On Wed, Jan 15, 2025 at 12:30 AM Ilya Maximets <[email protected]> wrote:
>
> Commit in the fixes tag added support for using custom ipsec.conf with
> ovs-monitor-ipsec, but it didn't provide a way to use those options
> via ovs-ctl.  This makes it impossible to use these options from a
> systemd unit, for example.
>
> Fix that by adding --ovs-monitor-ipsec-options knob to ovs-ctl and
> allowing OPTIONS to be passed via sysconfig.
>
> Our Debian units are using StrongSwan, so they do not need these
> Libreswan-specific options, however, it's better to keep systemd
> integration similar to Fedora/RHEL.  There is at least one other
> option that can be used with StrongSwan.
>
> Only the Debian init file is updated, because we don't have IPsec
> support for init in Fedora/RHEL.
>
> There is a line length warning in the example, but it's hard to split
> it into multiple lines, and I think, it's a good configuration example
> to provide.
>
> Fixes: 09d7c5ac0054 ("ipsec: Add support for using non-root ipsec.conf.")
> Signed-off-by: Ilya Maximets <[email protected]>
> ---
>  NEWS                                          |  2 ++
>  debian/openvswitch-ipsec.init                 |  5 ++++-
>  debian/openvswitch-ipsec.service              |  3 ++-
>  ...b_systemd_system_openvswitch-ipsec.service |  4 +++-
>  ...vswitch_scripts_systemd_sysconfig.template |  3 +++
>  utilities/ovs-ctl.in                          | 22 ++++++++++++-------
>  6 files changed, 28 insertions(+), 11 deletions(-)
>
> diff --git a/NEWS b/NEWS
> index 83f051379..1aedbbe44 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -55,6 +55,8 @@ Post-v3.4.0
>         to make it not configure any crypto options (ike/esp) for connections.
>         Most useful in combination with '--root-ipsec-conf' where system-wide
>         crypto-policy is included from the root ipsec.conf.
> +     * New option '--ovs-monitor-ipsec-options' for 'ovs-ctl start-ovs-ipsec'
> +       to pass above new options to ovs-monitor-ipsec.
>
>
>  v3.4.0 - 15 Aug 2024
> diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
> index aa6838454..f66058b8a 100755
> --- a/debian/openvswitch-ipsec.init
> +++ b/debian/openvswitch-ipsec.init
> @@ -41,6 +41,8 @@ test -x $DAEMON || exit 0
>
>  . /lib/lsb/init-functions
>
> +test -e /etc/default/openvswitch-switch && . /etc/default/openvswitch-switch
> +

In Debian, each "binary" package has its own defaults file, so we
would need to create a new shell fragment that can double as a systemd
environment file named /etc/default/openvswitch-ipsec.

>  DODTIME=10              # Time to wait for the server to die, in seconds
>                          # If this value is set too low you might not
>                          # let some servers to die gracefully and
> @@ -72,7 +74,8 @@ running() {
>  }
>
>  start_server() {
> -    ${DATADIR}/scripts/ovs-ctl --ike-daemon=strongswan start-ovs-ipsec
> +    ${DATADIR}/scripts/ovs-ctl --ike-daemon=strongswan \
> +        start-ovs-ipsec $OVS_CTL_OPTS
>      return 0
>  }
>
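Review bot: The unquoted `$OVS_CTL_OPTS` on the new `start-ovs-ipsec` line is field-split by the shell on IFS only, so a value that carries a quoted multi-word option (the sysconfig template in this series shows `--ovs-monitor-ipsec-options='--ipsec-conf=/etc/ipsec.d/ovs.conf --root-ipsec-conf=/etc/ipsec.conf'`) would reach ovs-ctl as two words with literal quote characters, unlike systemd's `$OPTIONS`/`$OVS_CTL_OPTS` expansion, which honours and strips the quotes. If the Debian defaults file is meant to accept such values, the init script has to parse them the way systemd does; otherwise the rule that OVS_CTL_OPTS may not contain quoted groups when used from init should be stated, e.g. `# OVS_CTL_OPTS is word-split only; quoted groups are not supported here.` above the call. This presumably mirrors how openvswitch-switch.init already passes `$OVS_CTL_OPTS`, which is outside this patch.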
> diff --git a/debian/openvswitch-ipsec.service 
> b/debian/openvswitch-ipsec.service
> index 51b9b315a..3bc2e489b 100644
> --- a/debian/openvswitch-ipsec.service
> +++ b/debian/openvswitch-ipsec.service
> @@ -7,8 +7,9 @@ After=openvswitch-switch.service
>  Type=forking
>  PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid
>  Restart=on-failure
> +EnvironmentFile=-/etc/default/openvswitch-switch

See comment above about per "binary" package defaults file.

>  ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --no-monitor \
> -                    --ike-daemon=strongswan start-ovs-ipsec
> +                    --ike-daemon=strongswan start-ovs-ipsec $OVS_CTL_OPTS
>  ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
>
>  [Install]
> diff --git a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service 
> b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
> index a4bf475d0..913598f08 100644
> --- a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
> +++ b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
> @@ -7,8 +7,10 @@ After=openvswitch.service
>  Type=forking
>  PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid
>  Restart=on-failure
> +EnvironmentFile=/etc/openvswitch/default.conf
> +EnvironmentFile=-/etc/sysconfig/openvswitch
>  ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --no-monitor \
> -                    --ike-daemon=libreswan start-ovs-ipsec
> +                    --ike-daemon=libreswan start-ovs-ipsec $OPTIONS
>  ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
>
>  [Install]
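Review bot: `EnvironmentFile=/etc/openvswitch/default.conf` on the new line has no `-` prefix, so systemd refuses to start openvswitch-ipsec.service when that file is absent, whereas the sysconfig file on the next line is optional. If this deliberately matches the other RHEL units that read default.conf (not visible here) it is fine, but it changes the failure mode of a unit that previously had no file dependency and deserves a sentence in the commit message; otherwise `EnvironmentFile=-/etc/openvswitch/default.conf` keeps the unit starting with ovs-ctl's built-in defaults. Order also matters: when both files set OPTIONS, the later file (/etc/sysconfig/openvswitch) wins, which is worth noting since the example for this option lives in the sysconfig template.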
> diff --git a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template 
> b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
> index c467d02db..63833c4d8 100644
> --- a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
> +++ b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
> @@ -25,6 +25,9 @@
>  #   --ovs-vswitchd-options='-vconsole:dbg -vfile:dbg'
>  #   --ovsdb-server-options='-vconsole:dbg -vfile:dbg'
>  #
> +# Or to start with non-root IPsec config file:
> +#   --ovs-monitor-ipsec-options='--ipsec-conf=/etc/ipsec.d/ovs.conf 
> --root-ipsec-conf=/etc/ipsec.conf'
> +#
>  OPTIONS=""
>
>  # Uncomment and set the OVS User/Group value
> diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
> index 1f9ce1e6e..03a39337f 100644
> --- a/utilities/ovs-ctl.in
> +++ b/utilities/ovs-ctl.in
> @@ -242,18 +242,20 @@ start_forwarding () {
>  }
>
>  start_ovs_ipsec () {
> +    set ${datadir}/scripts/ovs-monitor-ipsec unix:"$DB_SOCK"
> +    set "$@" --log-file=${logdir}/ovs-monitor-ipsec.log
> +    set "$@" --pidfile=${rundir}/ovs-monitor-ipsec.pid
> +    set "$@" --detach
> +    test X"$MONITOR" = Xno || set "$@" --monitor
> +    set "$@" --ike-daemon=$IKE_DAEMON
>      if test X$RESTART_IKE_DAEMON = Xno; then
> -        no_restart="--no-restart-ike-daemon"
> +        set "$@" --no-restart-ike-daemon
>      fi
> -    if test X"$MONITOR" != Xno; then
> -        monitor_arg="--monitor"
> +    if test X"$OVS_MONITOR_IPSEC_OPTIONS" != X; then
> +        set "$@" $OVS_MONITOR_IPSEC_OPTIONS
>      fi
>
> -    ${datadir}/scripts/ovs-monitor-ipsec \
> -        --pidfile=${rundir}/ovs-monitor-ipsec.pid \
> -        --ike-daemon=$IKE_DAEMON \
> -        $no_restart $monitor_arg \
> -        --log-file --detach unix:${rundir}/db.sock || return 1
> +    action "Starting ovs-monitor-ipsec" "$@" || return 1
>      return 0
>  }
>
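Review bot: `set "$@" $OVS_MONITOR_IPSEC_OPTIONS` relies on unquoted expansion to split the option string into arguments, which also applies pathname expansion, so a value containing `*`, `?` or `[` (conceivable in an `--ipsec-conf=` path) could be rewritten before ovs-monitor-ipsec sees it; this presumably mirrors how the existing `*_OPTIONS` variables are passed elsewhere in ovs-ctl, which is outside the hunk, but it is a limit users of the new knob should be told about. The rewritten start_ovs_ipsec now reads DB_SOCK, MONITOR, IKE_DAEMON, RESTART_IKE_DAEMON and OVS_MONITOR_IPSEC_OPTIONS and pins the log to `${logdir}/ovs-monitor-ipsec.log`, none of which is stated; a header comment such as `# Start ovs-monitor-ipsec on $DB_SOCK; honours MONITOR, IKE_DAEMON, RESTART_IKE_DAEMON and the free-form OVS_MONITOR_IPSEC_OPTIONS (word-split and glob-expanded).` would document the contract. Quoting is also inconsistent within the hunk: `unix:"$DB_SOCK"` is quoted while `${logdir}`, `${rundir}` and `$IKE_DAEMON` are not, and picking one form makes the intent clearer.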
> @@ -351,6 +353,7 @@ set_defaults () {
>      OVS_VSWITCHD_WRAPPER=
>      OVSDB_SERVER_OPTIONS=
>      OVS_VSWITCHD_OPTIONS=
> +    OVS_MONITOR_IPSEC_OPTIONS=
>      OVSDB_SERVER_UMASK=
>      OVS_VSWITCHD_UMASK=
>
> @@ -466,6 +469,9 @@ Option for "start-ovs-ipsec":
>        the IKE daemon for ipsec tunnels (either libreswan or strongswan)
>    --no-restart-ike-daemon
>        do not restart the IKE daemon on startup
> +  --ovs-monitor-ipsec-options=OPTIONS
> +      additional options for ovs-monitor-ipsec (example:
> +      '--ipsec-conf=/etc/ipsec.d/ovs.conf --root-ipsec-conf=/etc/ipsec.conf')
>
>  Other options:
>    -h, --help                  display this help message
> --
> 2.47.0

Apart from the defaults file naming, I took this for a spin and it LGTM.

--
Frode Nordahl

