[ovs-dev] [PATCH 1/2] Documentation: update IPsec tutorial for F32
Kevin Traynor
ktraynor at redhat.com
Fri Oct 23 18:01:59 UTC 2020
On 23/10/2020 15:24, Mark Gray wrote:
> On 21/10/2020 16:07, Stokes, Ian wrote:
>>> F32 requires the "python3-openvswitch" package now. Also, the
>>> iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32.
>>>
>>
>> Hi Mark, thanks for the patch, some minor comments below.
>>
>>> Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
>>> ---
>>> Documentation/tutorials/ipsec.rst | 27 ++++++++++++---------------
>>> 1 file changed, 12 insertions(+), 15 deletions(-)
>>>
>>> diff --git a/Documentation/tutorials/ipsec.rst
>>> b/Documentation/tutorials/ipsec.rst
>>> index b4c323513..ea0b6a63f 100644
>>> --- a/Documentation/tutorials/ipsec.rst
>>> +++ b/Documentation/tutorials/ipsec.rst
>>> @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages
>>> ---------------------------------
>>>
>>> OVS IPsec has .deb and .rpm packages. You should use the right package
>>> -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27
>>> +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32
>>> as examples.
>>
>> Given that the instructions change between Fedora versions, is it worth adding a note that for Fedora versions older than Fedora 32, users should consult the previous OVS release tutorial?
>
> This is just a tutorial so I am not making any statement about
> availability of the IPsec feature in different distros only that, as of
> F32, the instructions are correct.
>
Fedora 31 will be EOL next month. For Fedora in particular, I don't
think there's any point in writing anything for older releases.

> The main difference is regarding the iptables instructions below. I
> think Eric has cleared that up and I will update the documentation to
> reflect that, as that seems to be the most generic way to enable the firewall
> across multiple Fedora releases.
>
>
>>
>> The alternative would be to maintain another section here for Fedora 27 but that seems like a pain and TBH I'm not sure if Fedora 27 is still active? As such a note might suffice.
>>
>>>
>>> Ubuntu
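
Review bot: the changed sentence now pairs Fedora 32 with Ubuntu 16.04, but the commit message only describes rechecking the Fedora steps; either confirm the Ubuntu section is still accurate for 16.04 or word the sentence so it is clear which release each section was last verified on.
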
>>> @@ -71,21 +71,18 @@ Ubuntu
>>> Fedora
>>> ~~~~~~
>>>
>>> -1. Follow :doc:`/intro/install/fedora` to build RPM packages.
>>> +1. Install the related packages. Fedora 32 does not require installation of
>>> + the out-of-tree kernel module::
>>>
>>> -2. Install the related packages::
>>> -
>>> - $ dnf install python2-openvswitch libreswan \
>>> - "kernel-devel-uname-r == $(uname -r)"
>>> - $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \
>>> - openvswitch-openvswitch-ipsec-*.rpm
>>> + $ dnf install python3-openvswitch libreswan \
>>> + openvswitch openvswitch-ipsec
>>>
>>> -3. Install firewall rules to allow ESP and IKE traffic::
>>> +2. Install firewall rules to allow ESP and IKE traffic::
>>>
>>> - $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT
>>> - $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT
>>> + $ iptables -A INPUT -p esp -j ACCEPT
>>> + $ iptables -A INPUT -p udp --dport 500 -j ACCEPT
>>
>> Same as above, again maybe a line at the beginning of the tutorial would help point people in the right direction depending on the version they are using?
>
> Will update as per Eric's comments
>>
>>>
>>> -4. Run the openvswitch-ipsec service::
>>> +3. Run the openvswitch-ipsec service::
>>>
>>> $ systemctl start openvswitch-ipsec.service
>>>
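
Review bot: in the new step 2, `iptables -A INPUT` appends both ACCEPT rules to the end of the chain, so on a host whose INPUT chain already ends in a REJECT or DROP rule the ESP and UDP 500 rules are never reached and the tunnel will not come up even though the commands succeeded. Suggest inserting the rules ahead of any terminating rule (`iptables -I INPUT ...`) or stating the assumption about the existing ruleset, and noting that rules added this way do not survive a reboot.
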
>>> @@ -97,7 +94,7 @@ Fedora
>>> Configuring IPsec tunnel
>>> ------------------------
>>>
>>> -Suppose you want to build IPsec tunnel between two hosts. Assume `host_1`'s
>>> +Suppose you want to build an IPsec tunnel between two hosts. Assume
>>> `host_1`'s
>>> external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
>>> `host_1` and `host_2` can ping each other via these external IPs.
>>>
>>> @@ -123,8 +120,8 @@ external IP is 1.1.1.1, and `host_2`'s external IP is
>>> 2.2.2.2. Make sure
>>>
>>> 2. Set up IPsec tunnel.
>>>
>>> - There are three authentication methods. You can choose one to set up your
>>> - IPsec tunnel.
>>> + There are three authentication methods. Choose one method to set up your
>>> + IPsec tunnel and follow the steps below.
>>>
>>> a) Using pre-shared key:
>>>
>>
>> Other than that LGTM. Did you have any thoughts on requirements for backporting it?
>
> No need for the documentation - 2/2 is a bug though so probably should be.
>>
>> Regards
>> Ian
>>> --
>>> 2.26.2
>>>
>>> _______________________________________________
>>> dev mailing list
>>> dev at openvswitch.org
>>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>
>