diff --git a/0000-openvswitch-add-stack-protector-strong.patch b/0000-openvswitch-add-stack-protector-strong.patch index 36dbe8c96245b7cbd1e7bdff67320f6101e60459..a7b728b4bb0c8d21327c2e23e6b411b9b07bed02 100644 --- a/0000-openvswitch-add-stack-protector-strong.patch +++ b/0000-openvswitch-add-stack-protector-strong.patch @@ -1,5 +1,5 @@ diff --git a/Makefile.am b/Makefile.am -index ff1f94b..cca6cf0 100644 +index cb8076433..9807d6345 100644 --- a/Makefile.am +++ b/Makefile.am @@ -30,7 +30,7 @@ AM_CPPFLAGS += -I $(top_builddir)/lib diff --git a/0002-Remove-unsupported-permission-names.patch b/0002-Remove-unsupported-permission-names.patch index 661015ef36d368649b4fa9f9136c08cb46c559d5..2957b35fccf60536715bb67c04a39afd930ea6a0 100644 --- a/0002-Remove-unsupported-permission-names.patch +++ b/0002-Remove-unsupported-permission-names.patch @@ -1,15 +1,15 @@ diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in -index 2adaf23..b2c63ab 100644 +index beb0ab0d6..9f51f604e 100644 --- a/selinux/openvswitch-custom.te.in 
+++ b/selinux/openvswitch-custom.te.in -@@ -78,8 +78,8 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load - - #============= openvswitch_t ============== - allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw }; --allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; --allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write }; -+allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write }; -+allow openvswitch_t self:netlink_netfilter_socket { create read write }; +@@ -49,8 +49,8 @@ require { + class fifo_file { getattr read write append ioctl lock open }; + class filesystem getattr; + class lnk_file { read open }; +- class netlink_audit_socket { create nlmsg_relay audit_write read write }; +- class netlink_netfilter_socket { create nlmsg_relay audit_write read write }; ++ class netlink_audit_socket { create nlmsg_relay read write }; ++ class netlink_netfilter_socket { create read write }; @begin_dpdk@ - allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; + class netlink_rdma_socket { setopt bind create }; @end_dpdk@ diff --git a/0003-Fallback-to-read-proc-net-dev-on-linux.patch b/0003-Fallback-to-read-proc-net-dev-on-linux.patch deleted file mode 100644 index 12b0b0761d0d218d0b17163d1694352ff608b5e6..0000000000000000000000000000000000000000 --- a/0003-Fallback-to-read-proc-net-dev-on-linux.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -diff --git a/utilities/ovs-tcpdump.in b/utilities/ovs-tcpdump.in -index 11624c5..cdba1d5 100755 ---- a/utilities/ovs-tcpdump.in -+++ b/utilities/ovs-tcpdump.in -@@ -24,7 +24,21 @@ import subprocess - import sys - import time - --import netifaces -+try: -+ from netifaces import interfaces -+except ImportError: -+ if sys.platform in ['linux', 'linux2']: -+ def interfaces(): -+ devices = [] -+ with open("/proc/net/dev", "r") as f_netdev: -+ for line in f_netdev: -+ if ":" not in line: -+ continue -+ devices.append(line.split(":")[0].strip()) -+ return devices -+ else: -+ print("ERROR: Please install netifaces Python library.") -+ sys.exit(1) - - try: - from ovs.db import idl -@@ -438,11 +452,11 @@ def main(): - mirror_interface = _make_mirror_name[sys.platform](interface) - - if sys.platform in _make_taps and \ -- mirror_interface not in netifaces.interfaces(): -+ mirror_interface not in interfaces(): - _make_taps[sys.platform](mirror_interface, - ovsdb.interface_mtu(interface)) - -- if mirror_interface not in netifaces.interfaces(): -+ if mirror_interface not in interfaces(): - print("ERROR: Please create an interface called `%s`" % - mirror_interface) - print("See your OS guide for how to do this.") diff --git a/backport-CVE-2022-4338.patch b/backport-CVE-2022-4338.patch deleted file mode 100644 index b5b7ba5d8832cc47ac5e1ab2afbfcf94135f4961..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-4338.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From 7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Mon Sep 17 00:00:00 2001 -From: Qian Chen -Date: Tue, 20 Dec 2022 09:36:08 -0500 -Subject: [PATCH] lldp: Fix bugs when parsing malformed AutoAttach. - -The OVS LLDP implementation includes support for AutoAttach standard, which -the 'upstream' lldpd project does not include. As part of adding this -support, the message parsing for these TLVs did not include proper length -checks for the LLDP_TLV_AA_ELEMENT_SUBTYPE and the -LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE elements. The result is that a message -without a proper boundary will cause an overread of memory, and lead to -undefined results, including crashes or other unidentified behavior. - -The fix is to introduce proper bounds checking for these elements. Introduce -a unit test to ensure that we have some proper rejection in this code -base in the future. - -Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard") -Signed-off-by: Qian Chen -Co-authored-by: Aaron Conole -Signed-off-by: Aaron Conole -Signed-off-by: Ilya Maximets ---- - lib/lldp/lldp.c | 2 ++ - tests/ofproto-dpif.at | 19 +++++++++++++++++++ - 2 files changed, 21 insertions(+) - -diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c -index 18afbab..f668dc7 100644 ---- a/lib/lldp/lldp.c -+++ b/lib/lldp/lldp.c -@@ -581,6 +581,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, - - switch(tlv_subtype) { - case LLDP_TLV_AA_ELEMENT_SUBTYPE: -+ CHECK_TLV_SIZE(50, "ELEMENT"); - PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest); - - aa_element_dword = PEEK_UINT32; -@@ -627,6 +628,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, - break; - - case LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE: -+ CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS"); - PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest); - - /* Subtract off tlv type and length (2Bytes) + OUI (3B) + -diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at -index f9ffc9f..d4f27ed 100644 ---- 
a/tests/ofproto-dpif.at -+++ b/tests/ofproto-dpif.at -@@ -29,6 +29,25 @@ AT_CHECK([ovs-appctl revalidator/wait]) - OVS_VSWITCHD_STOP - AT_CLEANUP - -+AT_SETUP([ofproto-dpif - malformed lldp autoattach tlv]) -+OVS_VSWITCHD_START() -+add_of_ports br0 1 -+ -+dnl Enable lldp -+AT_CHECK([ovs-vsctl set interface p1 lldp:enable=true]) -+ -+dnl Send a malformed lldp packet -+packet="0180c200000ef6b426aa5f0088cc020704f6b426aa5f000403057632060200780c"dnl -+"5044454144424545464445414442454546444541444245454644454144424545464445414"dnl -+"4424545464445414442454546444541444245454644454144424545464445414442454546"dnl -+"4445414442454546fe0500040d0c010000" -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 "$packet"], [0], [stdout]) -+ -+OVS_WAIT_UNTIL([grep -q "ISID_VLAN_ASGNS TLV too short" ovs-vswitchd.log]) -+ -+OVS_VSWITCHD_STOP(["/|WARN|ISID_VLAN_ASGNS TLV too short received on/d"]) -+AT_CLEANUP -+ - AT_SETUP([ofproto-dpif - active-backup bonding]) - # Create br0 with interfaces p1, p2 and p7, creating bond0 with p1 and p2 - # and br1 with interfaces p3, p4 and p8. --- -2.33.0 - diff --git a/fix-selinux-err.patch b/fix-selinux-err.patch index 40be456cb3c092f2c41d9615a3e28a4d5f52b52d..7d2948e3ee49a0de2ba41e605f906f7b5c895057 100644 --- a/fix-selinux-err.patch +++ b/fix-selinux-err.patch @@ -1,29 +1,16 @@ -From 3b35964c7da2a4000486c57e2c347c8cc67ac393 Mon Sep 17 00:00:00 2001 -Date: Wed, 1 Sep 2021 16:54:34 +0800 -Subject: [PATCH] openvswitch-2 - ---- - selinux/openvswitch-custom.te.in | 4 ++++ - 1 file changed, 4 insertions(+) - diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in -index b2c63ab..8f76c14 100644 +index 9f51f604e..77b0bd98f 100644 --- a/selinux/openvswitch-custom.te.in 
+++ b/selinux/openvswitch-custom.te.in -@@ -15,10 +15,12 @@ require { +@@ -15,6 +15,7 @@ require { type ifconfig_exec_t; type init_t; type init_var_run_t; -+ type initrc_t; ++ type initrc_t; type insmod_exec_t; type kernel_t; type hostname_exec_t; - type modules_conf_t; -+ type modules_dep_t; - type modules_object_t; - type passwd_file_t; - type plymouth_exec_t; -@@ -117,10 +119,12 @@ allow openvswitch_t openvswitch_load_module_t:process transition; +@@ -118,6 +119,7 @@ allow openvswitch_t openvswitch_load_module_t:process transition; allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map }; allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write }; allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search }; @@ -31,11 +18,3 @@ index b2c63ab..8f76c14 100644 allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read }; allow openvswitch_load_module_t kernel_t:system module_request; allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search }; - allow openvswitch_load_module_t modules_conf_t:file { getattr open read }; -+allow openvswitch_load_module_t modules_dep_t:file { getattr map open read }; - allow openvswitch_load_module_t modules_object_t:file { map getattr open read }; - allow openvswitch_load_module_t modules_object_t:dir { getattr open read search }; - allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint }; --- -2.27.0 - diff --git a/openvswitch-2.12.4.tar.gz b/openvswitch-2.17.5.tar.gz similarity index 51% rename from openvswitch-2.12.4.tar.gz rename to openvswitch-2.17.5.tar.gz index 37e2bba9b12f4c4a1731c066f4a24e6eff0faad4..bebe967830130ae36a7b794be89ee5fa6c133c63 100644 Binary files a/openvswitch-2.12.4.tar.gz and b/openvswitch-2.17.5.tar.gz differ diff --git a/openvswitch.spec b/openvswitch.spec index 77effa1c7dba3f35b14cda9fb39bc08df27a9895..0716dacf75d604851f63b0cf1604707c38f8c3b2 100644 
--- a/openvswitch.spec
+++ b/openvswitch.spec
@@ -1,152 +1,233 @@ -# This is enabled by default for versions of the distribution that -# have Python 3 by default. - -Name: openvswitch -Summary: Production Quality, Multilayer Open Virtual Switch -URL: http://www.openvswitch.org/ -Version: 2.12.4 -License: ASL 2.0 and ISC -Release: 2 -Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz -Buildroot: /tmp/openvswitch-rpm +%bcond_with dpdk + +%ifarch x86_64 +%bcond_without check +%else +%bcond_with check +%endif + +%bcond_with check_datapath_kernel +%bcond_without libcapng + +Name: openvswitch +Summary: Open vSwitch daemon/database/utilities +URL: https://www.openvswitch.org/ +Version: 2.17.5 +Release: 1 +License: ASL 2.0 and LGPLv2+ and SISSL + +Source0: https://www.openvswitch.org/releases/%{name}-%{version}.tar.gz +Source1: openvswitch.sysusers + Patch0000: 0000-openvswitch-add-stack-protector-strong.patch Patch0002: 0002-Remove-unsupported-permission-names.patch -Patch0003: 0003-Fallback-to-read-proc-net-dev-on-linux.patch -Patch0004: backport-CVE-2022-4338.patch +Patch0003: fix-selinux-err.patch + +BuildRequires: gcc gcc-c++ make +BuildRequires: autoconf automake libtool +BuildRequires: openssl openssl-devel +BuildRequires: python3-devel python3-six python3-setuptools +BuildRequires: python3-sphinx +BuildRequires: desktop-file-utils +BuildRequires: groff-base graphviz +BuildRequires: unbound-devel +# make check dependencies +BuildRequires: procps-ng + +%if %{with check_datapath_kernel} +BuildRequires: nmap-ncat +%endif + +%if %{with libcapng} +BuildRequires: libcap-ng libcap-ng-devel +%endif + +%if %{with dpdk} +BuildRequires: dpdk-devel libpcap-devel numactl-devel +%endif -Patch9000: fix-selinux-err.patch +Requires: openssl iproute module-init-tools -Requires: logrotate hostname python >= 3.8 python3-six selinux-policy-targeted -BuildRequires: python3-six, openssl-devel checkpolicy selinux-policy-devel autoconf automake libtool python-sphinx unbound-devel -BuildRequires: python3-devel 
-Provides: openvswitch-selinux-policy = %{version}-%{release} -Obsoletes: openvswitch-selinux-policy < %{version}-%{release} +%{?systemd_requires} +%{?sysusers_requires_compat} -%bcond_without check -%bcond_with check_datapath_kernel +Requires(post): /bin/sed +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +Obsoletes: openvswitch-controller <= 0:2.1.0-1 %description -Open vSwitch is a production quality, multilayer virtual switch licensed under -the open source Apache 2.0 license. +Open vSwitch provides standard network bridging functions and +support for the OpenFlow protocol for remote per-flow control of +traffic. + +%package -n python3-openvswitch +Summary: Open vSwitch python3 bindings +License: ASL 2.0 +Requires: python3 python3-six +Obsoletes: python-openvswitch < 2.10.0-6 +Provides: python-openvswitch = %{version}-%{release} + +%description -n python3-openvswitch +Python bindings for the Open vSwitch database + +%package test +Summary: Open vSwitch testing utilities +License: ASL 2.0 +BuildArch: noarch +Requires: python3-openvswitch = %{version}-%{release} + +%description test +Utilities that are useful to diagnose performance and connectivity +issues in Open vSwitch setup. + +%package testcontroller +Summary: Simple controller for testing OpenFlow setups +License: ASL 2.0 +Requires: openvswitch = %{version}-%{release} + +%description testcontroller +This controller enables OpenFlow switches that connect to it to act as +MAC-learning Ethernet switches. +It can be used for initial testing of OpenFlow networks. +It is not a necessary or desirable part of a production OpenFlow deployment. %package devel -Summary: Development tools for Open vSwitch +Summary: Open vSwitch OpenFlow development package (library, headers) +License: ASL 2.0 %description devel -Libraries, header files, and other development tools for Open vSwitch. 
+This provides shared library, libopenswitch.so and the openvswitch header +files needed to build an external application. -%package help -Summary: Helpful information for Open vSwitch +%package -n network-scripts-%{name} +Summary: Open vSwitch legacy network service support +License: ASL 2.0 +Requires: network-scripts +Supplements: (%{name} and network-scripts) + +%description -n network-scripts-%{name} +This provides the ifup and ifdown scripts for use with the legacy network +service. +%package ipsec +Summary: Open vSwitch IPsec tunneling support +License: ASL 2.0 +Requires: openvswitch libreswan +Requires: python3-openvswitch = %{version}-%{release} -%description help -Documents and helpful information for Open vSwitch. +%description ipsec +This package provides IPsec tunneling support for OVS tunnels. -%package -n python3-openvswitch -Summary: Open vSwitch python3 bindings -Provides: python3-ovs +%if %{with dpdk} +%package dpdk +Summary: Open vSwitch OpenFlow development package (switch, linked with DPDK) License: ASL 2.0 -BuildArch: noarch -Requires: python3 -Requires: python3-six -%{?python_provide:%python_provide python3-openvswitch = %{version}-%{release}} +Supplements: %{name} -%description -n python3-openvswitch -Python bindings for the Open vSwitch database +%description dpdk +This provides ovs-vswitchd linked with DPDK library. 
+%endif %prep -%autosetup -p1 +%autosetup -p 1 +export PKG_CONFIG_PATH=/usr/lib64/pkgconfig %build +rm -f python/ovs/dirs.py autoreconf -./configure \ - --prefix=/usr \ - --sysconfdir=/etc \ - --localstatedir=%{_localstatedir} \ - --libdir=%{_libdir} \ + +./boot.sh +mkdir build build-dpdk +pushd build +ln -s ../configure +%configure \ + --disable-libcapng \ + --disable-static \ + --enable-shared \ --enable-ssl \ + --with-pkidir=%{_sharedstatedir}/openvswitch/pki +make %{?_smp_mflags} +popd +%if %{with dpdk} +pushd build-dpdk +ln -s ../configure +%configure \ + --disable-libcapng \ + --disable-static \ --enable-shared \ + --enable-ssl \ + --with-dpdk=shared \ --with-pkidir=%{_sharedstatedir}/openvswitch/pki \ - PYTHON=%{__python3} - -sed -i '1s/python/python3/g' build-aux/dpdkstrip.py - -build-aux/dpdkstrip.py \ - --nodpdk \ + --libdir=%{_libdir}/openvswitch-dpdk \ + --program-suffix=.dpdk +make %{?_smp_mflags} +popd +%endif +/usr/bin/python3 build-aux/dpdkstrip.py \ + --dpdk \ < rhel/usr_lib_systemd_system_ovs-vswitchd.service.in \ > rhel/usr_lib_systemd_system_ovs-vswitchd.service -%make_build -make selinux-policy %install rm -rf $RPM_BUILD_ROOT -make install DESTDIR=$RPM_BUILD_ROOT +%if %{with dpdk} +make -C build-dpdk install-exec DESTDIR=$RPM_BUILD_ROOT + +# We only need ovs-vswitchd-dpdk and some libraries for dpdk subpackage +rm -rf $RPM_BUILD_ROOT%{_bindir} +find $RPM_BUILD_ROOT%{_sbindir} -mindepth 1 -maxdepth 1 -not -name ovs-vswitchd.dpdk -delete +find $RPM_BUILD_ROOT%{_libdir}/openvswitch-dpdk -mindepth 1 -maxdepth 1 -not -name "libofproto*.so.*" -not -name "libopenvswitch*.so.*" -delete +%endif + +make -C build install DESTDIR=$RPM_BUILD_ROOT +mv $RPM_BUILD_ROOT%{_sbindir}/ovs-vswitchd $RPM_BUILD_ROOT%{_sbindir}/ovs-vswitchd.nodpdk +touch $RPM_BUILD_ROOT%{_sbindir}/ovs-vswitchd + +install -d -m 0755 $RPM_BUILD_ROOT/run/openvswitch +install -d -m 0750 $RPM_BUILD_ROOT%{_localstatedir}/log/openvswitch install -d -m 0755 
$RPM_BUILD_ROOT%{_sysconfdir}/openvswitch +install -p -D -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysusersdir}/openvswitch.conf + +install -p -D -m 0644 rhel/usr_lib_udev_rules.d_91-vfio.rules \ + $RPM_BUILD_ROOT%{_udevrulesdir}/91-vfio.rules + install -p -D -m 0644 \ rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template \ $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/openvswitch -for service in openvswitch ovsdb-server ovs-vswitchd; do + +for service in openvswitch ovsdb-server ovs-vswitchd ovs-delete-transient-ports \ + openvswitch-ipsec; do install -p -D -m 0644 \ rhel/usr_lib_systemd_system_${service}.service \ $RPM_BUILD_ROOT%{_unitdir}/${service}.service done -install -m 0755 rhel/etc_init.d_openvswitch $RPM_BUILD_ROOT/usr/share/openvswitch/scripts/openvswitch.init -install -D -m 0644 rhel/etc_logrotate.d_openvswitch $RPM_BUILD_ROOT/etc/logrotate.d/openvswitch -install -D -m 0644 rhel/etc_openvswitch_default.conf $RPM_BUILD_ROOT/%{_sysconfdir}/openvswitch/default.conf -install -D -m 0755 rhel/etc_sysconfig_network-scripts_ifup-ovs $RPM_BUILD_ROOT/etc/sysconfig/network-scripts/ifup-ovs -install -D -m 0755 rhel/etc_sysconfig_network-scripts_ifdown-ovs $RPM_BUILD_ROOT/etc/sysconfig/network-scripts/ifdown-ovs -install -D -m 0644 rhel/usr_share_openvswitch_scripts_sysconfig.template $RPM_BUILD_ROOT/usr/share/openvswitch/scripts/sysconfig.template - -install -p -m 644 -D selinux/openvswitch-custom.pp \ - $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp - -rm \ - $RPM_BUILD_ROOT/usr/bin/ovs-testcontroller \ - $RPM_BUILD_ROOT/usr/share/man/man8/ovs-testcontroller.8 \ - $RPM_BUILD_ROOT/usr/share/man/man8/ovs-test.8 \ - $RPM_BUILD_ROOT/usr/share/man/man8/ovs-l3ping.8 \ - $RPM_BUILD_ROOT/usr/sbin/ovs-vlan-bug-workaround \ - $RPM_BUILD_ROOT/usr/share/man/man8/ovs-vlan-bug-workaround.8 \ - $RPM_BUILD_ROOT/usr/bin/ovn-* \ - $RPM_BUILD_ROOT/usr/share/man/man?/ovn-* \ - $RPM_BUILD_ROOT/usr/share/openvswitch/ovn-* \ - 
$RPM_BUILD_ROOT/usr/share/openvswitch/scripts/ovn* -(cd "$RPM_BUILD_ROOT" && rm -rf usr/%{_lib}/*.la) -(cd "$RPM_BUILD_ROOT" && rm -rf usr/include) - -install -d -m 0755 $RPM_BUILD_ROOT%{_rundir}/openvswitch -install -d -m 0755 $RPM_BUILD_ROOT%{_localstatedir}/log/openvswitch -install -d -m 0755 $RPM_BUILD_ROOT/var/lib/openvswitch - -install -d -m 0755 $RPM_BUILD_ROOT/%{_includedir}/openvswitch -install -d -m 0755 $RPM_BUILD_ROOT/%{_includedir}/openvswitch/openflow -install -d -m 0755 $RPM_BUILD_ROOT/%{_includedir}/openvswitch/openvswitch -install -d -m 0755 $RPM_BUILD_ROOT/%{_includedir}/openvswitch/sparse -install -d -m 0755 $RPM_BUILD_ROOT/%{_includedir}/openvswitch/sparse/arpa -install -d -m 0755 $RPM_BUILD_ROOT/%{_includedir}/openvswitch/sparse/netinet -install -d -m 0755 $RPM_BUILD_ROOT/%{_includedir}/openvswitch/sparse/sys -install -d -m 0755 $RPM_BUILD_ROOT/%{_includedir}/openvswitch/lib -install -m 0644 include/*.h $RPM_BUILD_ROOT/%{_includedir}/openvswitch -install -m 0644 include/openflow/*.h $RPM_BUILD_ROOT/%{_includedir}/openvswitch/openflow -install -m 0644 include/openvswitch/*.h $RPM_BUILD_ROOT/%{_includedir}/openvswitch/openvswitch -install -m 0644 include/sparse/*.h $RPM_BUILD_ROOT/%{_includedir}/openvswitch/sparse -install -m 0644 include/sparse/arpa/*.h $RPM_BUILD_ROOT/%{_includedir}/openvswitch/sparse/arpa -install -m 0644 include/sparse/netinet/*.h $RPM_BUILD_ROOT/%{_includedir}/openvswitch/sparse/netinet -install -m 0644 include/sparse/sys/*.h $RPM_BUILD_ROOT/%{_includedir}/openvswitch/sparse/sys -install -m 0644 lib/*.h $RPM_BUILD_ROOT/%{_includedir}/openvswitch/lib - -install -D -m 0644 lib/.libs/libopenvswitch.a \ - $RPM_BUILD_ROOT/%{_libdir}/libopenvswitch.a +install -m 0755 rhel/etc_init.d_openvswitch \ + $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/openvswitch.init -install -d -m 0755 $RPM_BUILD_ROOT/%{_sharedstatedir}/openvswitch +install -p -D -m 0644 rhel/etc_openvswitch_default.conf \ + 
$RPM_BUILD_ROOT/%{_sysconfdir}/openvswitch/default.conf + +install -p -D -m 0644 rhel/etc_logrotate.d_openvswitch \ + $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/openvswitch +install -m 0644 vswitchd/vswitch.ovsschema \ + $RPM_BUILD_ROOT/%{_datadir}/openvswitch/vswitch.ovsschema + +install -d -m 0755 $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/network-scripts/ +install -p -m 0755 rhel/etc_sysconfig_network-scripts_ifdown-ovs \ + $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/network-scripts/ifdown-ovs +install -p -m 0755 rhel/etc_sysconfig_network-scripts_ifup-ovs \ + $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/network-scripts/ifup-ovs + install -d -m 0755 $RPM_BUILD_ROOT%{python3_sitelib} -cp -a $RPM_BUILD_ROOT/%{_datadir}/openvswitch/python/* \ - $RPM_BUILD_ROOT%{python3_sitelib} +cp -a $RPM_BUILD_ROOT/%{_datadir}/openvswitch/python/ovstest \ + $RPM_BUILD_ROOT%{python3_sitelib} +# Build the JSON C extension for the Python lib (#1417738) pushd python ( export CPPFLAGS="-I ../include" 
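Review bot: Both `%configure` calls in `%build` hard-code `--disable-libcapng`, although the spec declares `%bcond_without libcapng` and adds `BuildRequires: libcap-ng libcap-ng-devel` under `%if %{with libcapng}`. The `%post` scriptlet later in this spec uncomments `OVS_USER_ID` so the daemons run as `openvswitch:hugetlbfs`; as far as I know Open vSwitch relies on libcap-ng to retain the capabilities it needs after switching user, so the two settings look contradictory and the privilege drop should be tested on a built package. Wrapping the flag in `%if %{with libcapng}` … `%else` … `%endif` inside each `%configure`, with `--enable-libcapng` in the first branch, would make the build follow the bcond. Separately, `Patch0004: backport-CVE-2022-4338.patch` is dropped with the version bump, so it is worth confirming that the 2.17.5 tarball already contains the `CHECK_TLV_SIZE` checks for both AutoAttach subtypes.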
@@ -159,36 +240,87 @@ popd rm -rf $RPM_BUILD_ROOT/%{_datadir}/openvswitch/python/ -touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db -touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/.conf.db.~lock~ -touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf +install -d -m 0755 $RPM_BUILD_ROOT/%{_sharedstatedir}/openvswitch -install -d $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services/ +install -d -m 0755 $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services/ install -p -D -m 0755 \ rhel/usr_share_openvswitch_scripts_ovs-systemd-reload \ - $RPM_BUILD_ROOT/usr/share/openvswitch/scripts/ovs-systemd-reload + $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-systemd-reload -%clean -rm -rf $RPM_BUILD_ROOT - -%pre -%selinux_relabel_pre -s targeted +touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db +touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf +# remove unpackaged files +rm -f $RPM_BUILD_ROOT/%{_bindir}/ovs-benchmark \ + $RPM_BUILD_ROOT/%{_bindir}/ovs-docker \ + $RPM_BUILD_ROOT/%{_bindir}/ovs-parse-backtrace \ + $RPM_BUILD_ROOT/%{_sbindir}/ovs-vlan-bug-workaround + +rm -rf $RPM_BUILD_ROOT/%{_mandir}/* + +# remove ovn unpackages files +rm -f $RPM_BUILD_ROOT%{_bindir}/ovn* +rm -f $RPM_BUILD_ROOT%{_datadir}/openvswitch/ovn* +rm -f $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovn* +rm -f $RPM_BUILD_ROOT%{_includedir}/ovn/* + +%check +for dir in build \ +%if %{with dpdk} +%ifarch %{dpdkarches} +build-dpdk \ +%endif +%endif +; do +pushd $dir +%if %{with check} + touch resolv.conf + export OVS_RESOLV_CONF=$(pwd)/resolv.conf + if make check TESTSUITEFLAGS='%{_smp_mflags}' || + make check TESTSUITEFLAGS='--recheck' || + make check TESTSUITEFLAGS='--recheck'; then :; + else + cat tests/testsuite.log + exit 1 + fi +%endif +%if %{with check_datapath_kernel} + if make check-kernel RECHECK=yes; then :; + else + cat tests/system-kmod-testsuite.log + exit 1 + fi +%endif +popd +done + %preun %if 0%{?systemd_preun:1} %systemd_preun %{name}.service %else if [ 
$1 -eq 0 ] ; then - # Package removal, not upgrade + # Package removal, not upgrade /bin/systemctl --no-reload disable %{name}.service >/dev/null 2>&1 || : /bin/systemctl stop %{name}.service >/dev/null 2>&1 || : fi %endif +%pre + %post +%{_sbindir}/update-alternatives --install %{_sbindir}/ovs-vswitchd \ + ovs-vswitchd %{_sbindir}/ovs-vswitchd.nodpdk 10 +if [ $1 -eq 1 ]; then + sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch + + sed -i \ + 's@OVS_USER_ID="openvswitch:openvswitch"@OVS_USER_ID="openvswitch:hugetlbfs"@'\ + /etc/sysconfig/openvswitch +fi +chown -R openvswitch:openvswitch /etc/openvswitch + %if 0%{?systemd_post:1} - # This may not enable openvswitch service or do daemon-reload. %systemd_post %{name}.service %else # Package install, not upgrade 
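Review bot: `%pre` is left empty, so no scriptlet creates the `openvswitch` account before the payload is unpacked, even though the spec installs `%{SOURCE1}` as `%{_sysusersdir}/openvswitch.conf` and declares `%{?sysusers_requires_compat}`. On a fresh install the `%defattr(-,openvswitch,openvswitch)` entries and the `chown -R openvswitch:openvswitch /etc/openvswitch` in `%post` then depend on a user that may not exist yet; if the distribution's systemd macros provide it, `%sysusers_create_compat %{SOURCE1}` under `%pre` would close that gap. The recursive `chown` also runs as root on every install and upgrade over a directory the unprivileged service account owns, so consider moving it inside the `if [ $1 -eq 1 ]` block or changing ownership only of the known files. The `%post` body continues past the end of this hunk.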
@@ -197,94 +329,128 @@ rm -rf $RPM_BUILD_ROOT fi %endif -%selinux_modules_install -s targeted /usr/share/selinux/packages/%{name}/openvswitch-custom.pp - %postun +if [ $1 -eq 0 ] ; then + %{_sbindir}/update-alternatives --remove ovs-vswitchd %{_sbindir}/ovs-vswitchd.nodpdk +fi %if 0%{?systemd_postun:1} %systemd_postun %{name}.service %else /bin/systemctl daemon-reload >/dev/null 2>&1 || : %endif +%if %{with dpdk} +%post dpdk +if fgrep -qw sse4_1 /proc/cpuinfo; then + priority=20 +else + echo "Warning: the CPU doesn't support SSE 4.1, dpdk support is not enabled." >&2 + priority=5 +fi +%{_sbindir}/update-alternatives --install %{_sbindir}/ovs-vswitchd \ + ovs-vswitchd %{_sbindir}/ovs-vswitchd.dpdk $priority + +%postun dpdk if [ $1 -eq 0 ] ; then - %selinux_modules_uninstall -s targeted openvswitch-custom + %{_sbindir}/update-alternatives --remove ovs-vswitchd %{_sbindir}/ovs-vswitchd.dpdk fi -exit 0 +%endif -%posttrans -%selinux_relabel_post -s targeted +%files -n python3-openvswitch +%{python3_sitearch}/ovs +%{python3_sitearch}/ovs-*.egg-info +%{_datadir}/openvswitch/bugtool-plugins/ +%{_datadir}/openvswitch/scripts/ovs-bugtool-* +%{_datadir}/openvswitch/scripts/ovs-check-dead-ifs +%{_datadir}/openvswitch/scripts/ovs-vtep +%{_bindir}/ovs-dpctl-top +%{_sbindir}/ovs-bugtool +%doc LICENSE -%files -%defattr(-,root,root) -%dir /etc/openvswitch -/etc/bash_completion.d/ovs-appctl-bashcomp.bash -/etc/bash_completion.d/ovs-vsctl-bashcomp.bash -%config(noreplace) /etc/logrotate.d/openvswitch -/etc/sysconfig/network-scripts/ifup-ovs -/etc/sysconfig/network-scripts/ifdown-ovs -/usr/bin/ovs-appctl -/usr/bin/ovs-dpctl -/usr/bin/ovs-docker -/usr/bin/ovs-ofctl -/usr/bin/ovs-pcap -/usr/bin/ovs-pki -/usr/bin/ovs-tcpdump -/usr/bin/ovs-tcpundump -/usr/bin/ovs-vsctl -/usr/bin/ovsdb-client -/usr/bin/ovsdb-tool -/usr/bin/vtep-ctl -%{_libdir}/lib*.so.* -/usr/sbin/ovs-vswitchd -/usr/sbin/ovsdb-server -%{python3_sitelib}/ovs +%files test +%{_bindir}/ovs-pcap +%{_bindir}/ovs-tcpdump 
+%{_bindir}/ovs-tcpundump +%{_bindir}/ovs-test +%{_bindir}/ovs-vlan-test +%{_bindir}/ovs-l3ping %{python3_sitelib}/ovstest -%{python3_sitearch}/ovs -/usr/share/openvswitch/scripts/ovs-check-dead-ifs -/usr/share/openvswitch/scripts/ovs-ctl -/usr/share/openvswitch/scripts/ovs-kmod-ctl -/usr/share/openvswitch/scripts/ovs-lib -/usr/share/openvswitch/scripts/ovs-save -/usr/share/openvswitch/scripts/ovs-vtep -/usr/share/openvswitch/scripts/sysconfig.template -/usr/share/openvswitch/scripts/ovs-monitor-ipsec + +%files testcontroller +%{_bindir}/ovs-testcontroller + +%files devel +%{_libdir}/*.so +%{_libdir}/pkgconfig/*.pc +%{_includedir}/openvswitch/* +%{_includedir}/openflow/* +%exclude %{_libdir}/*.a +%exclude %{_libdir}/*.la + +%files -n network-scripts-%{name} +%{_sysconfdir}/sysconfig/network-scripts/ifup-ovs +%{_sysconfdir}/sysconfig/network-scripts/ifdown-ovs +%files ipsec +%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec +%{_unitdir}/openvswitch-ipsec.service + +%if %{with dpdk} +%files dpdk +%{_libdir}/openvswitch-dpdk/ +%ghost %{_sbindir}/ovs-vswitchd +%{_sbindir}/ovs-vswitchd.dpdk +%endif + +%files +%defattr(-,openvswitch,openvswitch) +%dir %{_sysconfdir}/openvswitch %{_sysconfdir}/openvswitch/default.conf -%config %ghost %{_sysconfdir}/openvswitch/conf.db -%ghost %{_sysconfdir}/openvswitch/.conf.db.~lock~ +%config %ghost %verify(not owner group md5 size mtime) %{_sysconfdir}/openvswitch/conf.db +%ghost %attr(0600,-,-) %verify(not owner group md5 size mtime) %{_sysconfdir}/openvswitch/.conf.db.~lock~ %config %ghost %{_sysconfdir}/openvswitch/system-id.conf -%config(noreplace) %{_sysconfdir}/sysconfig/openvswitch %defattr(-,root,root) +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/openvswitch +%{_sysconfdir}/bash_completion.d/ovs-appctl-bashcomp.bash +%{_sysconfdir}/bash_completion.d/ovs-vsctl-bashcomp.bash +%config(noreplace) %{_sysconfdir}/logrotate.d/openvswitch %{_unitdir}/openvswitch.service %{_unitdir}/ovsdb-server.service 
%{_unitdir}/ovs-vswitchd.service -/usr/share/openvswitch/scripts/openvswitch.init -/usr/share/openvswitch/scripts/ovs-systemd-reload -/usr/share/openvswitch/vswitch.ovsschema -/usr/share/openvswitch/vtep.ovsschema -%doc NOTICE +%{_unitdir}/ovs-delete-transient-ports.service +%{_datadir}/openvswitch/scripts/openvswitch.init +%{_datadir}/openvswitch/scripts/ovs-lib +%{_datadir}/openvswitch/scripts/ovs-save +%{_datadir}/openvswitch/scripts/ovs-ctl +%{_datadir}/openvswitch/scripts/ovs-kmod-ctl +%{_datadir}/openvswitch/scripts/ovs-systemd-reload +%config %{_datadir}/openvswitch/local-config.ovsschema +%config %{_datadir}/openvswitch/vswitch.ovsschema +%config %{_datadir}/openvswitch/vtep.ovsschema +%{_bindir}/ovs-appctl +%{_bindir}/ovs-dpctl +%{_bindir}/ovs-ofctl +%{_bindir}/ovs-vsctl +%{_bindir}/ovsdb-client +%{_bindir}/ovsdb-tool +%{_bindir}/ovs-pki +%{_bindir}/vtep-ctl +%{_libdir}/*.so.* +%ghost %{_sbindir}/ovs-vswitchd +%{_sbindir}/ovs-vswitchd.nodpdk +%{_sbindir}/ovsdb-server +%{_udevrulesdir}/91-vfio.rules +%doc LICENSE NOTICE README.rst NEWS rhel/README.RHEL.rst /var/lib/openvswitch -/var/log/openvswitch -%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp - -%files -n python3-openvswitch -%{python3_sitelib}/ovs -%{python3_sitearch}/ovs-*.egg-info -%doc LICENSE - -%files devel -%{_libdir}/lib*.so -%{_libdir}/lib*.a -%{_libdir}/pkgconfig -%{_includedir}/openvswitch/* - -%files help -/usr/share/man/man1/* -/usr/share/man/man5/* -/usr/share/man/man7/* -/usr/share/man/man8/* -%doc README.rst NEWS rhel/README.RHEL.rst +%attr(750,openvswitch,openvswitch) %verify(not owner group) /var/log/openvswitch +%ghost %attr(755,root,root) %verify(not owner group) /run/openvswitch +%{_sysconfdir}/sysconfig/network-scripts/ifup-ovs +%{_sysconfdir}/sysconfig/network-scripts/ifdown-ovs +%{_sysusersdir}/openvswitch.conf %changelog +* Tue Jan 03 2023 wanglimin - 2.17.5-1 +- upgrade to 2.17.5-1 + * Thu Dec 29 2022 zhouwenpei - 2.12.4-2 - fix CVE-2022-4338 
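Review bot: The custom SELinux module is no longer shipped. This hunk drops `%selinux_modules_install`, `%selinux_modules_uninstall`, the `%posttrans` relabel and the `openvswitch-custom.pp` entry in `%files`, and the earlier hunks drop `make selinux-policy` together with the `checkpolicy selinux-policy-devel` build requirements. `Patch0002` and `Patch0003: fix-selinux-err.patch` are still applied to `selinux/openvswitch-custom.te.in`, so the spec patches a policy source it never compiles. If the base `selinux-policy` of the target release is expected to confine Open vSwitch, state that in the `%changelog` entry and drop the two patches; otherwise restore the policy build and install steps so the daemons keep their custom rules.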
diff --git a/openvswitch.sysusers b/openvswitch.sysusers
new file mode 100644
index 0000000000000000000000000000000000000000..9a464c21ad56dea14628a57bd50b60e1104c7bef
--- /dev/null
+++ b/openvswitch.sysusers
@@ -0,0 +1,3 @@
+#Type Name ID GECOS Home directory Shell
+u openvswitch - "Open vSwitch Daemons" / /sbin/nologin
+m openvswitch hugetlbfs