926 928-1020 1022-1034 1036-1056 1058-1068 1070 1072-1101 1103-1135 1137-
TEST_LIST_DPDK = $(TEST_LIST)
endif # mipsel
@@ -82,7 +82,7 @@
# 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535)
# 1069: ofproto-dpif - controller action without megaflows
ifneq (,$(filter mips64el, $(DEB_HOST_ARCH)))
-TEST_LIST = 1-19 22-531 533-1020 1022-1032 1034-1056 1058-1068 1070 1072-1120 1122-
+TEST_LIST = 1-19 22-525 527-531 533-1020 1022-1032 1034-1056 1058-1068 1070 1072-1120 1122-
TEST_LIST_DPDK = $(TEST_LIST)
endif # mips64el
@@ -90,7 +90,7 @@
# 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535)
# 1123: ofproto-dpif - sFlow packet sampling - LACP structures FAILED (ofproto-dpif.at:6643)
ifneq (,$(filter armel, $(DEB_HOST_ARCH)))
-TEST_LIST = 1-19 21-531 533-1020 1022-1056 1058-1122 1124-
+TEST_LIST = 1-19 21-525 527-531 533-1020 1022-1056 1058-1122 1124-
TEST_LIST_DPDK = $(TEST_LIST)
endif #armel
@@ -99,7 +99,7 @@
# 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535)
# 1057: ofproto-dpif - controller action without megaflows FAILED (ofproto-dpif.at:1893)
ifneq (,$(filter arm64, $(DEB_HOST_ARCH)))
-TEST_LIST = 1-19 21-158 160-531 533-1020 1022-1056 1058-
+TEST_LIST = 1-19 21-158 160-525 527-531 533-1020 1022-1056 1058-
TEST_LIST_DPDK = $(TEST_LIST)
endif #arm64
@@ -108,7 +108,7 @@
# 2728: ovn -- vlan traffic for external network with distributed router gateway port FAILED (ovn.at:8563)
# 2737: ovn -- IPv6 periodic RA FAILED (ovn.at:9916)
ifneq (,$(filter alpha, $(DEB_HOST_ARCH)))
-TEST_LIST = 1-19 21-531 533-2723 2725-2727 2729-2736 2738-
+TEST_LIST = 1-19 21-525 527-531 533-2723 2725-2727 2729-2736 2738-
TEST_LIST_DPDK = $(TEST_LIST)
endif #alpha
@@ -132,7 +132,7 @@
# 1735: ovsdb-server combines updates on backlogged connections FAILED (ovsdb-server.at:1205)
# 2193: RSTP - dummy interface FAILED (rstp.at:210)
ifneq (,$(filter hppa, $(DEB_HOST_ARCH)))
-TEST_LIST = 1-19 21-531 533-846 848-849 851-915 920-941 943-1020 1022-1056 1058-1101 1103-1104 1106-1122 1124-1180 1182-1208 1210-1734 1736-2192 2194-
+TEST_LIST = 1-19 21-525 527-531 533-846 848-849 851-915 920-941 943-1020 1022-1056 1058-1101 1103-1104 1106-1122 1124-1180 1182-1208 1210-1734 1736-2192 2194-
TEST_LIST_DPDK = $(TEST_LIST)
endif #hppa
@@ -149,7 +149,7 @@
# 2185: STP - flush the fdb and mdb when topology changed FAILED (stp.at:529)
# 2249: auto-attach - packets FAILED (auto-attach.at:5)
ifneq (,$(filter sparc64, $(DEB_HOST_ARCH)))
-TEST_LIST = 1-19 21-25 27-465 467-531 533-899 901-917 919-941 943-997 999-1056 1058-2183 2186-2248 2250-
+TEST_LIST = 1-19 21-25 27-465 467-525 527-531 533-899 901-917 919-941 943-997 999-1056 1058-2183 2186-2248 2250-
TEST_LIST_DPDK = $(TEST_LIST)
endif #sparc64
@@ -158,7 +158,7 @@
# 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535)
# 1057: ofproto-dpif - controller action without megaflows FAILED (ofproto-dpif.at:1893)
ifneq (,$(filter ia64, $(DEB_HOST_ARCH)))
-TEST_LIST = 1-19 21-531 533-1020 1022-1056 1058-
+TEST_LIST = 1-19 21-525 527-531 533-1020 1022-1056 1058-
TEST_LIST_DPDK = $(TEST_LIST)
endif #ia64
Reply to: