[ovs-dev] [PATCH 6/6] vswitch: Add support for IPsec certificate authentication.

Ben Pfaff blp at nicira.com
Thu Dec 23 17:28:34 UTC 2010


On Wed, Dec 22, 2010 at 06:21:24PM -0800, Justin Pettit wrote:
> On Dec 22, 2010, at 1:20 PM, Ben Pfaff wrote:
> > It seems to me undesirable that this daemon prevents modifying a host
> > in-place ("configuration changed for %s, need to delete interface
> > first").  In contrast, ovs-vswitchd is designed so that it can it can
> > transition from any current state to any new state.  Otherwise, it makes
> > life difficult for the database client: it means that, to change
> > something, the client must commit a deletion, then commit an insertion,
> > in two separate commits.  And if ovs-monitor-ipsec's connection to the
> > database goes down in the middle, so that it only sees the initial and
> > final states without observing the deletion itself, then it will never
> > update the interface at all, at least not until the next time it is
> > killed and restarted.  In short, this doesn't look very robust.
> 
> Yes, this is a weakness.  I had already checked with our controller
> team, and it's not a problem with how they set up ports.  I have it on
> my to-do list to fix, so I'll try to get that cleaned up before too
> long.

Isn't it an easy fix?  Change:
            # Configuration for this host already exists.  If
            # it has changed, this is an error.
            if vals != orig_vals:
                s_log.warning("configuration changed for %s, need to delete "
                        "interface first" % name)
            continue
to:
            ipsec.del_entry(vals["local_ip"], vals["remote_ip"])

Maybe there's more to it than that?

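The point Ben makes above, that the daemon should move from any observed state to any new state rather than refusing to touch an existing host, is easiest to see by running both behaviours against the same sequence of database snapshots. The following is an added example written for this page; it is not code from ovs-monitor-ipsec or Open vSwitch. `IpsecBackend`, `reconcile_strict()`, `reconcile()`, `apply_snapshots()` and the snapshot dicts are all hypothetical, chosen only to mirror the `vals`/`orig_vals` records and the `ipsec.del_entry(local_ip, remote_ip)` call quoted in the mail.

```python
"""Reconciling IPsec tunnel entries against a desired configuration.

Added example, not code from ovs-monitor-ipsec or Open vSwitch.  It
contrasts the "warn and skip" behaviour quoted in the mail with a
"transition from any current state to any new state" reconciler.  The
class and function names are assumptions made for this illustration; a
record is a plain dict with "local_ip" and "remote_ip" keys plus the
tunnel's authentication settings.
"""
import logging

s_log = logging.getLogger("ipsec-monitor-example")


class IpsecBackend:
    """In-memory stand-in (assumption) for the daemon's IPsec backend.
    Entries are keyed by (local_ip, remote_ip), the same key that the
    del_entry() call in the mail uses."""

    def __init__(self):
        self.entries = {}

    def add_entry(self, vals):
        key = (vals["local_ip"], vals["remote_ip"])
        if key in self.entries:
            raise ValueError("entry %s exists; delete it first" % (key,))
        self.entries[key] = dict(vals)

    def del_entry(self, local_ip, remote_ip):
        # Removing an entry that is not present is not an error: the daemon
        # may have missed the row that created it, or it may already be gone.
        self.entries.pop((local_ip, remote_ip), None)


def reconcile_strict(ipsec, current, desired):
    """The behaviour quoted in the thread: a host whose configuration
    changed is logged and left alone, so the tunnel keeps its old settings
    until the row is deleted and re-inserted, and only if the daemon
    actually observes the intermediate deletion."""
    new_current = {}
    for name, vals in desired.items():
        orig_vals = current.get(name)
        if orig_vals is not None:
            if vals != orig_vals:
                s_log.warning("configuration changed for %s, need to delete "
                              "interface first", name)
            new_current[name] = orig_vals   # nothing changed on the wire
            continue
        ipsec.add_entry(vals)
        new_current[name] = vals
    for name, vals in current.items():
        if name not in desired:
            ipsec.del_entry(vals["local_ip"], vals["remote_ip"])
    return new_current


def reconcile(ipsec, current, desired):
    """Bring the backend from 'current' to 'desired' regardless of which
    intermediate states were seen: stale or changed entries are deleted,
    then missing or changed entries are added."""
    # Pass 1: tear down every entry that is gone or whose settings differ.
    # Doing all deletions before any addition means two hosts can even swap
    # (local_ip, remote_ip) pairs without add_entry() hitting a collision.
    for name, orig_vals in current.items():
        if desired.get(name) != orig_vals:
            ipsec.del_entry(orig_vals["local_ip"], orig_vals["remote_ip"])
    # Pass 2: bring up every entry that is new or whose settings changed.
    for name, vals in desired.items():
        if current.get(name) != vals:
            ipsec.add_entry(vals)
    return dict(desired)


def apply_snapshots(step, snapshots):
    """Feed successive database snapshots to 'step' and return the backend
    contents, so a run that missed a snapshot can be compared with one that
    saw them all."""
    ipsec = IpsecBackend()
    current = {}
    for snapshot in snapshots:
        current = step(ipsec, current, snapshot)
    return ipsec.entries


# Constructed sample data: a client changes the PSK of one tunnel by
# committing a deletion and then an insertion, as the mail describes.
SNAP_INITIAL = {"gw-a": {"local_ip": "10.0.0.1", "remote_ip": "10.0.0.2",
                         "psk": "old-secret"}}
SNAP_DELETED = {}
SNAP_FINAL = {"gw-a": {"local_ip": "10.0.0.1", "remote_ip": "10.0.0.2",
                       "psk": "new-secret"}}

if __name__ == "__main__":
    # A daemon that saw all three snapshots ends up with the new PSK either
    # way; one that missed the deletion gets stuck only with the strict rule.
    key = ("10.0.0.1", "10.0.0.2")
    print("strict, all snapshots:",
          apply_snapshots(reconcile_strict,
                          [SNAP_INITIAL, SNAP_DELETED, SNAP_FINAL])[key]["psk"])
    print("strict, deletion missed:",
          apply_snapshots(reconcile_strict, [SNAP_INITIAL, SNAP_FINAL])[key]["psk"])
    print("reconcile, deletion missed:",
          apply_snapshots(reconcile, [SNAP_INITIAL, SNAP_FINAL])[key]["psk"])
```

The delete-then-add order in `reconcile()` is what makes the outcome depend only on the latest snapshot: whatever the daemon missed while its database connection was down, the next snapshot it does see is applied in full, and an `add_entry()` can never collide with an entry that pass 1 has not already removed.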