linux/meta-virtualization.git/recipes-networking/openvswitch/openvswitch_git.bb, branch hardknott-next

openvswitch: Security fix for CVE-2021-36980

2021-10-01T02:49:18+00:00

Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-36980 Patches from: format-patch from ovs v2.15.1 Signed-off-by: Yanfei Xu Signed-off-by: Bruce Ashfield

openvswitch: fix clobbered SRC_URI

2021-04-09T13:47:14+00:00

commit 1b83c21436b2 [openvswitch: Fix build with musl libc] mistakenly copies common files and then clobbers the SRC_URI. While we could drop the SRC_URI components from the .inc now that we only have one active version in master (_git), we avoid that for now, since it is possible that a LTS version will be introduced in future cycles. So to fix the oddity, we drop the common components from the _git SRC_URI and append versus clobber. Signed-off-by: Bruce Ashfield

openvswitch: uprev from 2.13 to 2.15

2021-03-12T03:33:29+00:00

- OVSDB: * Changed format in which ovsdb transactions are stored in database files. Now each transaction contains diff of data instead of the whole new value of a column. New ovsdb-server process will be able to read old database format, but old processes will *fail* to read database created by the new one. For cluster and active-backup service models follow upgrade instructions in 'Upgrading from version 2.14 and earlier to 2.15 and later' section of ovsdb(7). * New unixctl command 'ovsdb-server/get-db-storage-status' to show the status of the storage that's backing a database. * New unixctl command 'ovsdb-server/memory-trim-on-compaction on|off'. If turned on, ovsdb-server will try to reclaim all the unused memory after every DB compaction back to OS. Disabled by default. * Maximum backlog on RAFT connections limited to 500 messages or 4GB. Once threshold reached, connection is dropped (and re-established). Use the 'cluster/set-backlog-threshold' command to change limits. - DPDK: * Removed support for vhost-user dequeue zero-copy. * Add support for DPDK 20.11. - Userspace datapath: * Add the 'pmd' option to "ovs-appctl dpctl/dump-flows", which restricts a flow dump to a single PMD thread if set. * New 'options:dpdk-vf-mac' field for DPDK interface of VF ports, that allows configuring the MAC address of a VF representor. * Add generic IP protocol support to conntrack. With this change, all none UDP, TCP, and ICMP traffic will be treated as general L3 traffic, i.e. using 3 tupples. * Add parameters 'pmd-auto-lb-load-threshold' and 'pmd-auto-lb-improvement-threshold' to configure PMD auto load balance behaviour. - The environment variable OVS_UNBOUND_CONF, if set, is now used as the DNS resolver's (unbound) configuration file. - Linux datapath: * Support for kernel versions up to 5.8.x. - Terminology: * The terms "master" and "slave" have been replaced by "primary" and "secondary", respectively, for OpenFlow connection roles. * The term "slave" has been replaced by "member", for bonds, LACP, and OpenFlow bundle actions. - Support for GitHub Actions based continuous integration builds has been added. - Bareudp Tunnel * Bareudp device support is present in linux kernel from version 5.7 * Kernel bareudp device is not backported to ovs tree. * Userspace datapath support is not added - ovs-dpctl and 'ovs-appctl dpctl/': * New commands '{add,mod,del}-flows' where added, which allow adding, deleting, or modifying flows based on information read from a file. - IPsec: * Add option '--no-cleanup' to allow ovs-monitor-ipsec to stop without tearing down IPsec tunnels. * Add option '--no-restart-ike-daemon' to allow ovs-monitor-ipsec to start without restarting ipsec daemon. - Building the Linux kernel module from the OVS source tree is deprecated * Support for the Linux kernel is capped at version 5.8 * Only bug fixes for the Linux OOT kernel module will be accepted. * The Linux kernel module will be fully removed from the OVS source tree in OVS branch 2.18 fix some do_patch error about local patch. Signed-off-by: Zqiang Signed-off-by: Bruce Ashfield

openvswitch: set CVE_VERSION

2021-03-05T03:45:17+00:00

CVE entries are using version 2.xx.xx, our PV is 2.13+xxx, this causes problem for CVE detection. So we need to set a CVE_VERSION for better CVE scanning. Signed-off-by: Chen Qi Signed-off-by: Bruce Ashfield

openvswitch: use /run instead of /var/run in systemd service file

2020-10-28T03:24:47+00:00

/var/run has been deprecated by systemd, so use /run instead, as suggested by systemd. Signed-off-by: Chen Qi Signed-off-by: Bruce Ashfield

openvswitch: uprev from v2.12 to v2.13

2020-02-20T17:43:14+00:00

Another straightforward uprev with one fairly large change in the changelog. The Open Virtual Network component has now been moved to its own repo (https://github.com/ovn-org/ovn.git). If you were using this functionality a new recipe will need to be created. The ptest results are similar to after the v2.12 uprev ERROR: 2206 tests were run, 28 failed unexpectedly. 62 tests were skipped. The failed tests were in the following areas: checkpatch.at (5) ovs-ofctl.at (1) tunnel.at(1) tunnel-push-pop.at(3) tunnel-push-pop-ipv6.at(3) dpif-netdev.at (1) pmd.at(1) ofproto-dpif.at (7) bridge.at (2) ovsdb-idl.at(1) mcast-snooping.at(1) packet-type-aware.at(2) None of these affect core functionality or usecases and are similar to the results we see with v1.12. If specific usecases are affected by these failures we should address them on a need to fix basis. Signed-off-by: Mark Asselstine Signed-off-by: Bruce Ashfield

openvswitch: uprev from v2.11 to v2.12

2020-02-13T22:21:44+00:00

A mostly straightforward uprev. Unfortunately a required patch for python3 is only available on a non-release branch so we must carry it in order to build (the discussion on the mailing list was that an uprev might have avoided this, but this is not the case). The ptest results are similar to after the v2.11 uprev ERROR: 2413 tests were run, 23 failed unexpectedly. 383 tests were skipped. NOTE, however, that they have now marked many tests as 'skipped', such as the python2 results, so the failed and skipped numbers have essentially swapped with each other. The failed tests were in the following areas: checkpatch.at (5) ovs-ofctl.at (1) dpif-netdev.at (1) ofproto-dpif.at (6) bridge.at (2) ovn.at (2) ovn-controller-vtep.at (6) Most were issues with the test or expectations that source code would be available. There might be an issue around packaging of "/vswitchd/vswitch.ovsschema" but we should be able to overlook this for now, as we have with previous versions. Signed-off-by: Mark Asselstine Signed-off-by: Bruce Ashfield

openvswitch: uprev from v2.10.1 to v2.11

2019-02-03T03:49:55+00:00

The v2.11 version fixed a bug as follow. Error info: ovs|00002|db_ctl_base|ERR|external-ids:hostname=: argument does not end in "=" followed by a value. The result of ptest between v2.11 and v2.10.1 is similar. v2.11: ERROR: 2765 tests were run, 317 failed (1 expected failure). 85 tests were skipped. v2.10.1: ERROR: 2662 tests were run, 311 failed (1 expected failure). 85 tests were skipped. I checked the detailed result. The failed tests were mostly related to python2 as the image only use python3. Signed-off-by: Hongzhi.Song Signed-off-by: Bruce Ashfield

Use SRCPV instead of SRCREV where possible

2019-01-16T15:28:26+00:00

This change reduces the length of ${PV} for several recipes and gives us auto-incrementing version numbers. Signed-off-by: Paul Barker Signed-off-by: Bruce Ashfield

openvswitch: uprev from 2.10.0 to 2.10.1

2018-11-29T17:05:18+00:00

Pickup the latest security and bug fixes for openvswitch. Signed-off-by: Mark Asselstine