[ovs-dev] [PATCH 6/6] vswitch: Add support for IPsec certificate authentication.
Ben Pfaff
blp at nicira.com
Thu Dec 23 17:28:34 UTC 2010
On Wed, Dec 22, 2010 at 06:21:24PM -0800, Justin Pettit wrote:
> On Dec 22, 2010, at 1:20 PM, Ben Pfaff wrote:
> > It seems to me undesirable that this daemon prevents modifying a host
> > in-place ("configuration changed for %s, need to delete interface
> > first"). In contrast, ovs-vswitchd is designed so that it can
> > transition from any current state to any new state. Otherwise, it makes
> > life difficult for the database client: it means that, to change
> > something, the client must commit a deletion, then commit an insertion,
> > in two separate commits. And if ovs-monitor-ipsec's connection to the
> > database goes down in the middle, so that it only sees the initial and
> > final states without observing the deletion itself, then it will never
> > update the interface at all, at least not until the next time it is
> > killed and restarted. In short, this doesn't look very robust.
>
> Yes, this is a weakness. I had already checked with our controller
> team, and it's not a problem with how they set up ports. I have it on
> my to-do list to fix, so I'll try to get that cleaned up before too
> long.
Isn't it an easy fix? Change:
    # Configuration for this host already exists.  If
    # it has changed, this is an error.
    if vals != orig_vals:
        s_log.warning("configuration changed for %s, need to delete "
                      "interface first" % name)
        continue
to:
    ipsec.del_entry(vals["local_ip"], vals["remote_ip"])
Maybe there's more to it than that?
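The two update strategies under discussion, as an added example that is not part of this thread or of ovs-monitor-ipsec: a toy Python model of the host-row update loop, replaying the case from the quoted message where the daemon misses the deletion commit and observes only the initial and final states. The IpsecTable class, add_entry, the row fields and the sample addresses are assumptions; only ipsec.del_entry(local_ip, remote_ip) comes from the snippet above.

```python
class IpsecTable:
    """Stand-in for the daemon's set of configured tunnels (assumed name)."""

    def __init__(self):
        self.entries = {}  # (local_ip, remote_ip) -> row values

    def add_entry(self, local_ip, remote_ip, vals):
        self.entries[(local_ip, remote_ip)] = dict(vals)

    def del_entry(self, local_ip, remote_ip):
        self.entries.pop((local_ip, remote_ip), None)


def apply_hosts(ipsec, known, hosts, in_place):
    """One update pass over the database's host rows; `known` holds the
    vals seen for each row name on the previous pass.  in_place=False is
    the patch's behaviour (changed row skipped); in_place=True tears the
    old tunnel down and installs the new one in the same pass."""
    for name, vals in hosts.items():
        orig_vals = known.get(name)
        if orig_vals is not None:
            if vals == orig_vals:
                continue
            if not in_place:
                # "configuration changed for %s, need to delete interface first"
                continue
            # The existing tunnel is keyed by the *old* addresses.
            ipsec.del_entry(orig_vals["local_ip"], orig_vals["remote_ip"])
        ipsec.add_entry(vals["local_ip"], vals["remote_ip"], vals)
        known[name] = dict(vals)
    for name in [n for n in known if n not in hosts]:
        gone = known.pop(name)
        ipsec.del_entry(gone["local_ip"], gone["remote_ip"])


# Constructed rows: the controller changes vif0 by committing a deletion
# and then an insertion, but the daemon's database connection drops in
# between, so it observes only the initial and the final state.
INITIAL = {"vif0": {"local_ip": "10.0.0.1", "remote_ip": "10.0.0.2", "psk": "old"}}
ROTATED = {"vif0": {"local_ip": "10.0.0.1", "remote_ip": "10.0.0.2", "psk": "new"}}
MOVED = {"vif0": {"local_ip": "10.0.0.1", "remote_ip": "10.0.0.3", "psk": "new"}}


def run_scenario(final, in_place):
    """Tunnel table ((local, remote) -> psk) after seeing INITIAL, then `final`."""
    ipsec, known = IpsecTable(), {}
    apply_hosts(ipsec, known, INITIAL, in_place)
    apply_hosts(ipsec, known, final, in_place)
    return {peer: vals["psk"] for peer, vals in ipsec.entries.items()}
```

With in_place=False the stale key stays installed until the daemon is restarted; with in_place=True the same two observations converge on the final state, and deleting by orig_vals also handles a row whose remote address moved.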