[ovs-dev] [PATCH 1/2] Documentation: update IPsec tutorial for F32

Mark Gray mark.d.gray at redhat.com
Fri Oct 23 14:24:00 UTC 2020


On 21/10/2020 16:07, Stokes, Ian wrote:
>> F32 requires the "python3-openvswitch" package now. Also, the
>> iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32.
>>
> 
> Hi Mark, thanks for the patch, some minor comments below.
> 
>> Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
>> ---
>>  Documentation/tutorials/ipsec.rst | 27 ++++++++++++---------------
>>  1 file changed, 12 insertions(+), 15 deletions(-)
>>
>> diff --git a/Documentation/tutorials/ipsec.rst
>> b/Documentation/tutorials/ipsec.rst
>> index b4c323513..ea0b6a63f 100644
>> --- a/Documentation/tutorials/ipsec.rst
>> +++ b/Documentation/tutorials/ipsec.rst
>> @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages
>>  ---------------------------------
>>
>>  OVS IPsec has .deb and .rpm packages. You should use the right package
>> -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27
>> +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32
>>  as examples.
> 
> Given that the instructions change between Fedora versions, is it worth adding a note that for Fedora versions older than Fedora 32, users should consult the previous OVS release tutorial?

This is just a tutorial, so I am not making any statement about the
availability of the IPsec feature in different distros, only that, as of
F32, the instructions are correct.

The main difference is regarding the iptables instructions below. I
think Eric has cleared that up and I will update the documentation to
reflect that, as that seems to be the most generic way to enable the
firewall across multiple Fedora releases.


> 
> The alternative would be to maintain another section here for Fedora 27, but that seems like a pain and TBH I'm not sure if Fedora 27 is still active. As such, a note might suffice.
> 
>>
>>  Ubuntu
>> @@ -71,21 +71,18 @@ Ubuntu
>>  Fedora
>>  ~~~~~~
>>
>> -1. Follow :doc:`/intro/install/fedora` to build RPM packages.
>> +1. Install the related packages. Fedora 32 does not require installation of
>> +   the out-of-tree kernel module::
>>
>> -2. Install the related packages::
>> -
>> -       $ dnf install python2-openvswitch libreswan \
>> -                     "kernel-devel-uname-r == $(uname -r)"
>> -       $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \
>> -                openvswitch-openvswitch-ipsec-*.rpm
>> +       $ dnf install python3-openvswitch libreswan \
>> +                     openvswitch openvswitch-ipsec
>>
>> -3. Install firewall rules to allow ESP and IKE traffic::
>> +2. Install firewall rules to allow ESP and IKE traffic::
>>
>> -       $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT
>> -       $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT
>> +       $ iptables -A INPUT -p esp -j ACCEPT
>> +       $ iptables -A INPUT -p udp --dport 500 -j ACCEPT
> 
> Same as above, again maybe a line at the beginning of the tutorial would help point people in the right direction depending on the version they are using?

Will update as per Eric's comments.
>  
>>
>> -4. Run the openvswitch-ipsec service::
>> +3. Run the openvswitch-ipsec service::
>>
>>         $ systemctl start openvswitch-ipsec.service
>>
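Review bot: In step 2, `iptables -A INPUT` appends the ESP and UDP 500 ACCEPT rules to the end of the chain, so on a host whose INPUT chain already contains an earlier REJECT or DROP rule they are never reached, and rules added this way do not survive a reboot. Consider documenting an insert ahead of any such rule, or the distribution's own firewall tooling, and say how the reader can confirm the rules took effect. It is also worth stating whether UDP 4500 must be opened when the peers sit behind NAT, since only port 500 is listed. Separately, the new step 1 sentence "Fedora 32 does not require installation of the out-of-tree kernel module::" now serves as the lead-in to the dnf command; moving that remark into its own sentence after the literal block would read more clearly.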
>> @@ -97,7 +94,7 @@ Fedora
>>  Configuring IPsec tunnel
>>  ------------------------
>>
>> -Suppose you want to build IPsec tunnel between two hosts. Assume `host_1`'s
>> +Suppose you want to build an IPsec tunnel between two hosts. Assume
>> `host_1`'s
>>  external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
>>  `host_1` and `host_2` can ping each other via these external IPs.
>>
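Review bot: The example addresses 1.1.1.1 and 2.2.2.2 in the context lines of this paragraph are real, publicly routable addresses; since the sentence is being edited anyway, switching the tutorial to the RFC 5737 documentation ranges (for example 192.0.2.1 and 198.51.100.1) would keep copied commands from pointing IKE and ESP traffic at hosts the reader does not control. The single-backtick `host_1` and `host_2` also use the RST default role rather than an inline literal; double backticks would render them as code.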
>> @@ -123,8 +120,8 @@ external IP is 1.1.1.1, and `host_2`'s external IP is
>> 2.2.2.2. Make sure
>>
>>  2. Set up IPsec tunnel.
>>
>> -   There are three authentication methods. You can choose one to set up your
>> -   IPsec tunnel.
>> +   There are three authentication methods.  Choose one method to set up your
>> +   IPsec tunnel and follow the steps below.
>>
>>     a) Using pre-shared key:
>>
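Review bot: The added line "There are three authentication methods.  Choose one method ..." puts two spaces after the full stop, while the other sentences added in this patch ("hosts. Assume", "packages. Fedora 32") use one; use a single space for consistency. "Choose one method ... and follow the steps below" would also be more precise if it said that only the steps under the chosen item a), b) or c) apply, so a reader does not configure a pre-shared key and then continue into the other methods.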
> 
> Other than that LGTM. Did you have any thoughts on requirements for backporting it? 

No need for the documentation - 2/2 is a bug though so probably should be.
> 
> Regards
> Ian
>> --
>> 2.26.2
>>
>> _______________________________________________
>> dev mailing list
>> dev at openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> 


