linux/meta-virtualization.git/recipes-networking, branch hardknott-next

cni: add SRCREV_FORMAT

2021-10-20T03:29:35+00:00

recipes that use multiple SCMs in the SRC_URI, must supply SRCREV_FORMAT or SRCPV triggers an expansion error. While this isn't fatal during the build, it can cause issues with setscene (and possibly) other tasks failing, which then leads to no sstate re-use, etc. Signed-off-by: Bruce Ashfield

openvswitch: Security fix for CVE-2021-36980

2021-10-01T02:49:18+00:00

Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-36980 Patches from: format-patch from ovs v2.15.1 Signed-off-by: Yanfei Xu Signed-off-by: Bruce Ashfield

cni: inhibit go.mod build for main cni

2021-06-16T02:49:09+00:00

The cni plugins already have mod=vendor, but we also need to ensure that the main CNI build is not using go module based builds. To avoid inconsistent vendoring messages, we switch all plugins to no module builds as well. Signed-off-by: Bruce Ashfield

ipset: drop recipe

2021-04-09T19:07:50+00:00

In the time between the k3s work starting and ending, meta-networking picked up the support we need for ipset. Now that the recipe is in a layer we already depend on, we don't need our own copy. Signed-off-by: Bruce Ashfield

openvswitch: fix clobbered SRC_URI

2021-04-09T13:47:14+00:00

commit 1b83c21436b2 [openvswitch: Fix build with musl libc] mistakenly copies common files and then clobbers the SRC_URI. While we could drop the SRC_URI components from the .inc now that we only have one active version in master (_git), we avoid that for now, since it is possible that a LTS version will be introduced in future cycles. So to fix the oddity, we drop the common components from the _git SRC_URI and append versus clobber. Signed-off-by: Bruce Ashfield

cni: add ca-certifcates dependency

2021-03-16T03:15:42+00:00

Many of the CNI plugins require authenticated connections, as such they are looking for elements of ca-certificates. CNI isn't small, so we add this as a general rdepends. If we need to slim things down in the future, we can split the CNI into specific implementations and add the dependency to those packages. Signed-off-by: Bruce Ashfield

ipset: warning fix, use BPN instead of PN in SRC_URI

2021-03-16T03:15:42+00:00

Signed-off-by: Bruce Ashfield

k3s: import version locked ipset dependency

2021-03-16T03:15:42+00:00

Signed-off-by: Bruce Ashfield

openvswitch: uprev from 2.13 to 2.15

2021-03-12T03:33:29+00:00

- OVSDB: * Changed format in which ovsdb transactions are stored in database files. Now each transaction contains diff of data instead of the whole new value of a column. New ovsdb-server process will be able to read old database format, but old processes will *fail* to read database created by the new one. For cluster and active-backup service models follow upgrade instructions in 'Upgrading from version 2.14 and earlier to 2.15 and later' section of ovsdb(7). * New unixctl command 'ovsdb-server/get-db-storage-status' to show the status of the storage that's backing a database. * New unixctl command 'ovsdb-server/memory-trim-on-compaction on|off'. If turned on, ovsdb-server will try to reclaim all the unused memory after every DB compaction back to OS. Disabled by default. * Maximum backlog on RAFT connections limited to 500 messages or 4GB. Once threshold reached, connection is dropped (and re-established). Use the 'cluster/set-backlog-threshold' command to change limits. - DPDK: * Removed support for vhost-user dequeue zero-copy. * Add support for DPDK 20.11. - Userspace datapath: * Add the 'pmd' option to "ovs-appctl dpctl/dump-flows", which restricts a flow dump to a single PMD thread if set. * New 'options:dpdk-vf-mac' field for DPDK interface of VF ports, that allows configuring the MAC address of a VF representor. * Add generic IP protocol support to conntrack. With this change, all none UDP, TCP, and ICMP traffic will be treated as general L3 traffic, i.e. using 3 tupples. * Add parameters 'pmd-auto-lb-load-threshold' and 'pmd-auto-lb-improvement-threshold' to configure PMD auto load balance behaviour. - The environment variable OVS_UNBOUND_CONF, if set, is now used as the DNS resolver's (unbound) configuration file. - Linux datapath: * Support for kernel versions up to 5.8.x. - Terminology: * The terms "master" and "slave" have been replaced by "primary" and "secondary", respectively, for OpenFlow connection roles. * The term "slave" has been replaced by "member", for bonds, LACP, and OpenFlow bundle actions. - Support for GitHub Actions based continuous integration builds has been added. - Bareudp Tunnel * Bareudp device support is present in linux kernel from version 5.7 * Kernel bareudp device is not backported to ovs tree. * Userspace datapath support is not added - ovs-dpctl and 'ovs-appctl dpctl/': * New commands '{add,mod,del}-flows' where added, which allow adding, deleting, or modifying flows based on information read from a file. - IPsec: * Add option '--no-cleanup' to allow ovs-monitor-ipsec to stop without tearing down IPsec tunnels. * Add option '--no-restart-ike-daemon' to allow ovs-monitor-ipsec to start without restarting ipsec daemon. - Building the Linux kernel module from the OVS source tree is deprecated * Support for the Linux kernel is capped at version 5.8 * Only bug fixes for the Linux OOT kernel module will be accepted. * The Linux kernel module will be fully removed from the OVS source tree in OVS branch 2.18 fix some do_patch error about local patch. Signed-off-by: Zqiang Signed-off-by: Bruce Ashfield

openvswitch: set CVE_VERSION

2021-03-05T03:45:17+00:00

CVE entries are using version 2.xx.xx, our PV is 2.13+xxx, this causes problem for CVE detection. So we need to set a CVE_VERSION for better CVE scanning. Signed-off-by: Chen Qi Signed-off-by: Bruce Ashfield