@@ -1041,17 +1041,12 @@

 		{

 			"ImportPath": "github.com/openshift/openshift-sdn/ovssubnet",

 			"Comment": "v0.1-110-gcdd9955",

-			"Rev": "cdd9955dc602abe8ef2d934a3c39417375c486c6"

-		},

-		{

-			"ImportPath": "github.com/openshift/openshift-sdn/pkg/api",

-			"Comment": "v0.1-110-gcdd9955",

-			"Rev": "cdd9955dc602abe8ef2d934a3c39417375c486c6"

+			"Rev": "74738c359b670c6e12435c1af10ee2802a4b0b64"

 		},

 		{

 			"ImportPath": "github.com/openshift/openshift-sdn/pkg/netutils",

 			"Comment": "v0.1-110-gcdd9955",

-			"Rev": "cdd9955dc602abe8ef2d934a3c39417375c486c6"

+			"Rev": "a15dc76526039229cfb0c93a4c0389d226550bc9"

 		},

 		{

 			"ImportPath": "github.com/openshift/source-to-image/pkg/api",

new file mode 100644

@@ -0,0 +1,66 @@

+package api

+

+type EventType string

+

+const (

+	Added   EventType = "ADDED"

+	Deleted EventType = "DELETED"

+)

+

+type SubnetRegistry interface {

+	InitSubnets() error

+	GetSubnets() (*[]Subnet, error)

+	GetSubnet(minion string) (*Subnet, error)

+	DeleteSubnet(minion string) error

+	CreateSubnet(sn string, sub *Subnet) error

+	WatchSubnets(receiver chan *SubnetEvent, stop chan bool) error

+

+	InitMinions() error

+	GetMinions() (*[]string, error)

+	CreateMinion(minion string, data string) error

+	WatchMinions(receiver chan *MinionEvent, stop chan bool) error

+

+	WriteNetworkConfig(network string, subnetLength uint) error

+	GetContainerNetwork() (string, error)

+	GetSubnetLength() (uint64, error)

+	CheckEtcdIsAlive(seconds uint64) bool

+

+	WatchNamespaces(receiver chan *NamespaceEvent, stop chan bool) error

+	WatchNetNamespaces(receiver chan *NetNamespaceEvent, stop chan bool) error

+	GetNetNamespaces() ([]NetNamespace, error)

+	GetNetNamespace(name string) (NetNamespace, error)

+	WriteNetNamespace(name string, id uint) error

+	DeleteNetNamespace(name string) error

+}

+

+type SubnetEvent struct {

+	Type   EventType

+	Minion string

+	Sub    Subnet

+}

+

+type MinionEvent struct {

+	Type   EventType

+	Minion string

+}

+

+type Subnet struct {

+	Minion string

+	Sub    string

+}

+

+type NetNamespace struct {

+	Name  string

+	NetID uint

+}

+

+type NetNamespaceEvent struct {

+	Type  EventType

+	Name  string

+	NetID uint

+}

+

+type NamespaceEvent struct {

+	Type EventType

+	Name string

+}

deleted file mode 100644

@@ -1,82 +0,0 @@

-#!/bin/bash

-set -ex

-

-lock_file=/var/lock/openshift-sdn.lock

-

-action=$1

-pod_namespace=$2

-pod_name=$3

-net_container=$4

-

-lockwrap() {

-    (

-    flock 200

-    "$@"

-    ) 200>${lock_file}

-}

-

-Init() {

-    true

-}

-

-Setup() {

-    source /etc/openshift-sdn/config.env

-    cluster_subnet=${OPENSHIFT_CLUSTER_SUBNET}

-    tap_ip=${OPENSHIFT_SDN_TAP1_ADDR}

-

-    pid=$(docker inspect --format "{{.State.Pid}}" ${net_container})

-    network_mode=$(docker inspect --format "{{.HostConfig.NetworkMode}}" ${net_container})

-    if [ "${network_mode}" == "host" ]; then

-      # quit, nothing for the SDN here

-      exit 0

-    fi

-    ipaddr=$(docker inspect --format "{{.NetworkSettings.IPAddress}}" ${net_container})

-    new_ip=$ipaddr

-    ipaddr_sub=$(docker inspect --format "{{.NetworkSettings.IPPrefixLen}}" ${net_container})

-    docker_gateway=$(docker inspect --format "{{.NetworkSettings.Gateway}}" ${net_container})

-    veth_ifindex=$(nsenter -n -t $pid -- ethtool -S eth0 | sed -n -e 's/.*peer_ifindex: //p')

-    veth_host=$(ip link show | sed -ne "s/^$veth_ifindex: \([^:]*\).*/\1/p")

-

-    brctl delif lbr0 $veth_host

-    ovs-vsctl add-port br0 ${veth_host} 

-    ovs_port=$(ovs-ofctl -O OpenFlow13 dump-ports-desc br0  | grep ${veth_host} | cut -d "(" -f 1 | tr -d ' ')

-    ovs-ofctl -O OpenFlow13 add-flow br0 "table=0,cookie=0x${ovs_port},priority=100,ip,nw_dst=${new_ip},actions=output:${ovs_port}"

-    ovs-ofctl -O OpenFlow13 add-flow br0 "table=0,cookie=0x${ovs_port},priority=100,arp,nw_dst=${new_ip},actions=output:${ovs_port}"

-

-    add_subnet_route="ip route add ${cluster_subnet} dev eth0 proto kernel scope link src $ipaddr"

-    nsenter -n -t $pid -- $add_subnet_route

-}

-

-Teardown() {

-    source /etc/openshift-sdn/config.env

-    cluster_subnet=${OPENSHIFT_CLUSTER_SUBNET}

-    tap_ip=${OPENSHIFT_SDN_TAP1_ADDR}

-

-    pid=$(docker inspect --format "{{.State.Pid}}" ${net_container})

-    network_mode=$(docker inspect --format "{{.HostConfig.NetworkMode}}" ${net_container})

-    if [ "${network_mode}" == "host" ]; then

-      # quit, nothing for the SDN here

-      exit 0

-    fi

-    veth_ifindex=$(nsenter -n -t $pid -- ethtool -S eth0 | sed -n -e 's/.*peer_ifindex: //p')

-    veth_host=$(ip link show | sed -ne "s/^$veth_ifindex: \([^:]*\).*/\1/p")

-    ovs_port=$(ovs-ofctl -O OpenFlow13 dump-ports-desc br0  | grep ${veth_host} | cut -d "(" -f 1 | tr -d ' ')

-    ovs-vsctl del-port $veth_host

-    ovs-ofctl -O OpenFlow13 del-flows br0 "table=0,cookie=0x${ovs_port}/0xffffffff"

-}

-

-case "$action" in

-    init)

-	lockwrap Init

-	;;

-    setup)

-	lockwrap Setup

-	;;

-    teardown)

-	lockwrap Teardown

-	;;

-    *)

-        echo "Bad input: $@"

-        exit 1

-esac

-

deleted file mode 100644

@@ -1,120 +0,0 @@

-#!/bin/bash

-

-set -ex

-

-lock_file=/var/lock/openshift-sdn.lock

-subnet_gateway=$1

-subnet=$2

-cluster_subnet=$3

-subnet_mask_len=$4

-tun_gateway=$5

-printf 'Container network is "%s"; local host has subnet "%s" and gateway "%s".\n' "${cluster_subnet}" "${subnet}" "${subnet_gateway}"

-TUN=tun0

-

-# Synchronize code execution with a file lock.

-function lockwrap() {

-    (

-    flock 200

-    "$@"

-    ) 200>${lock_file}

-}

-

-function setup_required() {

-    ip=$(echo `ip a s lbr0 2>/dev/null|awk '/inet / {print $2}'`)

-    if [ "$ip" != "${subnet_gateway}/${subnet_mask_len}" ]; then

-        return 0

-    fi

-    if ! grep -q lbr0 /run/openshift-sdn/docker-network; then

-        return 0

-    fi

-    return 1

-}

-

-function setup() {

-    # clear config file

-    rm -f /etc/openshift-sdn/config.env

-

-    ## openvswitch

-    ovs-vsctl del-br br0 || true

-    ovs-vsctl add-br br0 -- set Bridge br0 fail-mode=secure

-    ovs-vsctl set bridge br0 protocols=OpenFlow13

-    ovs-vsctl del-port br0 vxlan0 || true

-    ovs-vsctl add-port br0 vxlan0 -- set Interface vxlan0 type=vxlan options:remote_ip="flow" options:key="flow" ofport_request=1

-    ovs-vsctl add-port br0 ${TUN} -- set Interface ${TUN} type=internal ofport_request=2

-

-    ip link del vlinuxbr || true

-    ip link add vlinuxbr type veth peer name vovsbr

-    ip link set vlinuxbr up

-    ip link set vovsbr up

-    ip link set vlinuxbr txqueuelen 0

-    ip link set vovsbr txqueuelen 0

-

-    ovs-vsctl del-port br0 vovsbr || true

-    ovs-vsctl add-port br0 vovsbr -- set Interface vovsbr ofport_request=9

-

-    ## linux bridge

-    ip link set lbr0 down || true

-    brctl delbr lbr0 || true

-    brctl addbr lbr0

-    ip addr add ${subnet_gateway}/${subnet_mask_len} dev lbr0

-    ip link set lbr0 up

-    brctl addif lbr0 vlinuxbr

-

-    # setup tun address

-    ip addr add ${tun_gateway}/${subnet_mask_len} dev ${TUN}

-    ip link set ${TUN} up

-    ip route add ${cluster_subnet} dev ${TUN} proto kernel scope link

-

-    ## iptables

-    iptables -t nat -D POSTROUTING -s ${cluster_subnet} ! -d ${cluster_subnet} -j MASQUERADE || true

-    iptables -t nat -A POSTROUTING -s ${cluster_subnet} ! -d ${cluster_subnet} -j MASQUERADE

-    iptables -D INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT || true

-    iptables -D INPUT -i ${TUN} -m comment --comment "traffic from docker for internet" -j ACCEPT || true

-    lineno=$(iptables -nvL INPUT --line-numbers | grep "state RELATED,ESTABLISHED" | awk '{print $1}')

-    iptables -I INPUT $lineno -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT

-    iptables -I INPUT $((lineno+1)) -i ${TUN} -m comment --comment "traffic from docker for internet" -j ACCEPT

-    fwd_lineno=$(iptables -nvL FORWARD --line-numbers | grep "reject-with icmp-host-prohibited" | tail -n 1 | awk '{print $1}')

-    iptables -I FORWARD $fwd_lineno -d ${cluster_subnet} -j ACCEPT

-    iptables -I FORWARD $fwd_lineno -s ${cluster_subnet} -j ACCEPT

-

-    ## docker

-    if [[ -z "${DOCKER_NETWORK_OPTIONS}" ]]

-    then

-        DOCKER_NETWORK_OPTIONS='-b=lbr0 --mtu=1450'

-    fi

-

-    mkdir -p /run/openshift-sdn

-    cat <<EOF > /run/openshift-sdn/docker-network

-# This file has been modified by openshift-sdn. Please modify the

-# DOCKER_NETWORK_OPTIONS variable in /etc/sysconfig/openshift-node if this

-# is an integrated install or /etc/sysconfig/openshift-sdn-node if this is a

-# standalone install.

-

-DOCKER_NETWORK_OPTIONS='${DOCKER_NETWORK_OPTIONS}'

-EOF

-

-    systemctl daemon-reload

-    systemctl restart docker.service

-

-    # disable iptables for lbr0

-    # for kernel version 3.18+, module br_netfilter needs to be loaded upfront

-    # for older ones, br_netfilter may not exist, but is covered by bridge (bridge-utils)

-    modprobe br_netfilter || true 

-    sysctl -w net.bridge.bridge-nf-call-iptables=0

-

-    # delete the subnet routing entry created because of lbr0

-    ip route del ${subnet} dev lbr0 proto kernel scope link src ${subnet_gateway} || true

-

-    mkdir -p /etc/openshift-sdn

-    echo "export OPENSHIFT_SDN_TAP1_ADDR=${tun_gateway}" >& "/etc/openshift-sdn/config.env"

-    echo "export OPENSHIFT_CLUSTER_SUBNET=${cluster_subnet}" >> "/etc/openshift-sdn/config.env"

-}

-

-set +e

-if ! setup_required; then

-    echo "SDN setup not required."

-    exit 140

-fi

-set -e

-

-lockwrap setup

deleted file mode 100644

@@ -1,68 +0,0 @@

-#!/bin/bash

-

-set -ex

-

-subnet_gateway=$1

-subnet=$2

-container_network=$3

-subnet_mask_len=$4

-printf 'Container network is "%s"; local host has subnet "%s" and gateway "%s".\n' "${container_network}" "${subnet}" "${subnet_gateway}"

-

-## openvswitch

-ovs-vsctl del-br br0 || true

-ovs-vsctl add-br br0 -- set Bridge br0 fail-mode=secure

-ovs-vsctl set bridge br0 protocols=OpenFlow13

-ovs-vsctl del-port br0 vxlan0 || true

-ovs-vsctl add-port br0 vxlan0 -- set Interface vxlan0 type=vxlan options:remote_ip="flow" options:key="flow" ofport_request=10

-ip link del vlinuxbr || true

-ip link add vlinuxbr type veth peer name vovsbr

-ip link set vlinuxbr up

-ip link set vovsbr up

-ip link set vlinuxbr txqueuelen 0

-ip link set vovsbr txqueuelen 0

-

-ovs-vsctl del-port br0 vovsbr || true

-ovs-vsctl add-port br0 vovsbr -- set Interface vovsbr ofport_request=9

-

-## linux bridge

-ip link set lbr0 down || true

-brctl delbr lbr0 || true

-brctl addbr lbr0

-ip addr add ${subnet_gateway}/${subnet_mask_len} dev lbr0

-ip link set lbr0 up

-brctl addif lbr0 vlinuxbr

-ip route del ${subnet} dev lbr0 proto kernel scope link src ${subnet_gateway} || true

-ip route add ${container_network} dev lbr0 proto kernel scope link src ${subnet_gateway}

-

-

-## iptables

-iptables -t nat -D POSTROUTING -s ${container_network} ! -d ${container_network} -j MASQUERADE || true

-iptables -t nat -A POSTROUTING -s ${container_network} ! -d ${container_network} -j MASQUERADE

-iptables -D INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT || true

-iptables -D INPUT -i lbr0 -m comment --comment "traffic from docker" -j ACCEPT || true

-lineno=$(iptables -nvL INPUT --line-numbers | grep "state RELATED,ESTABLISHED" | awk '{print $1}')

-iptables -I INPUT $lineno -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT

-iptables -I INPUT $((lineno+1)) -i lbr0 -m comment --comment "traffic from docker" -j ACCEPT

-fwd_lineno=$(iptables -nvL FORWARD --line-numbers | grep "reject-with icmp-host-prohibited" | tail -n 1 | awk '{print $1}')

-iptables -I FORWARD $fwd_lineno -d ${container_network} -j ACCEPT

-iptables -I FORWARD $fwd_lineno -s ${container_network} -j ACCEPT

-

-

-## docker

-if [[ -z "${DOCKER_NETWORK_OPTIONS}" ]]

-then

-    DOCKER_NETWORK_OPTIONS='-b=lbr0 --mtu=1450'

-fi

-

-mkdir -p /run/openshift-sdn

-cat <<EOF > /run/openshift-sdn/docker-network

-# This file has been modified by openshift-sdn. Please modify the

-# DOCKER_NETWORK_OPTIONS variable in /etc/sysconfig/openshift-node if this

-# is an integrated install or /etc/sysconfig/openshift-sdn-node if this is a

-# standalone install.

-

-DOCKER_NETWORK_OPTIONS='${DOCKER_NETWORK_OPTIONS}'

-EOF

-

-systemctl daemon-reload

-systemctl restart docker.service

@@ -7,12 +7,17 @@ import (

 	"net"

 	"time"

+	"github.com/openshift/openshift-sdn/ovssubnet/api"

 	"github.com/openshift/openshift-sdn/ovssubnet/controller/kube"

 	"github.com/openshift/openshift-sdn/ovssubnet/controller/lbr"

-	"github.com/openshift/openshift-sdn/pkg/api"

+	"github.com/openshift/openshift-sdn/ovssubnet/controller/multitenant"

 	"github.com/openshift/openshift-sdn/pkg/netutils"

 )

+const (

+	MaxUint = ^uint(0)

+)

+

 type OvsController struct {

 	subnetRegistry  api.SubnetRegistry

 	localIP         string

@@ -22,6 +27,8 @@ type OvsController struct {

 	sig             chan struct{}

 	ready           chan struct{}

 	flowController  FlowController

+	VnidMap         map[string]uint

+	netIDManager    *netutils.NetIDAllocator

 }

 type FlowController interface {

@@ -38,6 +45,14 @@ func NewKubeController(sub api.SubnetRegistry, hostname string, selfIP string, r

 	return kubeController, err

 }

+func NewMultitenantController(sub api.SubnetRegistry, hostname string, selfIP string, ready chan struct{}) (*OvsController, error) {

+	mtController, err := NewController(sub, hostname, selfIP, ready)

+	if err == nil {

+		mtController.flowController = multitenant.NewFlowController()

+	}

+	return mtController, err

+}

+

 func NewDefaultController(sub api.SubnetRegistry, hostname string, selfIP string, ready chan struct{}) (*OvsController, error) {

 	defaultController, err := NewController(sub, hostname, selfIP, ready)

 	if err == nil {

@@ -70,6 +85,7 @@ func NewController(sub api.SubnetRegistry, hostname string, selfIP string, ready

 		hostName:        hostname,

 		localSubnet:     nil,

 		subnetAllocator: nil,

+		VnidMap:         make(map[string]uint),

 		sig:             make(chan struct{}),

 		ready:           ready,

 	}, nil

@@ -116,10 +132,66 @@ func (oc *OvsController) StartMaster(sync bool, containerNetwork string, contain

 		log.Warningf("Error initializing existing minions: %v", err)

 		// no worry, we can still keep watching it.

 	}

+	if _, is_mt := oc.flowController.(*multitenant.FlowController); is_mt {

+		nets, err := oc.subnetRegistry.GetNetNamespaces()

+		if err != nil {

+			return err

+		}

+		inUse := make([]uint, 0)

+		for _, net := range nets {

+			inUse = append(inUse, net.NetID)

+			oc.VnidMap[net.Name] = net.NetID

+		}

+		oc.netIDManager, err = netutils.NewNetIDAllocator(10, MaxUint, inUse)

+		if err != nil {

+			return err

+		}

+		go oc.watchNetworks()

+	}

 	go oc.watchMinions()

 	return nil

 }

+func (oc *OvsController) watchNetworks() {

+	nsevent := make(chan *api.NamespaceEvent)

+	stop := make(chan bool)

+	go oc.subnetRegistry.WatchNamespaces(nsevent, stop)

+	for {

+		select {

+		case ev := <-nsevent:

+			switch ev.Type {

+			case api.Added:

+				_, err := oc.subnetRegistry.GetNetNamespace(ev.Name)

+				if err != nil {

+					netid, err := oc.netIDManager.GetNetID()

+					if err != nil {

+						log.Error("Error getting new network IDS: %v", err)

+						continue

+					}

+					err = oc.subnetRegistry.WriteNetNamespace(ev.Name, netid)

+					if err != nil {

+						log.Error("Error writing new network ID: %v", err)

+						continue

+					}

+					oc.VnidMap[ev.Name] = netid

+				}

+			case api.Deleted:

+				err := oc.subnetRegistry.DeleteNetNamespace(ev.Name)

+				if err != nil {

+					log.Error("Error while deleting Net Id: %v", err)

+				}

+				netid := oc.VnidMap[ev.Name]

+				oc.netIDManager.ReleaseNetID(netid)

+				delete(oc.VnidMap, ev.Name)

+			}

+		case <-oc.sig:

+			log.Error("Signal received. Stopping watching of minions.")

+			stop <- true

+			return

+		}

+	}

+}

+

 func (oc *OvsController) ServeExistingMinions() error {

 	minions, err := oc.subnetRegistry.GetMinions()

 	if err != nil {

@@ -226,6 +298,16 @@ func (oc *OvsController) StartNode(sync, skipsetup bool) error {

 	for _, s := range *subnets {

 		oc.flowController.AddOFRules(s.Minion, s.Sub, oc.localIP)

 	}

+	if _, ok := oc.flowController.(*multitenant.FlowController); ok {

+		nslist, err := oc.subnetRegistry.GetNetNamespaces()

+		if err != nil {

+			return err

+		}

+		for _, ns := range nslist {

+			oc.VnidMap[ns.Name] = ns.NetID

+		}

+		go oc.watchVnids()

+	}

 	go oc.watchCluster()

 	if oc.ready != nil {

@@ -235,6 +317,27 @@ func (oc *OvsController) StartNode(sync, skipsetup bool) error {

 	return err

 }

+func (oc *OvsController) watchVnids() {

+	netNsEvent := make(chan *api.NetNamespaceEvent)

+	stop := make(chan bool)

+	go oc.subnetRegistry.WatchNetNamespaces(netNsEvent, stop)

+	for {

+		select {

+		case ev := <-netNsEvent:

+			switch ev.Type {

+			case api.Added:

+				oc.VnidMap[ev.Name] = ev.NetID

+			case api.Deleted:

+				delete(oc.VnidMap, ev.Name)

+			}

+		case <-oc.sig:

+			log.Error("Signal received. Stopping watching of NetNamespaces.")

+			stop <- true

+			return

+		}

+	}

+}

+

 func (oc *OvsController) initSelfSubnet() error {

 	// get subnet for self

 	for {

new file mode 100644

@@ -0,0 +1,82 @@

+#!/bin/bash

+set -ex

+

+lock_file=/var/lock/openshift-sdn.lock

+

+action=$1

+pod_namespace=$2

+pod_name=$3

+net_container=$4

+

+lockwrap() {

+    (

+    flock 200

+    "$@"

+    ) 200>${lock_file}

+}

+

+Init() {

+    true

+}

+

+Setup() {

+    source /etc/openshift-sdn/config.env

+    cluster_subnet=${OPENSHIFT_CLUSTER_SUBNET}

+    tap_ip=${OPENSHIFT_SDN_TAP1_ADDR}

+

+    pid=$(docker inspect --format "{{.State.Pid}}" ${net_container})

+    network_mode=$(docker inspect --format "{{.HostConfig.NetworkMode}}" ${net_container})

+    if [ "${network_mode}" == "host" ]; then

+      # quit, nothing for the SDN here

+      exit 0

+    fi

+    ipaddr=$(docker inspect --format "{{.NetworkSettings.IPAddress}}" ${net_container})

+    new_ip=$ipaddr

+    ipaddr_sub=$(docker inspect --format "{{.NetworkSettings.IPPrefixLen}}" ${net_container})

+    docker_gateway=$(docker inspect --format "{{.NetworkSettings.Gateway}}" ${net_container})

+    veth_ifindex=$(nsenter -n -t $pid -- ethtool -S eth0 | sed -n -e 's/.*peer_ifindex: //p')

+    veth_host=$(ip link show | sed -ne "s/^$veth_ifindex: \([^:]*\).*/\1/p")

+

+    brctl delif lbr0 $veth_host

+    ovs-vsctl add-port br0 ${veth_host} 

+    ovs_port=$(ovs-ofctl -O OpenFlow13 dump-ports-desc br0  | grep ${veth_host} | cut -d "(" -f 1 | tr -d ' ')

+    ovs-ofctl -O OpenFlow13 add-flow br0 "table=0,cookie=0x${ovs_port},priority=100,ip,nw_dst=${new_ip},actions=output:${ovs_port}"

+    ovs-ofctl -O OpenFlow13 add-flow br0 "table=0,cookie=0x${ovs_port},priority=100,arp,nw_dst=${new_ip},actions=output:${ovs_port}"

+

+    add_subnet_route="ip route add ${cluster_subnet} dev eth0 proto kernel scope link src $ipaddr"

+    nsenter -n -t $pid -- $add_subnet_route

+}

+

+Teardown() {

+    source /etc/openshift-sdn/config.env

+    cluster_subnet=${OPENSHIFT_CLUSTER_SUBNET}

+    tap_ip=${OPENSHIFT_SDN_TAP1_ADDR}

+

+    pid=$(docker inspect --format "{{.State.Pid}}" ${net_container})

+    network_mode=$(docker inspect --format "{{.HostConfig.NetworkMode}}" ${net_container})

+    if [ "${network_mode}" == "host" ]; then

+      # quit, nothing for the SDN here

+      exit 0

+    fi

+    veth_ifindex=$(nsenter -n -t $pid -- ethtool -S eth0 | sed -n -e 's/.*peer_ifindex: //p')

+    veth_host=$(ip link show | sed -ne "s/^$veth_ifindex: \([^:]*\).*/\1/p")

+    ovs_port=$(ovs-ofctl -O OpenFlow13 dump-ports-desc br0  | grep ${veth_host} | cut -d "(" -f 1 | tr -d ' ')

+    ovs-vsctl del-port $veth_host

+    ovs-ofctl -O OpenFlow13 del-flows br0 "table=0,cookie=0x${ovs_port}/0xffffffff"

+}

+

+case "$action" in

+    init)

+	lockwrap Init

+	;;

+    setup)

+	lockwrap Setup

+	;;

+    teardown)

+	lockwrap Teardown

+	;;

+    *)

+        echo "Bad input: $@"

+        exit 1

+esac

+

new file mode 100644

@@ -0,0 +1,120 @@

+#!/bin/bash

+

+set -ex

+

+lock_file=/var/lock/openshift-sdn.lock

+subnet_gateway=$1

+subnet=$2

+cluster_subnet=$3

+subnet_mask_len=$4

+tun_gateway=$5

+printf 'Container network is "%s"; local host has subnet "%s" and gateway "%s".\n' "${cluster_subnet}" "${subnet}" "${subnet_gateway}"

+TUN=tun0

+

+# Synchronize code execution with a file lock.

+function lockwrap() {

+    (

+    flock 200

+    "$@"

+    ) 200>${lock_file}

+}

+

+function setup_required() {

+    ip=$(echo `ip a s lbr0 2>/dev/null|awk '/inet / {print $2}'`)

+    if [ "$ip" != "${subnet_gateway}/${subnet_mask_len}" ]; then

+        return 0

+    fi

+    if ! grep -q lbr0 /run/openshift-sdn/docker-network; then

+        return 0

+    fi

+    return 1

+}

+

+function setup() {

+    # clear config file

+    rm -f /etc/openshift-sdn/config.env

+

+    ## openvswitch

+    ovs-vsctl del-br br0 || true

+    ovs-vsctl add-br br0 -- set Bridge br0 fail-mode=secure

+    ovs-vsctl set bridge br0 protocols=OpenFlow13

+    ovs-vsctl del-port br0 vxlan0 || true

+    ovs-vsctl add-port br0 vxlan0 -- set Interface vxlan0 type=vxlan options:remote_ip="flow" options:key="flow" ofport_request=1

+    ovs-vsctl add-port br0 ${TUN} -- set Interface ${TUN} type=internal ofport_request=2

+

+    ip link del vlinuxbr || true

+    ip link add vlinuxbr type veth peer name vovsbr

+    ip link set vlinuxbr up

+    ip link set vovsbr up

+    ip link set vlinuxbr txqueuelen 0

+    ip link set vovsbr txqueuelen 0

+

+    ovs-vsctl del-port br0 vovsbr || true

+    ovs-vsctl add-port br0 vovsbr -- set Interface vovsbr ofport_request=9

+

+    ## linux bridge

+    ip link set lbr0 down || true

+    brctl delbr lbr0 || true

+    brctl addbr lbr0

+    ip addr add ${subnet_gateway}/${subnet_mask_len} dev lbr0

+    ip link set lbr0 up

+    brctl addif lbr0 vlinuxbr

+

+    # setup tun address

+    ip addr add ${tun_gateway}/${subnet_mask_len} dev ${TUN}

+    ip link set ${TUN} up

+    ip route add ${cluster_subnet} dev ${TUN} proto kernel scope link

+

+    ## iptables

+    iptables -t nat -D POSTROUTING -s ${cluster_subnet} ! -d ${cluster_subnet} -j MASQUERADE || true

+    iptables -t nat -A POSTROUTING -s ${cluster_subnet} ! -d ${cluster_subnet} -j MASQUERADE

+    iptables -D INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT || true

+    iptables -D INPUT -i ${TUN} -m comment --comment "traffic from docker for internet" -j ACCEPT || true

+    lineno=$(iptables -nvL INPUT --line-numbers | grep "state RELATED,ESTABLISHED" | awk '{print $1}')

+    iptables -I INPUT $lineno -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT

+    iptables -I INPUT $((lineno+1)) -i ${TUN} -m comment --comment "traffic from docker for internet" -j ACCEPT

+    fwd_lineno=$(iptables -nvL FORWARD --line-numbers | grep "reject-with icmp-host-prohibited" | tail -n 1 | awk '{print $1}')

+    iptables -I FORWARD $fwd_lineno -d ${cluster_subnet} -j ACCEPT

+    iptables -I FORWARD $fwd_lineno -s ${cluster_subnet} -j ACCEPT

+

+    ## docker

+    if [[ -z "${DOCKER_NETWORK_OPTIONS}" ]]

+    then

+        DOCKER_NETWORK_OPTIONS='-b=lbr0 --mtu=1450'

+    fi

+

+    mkdir -p /run/openshift-sdn

+    cat <<EOF > /run/openshift-sdn/docker-network

+# This file has been modified by openshift-sdn. Please modify the

+# DOCKER_NETWORK_OPTIONS variable in /etc/sysconfig/openshift-node if this

+# is an integrated install or /etc/sysconfig/openshift-sdn-node if this is a

+# standalone install.

+

+DOCKER_NETWORK_OPTIONS='${DOCKER_NETWORK_OPTIONS}'

+EOF

+

+    systemctl daemon-reload

+    systemctl restart docker.service

+

+    # disable iptables for lbr0

+    # for kernel version 3.18+, module br_netfilter needs to be loaded upfront

+    # for older ones, br_netfilter may not exist, but is covered by bridge (bridge-utils)

+    modprobe br_netfilter || true 

+    sysctl -w net.bridge.bridge-nf-call-iptables=0

+

+    # delete the subnet routing entry created because of lbr0

+    ip route del ${subnet} dev lbr0 proto kernel scope link src ${subnet_gateway} || true

+

+    mkdir -p /etc/openshift-sdn

+    echo "export OPENSHIFT_SDN_TAP1_ADDR=${tun_gateway}" >& "/etc/openshift-sdn/config.env"

+    echo "export OPENSHIFT_CLUSTER_SUBNET=${cluster_subnet}" >> "/etc/openshift-sdn/config.env"

+}

+

+set +e

+if ! setup_required; then

+    echo "SDN setup not required."

+    exit 140

+fi

+set -e

+

+lockwrap setup

new file mode 100644

@@ -0,0 +1,68 @@

+#!/bin/bash

+

+set -ex

+

+subnet_gateway=$1

+subnet=$2

+container_network=$3

+subnet_mask_len=$4

+printf 'Container network is "%s"; local host has subnet "%s" and gateway "%s".\n' "${container_network}" "${subnet}" "${subnet_gateway}"

+

+## openvswitch

+ovs-vsctl del-br br0 || true

+ovs-vsctl add-br br0 -- set Bridge br0 fail-mode=secure

+ovs-vsctl set bridge br0 protocols=OpenFlow13

+ovs-vsctl del-port br0 vxlan0 || true

+ovs-vsctl add-port br0 vxlan0 -- set Interface vxlan0 type=vxlan options:remote_ip="flow" options:key="flow" ofport_request=10

+ip link del vlinuxbr || true

+ip link add vlinuxbr type veth peer name vovsbr

+ip link set vlinuxbr up

+ip link set vovsbr up

+ip link set vlinuxbr txqueuelen 0

+ip link set vovsbr txqueuelen 0

+

+ovs-vsctl del-port br0 vovsbr || true

+ovs-vsctl add-port br0 vovsbr -- set Interface vovsbr ofport_request=9

+

+## linux bridge

+ip link set lbr0 down || true

+brctl delbr lbr0 || true

+brctl addbr lbr0

+ip addr add ${subnet_gateway}/${subnet_mask_len} dev lbr0

+ip link set lbr0 up

+brctl addif lbr0 vlinuxbr

+ip route del ${subnet} dev lbr0 proto kernel scope link src ${subnet_gateway} || true

+ip route add ${container_network} dev lbr0 proto kernel scope link src ${subnet_gateway}

+

+

+## iptables

+iptables -t nat -D POSTROUTING -s ${container_network} ! -d ${container_network} -j MASQUERADE || true

+iptables -t nat -A POSTROUTING -s ${container_network} ! -d ${container_network} -j MASQUERADE

+iptables -D INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT || true

+iptables -D INPUT -i lbr0 -m comment --comment "traffic from docker" -j ACCEPT || true

+lineno=$(iptables -nvL INPUT --line-numbers | grep "state RELATED,ESTABLISHED" | awk '{print $1}')

+iptables -I INPUT $lineno -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT

+iptables -I INPUT $((lineno+1)) -i lbr0 -m comment --comment "traffic from docker" -j ACCEPT

+fwd_lineno=$(iptables -nvL FORWARD --line-numbers | grep "reject-with icmp-host-prohibited" | tail -n 1 | awk '{print $1}')

+iptables -I FORWARD $fwd_lineno -d ${container_network} -j ACCEPT

+iptables -I FORWARD $fwd_lineno -s ${container_network} -j ACCEPT

+

+

+## docker

+if [[ -z "${DOCKER_NETWORK_OPTIONS}" ]]

+then

+    DOCKER_NETWORK_OPTIONS='-b=lbr0 --mtu=1450'

+fi

+

+mkdir -p /run/openshift-sdn

+cat <<EOF > /run/openshift-sdn/docker-network

+# This file has been modified by openshift-sdn. Please modify the

+# DOCKER_NETWORK_OPTIONS variable in /etc/sysconfig/openshift-node if this

+# is an integrated install or /etc/sysconfig/openshift-sdn-node if this is a

+# standalone install.

+

+DOCKER_NETWORK_OPTIONS='${DOCKER_NETWORK_OPTIONS}'

+EOF

+

+systemctl daemon-reload

+systemctl restart docker.service

new file mode 100755

@@ -0,0 +1,89 @@

+#!/bin/bash

+set -ex

+

+lock_file=/var/lock/openshift-sdn.lock

+

+action=$1

+pod_namespace=$2

+pod_name=$3

+net_container=$4

+tenant_id=$5

+

+lockwrap() {

+    (

+    flock 200

+    "$@"

+    ) 200>${lock_file}

+}

+

+Init() {

+    true

+}

+

+Setup() {

+    source /etc/openshift-sdn/config.env

+    cluster_subnet=${OPENSHIFT_CLUSTER_SUBNET}

+

+    pid=$(docker inspect --format "{{.State.Pid}}" ${net_container})

+    network_mode=$(docker inspect --format "{{.HostConfig.NetworkMode}}" ${net_container})

+    if [ "${network_mode}" == "host" ]; then

+      # quit, nothing for the SDN here

+      exit 0

+    fi

+    ipaddr=$(docker inspect --format "{{.NetworkSettings.IPAddress}}" ${net_container})

+    veth_ifindex=$(nsenter -n -t $pid -- ethtool -S eth0 | sed -n -e 's/.*peer_ifindex: //p')

+    veth_host=$(ip link show | sed -ne "s/^$veth_ifindex: \([^:]*\).*/\1/p")

+

+    # If the caller didn't pass a tenant ID, we make one up based on

+    # the first two letters of the pod name.

+    # FIXME: remove this when it's no longer needed for testing

+    if [ -z "$tenant_id" ]; then

+       tenant_id=$(echo $pod_name | perl -ne 'print unpack("S", $_)')

+    fi

+

+    brctl delif lbr0 $veth_host

+    ovs-vsctl add-port br0 ${veth_host} 

+    ovs_port=$(ovs-ofctl -O OpenFlow13 dump-ports-desc br0  | grep ${veth_host} | cut -d "(" -f 1 | tr -d ' ')