Merge pull request #5284 from lindig/private/christianlin/CP-46140

PVS Setup

Makefile

@@ -181,7 +181,8 @@ install: build doc sdk doc-json
 	install -D ./ocaml/xenopsd/scripts/tap $(DESTDIR)/$(XENOPSD_LIBEXECDIR)/tap
 	install -D ./ocaml/xenopsd/scripts/qemu-vif-script $(DESTDIR)/$(XENOPSD_LIBEXECDIR)/qemu-vif-script
 	install -D ./ocaml/xenopsd/scripts/setup-vif-rules $(DESTDIR)/$(XENOPSD_LIBEXECDIR)/setup-vif-rules
-	install -D ./ocaml/xenopsd/scripts/setup-pvs-proxy-rules $(DESTDIR)/$(XENOPSD_LIBEXECDIR)/setup-pvs-proxy-rules
+	install -D ./_build/install/default/bin/pvs-proxy-ovs-setup $(DESTDIR)/$(XENOPSD_LIBEXECDIR)/pvs-proxy-ovs-setup
+	(cd $(DESTDIR)/$(XENOPSD_LIBEXECDIR) && ln -s pvs-proxy-ovs-setup setup-pvs-proxy-rules)
 	install -D ./ocaml/xenopsd/scripts/common.py $(DESTDIR)/$(XENOPSD_LIBEXECDIR)/common.py
 	install -D ./ocaml/xenopsd/scripts/igmp_query_injector.py $(DESTDIR)/$(XENOPSD_LIBEXECDIR)/igmp_query_injector.py
 	install -D ./ocaml/xenopsd/scripts/qemu-wrapper $(DESTDIR)/$(QEMU_WRAPPER_DIR)/qemu-wrapper

doc/content/xenopsd/design/pvs-proxy-ovs.md

@@ -0,0 +1,50 @@
++++
+title = "PVS Proxy OVS Rules"
++++
+
+# Rule Design
+
+The Open vSwitch (OVS) daemon implements a programmable switch.
+XenServer uses it to re-direct traffic between three entities:
+
+  * PVS server - identified by its IP address
+  * a local VM - identified by its MAC address
+  * a local Proxy - identified by its MAC address
+
+VM and PVS server are unaware of the Proxy; xapi configures OVS to
+redirect traffic between PVS and VM to pass through the proxy. 
+
+OVS uses rules that match packets. Rules are organised in sets called
+tables. A rule can be used to match a packet and to inject it into
+another rule set/table table such that a packet can be matched again.
+
+Furthermore, a rule can set registers associated with a packet which that
+can be matched in subsequent rules. In that way, a packet can be tagged
+such that it will only match specific rules downstream that match the
+tag.
+
+Xapi configures 3 rule sets:
+
+## Table 0 - Entry Rules
+
+Rules match UDP traffic between VM/PVS, Proxy/VM, and PVS/VM where the
+PVS server is identified by its IP and all other components by their MAC
+address. All packets are tagged with the direction they are going and
+re-submitted into Table 101 which handles ports.
+
+## Table 101 - Port Rules
+
+Rules match UDP traffic going to a specific port of the PVS server and
+re-submit it into Table 102.
+
+## Table 102 - Exit Rules
+
+These rules implement the redirection: 
+
+* Rules matching packets coming from VM to PVS are directed to the Proxy.
+* Rules matching packets coming from PVS to VM are directed to the Proxy.
+* Rules matching packets coming from the Proxy are already addressed
+  properly (to the VM) are handled normally.
+
+
+

ocaml/idl/datamodel.ml

@@ -7298,7 +7298,7 @@ module PVS_server = struct
       ~result:(Ref _pvs_server, "the new PVS server")
       ~params:
         [
-          (Set String, "addresses", "IPv4 addresses of the server")
+          (Set String, "addresses", "IPv4/IPv6 addresses of the server")
         ; (Int, "first_port", "first UDP port accepted by this server")
         ; (Int, "last_port", "last UDP port accepted by this server")
         ; (Ref _pvs_site, "site", "PVS site this server is a part of")

ocaml/tests/test_helpers.ml

@@ -258,17 +258,19 @@ end)
 
 module IPCheckers = Generic.MakeStateless (struct
   module Io = struct
-    type input_t = [`ipv4 | `ipv6] * string * string
+    type input_t = [`ipv4 | `ipv6 | `ipv4or6] * string * string
 
     type output_t = (unit, exn) result
 
     let string_of_input_t =
       let open Test_printers in
-      let kind : [`ipv4 | `ipv6] printer = function
+      let kind : [`ipv4 | `ipv6 | `ipv4or6] printer = function
         | `ipv4 ->
             "IPv4"
         | `ipv6 ->
             "IPv6"
+        | `ipv4or6 ->
+            "IP*"
       in
       tuple3 kind string string
 
@@ -323,17 +325,19 @@ end)
 
 module CIDRCheckers = Generic.MakeStateless (struct
   module Io = struct
-    type input_t = [`ipv4 | `ipv6] * string * string
+    type input_t = [`ipv4 | `ipv6 | `ipv4or6] * string * string
 
     type output_t = (unit, exn) result
 
     let string_of_input_t =
       let open Test_printers in
-      let kind : [`ipv4 | `ipv6] printer = function
+      let kind : [`ipv4 | `ipv6 | `ipv4or6] printer = function
         | `ipv4 ->
             "IPv4"
         | `ipv6 ->
             "IPv6"
+        | `ipv4or6 ->
+            "IP*"
       in
       tuple3 kind string string
 

ocaml/xapi/helpers.ml

@@ -1097,6 +1097,8 @@ let assert_is_valid_tcp_udp_port_range ~first_port ~first_name ~last_port
 
 let is_valid_ip kind address =
   match (Unixext.domain_of_addr address, kind) with
+  | Some x, `ipv4or6 when x = Unix.PF_INET || x = Unix.PF_INET6 ->
+      true
   | Some x, `ipv4 when x = Unix.PF_INET ->
       true
   | Some x, `ipv6 when x = Unix.PF_INET6 ->

ocaml/xapi/xapi_pvs_server.ml

@@ -22,7 +22,7 @@ let introduce ~__context ~addresses ~first_port ~last_port ~site =
   Pool_features.assert_enabled ~__context ~f:Features.PVS_proxy ;
   Helpers.assert_using_vswitch ~__context ;
   List.iter
-    (fun address -> Helpers.assert_is_valid_ip `ipv4 "addresses" address)
+    (fun address -> Helpers.assert_is_valid_ip `ipv4or6 "addresses" address)
     addresses ;
   let current = Db.PVS_server.get_all_records ~__context in
   let current_addresses =

ocaml/xenopsd/pvs/dune

@@ -0,0 +1,7 @@
+(executable
+ (name pvs_proxy_setup)
+ (public_name pvs-proxy-ovs-setup)
+ (package xapi-xenopsd-xc)
+ (libraries ezxenstore.core bos xapi-consts.xapi_version xapi-idl cmdliner)
+)
+