Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

Dear Stable release team,

We would like to fix https://bugs.debian.org/1008684. Michael Prokop found the matching patch, and we would like to apply it to Bullseye.

[ Reason ]
As per #1008684, restarting OVS in Bullseye makes the computer lose network.

[ Impact ]
Any further update to OVS may be very annoying for OVS users, as a reboot may be necessary to restore network connectivity.

[ Tests ]
The package runs unit tests at build time, for both the normal and the DPDK flavor of OVS.

[ Risks ]
The patch is minimalistic, and the issue well understood upstream. The patch is also present in all subsequent versions of OVS released by upstream, so it's rather safe, IMO.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
* Just the patch as per: https://github.com/openvswitch/ovs/commit/bc0aa785a83c11dab482b3e20736b969174d9f86
* Blacklisting one unit test (on all arch) that failed during the build. That's the changes inside debian/rules, removing 527 from the list.

Note that this is very common with OVS, as many tests are time sensitive, and often are flaky and unreliable. I've already blacklisted a lot of unit tests, this is just one more... If the stable release team feels like it's best to leave d/rules as-is, I can revert that, and we can give-back the package to the buildd if that unit test fails, but I'd prefer blacklisting it.

Cheers,

Thomas Goirand (zigo)

diff -Nru openvswitch-2.15.0+ds1/debian/changelog openvswitch-2.15.0+ds1/debian/changelog --- openvswitch-2.15.0+ds1/debian/changelog 2022-10-03 12:59:27.000000000 +0200 +++ openvswitch-2.15.0+ds1/debian/changelog 2023-01-31 08:47:53.000000000 +0100 @@ -1,3 +1,15 @@ +openvswitch (2.15.0+ds1-2+deb11u3) bullseye; urgency=medium + + [ Thomas Goirand ] + * Blacklist flacky test on all arch: 526: tcp vconn - refuse connection. + + [ Michael Prokop ] + * Fix "openvswitch-switch update leaves interfaces down" by applying upstream + fix: https://github.com/openvswitch/ovs/commit/bc0aa785a83c1 + (Closes: #1008684). + + -- Thomas Goirand <z...@debian.org> Tue, 31 Jan 2023 08:47:53 +0100 + openvswitch (2.15.0+ds1-2+deb11u2) bullseye-security; urgency=medium * Fix ovs-dpctl-top by removing 3 wrong hunks in py3-compat.patch. diff -Nru openvswitch-2.15.0+ds1/debian/patches/fix_ovsdb-idl_fix-the-database-update-signaling-if-it-has-never-been-connected.patch openvswitch-2.15.0+ds1/debian/patches/fix_ovsdb-idl_fix-the-database-update-signaling-if-it-has-never-been-connected.patch --- openvswitch-2.15.0+ds1/debian/patches/fix_ovsdb-idl_fix-the-database-update-signaling-if-it-has-never-been-connected.patch 1970-01-01 01:00:00.000000000 +0100 +++ openvswitch-2.15.0+ds1/debian/patches/fix_ovsdb-idl_fix-the-database-update-signaling-if-it-has-never-been-connected.patch 2023-01-31 08:47:53.000000000 +0100 
@@ -0,0 +1,102 @@ +From: Ilya Maximets <i.maxim...@ovn.org> +Subject: ovsdb-idl: Fix the database update signaling if it has never been connected + The symptom of this issue is that OVS bridge looses its IP address on + restart. + . + Simple reproducer: + 0. start ovsdb-server and ovs-vswitchd + 1. ovs-vsctl add-br br0 + 2. ifconfig br0 10.0.0.1 up + 3. ovs-appctl -t ovs-vswitchd exit + 4. start ovs-vswitchd back. + . + After step #3 ovs-vswitchd is down, but br0 interface exists and + has configured IP address. After step #4 there is no IP address + on the port br0. + . + What happened: + 1. ovsdb-cs connects to the database via ovsdb-idl and requests + database lock. + --> get_schema for _Server database + --> lock request + . + 2. ovsdb-cs receives schema for the _Server database. And sends + monitor request. + <-- schema for _Server + --> monitor_cond for _Server + . + 3. ovsdb-cs receives lock reply. + <-- locked + At this point ovsdb-cs generates OVSDB_CS_EVENT_TYPE_LOCKED + event and passes it to ovsdb-idl. ovsdb-idl increases change_seqno. + . + 4. ovsdb_idl_has_ever_connected() is 'true' now, because change_seqno + is not zero. + . + 5. ovs-vswitchd decides that it has connection with database and + all the initial data, therefore initiates configuration of bridges. + bridge_run():ovsdb_idl_has_ever_connected() --> true + . + 6. Since monitor request for the Open_vSwitch database is not even + sent yet, the database is empty. This leads to removal of all the + ports and all other resources. + . + 7. When data finally received, ovs-vswitchd re-creates bridges and + ports, but IP addresses can not be restored. + . + While splitting out ovsdb-cs from ovsdb-idl one part of the logic + was lost. Particularly, before the split, ovsdb-idl updated + change_seqno only in MONITORING state. + . + Restoring the logic by updating the change_seqno only if may send + transaction, i.e. lock is ours and ovsdb-cs is in the MONITORING + state. 
This matches with the main purpose of increasing change_seqno + at this point, i.e. to force the client to re-try the transaction. + With this change ovsdb_idl_has_ever_connected() remains 'false' + until the first monitor reply with the actual data received. + . + This issue was reported several times during the last couple of weeks. + . + Reported-at: https://bugzilla.redhat.com/1968445 + Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2021-June/383512.html + Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2021-June/051222.html + Fixes: 1c337c43ac1c ("ovsdb-idl: Break into two layers.") + 
Signed-off-by: Ilya Maximets <i.maxim...@ovn.org> + Acked-by: Dumitru Ceara <dce...@redhat.com> + Author: Ilya Maximets <i.maxim...@ovn.org> + Date: Tue, 8 Jun 2021 15:17:23 +0200 +Origin: upstream, https://github.com/openvswitch/ovs/commit/bc0aa785a83c11dab482b3e20736b969174d9f86.patch +Applied-Upstream: 2.15.1 +Bug-Debian: https://bugs.debian.org/1008684 +Last-Update: 2023-01-26 + +--- + lib/ovsdb-idl.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git lib/ovsdb-idl.c lib/ovsdb-idl.c +index 2c8a0c9..6241fb4 100644 +--- a/lib/ovsdb-idl.c ++++ b/lib/ovsdb-idl.c +@@ -401,9 +401,15 @@ ovsdb_idl_run(struct ovsdb_idl *idl) + break; + + case OVSDB_CS_EVENT_TYPE_LOCKED: +- /* If the client couldn't run a transaction because it didn't have +- * the lock, this will encourage it to try again. */ +- idl->change_seqno++; ++ if (ovsdb_cs_may_send_transaction(idl->cs)) { ++ /* If the client couldn't run a transaction because it didn't ++ * have the lock, this will encourage it to try again. */ ++ idl->change_seqno++; ++ } else { ++ /* We're setting up a session, so don't signal that the ++ * database changed. Finalizing the session will increment ++ * change_seqno anyhow. */ ++ } + break; + + case OVSDB_CS_EVENT_TYPE_UPDATE: +-- +2.30.2 + diff -Nru openvswitch-2.15.0+ds1/debian/patches/series openvswitch-2.15.0+ds1/debian/patches/series --- openvswitch-2.15.0+ds1/debian/patches/series 2022-10-03 12:59:27.000000000 +0200 +++ openvswitch-2.15.0+ds1/debian/patches/series 2023-01-31 08:47:53.000000000 +0100 
@@ -3,3 +3,4 @@ CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch CVE-2022-4337and8_1_fix_bugs_when_parsing_malformed_LLDP_packets.patch CVE-2022-4337and8_2_Add_a_unit_test_for_LLDP.patch +fix_ovsdb-idl_fix-the-database-update-signaling-if-it-has-never-been-connected.patch diff -Nru openvswitch-2.15.0+ds1/debian/rules openvswitch-2.15.0+ds1/debian/rules --- openvswitch-2.15.0+ds1/debian/rules 2022-10-03 12:59:27.000000000 +0200 +++ openvswitch-2.15.0+ds1/debian/rules 2023-01-31 08:47:53.000000000 +0100 @@ -42,7 +42,7 @@ # that one doesn't feel like deterministic. # 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535) # 1057: ofproto-dpif - controller action without megaflows FAILED (ofproto-dpif.at:1893) -TEST_LIST = 1-19 21-531 533-1020 1022-1056 1058- +TEST_LIST = 1-19 21-525 527-531 533-1020 1022-1056 1058- TEST_LIST_DPDK = $(TEST_LIST) # armhf: @@ -53,7 +53,7 @@ # 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535) # 1057: ofproto-dpif - controller action without megaflows FAILED (ofproto-dpif.at:1893) ifneq (,$(filter armhf, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 21-23 28-531 533-917 919-1020 1022-1056 1058- +TEST_LIST = 1-19 21-23 28-525 527-531 533-917 919-1020 1022-1056 1058- TEST_LIST_DPDK = $(TEST_LIST) endif # armhf @@ -71,7 +71,7 @@ # 1071: ofproto-dpif - controller action without megaflows # 1136: ofproto-dpif - sFlow packet sampling - LACP structures ifneq (,$(filter mipsel, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 22-531 533-916 920-926 928-1020 1022-1034 1036-1056 1058-1068 1070 1072-1101 1103-1135 1137- +TEST_LIST = 1-19 22-525 527-531 533-916 920-926 928-1020 1022-1034 1036-1056 1058-1068 1070 1072-1101 1103-1135 1137- TEST_LIST_DPDK = $(TEST_LIST) endif # mipsel 
@@ -82,7 +82,7 @@ # 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535) # 1069: ofproto-dpif - controller action without megaflows ifneq (,$(filter mips64el, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 22-531 533-1020 1022-1032 1034-1056 1058-1068 1070 1072-1120 1122- +TEST_LIST = 1-19 22-525 527-531 533-1020 1022-1032 1034-1056 1058-1068 1070 1072-1120 1122- TEST_LIST_DPDK = $(TEST_LIST) endif # mips64el @@ -90,7 +90,7 @@ # 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535) # 1123: ofproto-dpif - sFlow packet sampling - LACP structures FAILED (ofproto-dpif.at:6643) ifneq (,$(filter armel, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 21-531 533-1020 1022-1056 1058-1122 1124- +TEST_LIST = 1-19 21-525 527-531 533-1020 1022-1056 1058-1122 1124- TEST_LIST_DPDK = $(TEST_LIST) endif #armel @@ -99,7 +99,7 @@ # 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535) # 1057: ofproto-dpif - controller action without megaflows FAILED (ofproto-dpif.at:1893) ifneq (,$(filter arm64, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 21-158 160-531 533-1020 1022-1056 1058- +TEST_LIST = 1-19 21-158 160-525 527-531 533-1020 1022-1056 1058- TEST_LIST_DPDK = $(TEST_LIST) endif #arm64 @@ -108,7 +108,7 @@ # 2728: ovn -- vlan traffic for external network with distributed router gateway port FAILED (ovn.at:8563) # 2737: ovn -- IPv6 periodic RA FAILED (ovn.at:9916) ifneq (,$(filter alpha, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 21-531 533-2723 2725-2727 2729-2736 2738- +TEST_LIST = 1-19 21-525 527-531 533-2723 2725-2727 2729-2736 2738- TEST_LIST_DPDK = $(TEST_LIST) endif #alpha 
@@ -132,7 +132,7 @@ # 1735: ovsdb-server combines updates on backlogged connections FAILED (ovsdb-server.at:1205) # 2193: RSTP - dummy interface FAILED (rstp.at:210) ifneq (,$(filter hppa, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 21-531 533-846 848-849 851-915 920-941 943-1020 1022-1056 1058-1101 1103-1104 1106-1122 1124-1180 1182-1208 1210-1734 1736-2192 2194- +TEST_LIST = 1-19 21-525 527-531 533-846 848-849 851-915 920-941 943-1020 1022-1056 1058-1101 1103-1104 1106-1122 1124-1180 1182-1208 1210-1734 1736-2192 2194- TEST_LIST_DPDK = $(TEST_LIST) endif #hppa @@ -149,7 +149,7 @@ # 2185: STP - flush the fdb and mdb when topology changed FAILED (stp.at:529) # 2249: auto-attach - packets FAILED (auto-attach.at:5) ifneq (,$(filter sparc64, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 21-25 27-465 467-531 533-899 901-917 919-941 943-997 999-1056 1058-2183 2186-2248 2250- +TEST_LIST = 1-19 21-25 27-465 467-525 527-531 533-899 901-917 919-941 943-997 999-1056 1058-2183 2186-2248 2250- TEST_LIST_DPDK = $(TEST_LIST) endif #sparc64 @@ -158,7 +158,7 @@ # 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535) # 1057: ofproto-dpif - controller action without megaflows FAILED (ofproto-dpif.at:1893) ifneq (,$(filter ia64, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 21-531 533-1020 1022-1056 1058- +TEST_LIST = 1-19 21-525 527-531 533-1020 1022-1056 1058- TEST_LIST_DPDK = $(TEST_LIST) endif #ia64
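
Review bot: In the debian/changelog hunk, the first bullet spells "flacky" where "flaky" is meant, and it gives no reason for skipping test 526. The request says the test failed during the build, so a few words to that effect in the bullet (for example "fails intermittently at build time") would let the changelog stand on its own for someone reading it later without the bug report.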
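
Review bot: No test accompanies the change to the OVSDB_CS_EVENT_TYPE_LOCKED case in lib/ovsdb-idl.c: the diffstat lists that file as the only one touched (9 insertions, 3 deletions), and the request names only the build-time unit tests. The patch description carries a concrete reproducer (steps 0 to 4, with br0 losing its address after ovs-vswitchd is started again), so stating in the request that this sequence was run against the patched bullseye package, with the result before and after, would support the fix for a stable update better than the unit test run alone.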
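
Review bot: The debian/rules hunks disagree with the request text about which test is dropped: every new TEST_LIST value skips 526 (`21-525 527-531`, or the per-architecture equivalent), which matches the changelog line "526: tcp vconn - refuse connection", while the mail says 527 is removed. Please confirm 526 is the intended number and correct the mail. Separately, the comment blocks above each TEST_LIST name the other skipped tests by number and title (for example "# 1021: ofproto-dpif - select group with weights FAILED"), and none of these hunks adds a line for 526; adding "# 526: tcp vconn - refuse connection" beside the existing entries would keep those lists in step with the ranges.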