[ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.

Ansis Atteka ansisatteka at gmail.com
Thu Aug 9 19:40:39 UTC 2018


On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com> wrote:
>
> Added rules and files to create debian and rpm ovs-ipsec packages.
>
> Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
> Signed-off-by: Ansis Atteka <aatteka at ovn.org>
> Co-authored-by: Ansis Atteka <aatteka at ovn.org>

Did you test this patch on Fedora with SELinux enabled?
The ovs-monitor-ipsec daemon fails to start. You need to create an SELinux
policy too:

[root at fedoraubuilder vagrant]# systemctl restart openvswitch-ipsec
[root at fedoraubuilder vagrant]# ps -Af | grep ipsec
root      1799   880  0 19:37 pts/0    00:00:00 grep --color=auto ipsec
[root at fedoraubuilder vagrant]# journalctl -xe| tail -n20
-- Unit openvswitch-ipsec.service has begun starting up.
Aug 09 19:37:16 fedoraubuilder.dev audit[1769]: AVC avc:  denied  {
execute } for  pid=1769 comm="python" name="ldconfig" dev="vda1"
ino=133192 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1776]: AVC avc:  denied  {
execute } for  pid=1776 comm="python" name="ldconfig" dev="vda1"
ino=133192 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1781]: AVC avc:  denied  {
execute } for  pid=1781 comm="python" name="ldconfig" dev="vda1"
ino=133192 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1788]: AVC avc:  denied  {
execute } for  pid=1788 comm="python" name="ipsec" dev="vda1"
ino=149908 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file
permissive=0
Aug 09 19:37:16 fedoraubuilder.dev python[1768]: ovs|  0  |
ovs-monitor-ipsec | ERR | [Errno 13] Permission denied
Aug 09 19:37:16 fedoraubuilder.dev ovs-ctl[1760]: 2018-08-09T19:37:16Z
|  0  | ovs-monitor-ipsec | ERR | [Errno 13] Permission denied
Aug 09 19:37:16 fedoraubuilder.dev ovs-ctl[1789]:
2018-08-09T19:37:16Z|00001|daemon_unix|WARN|/var/run/openvswitch/ovs-monitor-ipsec.pid:
open: No such file or directory
Aug 09 19:37:16 fedoraubuilder.dev ovs-appctl[1797]:
ovs|00001|daemon_unix|WARN|/var/run/openvswitch/ovs-monitor-ipsec.pid:
open: No such file or directory
Aug 09 19:37:16 fedoraubuilder.dev ovs-ctl[1789]: ovs-appctl: cannot
read pidfile "/var/run/openvswitch/ovs-monitor-ipsec.pid" (No such
file or directory)
Aug 09 19:37:16 fedoraubuilder.dev audit[1]: SERVICE_START pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=openvswitch-ipsec comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
Aug 09 19:37:16 fedoraubuilder.dev audit[1]: SERVICE_STOP pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=openvswitch-ipsec comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
Aug 09 19:37:16 fedoraubuilder.dev systemd[1]: Started OVS IPsec daemon.
-- Subject: Unit openvswitch-ipsec.service has finished start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit openvswitch-ipsec.service has finished starting up.
-- 
-- The start-up result is done.



> ---
>  debian/automake.mk                            |   3 +
>  debian/control                                |  21 ++
>  debian/openvswitch-ipsec.dirs                 |   1 +
>  debian/openvswitch-ipsec.init                 | 181 ++++++++++++++++++
>  debian/openvswitch-ipsec.install              |   1 +
>  rhel/automake.mk                              |   1 +
>  rhel/openvswitch-fedora.spec.in               |  19 +-
>  ...b_systemd_system_openvswitch-ipsec.service |  12 ++
>  utilities/ovs-ctl.in                          |  18 ++
>  9 files changed, 256 insertions(+), 1 deletion(-)
>  create mode 100644 debian/openvswitch-ipsec.dirs
>  create mode 100644 debian/openvswitch-ipsec.init
>  create mode 100644 debian/openvswitch-ipsec.install
>  create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service
>
> diff --git a/debian/automake.mk b/debian/automake.mk
> index 4d8e204bb..8a8d43c9f 100644
> --- a/debian/automake.mk
> +++ b/debian/automake.mk
> @@ -20,6 +20,9 @@ EXTRA_DIST += \
>         debian/openvswitch-datapath-source.copyright \
>         debian/openvswitch-datapath-source.dirs \
>         debian/openvswitch-datapath-source.install \
> +       debian/openvswitch-ipsec.dirs \
> +       debian/openvswitch-ipsec.init \
> +       debian/openvswitch-ipsec.install \
>         debian/openvswitch-pki.dirs \
>         debian/openvswitch-pki.postinst \
>         debian/openvswitch-pki.postrm \
> diff --git a/debian/control b/debian/control
> index 9ae248f27..cde93f20e 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -322,3 +322,24 @@ Description: Open vSwitch development package
>   1000V.
>   .
>   This package provides openvswitch headers and libopenvswitch for developers.
> +
> +Package: openvswitch-ipsec
> +Architecture: linux-any
> +Depends: iproute2,
> +         openvswitch-common (= ${binary:Version}),
> +         openvswitch-switch (= ${binary:Version}),
> +         python,
> +         python-openvswitch (= ${source:Version}),
> +         strongswan,
> +         ${misc:Depends},
> +         ${shlibs:Depends}
> +Description: Open vSwitch IPsec tunneling support
> + Open vSwitch is a production quality, multilayer, software-based,
> + Ethernet virtual switch. It is designed to enable massive network
> + automation through programmatic extension, while still supporting
> + standard management interfaces and protocols (e.g. NetFlow, IPFIX,
> + sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed
> + to support distribution across multiple physical servers similar to
> + VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
> + .
> + This package provides IPsec tunneling support for OVS tunnels.
> diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs
> new file mode 100644
> index 000000000..fca44aa7b
> --- /dev/null
> +++ b/debian/openvswitch-ipsec.dirs
> @@ -0,0 +1 @@
> +usr/share/openvswitch/scripts
> \ No newline at end of file
> diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
> new file mode 100644
> index 000000000..8488beccf
> --- /dev/null
> +++ b/debian/openvswitch-ipsec.init
> @@ -0,0 +1,181 @@
> +#!/bin/sh
> +#
> +# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino <jfs at debian.org>
> +#
> +# This is free software; you may redistribute it and/or modify
> +# it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation; either version 2,
> +# or (at your option) any later version.
> +#
> +# This is distributed in the hope that it will be useful, but
> +# WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License with
> +# the Debian operating system, in /usr/share/common-licenses/GPL;  if
> +# not, write to the Free Software Foundation, Inc., 59 Temple Place,
> +# Suite 330, Boston, MA 02111-1307 USA
> +#
> +### BEGIN INIT INFO
> +# Provides:          openvswitch-ipsec
> +# Required-Start:    $network $local_fs $remote_fs openvswitch-switch
> +# Required-Stop:     $remote_fs
> +# Default-Start:     2 3 4 5
> +# Default-Stop:      0 1 6
> +# Short-Description: Open vSwitch GRE-over-IPsec daemon
> +# Description:       The ovs-monitor-ipsec script provides support for
> +#                    encrypting GRE tunnels with IPsec.
> +### END INIT INFO
> +
> +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
> +
> +DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location
> +NAME=ovs-monitor-ipsec          # Introduce the short server's name here
> +LOGDIR=/var/log/openvswitch     # Log directory to use
> +DATADIR=/usr/share/openvswitch
> +
> +PIDFILE=/var/run/openvswitch/$NAME.pid
> +
> +test -x $DAEMON || exit 0
> +
> +. /lib/lsb/init-functions
> +
> +DODTIME=10              # Time to wait for the server to die, in seconds
> +                        # If this value is set too low you might not
> +                        # let some servers to die gracefully and
> +                        # 'restart' will not work
> +
> +set -e
> +
> +running_pid() {
> +# Check if a given process pid's cmdline matches a given name
> +    pid=$1
> +    name=$2
> +    [ -z "$pid" ] && return 1
> +    [ ! -d /proc/$pid ] &&  return 1
> +    cmd=`cat /proc/$pid/cmdline | tr "\000" " "|cut -d " " -f 2`
> +    # Is this the expected server
> +    [ "$cmd" != "$name" ] &&  return 1
> +    return 0
> +}
> +
> +running() {
> +# Check if the process is running looking at /proc
> +# (works for all users)
> +
> +    # No pidfile, probably no daemon present
> +    [ ! -f "$PIDFILE" ] && return 1
> +    pid=`cat $PIDFILE`
> +    running_pid $pid $DAEMON || return 1
> +    return 0
> +}
> +
> +start_server() {
> +    ${DATADIR}/scripts/ovs-ctl start-ovs-ipsec
> +    return 0
> +}
> +
> +stop_server() {
> +    ${DATADIR}/scripts/ovs-ctl stop-ovs-ipsec
> +    return 0
> +}
> +
> +force_stop() {
> +# Force the process to die killing it manually
> +    [ ! -e "$PIDFILE" ] && return
> +    if running ; then
> +        kill -15 $pid
> +        # Is it really dead?
> +        sleep "$DODTIME"
> +        if running ; then
> +            kill -9 $pid
> +            sleep "$DODTIME"
> +            if running ; then
> +                echo "Cannot kill $NAME (pid=$pid)!"
> +                exit 1
> +            fi
> +        fi
> +    fi
> +    rm -f $PIDFILE
> +}
> +
> +
> +case "$1" in
> +  start)
> +        log_daemon_msg "Starting $NAME"
> +        # Check if it's running first
> +        if running ;  then
> +            log_progress_msg "apparently already running"
> +            log_end_msg 0
> +            exit 0
> +        fi
> +        if start_server && running ;  then
> +            # It's ok, the server started and is running
> +            log_end_msg 0
> +        else
> +            # Either we could not start it or it is not running
> +            # after we did
> +            # NOTE: Some servers might die some time after they start,
> +            # this code does not try to detect this and might give
> +            # a false positive (use 'status' for that)
> +            log_end_msg 1
> +        fi
> +        ;;
> +  stop)
> +        log_daemon_msg "Stopping $NAME"
> +        if running ; then
> +            # Only stop the server if we see it running
> +            stop_server
> +            log_end_msg $?
> +        else
> +            # If it's not running don't do anything
> +            log_progress_msg "apparently not running"
> +            log_end_msg 0
> +            exit 0
> +        fi
> +        ;;
> +  force-stop)
> +        # First try to stop gracefully the program
> +        $0 stop
> +        if running; then
> +            # If it's still running try to kill it more forcefully
> +            log_daemon_msg "Stopping (force) $NAME"
> +            force_stop
> +            log_end_msg $?
> +        fi
> +        ;;
> +  restart|force-reload)
> +        log_daemon_msg "Restarting $NAME"
> +        stop_server
> +        # Wait some sensible amount, some server need this
> +        [ -n "$DODTIME" ] && sleep $DODTIME
> +        start_server
> +        running
> +        log_end_msg $?
> +        ;;
> +  status)
> +        log_daemon_msg "Checking status of $NAME"
> +        if running ;  then
> +            log_progress_msg "running"
> +            log_end_msg 0
> +        else
> +            log_progress_msg "apparently not running"
> +            log_end_msg 1
> +            exit 1
> +        fi
> +        ;;
> +  # Use this if the daemon cannot reload
> +  reload)
> +        log_warning_msg "Reloading $NAME daemon: not implemented, as the"
> +        log_warning_msg "deamon cannot re-read the config file (use restart)."
> +        ;;
> +  *)
> +        N=/etc/init.d/openvswitch-ipsec
> +        echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" \
> +             >&2
> +        exit 1
> +        ;;
> +esac
> +
> +exit 0
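Review bot: `running_pid` and `running` leave every expansion unquoted and use backticks (`[ ! -d /proc/$pid ]`, `cat $PIDFILE`, and later `kill -15 $pid` in `force_stop`), and nothing checks that the pidfile actually holds a number before it is used as a path component and a kill target; after the `pid=` assignment a guard such as `case "$pid" in ''|*[!0-9]*) return 1 ;; esac` closes that gap. The `cut -d " " -f 2` comparison against `$DAEMON` only holds while the daemon is launched as `<interpreter> /usr/share/openvswitch/scripts/ovs-monitor-ipsec`, which appears to be what ovs-ctl's `start_ovs_ipsec` does in this series; a comment stating that dependency would help the next editor, as would one noting that `force_stop` relies on the global `$pid` left behind by `running`. Minor wording: "deamon" in the reload message, and the Short-Description's "GRE-over-IPsec daemon" disagrees with the generic "IPsec tunneling support" used in the package description.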
> diff --git a/debian/openvswitch-ipsec.install b/debian/openvswitch-ipsec.install
> new file mode 100644
> index 000000000..8fe665cb3
> --- /dev/null
> +++ b/debian/openvswitch-ipsec.install
> @@ -0,0 +1 @@
> +ipsec/ovs-monitor-ipsec usr/share/openvswitch/scripts
> diff --git a/rhel/automake.mk b/rhel/automake.mk
> index 7b6c78fd7..bc65d83e5 100644
> --- a/rhel/automake.mk
> +++ b/rhel/automake.mk
> @@ -35,6 +35,7 @@ EXTRA_DIST += \
>         rhel/usr_lib_systemd_system_ovn-controller.service \
>         rhel/usr_lib_systemd_system_ovn-controller-vtep.service \
>         rhel/usr_lib_systemd_system_ovn-northd.service \
> +       rhel/usr_lib_systemd_system_openvswitch-ipsec.service \
>         rhel/usr_lib_firewalld_services_ovn-central-firewall-service.xml \
>         rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml
>
> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
> index 9f8664e95..ca2b5bc85 100644
> --- a/rhel/openvswitch-fedora.spec.in
> +++ b/rhel/openvswitch-fedora.spec.in
> @@ -210,6 +210,14 @@ Requires: openvswitch openvswitch-ovn-common %{_py2}-openvswitch
>  %description ovn-docker
>  Docker network plugins for OVN.
>
> +%package openvswitch-ipsec
> +Summary: Open vSwitch IPsec tunneling support
> +License: ASL 2.0
> +Requires: openvswitch %{_py2}-openvswitch libreswan
> +
> +%description openvswitch-ipsec
> +This package provides IPsec tunneling support for OVS tunnels.
> +
>  %prep
>  %setup -q
>
> @@ -261,7 +269,8 @@ install -p -D -m 0644 \
>          rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template \
>          $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/openvswitch
>  for service in openvswitch ovsdb-server ovs-vswitchd ovs-delete-transient-ports \
> -                ovn-controller ovn-controller-vtep ovn-northd; do
> +                ovn-controller ovn-controller-vtep ovn-northd \
> +                openvswitch-ipsec; do
>          install -p -D -m 0644 \
>                          rhel/usr_lib_systemd_system_${service}.service \
>                          $RPM_BUILD_ROOT%{_unitdir}/${service}.service
> @@ -319,6 +328,10 @@ install -p -D -m 0755 \
>          rhel/usr_share_openvswitch_scripts_ovs-systemd-reload \
>          $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-systemd-reload
>
> +install -m 0755 \
> +        ipsec/ovs-monitor-ipsec \
> +        $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec
> +
>  # remove unpackaged files
>  rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
>          $RPM_BUILD_ROOT%{_sbindir}/ovs-vlan-bug-workaround \
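Review bot: The new `install -m 0755 ipsec/ovs-monitor-ipsec ...` omits the `-p -D` flags that the neighbouring install lines in this file pass (`install -p -D -m 0755 \` directly above), so it neither preserves the source timestamp nor creates the target directory if a preceding step has not already done so. Change it to `install -p -D -m 0755 \` to match the surrounding style.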
> @@ -647,6 +660,10 @@ fi
>  %{_mandir}/man8/ovn-controller-vtep.8*
>  %{_unitdir}/ovn-controller-vtep.service
>
> +%files openvswitch-ipsec
> +%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec
> +%{_unitdir}/openvswitch-ipsec.service
> +
>  %changelog
>  * Wed Jan 12 2011 Ralf Spenneberg <ralf at os-s.net>
>  - First build on F14
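Review bot: `%files openvswitch-ipsec` ships a systemd unit, but this diff adds no `%post`/`%preun`/`%postun` scriptlets (`%systemd_post openvswitch-ipsec.service` and its `%systemd_preun`/`%systemd_postun_with_restart` counterparts) for the new subpackage, so enable/disable on install, upgrade and removal would not be handled for it. The scriptlet sections are outside the visible hunks; if the other units in this spec get them there, the new package should follow the same pattern.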
> diff --git a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
> new file mode 100644
> index 000000000..813844e51
> --- /dev/null
> +++ b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
> @@ -0,0 +1,12 @@
> +[Unit]
> +Description=OVS IPsec daemon
> +Requires=openvswitch.service
> +After=openvswitch.service
> +
> +[Service]
> +Type=forking
> +ExecStart=/usr/share/openvswitch/scripts/ovs-ctl start-ovs-ipsec
> +ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
> +
> +[Install]
> +WantedBy=multi-user.target
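Review bot: `Type=forking` is paired with an `ExecStart` that runs the daemon through ovs-ctl with `--detach --monitor`, but there is no `PIDFile=` line, so systemd has to guess which of the forked processes is the main one. Since ovs-ctl already passes `--pidfile` and the journal excerpt above shows it at `/var/run/openvswitch/ovs-monitor-ipsec.pid`, add `PIDFile=/var/run/openvswitch/ovs-monitor-ipsec.pid` under `[Service]` so `systemctl status` and exit tracking follow the right process. That path assumes ovs-ctl's `${rundir}` is `/var/run/openvswitch` on this platform; confirm against the packaged ovs-ctl.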
> diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
> index 43c8f32b7..d9b6ed943 100755
> --- a/utilities/ovs-ctl.in
> +++ b/utilities/ovs-ctl.in
> @@ -222,6 +222,13 @@ start_forwarding () {
>      return 0
>  }
>
> +start_ovs_ipsec () {
> +    ${datadir}/scripts/ovs-monitor-ipsec \
> +        --pidfile=${rundir}/ovs-monitor-ipsec.pid \
> +        --log-file --detach --monitor unix:${rundir}/db.sock
> +    return 0
> +}
> +
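Review bot: `start_ovs_ipsec` unconditionally returns 0, so a daemon that fails to launch is reported as a successful start to the caller; the journal excerpt above shows exactly that, with the unit marked started while the daemon had already exited with "Permission denied". Drop the trailing `return 0` so the daemon's exit status propagates, or test it explicitly. The same masking is in `stop_ovs_ipsec` in the next hunk, where `ovs-appctl -t ovs-monitor-ipsec exit` fails with "cannot read pidfile" when nothing is running yet the function still returns 0; quoting `"${datadir}"` and `"${rundir}"` on both command lines would also match the quoting expected of these scripts.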
>  ## ---- ##
>  ## stop ##
>  ## ---- ##
> @@ -238,6 +245,11 @@ stop_forwarding () {
>      fi
>  }
>
> +stop_ovs_ipsec () {
> +    ${bindir}/ovs-appctl -t ovs-monitor-ipsec exit
> +    return 0
> +}
> +
>  ## --------------- ##
>  ## enable-protocol ##
>  ## --------------- ##
> @@ -522,6 +534,12 @@ case $command in
>      delete-transient-ports)
>          del_transient_ports
>          ;;
> +    start-ovs-ipsec)
> +        start_ovs_ipsec
> +        ;;
> +    stop-ovs-ipsec)
> +        stop_ovs_ipsec
> +        ;;
>      help)
>          usage
>          ;;
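Review bot: The new `start-ovs-ipsec` and `stop-ovs-ipsec` arms are dispatched here, but the `usage` text that the `help)` arm prints is not touched by this diff; its definition is outside the hunk, and if it enumerates the other commands the two new ones should be listed there as well. A one-line comment on each new arm noting that they are the entry points used by the openvswitch-ipsec init script and systemd unit would help readers tracing the call path.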
> --
> 2.18.0
>

