On Wed, Jan 15, 2025 at 3:01 PM Ilya Maximets <[email protected]> wrote: > > Commit in the fixes tag added support for using custom ipsec.conf with > ovs-monitor-ipsec, but it didn't provide a way to use those options > via ovs-ctl. This makes it impossible to use these options from a > systemd unit, for example. > > Fix that by adding --ovs-monitor-ipsec-options knob to ovs-ctl and > allowing OPTIONS to be passed via sysconfig. > > Our Debian units are using StrongSwan, so they do not need these > Libreswan-specific options, however, it's better to keep systemd > integration similar to Fedora/RHEL. There is at least one other > option that can be used with StrongSwan. > > Only the Debian init file is updated, because we don't have IPsec > support for init in Fedora/RHEL. > > There is a line length warning in the example, but it's hard to split > it into multiple lines, and I think it's a good configuration example > to provide. > > Fixes: 09d7c5ac0054 ("ipsec: Add support for using non-root ipsec.conf.") > Signed-off-by: Ilya Maximets <[email protected]>
Thanks! Acked-by: Frode Nordahl <[email protected]> > --- > NEWS | 2 ++ > debian/automake.mk | 2 ++ > debian/openvswitch-ipsec.default | 5 +++++ > debian/openvswitch-ipsec.dirs | 1 + > debian/openvswitch-ipsec.init | 5 ++++- > debian/openvswitch-ipsec.install | 2 ++ > debian/openvswitch-ipsec.service | 3 ++- > ...b_systemd_system_openvswitch-ipsec.service | 4 +++- > ...vswitch_scripts_systemd_sysconfig.template | 3 +++ > utilities/ovs-ctl.in | 22 ++++++++++++------- > 10 files changed, 38 insertions(+), 11 deletions(-) > create mode 100644 debian/openvswitch-ipsec.default > create mode 100644 debian/openvswitch-ipsec.dirs > mode change 100644 => 100755 debian/openvswitch-ipsec.install > > diff --git a/NEWS b/NEWS > index 83f051379..1aedbbe44 100644 > --- a/NEWS > +++ b/NEWS > @@ -55,6 +55,8 @@ Post-v3.4.0 > to make it not configure any crypto options (ike/esp) for connections. > Most useful in combination with '--root-ipsec-conf' where system-wide > crypto-policy is included from the root ipsec.conf. > + * New option '--ovs-monitor-ipsec-options' for 'ovs-ctl start-ovs-ipsec' > + to pass above new options to ovs-monitor-ipsec. > > > v3.4.0 - 15 Aug 2024 > diff --git a/debian/automake.mk b/debian/automake.mk > index b86003f56..7ae4e00e5 100644 > --- a/debian/automake.mk > +++ b/debian/automake.mk > @@ -14,6 +14,8 @@ EXTRA_DIST += \ > debian/openvswitch-common.lintian-overrides \ > debian/openvswitch-doc.doc-base \ > debian/openvswitch-doc.install \ > + debian/openvswitch-ipsec.default \ > + debian/openvswitch-ipsec.dirs \ > debian/openvswitch-ipsec.init \ > debian/openvswitch-ipsec.install \ > debian/openvswitch-ipsec.service \ > diff --git a/debian/openvswitch-ipsec.default > b/debian/openvswitch-ipsec.default > new file mode 100644 > index 000000000..a07494859 > --- /dev/null > +++ b/debian/openvswitch-ipsec.default 
> @@ -0,0 +1,5 @@ > +# This is a POSIX shell fragment -*- sh -*- > + > +# OVS_CTL_OPTS: Extra options to pass to ovs-ctl. This is, for example, > +# a suitable place to specify --no-restart-ike-daemon. > +# OVS_CTL_OPTS= > diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs > new file mode 100644 > index 000000000..4b83f2966 > --- /dev/null > +++ b/debian/openvswitch-ipsec.dirs > @@ -0,0 +1 @@ > +/usr/share/openvswitch/ipsec > diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init > index aa6838454..4fc7701b8 100755 > --- a/debian/openvswitch-ipsec.init > +++ b/debian/openvswitch-ipsec.init > @@ -41,6 +41,8 @@ test -x $DAEMON || exit 0 > > . /lib/lsb/init-functions > > +test -e /etc/default/openvswitch-ipsec && . /etc/default/openvswitch-ipsec > + > DODTIME=10 # Time to wait for the server to die, in seconds > # If this value is set too low you might not > # let some servers to die gracefully and > @@ -72,7 +74,8 @@ running() { > } > > start_server() { > - ${DATADIR}/scripts/ovs-ctl --ike-daemon=strongswan start-ovs-ipsec > + ${DATADIR}/scripts/ovs-ctl --ike-daemon=strongswan \ > + start-ovs-ipsec $OVS_CTL_OPTS > return 0 > } > > diff --git a/debian/openvswitch-ipsec.install > b/debian/openvswitch-ipsec.install > old mode 100644 > new mode 100755 > index 31a8945e2..ae127e2d4 > --- a/debian/openvswitch-ipsec.install > +++ b/debian/openvswitch-ipsec.install > @@ -1 +1,3 @@ > +#!/usr/bin/dh-exec > +debian/openvswitch-ipsec.default => > /usr/share/openvswitch/ipsec/default.template > usr/share/openvswitch/scripts/ovs-monitor-ipsec > diff --git a/debian/openvswitch-ipsec.service > b/debian/openvswitch-ipsec.service > index 51b9b315a..2f92def51 100644 > --- a/debian/openvswitch-ipsec.service > +++ b/debian/openvswitch-ipsec.service 
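Review bot: The header comment in the new debian/openvswitch-ipsec.default says the file is a POSIX shell fragment, but the same file is also read by systemd through `EnvironmentFile=-/etc/default/openvswitch-ipsec` in debian/openvswitch-ipsec.service, which does not go through a shell and only accepts plain `VAR=value` lines (no command substitution or other shell expansion). Suggest extending the comment with a line such as `# Also read by systemd as an EnvironmentFile: keep to simple VAR=value assignments.` Separately, the patch installs this file only as /usr/share/openvswitch/ipsec/default.template (the debian/openvswitch-ipsec.install hunk), while the init script and the unit both read /etc/default/openvswitch-ipsec; if no existing postinst copies the template there (nothing in this patch does), the comment should at least tell the administrator where the file has to be placed.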
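Review bot: `test -e /etc/default/openvswitch-ipsec && . /etc/default/openvswitch-ipsec` added to debian/openvswitch-ipsec.init checks only existence, so an unreadable file or a directory at that path passes the test and the following `.` then fails; the usual init-script form is `test -r /etc/default/openvswitch-ipsec && . /etc/default/openvswitch-ipsec`. In start_server(), `$OVS_CTL_OPTS` is deliberately left unquoted so that it word-splits into separate options, which deserves a short comment because the same unquoted expansion is also subject to pathname globbing.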
> @@ -7,8 +7,9 @@ After=openvswitch-switch.service > Type=forking > PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid > Restart=on-failure > +EnvironmentFile=-/etc/default/openvswitch-ipsec > ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --no-monitor \ > - --ike-daemon=strongswan start-ovs-ipsec > + --ike-daemon=strongswan start-ovs-ipsec $OVS_CTL_OPTS > ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec > > [Install] > diff --git a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service > b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service > index a4bf475d0..913598f08 100644 > --- a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service > +++ b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service > @@ -7,8 +7,10 @@ After=openvswitch.service > Type=forking > PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid > Restart=on-failure > +EnvironmentFile=/etc/openvswitch/default.conf > +EnvironmentFile=-/etc/sysconfig/openvswitch > ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --no-monitor \ > - --ike-daemon=libreswan start-ovs-ipsec > + --ike-daemon=libreswan start-ovs-ipsec $OPTIONS > ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec > > [Install] > diff --git a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template > b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template > index c467d02db..63833c4d8 100644 > --- a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template > +++ b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template > @@ -25,6 +25,9 @@ > # --ovs-vswitchd-options='-vconsole:dbg -vfile:dbg' > # --ovsdb-server-options='-vconsole:dbg -vfile:dbg' > # > +# Or to start with non-root IPsec config file: > +# --ovs-monitor-ipsec-options='--ipsec-conf=/etc/ipsec.d/ovs.conf > --root-ipsec-conf=/etc/ipsec.conf' > +# > OPTIONS="" > > # Uncomment and set the OVS User/Group value > diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in > index 1f9ce1e6e..03a39337f 100644 > --- a/utilities/ovs-ctl.in 
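Review bot: `EnvironmentFile=/etc/openvswitch/default.conf` in rhel/usr_lib_systemd_system_openvswitch-ipsec.service has no leading `-`, unlike the sysconfig line right below it, so the unit refuses to start when that file is absent. If this is intentional because openvswitch.service already requires the same file, a one-line comment saying so would save the next reader a check; otherwise `EnvironmentFile=-/etc/openvswitch/default.conf` matches the tolerant handling used for the sysconfig file. Note also that `$OPTIONS` is presumably the same variable openvswitch.service consumes, so any ovs-ctl option set there (such as --ovsdb-server-options) is now passed to start-ovs-ipsec as well; that is harmless only as long as ovs-ctl's option parser accepts all of them for this action, which the sysconfig template comment could state explicitly.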
> +++ b/utilities/ovs-ctl.in > @@ -242,18 +242,20 @@ start_forwarding () { > } > > start_ovs_ipsec () { > + set ${datadir}/scripts/ovs-monitor-ipsec unix:"$DB_SOCK" > + set "$@" --log-file=${logdir}/ovs-monitor-ipsec.log > + set "$@" --pidfile=${rundir}/ovs-monitor-ipsec.pid > + set "$@" --detach > + test X"$MONITOR" = Xno || set "$@" --monitor > + set "$@" --ike-daemon=$IKE_DAEMON > if test X$RESTART_IKE_DAEMON = Xno; then > - no_restart="--no-restart-ike-daemon" > + set "$@" --no-restart-ike-daemon > fi > - if test X"$MONITOR" != Xno; then > - monitor_arg="--monitor" > + if test X"$OVS_MONITOR_IPSEC_OPTIONS" != X; then > + set "$@" $OVS_MONITOR_IPSEC_OPTIONS > fi > > - ${datadir}/scripts/ovs-monitor-ipsec \ > - --pidfile=${rundir}/ovs-monitor-ipsec.pid \ > - --ike-daemon=$IKE_DAEMON \ > - $no_restart $monitor_arg \ > - --log-file --detach unix:${rundir}/db.sock || return 1 > + action "Starting ovs-monitor-ipsec" "$@" || return 1 > return 0 > } > > @@ -351,6 +353,7 @@ set_defaults () { > OVS_VSWITCHD_WRAPPER= > OVSDB_SERVER_OPTIONS= > OVS_VSWITCHD_OPTIONS= > + OVS_MONITOR_IPSEC_OPTIONS= > OVSDB_SERVER_UMASK= > OVS_VSWITCHD_UMASK= > > @@ -466,6 +469,9 @@ Option for "start-ovs-ipsec": > the IKE daemon for ipsec tunnels (either libreswan or strongswan) > --no-restart-ike-daemon > do not restart the IKE daemon on startup > + --ovs-monitor-ipsec-options=OPTIONS > + additional options for ovs-monitor-ipsec (example: > + '--ipsec-conf=/etc/ipsec.d/ovs.conf --root-ipsec-conf=/etc/ipsec.conf') > > Other options: > -h, --help display this help message > -- > 2.47.0 > > _______________________________________________ > dev mailing list > [email protected] > https://mail.openvswitch.org/mailman/listinfo/ovs-dev _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
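Review bot: `set "$@" $OVS_MONITOR_IPSEC_OPTIONS` in start_ovs_ipsec() relies on unquoted expansion for word splitting, which also applies pathname expansion, so a value containing `*` or `?` (for example a glob in --ipsec-conf) is matched against the current directory before it reaches ovs-monitor-ipsec; bracketing the expansion with `set -f` and `set +f` avoids that, or the help text added in the last hunk of this file could state that OPTIONS is split on whitespace with no shell quoting or glob protection. The enclosing `test X"$OVS_MONITOR_IPSEC_OPTIONS" != X` guard is redundant, since an empty unquoted expansion adds no words to `set`, but it is harmless and presumably mirrors how the other *_OPTIONS variables are handled elsewhere in the file. The `action` helper invoked on the last added line is defined outside this hunk.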
