* [PATCH net v4] failover: allow name change on IFF_UP slave interfaces
@ 2019-03-28 23:47 Si-Wei Liu
2019-03-29 5:55 ` Samudrala, Sridhar
` (4 more replies)
0 siblings, 5 replies; 14+ messages in thread
From: Si-Wei Liu @ 2019-03-28 23:47 UTC (permalink / raw)
To: mst, sridhar.samudrala, stephen, davem, kubakici,
alexander.duyck, jiri, netdev, virtualization
Cc: liran.alon, boris.ostrovsky, vijay.balakrishna, si-wei liu
When a netdev appears through hot plug then gets enslaved by a failover
master that is already up and running, the slave will be opened
right away after getting enslaved. Today there's a race that userspace
(udev) may fail to rename the slave if the kernel (net_failover)
opens the slave earlier than when the userspace rename happens.
Unlike bond or team, the primary slave of failover can't be renamed by
userspace ahead of time, since the kernel initiated auto-enslavement is
unable to, or rather, is never meant to be synchronized with the rename
request from userspace.
As the failover slave interfaces are not designed to be operated
directly by userspace apps: IP configuration, filter rules with
regard to network traffic passing and etc., should all be done on master
interface. In general, userspace apps only care about the
name of master interface, while slave names are less important as long
as admin users can see reliable names that may carry
other information describing the netdev. For e.g., they can infer that
"ens3nsby" is a standby slave of "ens3", while for a
name like "eth0" they can't tell which master it belongs to.
Historically the name of IFF_UP interface can't be changed because
there might be admin script or management software that is already
relying on such behavior and assumes that the slave name can't be
changed once UP. But failover is special: with the in-kernel
auto-enslavement mechanism, the userspace expectation for device
enumeration and bring-up order is already broken. Previously initramfs
and various userspace config tools were modified to bypass failover
slaves because of auto-enslavement and duplicate MAC address. Similarly,
in case that users care about seeing reliable slave name, the new type
of failover slaves needs to be taken care of specifically in userspace
anyway.
It's less risky to lift up the rename restriction on failover slave
which is already UP. Although it's possible this change may potentially
break userspace component (most likely configuration scripts or
management software) that assumes slave name can't be changed while
UP, it's relatively a limited and controllable set among all userspace
components, which can be fixed specifically to listen for the rename
and/or link down/up events on failover slaves. Userspace component
interacting with slaves is expected to be changed to operate on failover
master interface instead, as the failover slave is dynamic in nature
which may come and go at any point. The goal is to make the role of
failover slaves less relevant, and userspace components should only
deal with failover master in the long run.
Fixes: 30c8bd5aa8b2 ("net: Introduce generic failover module")
Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
Reviewed-by: Liran Alon <liran.alon@oracle.com>
--
v1 -> v2:
- Drop configurable module parameter (Sridhar)
v2 -> v3:
- Drop additional IFF_SLAVE_RENAME_OK flag (Sridhar)
- Send down and up events around rename (Michael S. Tsirkin)
v3 -> v4:
- Simplify notification to be sent (Stephen Hemminger)
---
net/core/dev.c | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 722d50d..6ae5874 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1180,7 +1180,21 @@ int dev_change_name(struct net_device *dev, const char *newname)
BUG_ON(!dev_net(dev));
net = dev_net(dev);
- if (dev->flags & IFF_UP)
+
+ /* Allow failover slave to rename even when
+ * it is up and running.
+ *
+ * Failover slaves are special, since userspace
+ * might rename the slave after the interface
+ * has been brought up and running due to
+ * auto-enslavement.
+ *
+ * Failover users don't actually care about slave
+ * name change, as they are only expected to operate
+ * on master interface directly.
+ */
+ if (dev->flags & IFF_UP &&
+ likely(!(dev->priv_flags & IFF_FAILOVER_SLAVE)))
return -EBUSY;
write_seqcount_begin(&devnet_rename_seq);
@@ -1227,6 +1241,14 @@ int dev_change_name(struct net_device *dev, const char *newname)
hlist_add_head_rcu(&dev->name_hlist, dev_name_hash(net, dev->name));
write_unlock_bh(&dev_base_lock);
+ if (unlikely(dev->flags & IFF_UP)) {
+ struct netdev_notifier_change_info change_info;
+
+ change_info.flags_changed = 0;
+ call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
+ &change_info.info);
+ }
+
ret = call_netdevice_notifiers(NETDEV_CHANGENAME, dev);
ret = notifier_to_errno(ret);
--
1.8.3.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH net v4] failover: allow name change on IFF_UP slave interfaces
2019-03-28 23:47 [PATCH net v4] failover: allow name change on IFF_UP slave interfaces Si-Wei Liu
@ 2019-03-29 5:55 ` Samudrala, Sridhar
2019-03-29 13:45 ` kbuild test robot
` (3 subsequent siblings)
4 siblings, 0 replies; 14+ messages in thread
From: Samudrala, Sridhar @ 2019-03-29 5:55 UTC (permalink / raw)
To: Si-Wei Liu, mst, stephen, davem, kubakici, alexander.duyck, jiri,
netdev, virtualization
Cc: liran.alon, boris.ostrovsky, vijay.balakrishna
On 3/28/2019 4:47 PM, Si-Wei Liu wrote:
> When a netdev appears through hot plug then gets enslaved by a failover
> master that is already up and running, the slave will be opened
> right away after getting enslaved. Today there's a race that userspace
> (udev) may fail to rename the slave if the kernel (net_failover)
> opens the slave earlier than when the userspace rename happens.
> Unlike bond or team, the primary slave of failover can't be renamed by
> userspace ahead of time, since the kernel initiated auto-enslavement is
> unable to, or rather, is never meant to be synchronized with the rename
> request from userspace.
>
> As the failover slave interfaces are not designed to be operated
> directly by userspace apps: IP configuration, filter rules with
> regard to network traffic passing and etc., should all be done on master
> interface. In general, userspace apps only care about the
> name of master interface, while slave names are less important as long
> as admin users can see reliable names that may carry
> other information describing the netdev. For e.g., they can infer that
> "ens3nsby" is a standby slave of "ens3", while for a
> name like "eth0" they can't tell which master it belongs to.
>
> Historically the name of IFF_UP interface can't be changed because
> there might be admin script or management software that is already
> relying on such behavior and assumes that the slave name can't be
> changed once UP. But failover is special: with the in-kernel
> auto-enslavement mechanism, the userspace expectation for device
> enumeration and bring-up order is already broken. Previously initramfs
> and various userspace config tools were modified to bypass failover
> slaves because of auto-enslavement and duplicate MAC address. Similarly,
> in case that users care about seeing reliable slave name, the new type
> of failover slaves needs to be taken care of specifically in userspace
> anyway.
>
> It's less risky to lift up the rename restriction on failover slave
> which is already UP. Although it's possible this change may potentially
> break userspace component (most likely configuration scripts or
> management software) that assumes slave name can't be changed while
> UP, it's relatively a limited and controllable set among all userspace
> components, which can be fixed specifically to listen for the rename
> and/or link down/up events on failover slaves. Userspace component
> interacting with slaves is expected to be changed to operate on failover
> master interface instead, as the failover slave is dynamic in nature
> which may come and go at any point. The goal is to make the role of
> failover slaves less relevant, and userspace components should only
> deal with failover master in the long run.
>
> Fixes: 30c8bd5aa8b2 ("net: Introduce generic failover module")
> Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
> Reviewed-by: Liran Alon <liran.alon@oracle.com>
>
> --
> v1 -> v2:
> - Drop configurable module parameter (Sridhar)
>
> v2 -> v3:
> - Drop additional IFF_SLAVE_RENAME_OK flag (Sridhar)
> - Send down and up events around rename (Michael S. Tsirkin)
>
> v3 -> v4:
> - Simplify notification to be sent (Stephen Hemminger)
> ---
> net/core/dev.c | 24 +++++++++++++++++++++++-
> 1 file changed, 23 insertions(+), 1 deletion(-)
>
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 722d50d..6ae5874 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -1180,7 +1180,21 @@ int dev_change_name(struct net_device *dev, const char *newname)
> BUG_ON(!dev_net(dev));
>
> net = dev_net(dev);
> - if (dev->flags & IFF_UP)
> +
> + /* Allow failover slave to rename even when
> + * it is up and running.
> + *
> + * Failover slaves are special, since userspace
> + * might rename the slave after the interface
> + * has been brought up and running due to
> + * auto-enslavement.
> + *
> + * Failover users don't actually care about slave
> + * name change, as they are only expected to operate
> + * on master interface directly.
> + */
> + if (dev->flags & IFF_UP &&
> + likely(!(dev->priv_flags & IFF_FAILOVER_SLAVE)))
> return -EBUSY;
>
> write_seqcount_begin(&devnet_rename_seq);
> @@ -1227,6 +1241,14 @@ int dev_change_name(struct net_device *dev, const char *newname)
> hlist_add_head_rcu(&dev->name_hlist, dev_name_hash(net, dev->name));
> write_unlock_bh(&dev_base_lock);
>
> + if (unlikely(dev->flags & IFF_UP)) {
> + struct netdev_notifier_change_info change_info;
> +
> + change_info.flags_changed = 0;
> + call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
> + &change_info.info);
This function no longer takes the dev parameter in the net-next kernel.
Did you consider calling netdev_state_change() although it does send a
RTM_NEWLINK message too. May be just fixing the notifier call should be
fine.
> + }
> +
> ret = call_netdevice_notifiers(NETDEV_CHANGENAME, dev);
> ret = notifier_to_errno(ret);
>
>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH net v4] failover: allow name change on IFF_UP slave interfaces
@ 2019-03-29 5:55 ` Samudrala, Sridhar
0 siblings, 0 replies; 14+ messages in thread
From: Samudrala, Sridhar @ 2019-03-29 5:55 UTC (permalink / raw)
To: Si-Wei Liu, mst, stephen, davem, kubakici, alexander.duyck, jiri,
netdev, virtualization
Cc: boris.ostrovsky, liran.alon
On 3/28/2019 4:47 PM, Si-Wei Liu wrote:
> When a netdev appears through hot plug then gets enslaved by a failover
> master that is already up and running, the slave will be opened
> right away after getting enslaved. Today there's a race that userspace
> (udev) may fail to rename the slave if the kernel (net_failover)
> opens the slave earlier than when the userspace rename happens.
> Unlike bond or team, the primary slave of failover can't be renamed by
> userspace ahead of time, since the kernel initiated auto-enslavement is
> unable to, or rather, is never meant to be synchronized with the rename
> request from userspace.
>
> As the failover slave interfaces are not designed to be operated
> directly by userspace apps: IP configuration, filter rules with
> regard to network traffic passing and etc., should all be done on master
> interface. In general, userspace apps only care about the
> name of master interface, while slave names are less important as long
> as admin users can see reliable names that may carry
> other information describing the netdev. For e.g., they can infer that
> "ens3nsby" is a standby slave of "ens3", while for a
> name like "eth0" they can't tell which master it belongs to.
>
> Historically the name of IFF_UP interface can't be changed because
> there might be admin script or management software that is already
> relying on such behavior and assumes that the slave name can't be
> changed once UP. But failover is special: with the in-kernel
> auto-enslavement mechanism, the userspace expectation for device
> enumeration and bring-up order is already broken. Previously initramfs
> and various userspace config tools were modified to bypass failover
> slaves because of auto-enslavement and duplicate MAC address. Similarly,
> in case that users care about seeing reliable slave name, the new type
> of failover slaves needs to be taken care of specifically in userspace
> anyway.
>
> It's less risky to lift up the rename restriction on failover slave
> which is already UP. Although it's possible this change may potentially
> break userspace component (most likely configuration scripts or
> management software) that assumes slave name can't be changed while
> UP, it's relatively a limited and controllable set among all userspace
> components, which can be fixed specifically to listen for the rename
> and/or link down/up events on failover slaves. Userspace component
> interacting with slaves is expected to be changed to operate on failover
> master interface instead, as the failover slave is dynamic in nature
> which may come and go at any point. The goal is to make the role of
> failover slaves less relevant, and userspace components should only
> deal with failover master in the long run.
>
> Fixes: 30c8bd5aa8b2 ("net: Introduce generic failover module")
> Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
> Reviewed-by: Liran Alon <liran.alon@oracle.com>
>
> --
> v1 -> v2:
> - Drop configurable module parameter (Sridhar)
>
> v2 -> v3:
> - Drop additional IFF_SLAVE_RENAME_OK flag (Sridhar)
> - Send down and up events around rename (Michael S. Tsirkin)
>
> v3 -> v4:
> - Simplify notification to be sent (Stephen Hemminger)
> ---
> net/core/dev.c | 24 +++++++++++++++++++++++-
> 1 file changed, 23 insertions(+), 1 deletion(-)
>
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 722d50d..6ae5874 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -1180,7 +1180,21 @@ int dev_change_name(struct net_device *dev, const char *newname)
> BUG_ON(!dev_net(dev));
>
> net = dev_net(dev);
> - if (dev->flags & IFF_UP)
> +
> + /* Allow failover slave to rename even when
> + * it is up and running.
> + *
> + * Failover slaves are special, since userspace
> + * might rename the slave after the interface
> + * has been brought up and running due to
> + * auto-enslavement.
> + *
> + * Failover users don't actually care about slave
> + * name change, as they are only expected to operate
> + * on master interface directly.
> + */
> + if (dev->flags & IFF_UP &&
> + likely(!(dev->priv_flags & IFF_FAILOVER_SLAVE)))
> return -EBUSY;
>
> write_seqcount_begin(&devnet_rename_seq);
> @@ -1227,6 +1241,14 @@ int dev_change_name(struct net_device *dev, const char *newname)
> hlist_add_head_rcu(&dev->name_hlist, dev_name_hash(net, dev->name));
> write_unlock_bh(&dev_base_lock);
>
> + if (unlikely(dev->flags & IFF_UP)) {
> + struct netdev_notifier_change_info change_info;
> +
> + change_info.flags_changed = 0;
> + call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
> + &change_info.info);
This function no longer takes the dev parameter in the net-next kernel.
Did you consider calling netdev_state_change() although it does send a
RTM_NEWLINK message too. May be just fixing the notifier call should be
fine.
> + }
> +
> ret = call_netdevice_notifiers(NETDEV_CHANGENAME, dev);
> ret = notifier_to_errno(ret);
>
>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH net v4] failover: allow name change on IFF_UP slave interfaces
2019-03-28 23:47 [PATCH net v4] failover: allow name change on IFF_UP slave interfaces Si-Wei Liu
2019-03-29 5:55 ` Samudrala, Sridhar
@ 2019-03-29 13:45 ` kbuild test robot
2019-03-29 13:45 ` kbuild test robot
` (2 subsequent siblings)
4 siblings, 0 replies; 14+ messages in thread
From: kbuild test robot @ 2019-03-29 13:45 UTC (permalink / raw)
To: Si-Wei Liu
Cc: kbuild-all, mst, sridhar.samudrala, stephen, davem, kubakici,
alexander.duyck, jiri, netdev, virtualization, liran.alon,
boris.ostrovsky, vijay.balakrishna, si-wei liu
[-- Attachment #1: Type: text/plain, Size: 5112 bytes --]
Hi Si-Wei,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on net/master]
url: https://github.com/0day-ci/linux/commits/Si-Wei-Liu/failover-allow-name-change-on-IFF_UP-slave-interfaces/20190329-195445
config: x86_64-lkp (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64
All errors (new ones prefixed by >>):
net/core/dev.c: In function 'dev_change_name':
>> net/core/dev.c:1252:48: error: passing argument 2 of 'call_netdevice_notifiers_info' from incompatible pointer type [-Werror=incompatible-pointer-types]
call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
^~~
net/core/dev.c:164:12: note: expected 'struct netdev_notifier_info *' but argument is of type 'struct net_device *'
static int call_netdevice_notifiers_info(unsigned long val,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> net/core/dev.c:1252:3: error: too many arguments to function 'call_netdevice_notifiers_info'
call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/core/dev.c:164:12: note: declared here
static int call_netdevice_notifiers_info(unsigned long val,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
vim +/call_netdevice_notifiers_info +1252 net/core/dev.c
1166
1167 /**
1168 * dev_change_name - change name of a device
1169 * @dev: device
1170 * @newname: name (or format string) must be at least IFNAMSIZ
1171 *
1172 * Change name of a device, can pass format strings "eth%d".
1173 * for wildcarding.
1174 */
1175 int dev_change_name(struct net_device *dev, const char *newname)
1176 {
1177 unsigned char old_assign_type;
1178 char oldname[IFNAMSIZ];
1179 int err = 0;
1180 int ret;
1181 struct net *net;
1182
1183 ASSERT_RTNL();
1184 BUG_ON(!dev_net(dev));
1185
1186 net = dev_net(dev);
1187
1188 /* Allow failover slave to rename even when
1189 * it is up and running.
1190 *
1191 * Failover slaves are special, since userspace
1192 * might rename the slave after the interface
1193 * has been brought up and running due to
1194 * auto-enslavement.
1195 *
1196 * Failover users don't actually care about slave
1197 * name change, as they are only expected to operate
1198 * on master interface directly.
1199 */
1200 if (dev->flags & IFF_UP &&
1201 likely(!(dev->priv_flags & IFF_FAILOVER_SLAVE)))
1202 return -EBUSY;
1203
1204 write_seqcount_begin(&devnet_rename_seq);
1205
1206 if (strncmp(newname, dev->name, IFNAMSIZ) == 0) {
1207 write_seqcount_end(&devnet_rename_seq);
1208 return 0;
1209 }
1210
1211 memcpy(oldname, dev->name, IFNAMSIZ);
1212
1213 err = dev_get_valid_name(net, dev, newname);
1214 if (err < 0) {
1215 write_seqcount_end(&devnet_rename_seq);
1216 return err;
1217 }
1218
1219 if (oldname[0] && !strchr(oldname, '%'))
1220 netdev_info(dev, "renamed from %s\n", oldname);
1221
1222 old_assign_type = dev->name_assign_type;
1223 dev->name_assign_type = NET_NAME_RENAMED;
1224
1225 rollback:
1226 ret = device_rename(&dev->dev, dev->name);
1227 if (ret) {
1228 memcpy(dev->name, oldname, IFNAMSIZ);
1229 dev->name_assign_type = old_assign_type;
1230 write_seqcount_end(&devnet_rename_seq);
1231 return ret;
1232 }
1233
1234 write_seqcount_end(&devnet_rename_seq);
1235
1236 netdev_adjacent_rename_links(dev, oldname);
1237
1238 write_lock_bh(&dev_base_lock);
1239 hlist_del_rcu(&dev->name_hlist);
1240 write_unlock_bh(&dev_base_lock);
1241
1242 synchronize_rcu();
1243
1244 write_lock_bh(&dev_base_lock);
1245 hlist_add_head_rcu(&dev->name_hlist, dev_name_hash(net, dev->name));
1246 write_unlock_bh(&dev_base_lock);
1247
1248 if (unlikely(dev->flags & IFF_UP)) {
1249 struct netdev_notifier_change_info change_info;
1250
1251 change_info.flags_changed = 0;
> 1252 call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
1253 &change_info.info);
1254 }
1255
1256 ret = call_netdevice_notifiers(NETDEV_CHANGENAME, dev);
1257 ret = notifier_to_errno(ret);
1258
1259 if (ret) {
1260 /* err >= 0 after dev_alloc_name() or stores the first errno */
1261 if (err >= 0) {
1262 err = ret;
1263 write_seqcount_begin(&devnet_rename_seq);
1264 memcpy(dev->name, oldname, IFNAMSIZ);
1265 memcpy(oldname, newname, IFNAMSIZ);
1266 dev->name_assign_type = old_assign_type;
1267 old_assign_type = NET_NAME_RENAMED;
1268 goto rollback;
1269 } else {
1270 pr_err("%s: name change rollback failed: %d\n",
1271 dev->name, ret);
1272 }
1273 }
1274
1275 return err;
1276 }
1277
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 26574 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH net v4] failover: allow name change on IFF_UP slave interfaces
2019-03-28 23:47 [PATCH net v4] failover: allow name change on IFF_UP slave interfaces Si-Wei Liu
2019-03-29 5:55 ` Samudrala, Sridhar
2019-03-29 13:45 ` kbuild test robot
@ 2019-03-29 13:45 ` kbuild test robot
2019-03-29 15:15 ` Stephen Hemminger
2019-03-29 15:15 ` Stephen Hemminger
4 siblings, 0 replies; 14+ messages in thread
From: kbuild test robot @ 2019-03-29 13:45 UTC (permalink / raw)
Cc: jiri, mst, kubakici, sridhar.samudrala, alexander.duyck,
virtualization, liran.alon, kbuild-all, netdev, si-wei liu,
boris.ostrovsky, davem
[-- Attachment #1: Type: text/plain, Size: 5112 bytes --]
Hi Si-Wei,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on net/master]
url: https://github.com/0day-ci/linux/commits/Si-Wei-Liu/failover-allow-name-change-on-IFF_UP-slave-interfaces/20190329-195445
config: x86_64-lkp (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64
All errors (new ones prefixed by >>):
net/core/dev.c: In function 'dev_change_name':
>> net/core/dev.c:1252:48: error: passing argument 2 of 'call_netdevice_notifiers_info' from incompatible pointer type [-Werror=incompatible-pointer-types]
call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
^~~
net/core/dev.c:164:12: note: expected 'struct netdev_notifier_info *' but argument is of type 'struct net_device *'
static int call_netdevice_notifiers_info(unsigned long val,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> net/core/dev.c:1252:3: error: too many arguments to function 'call_netdevice_notifiers_info'
call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/core/dev.c:164:12: note: declared here
static int call_netdevice_notifiers_info(unsigned long val,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
vim +/call_netdevice_notifiers_info +1252 net/core/dev.c
1166
1167 /**
1168 * dev_change_name - change name of a device
1169 * @dev: device
1170 * @newname: name (or format string) must be at least IFNAMSIZ
1171 *
1172 * Change name of a device, can pass format strings "eth%d".
1173 * for wildcarding.
1174 */
1175 int dev_change_name(struct net_device *dev, const char *newname)
1176 {
1177 unsigned char old_assign_type;
1178 char oldname[IFNAMSIZ];
1179 int err = 0;
1180 int ret;
1181 struct net *net;
1182
1183 ASSERT_RTNL();
1184 BUG_ON(!dev_net(dev));
1185
1186 net = dev_net(dev);
1187
1188 /* Allow failover slave to rename even when
1189 * it is up and running.
1190 *
1191 * Failover slaves are special, since userspace
1192 * might rename the slave after the interface
1193 * has been brought up and running due to
1194 * auto-enslavement.
1195 *
1196 * Failover users don't actually care about slave
1197 * name change, as they are only expected to operate
1198 * on master interface directly.
1199 */
1200 if (dev->flags & IFF_UP &&
1201 likely(!(dev->priv_flags & IFF_FAILOVER_SLAVE)))
1202 return -EBUSY;
1203
1204 write_seqcount_begin(&devnet_rename_seq);
1205
1206 if (strncmp(newname, dev->name, IFNAMSIZ) == 0) {
1207 write_seqcount_end(&devnet_rename_seq);
1208 return 0;
1209 }
1210
1211 memcpy(oldname, dev->name, IFNAMSIZ);
1212
1213 err = dev_get_valid_name(net, dev, newname);
1214 if (err < 0) {
1215 write_seqcount_end(&devnet_rename_seq);
1216 return err;
1217 }
1218
1219 if (oldname[0] && !strchr(oldname, '%'))
1220 netdev_info(dev, "renamed from %s\n", oldname);
1221
1222 old_assign_type = dev->name_assign_type;
1223 dev->name_assign_type = NET_NAME_RENAMED;
1224
1225 rollback:
1226 ret = device_rename(&dev->dev, dev->name);
1227 if (ret) {
1228 memcpy(dev->name, oldname, IFNAMSIZ);
1229 dev->name_assign_type = old_assign_type;
1230 write_seqcount_end(&devnet_rename_seq);
1231 return ret;
1232 }
1233
1234 write_seqcount_end(&devnet_rename_seq);
1235
1236 netdev_adjacent_rename_links(dev, oldname);
1237
1238 write_lock_bh(&dev_base_lock);
1239 hlist_del_rcu(&dev->name_hlist);
1240 write_unlock_bh(&dev_base_lock);
1241
1242 synchronize_rcu();
1243
1244 write_lock_bh(&dev_base_lock);
1245 hlist_add_head_rcu(&dev->name_hlist, dev_name_hash(net, dev->name));
1246 write_unlock_bh(&dev_base_lock);
1247
1248 if (unlikely(dev->flags & IFF_UP)) {
1249 struct netdev_notifier_change_info change_info;
1250
1251 change_info.flags_changed = 0;
> 1252 call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
1253 &change_info.info);
1254 }
1255
1256 ret = call_netdevice_notifiers(NETDEV_CHANGENAME, dev);
1257 ret = notifier_to_errno(ret);
1258
1259 if (ret) {
1260 /* err >= 0 after dev_alloc_name() or stores the first errno */
1261 if (err >= 0) {
1262 err = ret;
1263 write_seqcount_begin(&devnet_rename_seq);
1264 memcpy(dev->name, oldname, IFNAMSIZ);
1265 memcpy(oldname, newname, IFNAMSIZ);
1266 dev->name_assign_type = old_assign_type;
1267 old_assign_type = NET_NAME_RENAMED;
1268 goto rollback;
1269 } else {
1270 pr_err("%s: name change rollback failed: %d\n",
1271 dev->name, ret);
1272 }
1273 }
1274
1275 return err;
1276 }
1277
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 26574 bytes --]
[-- Attachment #3: Type: text/plain, Size: 183 bytes --]
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH net v4] failover: allow name change on IFF_UP slave interfaces
2019-03-28 23:47 [PATCH net v4] failover: allow name change on IFF_UP slave interfaces Si-Wei Liu
` (2 preceding siblings ...)
2019-03-29 13:45 ` kbuild test robot
@ 2019-03-29 15:15 ` Stephen Hemminger
2019-03-29 15:34 ` Jiri Pirko
2019-03-29 15:34 ` Jiri Pirko
2019-03-29 15:15 ` Stephen Hemminger
4 siblings, 2 replies; 14+ messages in thread
From: Stephen Hemminger @ 2019-03-29 15:15 UTC (permalink / raw)
To: Si-Wei Liu
Cc: mst, sridhar.samudrala, davem, kubakici, alexander.duyck, jiri,
netdev, virtualization, liran.alon, boris.ostrovsky,
vijay.balakrishna
On Thu, 28 Mar 2019 19:47:27 -0400
Si-Wei Liu <si-wei.liu@oracle.com> wrote:
> + if (unlikely(dev->flags & IFF_UP)) {
> + struct netdev_notifier_change_info change_info;
> +
> + change_info.flags_changed = 0;
Simpler to use structure initialization, which also avoid any chance
of unititialized fields.
struct netdev_notifier_change_info change_info
= { .flags_changed = 0 };
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH net v4] failover: allow name change on IFF_UP slave interfaces
2019-03-28 23:47 [PATCH net v4] failover: allow name change on IFF_UP slave interfaces Si-Wei Liu
` (3 preceding siblings ...)
2019-03-29 15:15 ` Stephen Hemminger
@ 2019-03-29 15:15 ` Stephen Hemminger
4 siblings, 0 replies; 14+ messages in thread
From: Stephen Hemminger @ 2019-03-29 15:15 UTC (permalink / raw)
To: Si-Wei Liu
Cc: jiri, mst, kubakici, sridhar.samudrala, alexander.duyck,
virtualization, liran.alon, netdev, boris.ostrovsky, davem
On Thu, 28 Mar 2019 19:47:27 -0400
Si-Wei Liu <si-wei.liu@oracle.com> wrote:
> + if (unlikely(dev->flags & IFF_UP)) {
> + struct netdev_notifier_change_info change_info;
> +
> + change_info.flags_changed = 0;
Simpler to use structure initialization, which also avoid any chance
of unititialized fields.
struct netdev_notifier_change_info change_info
= { .flags_changed = 0 };
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH net v4] failover: allow name change on IFF_UP slave interfaces
2019-03-29 15:15 ` Stephen Hemminger
2019-03-29 15:34 ` Jiri Pirko
@ 2019-03-29 15:34 ` Jiri Pirko
2019-03-29 20:01 ` si-wei liu
1 sibling, 1 reply; 14+ messages in thread
From: Jiri Pirko @ 2019-03-29 15:34 UTC (permalink / raw)
To: Stephen Hemminger
Cc: Si-Wei Liu, mst, sridhar.samudrala, davem, kubakici,
alexander.duyck, netdev, virtualization, liran.alon,
boris.ostrovsky, vijay.balakrishna
Fri, Mar 29, 2019 at 04:15:12PM CET, stephen@networkplumber.org wrote:
>On Thu, 28 Mar 2019 19:47:27 -0400
>Si-Wei Liu <si-wei.liu@oracle.com> wrote:
>
>> + if (unlikely(dev->flags & IFF_UP)) {
>> + struct netdev_notifier_change_info change_info;
>> +
>> + change_info.flags_changed = 0;
>
>Simpler to use structure initialization, which also avoid any chance
>of unititialized fields.
>
> struct netdev_notifier_change_info change_info
> = { .flags_changed = 0 };
In fact, you can do just:
struct netdev_notifier_change_info change_info = {};
to achieve the same.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH net v4] failover: allow name change on IFF_UP slave interfaces
2019-03-29 15:15 ` Stephen Hemminger
@ 2019-03-29 15:34 ` Jiri Pirko
2019-03-29 15:34 ` Jiri Pirko
1 sibling, 0 replies; 14+ messages in thread
From: Jiri Pirko @ 2019-03-29 15:34 UTC (permalink / raw)
To: Stephen Hemminger
Cc: mst, kubakici, sridhar.samudrala, alexander.duyck,
virtualization, liran.alon, netdev, Si-Wei Liu, boris.ostrovsky,
davem
Fri, Mar 29, 2019 at 04:15:12PM CET, stephen@networkplumber.org wrote:
>On Thu, 28 Mar 2019 19:47:27 -0400
>Si-Wei Liu <si-wei.liu@oracle.com> wrote:
>
>> + if (unlikely(dev->flags & IFF_UP)) {
>> + struct netdev_notifier_change_info change_info;
>> +
>> + change_info.flags_changed = 0;
>
>Simpler to use structure initialization, which also avoid any chance
>of unititialized fields.
>
> struct netdev_notifier_change_info change_info
> = { .flags_changed = 0 };
In fact, you can do just:
struct netdev_notifier_change_info change_info = {};
to achieve the same.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH net v4] failover: allow name change on IFF_UP slave interfaces
2019-03-29 5:55 ` Samudrala, Sridhar
(?)
@ 2019-03-29 19:50 ` si-wei liu
2019-03-29 22:31 ` Michael S. Tsirkin
2019-03-29 22:31 ` Michael S. Tsirkin
-1 siblings, 2 replies; 14+ messages in thread
From: si-wei liu @ 2019-03-29 19:50 UTC (permalink / raw)
To: Samudrala, Sridhar, mst, stephen, davem, kubakici,
alexander.duyck, jiri, netdev, virtualization
Cc: liran.alon, boris.ostrovsky, vijay.balakrishna
On 3/28/2019 10:55 PM, Samudrala, Sridhar wrote:
>
>
> On 3/28/2019 4:47 PM, Si-Wei Liu wrote:
>> When a netdev appears through hot plug then gets enslaved by a failover
>> master that is already up and running, the slave will be opened
>> right away after getting enslaved. Today there's a race that userspace
>> (udev) may fail to rename the slave if the kernel (net_failover)
>> opens the slave earlier than when the userspace rename happens.
>> Unlike bond or team, the primary slave of failover can't be renamed by
>> userspace ahead of time, since the kernel initiated auto-enslavement is
>> unable to, or rather, is never meant to be synchronized with the rename
>> request from userspace.
>>
>> As the failover slave interfaces are not designed to be operated
>> directly by userspace apps: IP configuration, filter rules with
>> regard to network traffic passing and etc., should all be done on master
>> interface. In general, userspace apps only care about the
>> name of master interface, while slave names are less important as long
>> as admin users can see reliable names that may carry
>> other information describing the netdev. For e.g., they can infer that
>> "ens3nsby" is a standby slave of "ens3", while for a
>> name like "eth0" they can't tell which master it belongs to.
>>
>> Historically the name of IFF_UP interface can't be changed because
>> there might be admin script or management software that is already
>> relying on such behavior and assumes that the slave name can't be
>> changed once UP. But failover is special: with the in-kernel
>> auto-enslavement mechanism, the userspace expectation for device
>> enumeration and bring-up order is already broken. Previously initramfs
>> and various userspace config tools were modified to bypass failover
>> slaves because of auto-enslavement and duplicate MAC address. Similarly,
>> in case that users care about seeing reliable slave name, the new type
>> of failover slaves needs to be taken care of specifically in userspace
>> anyway.
>>
>> It's less risky to lift up the rename restriction on failover slave
>> which is already UP. Although it's possible this change may potentially
>> break userspace component (most likely configuration scripts or
>> management software) that assumes slave name can't be changed while
>> UP, it's relatively a limited and controllable set among all userspace
>> components, which can be fixed specifically to listen for the rename
>> and/or link down/up events on failover slaves. Userspace component
>> interacting with slaves is expected to be changed to operate on failover
>> master interface instead, as the failover slave is dynamic in nature
>> which may come and go at any point. The goal is to make the role of
>> failover slaves less relevant, and userspace components should only
>> deal with failover master in the long run.
>>
>> Fixes: 30c8bd5aa8b2 ("net: Introduce generic failover module")
>> Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
>> Reviewed-by: Liran Alon <liran.alon@oracle.com>
>>
>> --
>> v1 -> v2:
>> - Drop configurable module parameter (Sridhar)
>>
>> v2 -> v3:
>> - Drop additional IFF_SLAVE_RENAME_OK flag (Sridhar)
>> - Send down and up events around rename (Michael S. Tsirkin)
>>
>> v3 -> v4:
>> - Simplify notification to be sent (Stephen Hemminger)
>> ---
>> net/core/dev.c | 24 +++++++++++++++++++++++-
>> 1 file changed, 23 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/core/dev.c b/net/core/dev.c
>> index 722d50d..6ae5874 100644
>> --- a/net/core/dev.c
>> +++ b/net/core/dev.c
>> @@ -1180,7 +1180,21 @@ int dev_change_name(struct net_device *dev,
>> const char *newname)
>> BUG_ON(!dev_net(dev));
>> net = dev_net(dev);
>> - if (dev->flags & IFF_UP)
>> +
>> + /* Allow failover slave to rename even when
>> + * it is up and running.
>> + *
>> + * Failover slaves are special, since userspace
>> + * might rename the slave after the interface
>> + * has been brought up and running due to
>> + * auto-enslavement.
>> + *
>> + * Failover users don't actually care about slave
>> + * name change, as they are only expected to operate
>> + * on master interface directly.
>> + */
>> + if (dev->flags & IFF_UP &&
>> + likely(!(dev->priv_flags & IFF_FAILOVER_SLAVE)))
>> return -EBUSY;
>> write_seqcount_begin(&devnet_rename_seq);
>> @@ -1227,6 +1241,14 @@ int dev_change_name(struct net_device *dev,
>> const char *newname)
>> hlist_add_head_rcu(&dev->name_hlist, dev_name_hash(net,
>> dev->name));
>> write_unlock_bh(&dev_base_lock);
>> + if (unlikely(dev->flags & IFF_UP)) {
>> + struct netdev_notifier_change_info change_info;
>> +
>> + change_info.flags_changed = 0;
>> + call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
>> + &change_info.info);
>
> This function no longer takes the dev parameter in the net-next kernel.
OK. Will get my patch updated with the latest net-next tree.
>
> Did you consider calling netdev_state_change() although it does send a
> RTM_NEWLINK message too. May be just fixing the notifier call should
> be fine.
I did look at it and the extra RTM_NEWLINK message was indeed the reason
I got it rewritten. You see, how the way of initialization is inherited.
Thanks,
-Siwei
>
>> + }
>> +
>> ret = call_netdevice_notifiers(NETDEV_CHANGENAME, dev);
>> ret = notifier_to_errno(ret);
>>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH net v4] failover: allow name change on IFF_UP slave interfaces
2019-03-29 15:34 ` Jiri Pirko
@ 2019-03-29 20:01 ` si-wei liu
0 siblings, 0 replies; 14+ messages in thread
From: si-wei liu @ 2019-03-29 20:01 UTC (permalink / raw)
To: Jiri Pirko, Stephen Hemminger
Cc: mst, sridhar.samudrala, davem, kubakici, alexander.duyck, netdev,
virtualization, liran.alon, boris.ostrovsky, vijay.balakrishna
On 3/29/2019 8:34 AM, Jiri Pirko wrote:
> Fri, Mar 29, 2019 at 04:15:12PM CET, stephen@networkplumber.org wrote:
>> On Thu, 28 Mar 2019 19:47:27 -0400
>> Si-Wei Liu <si-wei.liu@oracle.com> wrote:
>>
>>> + if (unlikely(dev->flags & IFF_UP)) {
>>> + struct netdev_notifier_change_info change_info;
>>> +
>>> + change_info.flags_changed = 0;
>> Simpler to use structure initialization, which also avoid any chance
>> of unititialized fields.
>>
>> struct netdev_notifier_change_info change_info
>> = { .flags_changed = 0 };
>
> In fact, you can do just:
> struct netdev_notifier_change_info change_info = {};
> to achieve the same.
Hmm, although it's same in effect, I'd opt for keeping explicit
initialization around flags_changed, which has the benefit in terms of
cscope/tags referencing. Just very minor point though.
Let me if you think it otherwise...
-Siwei
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH net v4] failover: allow name change on IFF_UP slave interfaces
2019-03-29 19:50 ` si-wei liu
@ 2019-03-29 22:31 ` Michael S. Tsirkin
2019-03-29 22:58 ` si-wei liu
2019-03-29 22:31 ` Michael S. Tsirkin
1 sibling, 1 reply; 14+ messages in thread
From: Michael S. Tsirkin @ 2019-03-29 22:31 UTC (permalink / raw)
To: si-wei liu
Cc: Samudrala, Sridhar, stephen, davem, kubakici, alexander.duyck,
jiri, netdev, virtualization, liran.alon, boris.ostrovsky,
vijay.balakrishna
On Fri, Mar 29, 2019 at 12:50:25PM -0700, si-wei liu wrote:
>
>
> On 3/28/2019 10:55 PM, Samudrala, Sridhar wrote:
> >
> >
> > On 3/28/2019 4:47 PM, Si-Wei Liu wrote:
> > > When a netdev appears through hot plug then gets enslaved by a failover
> > > master that is already up and running, the slave will be opened
> > > right away after getting enslaved. Today there's a race that userspace
> > > (udev) may fail to rename the slave if the kernel (net_failover)
> > > opens the slave earlier than when the userspace rename happens.
> > > Unlike bond or team, the primary slave of failover can't be renamed by
> > > userspace ahead of time, since the kernel initiated auto-enslavement is
> > > unable to, or rather, is never meant to be synchronized with the rename
> > > request from userspace.
> > >
> > > As the failover slave interfaces are not designed to be operated
> > > directly by userspace apps: IP configuration, filter rules with
> > > regard to network traffic passing and etc., should all be done on master
> > > interface. In general, userspace apps only care about the
> > > name of master interface, while slave names are less important as long
> > > as admin users can see reliable names that may carry
> > > other information describing the netdev. For e.g., they can infer that
> > > "ens3nsby" is a standby slave of "ens3", while for a
> > > name like "eth0" they can't tell which master it belongs to.
> > >
> > > Historically the name of IFF_UP interface can't be changed because
> > > there might be admin script or management software that is already
> > > relying on such behavior and assumes that the slave name can't be
> > > changed once UP. But failover is special: with the in-kernel
> > > auto-enslavement mechanism, the userspace expectation for device
> > > enumeration and bring-up order is already broken. Previously initramfs
> > > and various userspace config tools were modified to bypass failover
> > > slaves because of auto-enslavement and duplicate MAC address. Similarly,
> > > in case that users care about seeing reliable slave name, the new type
> > > of failover slaves needs to be taken care of specifically in userspace
> > > anyway.
> > >
> > > It's less risky to lift up the rename restriction on failover slave
> > > which is already UP. Although it's possible this change may potentially
> > > break userspace component (most likely configuration scripts or
> > > management software) that assumes slave name can't be changed while
> > > UP, it's relatively a limited and controllable set among all userspace
> > > components, which can be fixed specifically to listen for the rename
> > > and/or link down/up events on failover slaves. Userspace component
> > > interacting with slaves is expected to be changed to operate on failover
> > > master interface instead, as the failover slave is dynamic in nature
> > > which may come and go at any point. The goal is to make the role of
> > > failover slaves less relevant, and userspace components should only
> > > deal with failover master in the long run.
> > >
> > > Fixes: 30c8bd5aa8b2 ("net: Introduce generic failover module")
> > > Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
> > > Reviewed-by: Liran Alon <liran.alon@oracle.com>
> > >
> > > --
> > > v1 -> v2:
> > > - Drop configurable module parameter (Sridhar)
> > >
> > > v2 -> v3:
> > > - Drop additional IFF_SLAVE_RENAME_OK flag (Sridhar)
> > > - Send down and up events around rename (Michael S. Tsirkin)
> > >
> > > v3 -> v4:
> > > - Simplify notification to be sent (Stephen Hemminger)
> > > ---
> > > net/core/dev.c | 24 +++++++++++++++++++++++-
> > > 1 file changed, 23 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/net/core/dev.c b/net/core/dev.c
> > > index 722d50d..6ae5874 100644
> > > --- a/net/core/dev.c
> > > +++ b/net/core/dev.c
> > > @@ -1180,7 +1180,21 @@ int dev_change_name(struct net_device *dev,
> > > const char *newname)
> > > BUG_ON(!dev_net(dev));
> > > net = dev_net(dev);
> > > - if (dev->flags & IFF_UP)
> > > +
> > > + /* Allow failover slave to rename even when
> > > + * it is up and running.
> > > + *
> > > + * Failover slaves are special, since userspace
> > > + * might rename the slave after the interface
> > > + * has been brought up and running due to
> > > + * auto-enslavement.
> > > + *
> > > + * Failover users don't actually care about slave
> > > + * name change, as they are only expected to operate
> > > + * on master interface directly.
> > > + */
> > > + if (dev->flags & IFF_UP &&
> > > + likely(!(dev->priv_flags & IFF_FAILOVER_SLAVE)))
> > > return -EBUSY;
> > > write_seqcount_begin(&devnet_rename_seq);
> > > @@ -1227,6 +1241,14 @@ int dev_change_name(struct net_device *dev,
> > > const char *newname)
> > > hlist_add_head_rcu(&dev->name_hlist, dev_name_hash(net,
> > > dev->name));
> > > write_unlock_bh(&dev_base_lock);
> > > + if (unlikely(dev->flags & IFF_UP)) {
> > > + struct netdev_notifier_change_info change_info;
> > > +
> > > + change_info.flags_changed = 0;
> > > + call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
> > > + &change_info.info);
> >
> > This function no longer takes the dev parameter in the net-next kernel.
> OK. Will get my patch updated with the latest net-next tree.
>
> >
> > Did you consider calling netdev_state_change() although it does send a
> > RTM_NEWLINK message too. May be just fixing the notifier call should be
> > fine.
> I did look at it and the extra RTM_NEWLINK message was indeed the reason I
> got it rewritten. You see, how the way of initialization is inherited.
>
> Thanks,
> -Siwei
More messages just increase the chance existing scripts will work.
Don't see what the harm is.
> >
> > > + }
> > > +
> > > ret = call_netdevice_notifiers(NETDEV_CHANGENAME, dev);
> > > ret = notifier_to_errno(ret);
> > >
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH net v4] failover: allow name change on IFF_UP slave interfaces
2019-03-29 19:50 ` si-wei liu
2019-03-29 22:31 ` Michael S. Tsirkin
@ 2019-03-29 22:31 ` Michael S. Tsirkin
1 sibling, 0 replies; 14+ messages in thread
From: Michael S. Tsirkin @ 2019-03-29 22:31 UTC (permalink / raw)
To: si-wei liu
Cc: jiri, kubakici, Samudrala, Sridhar, alexander.duyck,
virtualization, liran.alon, netdev, boris.ostrovsky, davem
On Fri, Mar 29, 2019 at 12:50:25PM -0700, si-wei liu wrote:
>
>
> On 3/28/2019 10:55 PM, Samudrala, Sridhar wrote:
> >
> >
> > On 3/28/2019 4:47 PM, Si-Wei Liu wrote:
> > > When a netdev appears through hot plug then gets enslaved by a failover
> > > master that is already up and running, the slave will be opened
> > > right away after getting enslaved. Today there's a race that userspace
> > > (udev) may fail to rename the slave if the kernel (net_failover)
> > > opens the slave earlier than when the userspace rename happens.
> > > Unlike bond or team, the primary slave of failover can't be renamed by
> > > userspace ahead of time, since the kernel initiated auto-enslavement is
> > > unable to, or rather, is never meant to be synchronized with the rename
> > > request from userspace.
> > >
> > > As the failover slave interfaces are not designed to be operated
> > > directly by userspace apps: IP configuration, filter rules with
> > > regard to network traffic passing and etc., should all be done on master
> > > interface. In general, userspace apps only care about the
> > > name of master interface, while slave names are less important as long
> > > as admin users can see reliable names that may carry
> > > other information describing the netdev. For e.g., they can infer that
> > > "ens3nsby" is a standby slave of "ens3", while for a
> > > name like "eth0" they can't tell which master it belongs to.
> > >
> > > Historically the name of IFF_UP interface can't be changed because
> > > there might be admin script or management software that is already
> > > relying on such behavior and assumes that the slave name can't be
> > > changed once UP. But failover is special: with the in-kernel
> > > auto-enslavement mechanism, the userspace expectation for device
> > > enumeration and bring-up order is already broken. Previously initramfs
> > > and various userspace config tools were modified to bypass failover
> > > slaves because of auto-enslavement and duplicate MAC address. Similarly,
> > > in case that users care about seeing reliable slave name, the new type
> > > of failover slaves needs to be taken care of specifically in userspace
> > > anyway.
> > >
> > > It's less risky to lift up the rename restriction on failover slave
> > > which is already UP. Although it's possible this change may potentially
> > > break userspace component (most likely configuration scripts or
> > > management software) that assumes slave name can't be changed while
> > > UP, it's relatively a limited and controllable set among all userspace
> > > components, which can be fixed specifically to listen for the rename
> > > and/or link down/up events on failover slaves. Userspace component
> > > interacting with slaves is expected to be changed to operate on failover
> > > master interface instead, as the failover slave is dynamic in nature
> > > which may come and go at any point. The goal is to make the role of
> > > failover slaves less relevant, and userspace components should only
> > > deal with failover master in the long run.
> > >
> > > Fixes: 30c8bd5aa8b2 ("net: Introduce generic failover module")
> > > Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
> > > Reviewed-by: Liran Alon <liran.alon@oracle.com>
> > >
> > > --
> > > v1 -> v2:
> > > - Drop configurable module parameter (Sridhar)
> > >
> > > v2 -> v3:
> > > - Drop additional IFF_SLAVE_RENAME_OK flag (Sridhar)
> > > - Send down and up events around rename (Michael S. Tsirkin)
> > >
> > > v3 -> v4:
> > > - Simplify notification to be sent (Stephen Hemminger)
> > > ---
> > > net/core/dev.c | 24 +++++++++++++++++++++++-
> > > 1 file changed, 23 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/net/core/dev.c b/net/core/dev.c
> > > index 722d50d..6ae5874 100644
> > > --- a/net/core/dev.c
> > > +++ b/net/core/dev.c
> > > @@ -1180,7 +1180,21 @@ int dev_change_name(struct net_device *dev,
> > > const char *newname)
> > > BUG_ON(!dev_net(dev));
> > > net = dev_net(dev);
> > > - if (dev->flags & IFF_UP)
> > > +
> > > + /* Allow failover slave to rename even when
> > > + * it is up and running.
> > > + *
> > > + * Failover slaves are special, since userspace
> > > + * might rename the slave after the interface
> > > + * has been brought up and running due to
> > > + * auto-enslavement.
> > > + *
> > > + * Failover users don't actually care about slave
> > > + * name change, as they are only expected to operate
> > > + * on master interface directly.
> > > + */
> > > + if (dev->flags & IFF_UP &&
> > > + likely(!(dev->priv_flags & IFF_FAILOVER_SLAVE)))
> > > return -EBUSY;
> > > write_seqcount_begin(&devnet_rename_seq);
> > > @@ -1227,6 +1241,14 @@ int dev_change_name(struct net_device *dev,
> > > const char *newname)
> > > hlist_add_head_rcu(&dev->name_hlist, dev_name_hash(net,
> > > dev->name));
> > > write_unlock_bh(&dev_base_lock);
> > > + if (unlikely(dev->flags & IFF_UP)) {
> > > + struct netdev_notifier_change_info change_info;
> > > +
> > > + change_info.flags_changed = 0;
> > > + call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
> > > + &change_info.info);
> >
> > This function no longer takes the dev parameter in the net-next kernel.
> OK. Will get my patch updated with the latest net-next tree.
>
> >
> > Did you consider calling netdev_state_change() although it does send a
> > RTM_NEWLINK message too. May be just fixing the notifier call should be
> > fine.
> I did look at it and the extra RTM_NEWLINK message was indeed the reason I
> got it rewritten. You see, how the way of initialization is inherited.
>
> Thanks,
> -Siwei
More messages just increase the chance existing scripts will work.
Don't see what the harm is.
> >
> > > + }
> > > +
> > > ret = call_netdevice_notifiers(NETDEV_CHANGENAME, dev);
> > > ret = notifier_to_errno(ret);
> > >
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH net v4] failover: allow name change on IFF_UP slave interfaces
2019-03-29 22:31 ` Michael S. Tsirkin
@ 2019-03-29 22:58 ` si-wei liu
0 siblings, 0 replies; 14+ messages in thread
From: si-wei liu @ 2019-03-29 22:58 UTC (permalink / raw)
To: Michael S. Tsirkin
Cc: Samudrala, Sridhar, stephen, davem, kubakici, alexander.duyck,
jiri, netdev, virtualization, liran.alon, boris.ostrovsky,
vijay.balakrishna
On 3/29/2019 3:31 PM, Michael S. Tsirkin wrote:
> On Fri, Mar 29, 2019 at 12:50:25PM -0700, si-wei liu wrote:
>>
>> On 3/28/2019 10:55 PM, Samudrala, Sridhar wrote:
>>>
>>> On 3/28/2019 4:47 PM, Si-Wei Liu wrote:
>>>> When a netdev appears through hot plug then gets enslaved by a failover
>>>> master that is already up and running, the slave will be opened
>>>> right away after getting enslaved. Today there's a race that userspace
>>>> (udev) may fail to rename the slave if the kernel (net_failover)
>>>> opens the slave earlier than when the userspace rename happens.
>>>> Unlike bond or team, the primary slave of failover can't be renamed by
>>>> userspace ahead of time, since the kernel initiated auto-enslavement is
>>>> unable to, or rather, is never meant to be synchronized with the rename
>>>> request from userspace.
>>>>
>>>> As the failover slave interfaces are not designed to be operated
>>>> directly by userspace apps: IP configuration, filter rules with
>>>> regard to network traffic passing and etc., should all be done on master
>>>> interface. In general, userspace apps only care about the
>>>> name of master interface, while slave names are less important as long
>>>> as admin users can see reliable names that may carry
>>>> other information describing the netdev. For e.g., they can infer that
>>>> "ens3nsby" is a standby slave of "ens3", while for a
>>>> name like "eth0" they can't tell which master it belongs to.
>>>>
>>>> Historically the name of IFF_UP interface can't be changed because
>>>> there might be admin script or management software that is already
>>>> relying on such behavior and assumes that the slave name can't be
>>>> changed once UP. But failover is special: with the in-kernel
>>>> auto-enslavement mechanism, the userspace expectation for device
>>>> enumeration and bring-up order is already broken. Previously initramfs
>>>> and various userspace config tools were modified to bypass failover
>>>> slaves because of auto-enslavement and duplicate MAC address. Similarly,
>>>> in case that users care about seeing reliable slave name, the new type
>>>> of failover slaves needs to be taken care of specifically in userspace
>>>> anyway.
>>>>
>>>> It's less risky to lift up the rename restriction on failover slave
>>>> which is already UP. Although it's possible this change may potentially
>>>> break userspace component (most likely configuration scripts or
>>>> management software) that assumes slave name can't be changed while
>>>> UP, it's relatively a limited and controllable set among all userspace
>>>> components, which can be fixed specifically to listen for the rename
>>>> and/or link down/up events on failover slaves. Userspace component
>>>> interacting with slaves is expected to be changed to operate on failover
>>>> master interface instead, as the failover slave is dynamic in nature
>>>> which may come and go at any point. The goal is to make the role of
>>>> failover slaves less relevant, and userspace components should only
>>>> deal with failover master in the long run.
>>>>
>>>> Fixes: 30c8bd5aa8b2 ("net: Introduce generic failover module")
>>>> Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
>>>> Reviewed-by: Liran Alon <liran.alon@oracle.com>
>>>>
>>>> --
>>>> v1 -> v2:
>>>> - Drop configurable module parameter (Sridhar)
>>>>
>>>> v2 -> v3:
>>>> - Drop additional IFF_SLAVE_RENAME_OK flag (Sridhar)
>>>> - Send down and up events around rename (Michael S. Tsirkin)
>>>>
>>>> v3 -> v4:
>>>> - Simplify notification to be sent (Stephen Hemminger)
>>>> ---
>>>> net/core/dev.c | 24 +++++++++++++++++++++++-
>>>> 1 file changed, 23 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/net/core/dev.c b/net/core/dev.c
>>>> index 722d50d..6ae5874 100644
>>>> --- a/net/core/dev.c
>>>> +++ b/net/core/dev.c
>>>> @@ -1180,7 +1180,21 @@ int dev_change_name(struct net_device *dev,
>>>> const char *newname)
>>>> BUG_ON(!dev_net(dev));
>>>> net = dev_net(dev);
>>>> - if (dev->flags & IFF_UP)
>>>> +
>>>> + /* Allow failover slave to rename even when
>>>> + * it is up and running.
>>>> + *
>>>> + * Failover slaves are special, since userspace
>>>> + * might rename the slave after the interface
>>>> + * has been brought up and running due to
>>>> + * auto-enslavement.
>>>> + *
>>>> + * Failover users don't actually care about slave
>>>> + * name change, as they are only expected to operate
>>>> + * on master interface directly.
>>>> + */
>>>> + if (dev->flags & IFF_UP &&
>>>> + likely(!(dev->priv_flags & IFF_FAILOVER_SLAVE)))
>>>> return -EBUSY;
>>>> write_seqcount_begin(&devnet_rename_seq);
>>>> @@ -1227,6 +1241,14 @@ int dev_change_name(struct net_device *dev,
>>>> const char *newname)
>>>> hlist_add_head_rcu(&dev->name_hlist, dev_name_hash(net,
>>>> dev->name));
>>>> write_unlock_bh(&dev_base_lock);
>>>> + if (unlikely(dev->flags & IFF_UP)) {
>>>> + struct netdev_notifier_change_info change_info;
>>>> +
>>>> + change_info.flags_changed = 0;
>>>> + call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
>>>> + &change_info.info);
>>> This function no longer takes the dev parameter in the net-next kernel.
>> OK. Will get my patch updated with the latest net-next tree.
>>
>>> Did you consider calling netdev_state_change() although it does send a
>>> RTM_NEWLINK message too. May be just fixing the notifier call should be
>>> fine.
>> I did look at it and the extra RTM_NEWLINK message was indeed the reason I
>> got it rewritten. You see, how the way of initialization is inherited.
>>
>> Thanks,
>> -Siwei
> More messages just increase the chance existing scripts will work.
> Don't see what the harm is.
The NETDEV_CHANGENAME notifier right after could fail which would
trigger the rollback to its original name. This may save an unnecessary
(incorrect) message delivered to the userspace which could be confused
by a name that doesn't exist.
I am not sure I understand why extra message is able to increase the
chance script works. Once succeeds rtnetlink deliver the same message
with exact same device state after getting notified by
NETDEV_CHANGENAME. See rtnetlink_event().
-Siwei
>
>>>> + }
>>>> +
>>>> ret = call_netdevice_notifiers(NETDEV_CHANGENAME, dev);
>>>> ret = notifier_to_errno(ret);
>>>>
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2019-03-29 22:59 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-28 23:47 [PATCH net v4] failover: allow name change on IFF_UP slave interfaces Si-Wei Liu
2019-03-29 5:55 ` Samudrala, Sridhar
2019-03-29 5:55 ` Samudrala, Sridhar
2019-03-29 19:50 ` si-wei liu
2019-03-29 22:31 ` Michael S. Tsirkin
2019-03-29 22:58 ` si-wei liu
2019-03-29 22:31 ` Michael S. Tsirkin
2019-03-29 13:45 ` kbuild test robot
2019-03-29 13:45 ` kbuild test robot
2019-03-29 15:15 ` Stephen Hemminger
2019-03-29 15:34 ` Jiri Pirko
2019-03-29 15:34 ` Jiri Pirko
2019-03-29 20:01 ` si-wei liu
2019-03-29 15:15 ` Stephen Hemminger
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.