On 1/15/25 10:20, Frode Nordahl wrote:
> On Wed, Jan 15, 2025 at 12:30 AM Ilya Maximets <[email protected]> wrote:
>>
>> Commit in the fixes tag added support for using custom ipsec.conf with
>> ovs-monitor-ipsec, but it didn't provide a way to use those options
>> via ovs-ctl. This makes it impossible to use these options from a
>> systemd unit, for example.
>>
>> Fix that by adding --ovs-monitor-ipsec-options knob to ovs-ctl and
>> allowing OPTIONS to be passed via sysconfig.
>>
>> Our Debian units are using StrongSwan, so they do not need these
>> Libreswan-specific options, however, it's better to keep systemd
>> integration similar to Fedora/RHEL. There is at least one other
>> option that can be used with StrongSwan.
>>
>> Only the Debian init file is updated, because we don't have IPsec
>> support for init in Fedora/RHEL.
>>
>> There is a line length warning in the example, but it's hard to split
>> it into multiple lines, and I think, it's a good configuration example
>> to provide.
>>
>> Fixes: 09d7c5ac0054 ("ipsec: Add support for using non-root ipsec.conf.")
>> Signed-off-by: Ilya Maximets <[email protected]>
>> ---
>> NEWS | 2 ++
>> debian/openvswitch-ipsec.init | 5 ++++-
>> debian/openvswitch-ipsec.service | 3 ++-
>> ...b_systemd_system_openvswitch-ipsec.service | 4 +++-
>> ...vswitch_scripts_systemd_sysconfig.template | 3 +++
>> utilities/ovs-ctl.in | 22 ++++++++++++-------
>> 6 files changed, 28 insertions(+), 11 deletions(-)
>>
>> diff --git a/NEWS b/NEWS
>> index 83f051379..1aedbbe44 100644
>> --- a/NEWS
>> +++ b/NEWS
>> @@ -55,6 +55,8 @@ Post-v3.4.0
>> to make it not configure any crypto options (ike/esp) for
>> connections.
>> Most useful in combination with '--root-ipsec-conf' where system-wide
>> crypto-policy is included from the root ipsec.conf.
>> + * New option '--ovs-monitor-ipsec-options' for 'ovs-ctl
>> start-ovs-ipsec'
>> + to pass above new options to ovs-monitor-ipsec.
>>
>>
>> v3.4.0 - 15 Aug 2024
>> diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
>> index aa6838454..f66058b8a 100755
>> --- a/debian/openvswitch-ipsec.init
>> +++ b/debian/openvswitch-ipsec.init
>> @@ -41,6 +41,8 @@ test -x $DAEMON || exit 0
>>
>> . /lib/lsb/init-functions
>>
>> +test -e /etc/default/openvswitch-switch && . /etc/default/openvswitch-switch
>> +
>
> In Debian, each "binary" package has its own defaults file, so we
> would need to create a new shell fragment that can double as a systemd
> environment file named /etc/default/openvswitch-ipsec.
Ack. Good to know. Will try and add one.
>
>> DODTIME=10 # Time to wait for the server to die, in seconds
>> # If this value is set too low you might not
>> # let some servers to die gracefully and
>> @@ -72,7 +74,8 @@ running() {
>> }
>>
>> start_server() {
>> - ${DATADIR}/scripts/ovs-ctl --ike-daemon=strongswan start-ovs-ipsec
>> + ${DATADIR}/scripts/ovs-ctl --ike-daemon=strongswan \
>> + start-ovs-ipsec $OVS_CTL_OPTS
>> return 0
>> }
>>
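Review bot: `start-ovs-ipsec $OVS_CTL_OPTS` on the new line expands the variable unquoted, so the shell splits it on whitespace without honouring quotes and also applies pathname expansion to each word; a value like the one documented in this patch's sysconfig template, `--ovs-monitor-ipsec-options='--ipsec-conf=/etc/ipsec.d/ovs.conf --root-ipsec-conf=/etc/ipsec.conf'`, would be split at the space with the literal quotes passed through. This differs from the systemd path, where, to my recollection, `$VAR` as a separate ExecStart word is split with quoting respected, so the same defaults file would behave differently under sysvinit and systemd. If that is an accepted limitation of the init script, state it in the defaults file, e.g. `# Note: the init script word-splits OVS_CTL_OPTS; option values cannot contain whitespace.`; otherwise the init script needs another way to build the argument list. start_server is fully visible in the hunk.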
>> diff --git a/debian/openvswitch-ipsec.service
>> b/debian/openvswitch-ipsec.service
>> index 51b9b315a..3bc2e489b 100644
>> --- a/debian/openvswitch-ipsec.service
>> +++ b/debian/openvswitch-ipsec.service
>> @@ -7,8 +7,9 @@ After=openvswitch-switch.service
>> Type=forking
>> PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid
>> Restart=on-failure
>> +EnvironmentFile=-/etc/default/openvswitch-switch
>
> See comment above about per "binary" package defaults file.
>
>> ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --no-monitor \
>> - --ike-daemon=strongswan start-ovs-ipsec
>> + --ike-daemon=strongswan start-ovs-ipsec $OVS_CTL_OPTS
>> ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
>>
>> [Install]
>> diff --git a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
>> b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
>> index a4bf475d0..913598f08 100644
>> --- a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
>> +++ b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
>> @@ -7,8 +7,10 @@ After=openvswitch.service
>> Type=forking
>> PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid
>> Restart=on-failure
>> +EnvironmentFile=/etc/openvswitch/default.conf
>> +EnvironmentFile=-/etc/sysconfig/openvswitch
>> ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --no-monitor \
>> - --ike-daemon=libreswan start-ovs-ipsec
>> + --ike-daemon=libreswan start-ovs-ipsec $OPTIONS
>> ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
>>
>> [Install]
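Review bot: `EnvironmentFile=/etc/openvswitch/default.conf` is added without the `-` prefix, so the ipsec unit now refuses to start when that file is absent, while `/etc/sysconfig/openvswitch` on the next line is optional. If the other rhel units already require default.conf the same way this is consistent and fine; if not, `EnvironmentFile=-/etc/openvswitch/default.conf` would match the treatment of the sysconfig file and avoid a new hard failure mode for a unit that previously needed neither file.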
>> diff --git a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
>> b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
>> index c467d02db..63833c4d8 100644
>> --- a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
>> +++ b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
>> @@ -25,6 +25,9 @@
>> # --ovs-vswitchd-options='-vconsole:dbg -vfile:dbg'
>> # --ovsdb-server-options='-vconsole:dbg -vfile:dbg'
>> #
>> +# Or to start with non-root IPsec config file:
>> +# --ovs-monitor-ipsec-options='--ipsec-conf=/etc/ipsec.d/ovs.conf
>> --root-ipsec-conf=/etc/ipsec.conf'
>> +#
>> OPTIONS=""
>>
>> # Uncomment and set the OVS User/Group value
>> diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
>> index 1f9ce1e6e..03a39337f 100644
>> --- a/utilities/ovs-ctl.in
>> +++ b/utilities/ovs-ctl.in
>> @@ -242,18 +242,20 @@ start_forwarding () {
>> }
>>
>> start_ovs_ipsec () {
>> + set ${datadir}/scripts/ovs-monitor-ipsec unix:"$DB_SOCK"
>> + set "$@" --log-file=${logdir}/ovs-monitor-ipsec.log
>> + set "$@" --pidfile=${rundir}/ovs-monitor-ipsec.pid
>> + set "$@" --detach
>> + test X"$MONITOR" = Xno || set "$@" --monitor
>> + set "$@" --ike-daemon=$IKE_DAEMON
>> if test X$RESTART_IKE_DAEMON = Xno; then
>> - no_restart="--no-restart-ike-daemon"
>> + set "$@" --no-restart-ike-daemon
>> fi
>> - if test X"$MONITOR" != Xno; then
>> - monitor_arg="--monitor"
>> + if test X"$OVS_MONITOR_IPSEC_OPTIONS" != X; then
>> + set "$@" $OVS_MONITOR_IPSEC_OPTIONS
>> fi
>>
>> - ${datadir}/scripts/ovs-monitor-ipsec \
>> - --pidfile=${rundir}/ovs-monitor-ipsec.pid \
>> - --ike-daemon=$IKE_DAEMON \
>> - $no_restart $monitor_arg \
>> - --log-file --detach unix:${rundir}/db.sock || return 1
>> + action "Starting ovs-monitor-ipsec" "$@" || return 1
>> return 0
>> }
>>
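Review bot: The commit message does not mention that start_ovs_ipsec now connects to `unix:"$DB_SOCK"` instead of `unix:${rundir}/db.sock`, passes an explicit `--log-file=${logdir}/ovs-monitor-ipsec.log` instead of a bare `--log-file`, and runs the daemon through `action`; if `DB_SOCK` can be overridden on the ovs-ctl command line, the first of these changes which database ovs-monitor-ipsec attaches to, so it deserves a sentence in the description or a separate patch. Separately, `set "$@" $OVS_MONITOR_IPSEC_OPTIONS` relies on field splitting and also subjects each resulting word to pathname expansion, so a value containing `*` or `?` would be globbed against the current directory. If the file already treats OVSDB_SERVER_OPTIONS and OVS_VSWITCHD_OPTIONS the same way, staying consistent is reasonable, but a short comment such as `# Word-split on purpose: a whitespace-separated option list.` above that line would make the intent explicit.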
>> @@ -351,6 +353,7 @@ set_defaults () {
>> OVS_VSWITCHD_WRAPPER=
>> OVSDB_SERVER_OPTIONS=
>> OVS_VSWITCHD_OPTIONS=
>> + OVS_MONITOR_IPSEC_OPTIONS=
>> OVSDB_SERVER_UMASK=
>> OVS_VSWITCHD_UMASK=
>>
>> @@ -466,6 +469,9 @@ Option for "start-ovs-ipsec":
>> the IKE daemon for ipsec tunnels (either libreswan or strongswan)
>> --no-restart-ike-daemon
>> do not restart the IKE daemon on startup
>> + --ovs-monitor-ipsec-options=OPTIONS
>> + additional options for ovs-monitor-ipsec (example:
>> + '--ipsec-conf=/etc/ipsec.d/ovs.conf
>> --root-ipsec-conf=/etc/ipsec.conf')
>>
>> Other options:
>> -h, --help display this help message
>> --
>> 2.47.0
>
> Apart from the defaults file naming I took this for a spin and it LGTM.
Thanks!
Best regards, Ilya Maximets.
>
> --
> Frode Nordahl