[ovs-discuss] Inserting and using the compiled OVS kernel modules

Levente Csikor csikor at tmit.bme.hu
Thu Jan 10 10:19:33 UTC 2019


The signing issue has been resolved by creating signing keys and naming
them as openvswitch wants to have them.

Creating a key:
$ sudo openssl req -new -x509 -sha512 -newkey rsa:4096 -nodes -keyout key.pem -days 36500 -out certificate.pem
$ sudo cp key.pem /usr/src/linux-headers-$(uname -r)/certs/signing_key.pem
$ sudo cp certificate.pem /usr/src/linux-headers-$(uname -r)/certs/signing_key.x509

Now, sudo make modules_install has no issues:
cd datapath/linux && make modules_install
make[1]: Entering directory '/home/csikor/openvswitch-2.10.0/datapath/linux'
make -C /lib/modules/4.15.0-32-generic/build M=/home/csikor/openvswitch-2.10.0/datapath/linux modules_install
make[2]: Entering directory '/usr/src/linux-headers-4.15.0-32-generic'
  INSTALL /home/csikor/openvswitch-2.10.0/datapath/linux/openvswitch.ko
  INSTALL /home/csikor/openvswitch-2.10.0/datapath/linux/vport-geneve.ko
  INSTALL /home/csikor/openvswitch-2.10.0/datapath/linux/vport-gre.ko
  INSTALL /home/csikor/openvswitch-2.10.0/datapath/linux/vport-lisp.ko
  INSTALL /home/csikor/openvswitch-2.10.0/datapath/linux/vport-stt.ko
  INSTALL /home/csikor/openvswitch-2.10.0/datapath/linux/vport-vxlan.ko
  DEPMOD  4.15.0-32-generic
make[2]: Leaving directory '/usr/src/linux-headers-4.15.0-32-generic'
depmod `sed -n 's/#define UTS_RELEASE "\([^"]*\)"/\1/p' /lib/modules/4.15.0-32-generic/build/include/generated/utsrelease.h`
make[1]: Leaving directory '/home/csikor/openvswitch-2.10.0/datapath/linux'


Other issues mentioned before still apply :(

cheers,
levi
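
Added example, not part of the original message or of the Open vSwitch build: the earlier run quoted below shows `INSTALL` carrying on after `sign-file` failed for every module, so a clean `modules_install` is worth confirming by checking each installed `.ko` for the marker that `sign-file` appends. The sample files and the `make_sample_dir` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): find modules that
# modules_install copied without an appended signature.
# sign-file ends every signed module with this marker plus a newline (28 bytes).
MARKER='~Module signature appended~'

# is_signed FILE: succeeds when FILE ends with the signature marker.
is_signed() {
    # tr drops NUL bytes so a binary tail does not upset the shell; $(...)
    # strips the trailing newline, leaving exactly the 27-character marker.
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\000')" = "$MARKER" ]
}

# unsigned_modules DIR: print each *.ko in DIR that lacks the marker;
# exit status is 1 if at least one was found, 0 otherwise.
unsigned_modules() {
    rc=0
    for ko in "$1"/*.ko; do
        [ -e "$ko" ] || continue          # glob matched nothing
        is_signed "$ko" || { basename "$ko"; rc=1; }
    done
    return "$rc"
}

# make_sample_dir: constructed stand-ins for .ko files (not real modules).
make_sample_dir() {
    d=$(mktemp -d)
    printf 'ELF-body\000\000PKCS7-blob%s\n' "$MARKER" > "$d/openvswitch.ko"
    printf 'ELF-body\000\000no signature here, only padding' > "$d/vport-gre.ko"
    echo "$d"
}

# Demo on the constructed directory; on a real system pass
# /lib/modules/$(uname -r)/extra instead.
sample=$(make_sample_dir)
unsigned_modules "$sample" || echo "unsigned modules found in $sample"
rm -rf "$sample"
```

The marker only shows that a signature was appended; whether the kernel trusts the signing key is a separate question, which is what the `PKCS#7 signature not signed with a trusted key` line in the quoted dmesg output reports.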

On Thu, 2019-01-10 at 11:06 +0100, Levente Csikor wrote:
> Hi, 
> I have updated the compiler, and tried gcc 7.3 and even 8.2 (latest
> gcc-7 and gcc-8 packages in Ubuntu 16.04).
> I have just gotten to know that gcc 7.3 is with retpoline so it should
> not have any issue.
> However, after the compilation is finished with no errors, insmod or
> more precisely dmesg still says the same:
> [ 6092.123271] Spectre V2 : System may be vulnerable to spectre v2
> [ 6092.123280] openvswitch: loading module not compiled with retpoline compiler.
> [ 6092.128378] openvswitch: Open vSwitch switching datapath 2.10.0
> 
> And lsmod|grep openvswitch still gives nothing back.
> This also implies that there is nothing in the /sys/modules/ named as
> openvswitch :(
> 
> When I call sudo make modules_install in openvswitch source, it seems
> it succeeds but there are signing issues:
> cd datapath/linux && make modules_install
> make[1]: Entering directory '/home/csikor/openvswitch-2.10.0/datapath/linux'
> make -C /lib/modules/4.15.0-32-generic/build M=/home/csikor/openvswitch-2.10.0/datapath/linux modules_install
> make[2]: Entering directory '/usr/src/linux-headers-4.15.0-32-generic'
>   INSTALL /home/csikor/openvswitch-2.10.0/datapath/linux/openvswitch.ko
> At main.c:160:
> - SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:74
> - SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:81
> sign-file: certs/signing_key.pem: No such file or directory
>   INSTALL /home/csikor/openvswitch-2.10.0/datapath/linux/vport-geneve.ko
> At main.c:160:
> - SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:74
> - SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:81
> sign-file: certs/signing_key.pem: No such file or directory
>   INSTALL /home/csikor/openvswitch-2.10.0/datapath/linux/vport-gre.ko
> At main.c:160:
> - SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:74
> - SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:81
> sign-file: certs/signing_key.pem: No such file or directory
>   INSTALL /home/csikor/openvswitch-2.10.0/datapath/linux/vport-lisp.ko
> At main.c:160:
> - SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:74
> - SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:81
> sign-file: certs/signing_key.pem: No such file or directory
>   INSTALL /home/csikor/openvswitch-2.10.0/datapath/linux/vport-stt.ko
> At main.c:160:
> - SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:74
> - SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:81
> sign-file: certs/signing_key.pem: No such file or directory
>   INSTALL /home/csikor/openvswitch-2.10.0/datapath/linux/vport-vxlan.ko
> At main.c:160:
> - SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:74
> - SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:81
> sign-file: certs/signing_key.pem: No such file or directory
>   DEPMOD  4.15.0-32-generic
> make[2]: Leaving directory '/usr/src/linux-headers-4.15.0-32-generic'
> depmod `sed -n 's/#define UTS_RELEASE "\([^"]*\)"/\1/p' /lib/modules/4.15.0-32-generic/build/include/generated/utsrelease.h`
> make[1]: Leaving directory '/home/csikor/openvswitch-2.10.0/datapath/linux'
> 
> Should I somehow resolve this?
> If yes, how can I resolve this? Should I generate a signing_key.pem and
> put it into somewhere (e.g., /usr/src/linux-headers-$(uname -r)/certs)?
> 
> On the other hand, an openvswitch.ko module now can be found at:
> lib/modules/4.15.0-32-generic/extra/openvswitch.ko
> 
> which has a 'last accessed timestamp' for today, so it has just been
> made by the make modules_install command.
> However, modprobe openvswitch still loads the original, standard linux
> kernel-provided module.
> How can I force modprobe to use the one in the .../extra/ folder?
> I did not want to do any symlink tricks for the first sight, but maybe
> I will need to do that (?)
> 
> Thanks,
> levi
> 
> 
> 
> 
> On Sat, 2019-01-05 at 08:34 -0800, Gregory Rose wrote:
> > 
> > On 1/5/2019 2:34 AM, Levente Csikor wrote:
> > > Yes, I thought so, however I don't see anything:
> > > 
> > > # modprobe openvswitch
> > > # dmesg |tail -n 8
> > > [250423.894258] PKCS#7 signature not signed with a trusted key
> > > [250423.894271] Spectre V2 : System may be vulnerable to spectre v2
> > > [250423.894273] openvswitch: loading module not compiled with retpoline compiler.
> > 
> > You need to upgrade your compiler.
> > 
> > > [250423.896970] openvswitch: Open vSwitch switching datapath 2.10.0
> > > [250423.897064] openvswitch: LISP tunneling driver
> > > [250423.897064] GRE over IPv4 demultiplexor driver
> > > [250423.898141] openvswitch: GRE over IPv4 tunneling driver
> > > [250423.898488] openvswitch: GRE over IPv6 tunneling driver
> > > # lsmod |grep openv
> > > #
> > 
> > That's truly odd, I've never seen it start to load like that and then
> > just disappear.  However, the compiler issue should be addressed.
> > Upgrade your compiler to one with retpoline support and then see if
> > that fixes the problem.
> > 
> > - Greg
> > 
> > > 
> > > I have never encountered such a thing. When I used insmod, at least
> > > the module itself was definitely loaded.
> > > Any other thoughts on tracing what is happening and why the module
> > > is not loaded?
> > > 
> > > Cheers,
> > > levi
> > > 
> > > On Fri, 2019-01-04 at 09:25 -0800, Gregory Rose wrote:
> > > > On 1/3/2019 11:48 PM, Levente Csikor wrote:
> > > > > I do not have any openvswitch in /sys/module.
> > > > > I guess I need to have the module inserted correctly to have it,
> > > > > don't I?
> > > > 
> > > > If there is no openvswitch directory under /sys/modules then the
> > > > module isn't loaded.
> > > > 
> > > > > On the other hand, I have made the modules_install as well, and
> > > > > now when I say modprobe openvswitch, dmesg says the version 2.10.0
> > > > > has been loaded and no errors have been raised during insertion.
> > > > > However, lsmod|grep openvswitch returns nothing...strange.
> > > > > I guess the latter is the main cause of not having openvswitch in
> > > > > /sys/module/ :S
> > > > 
> > > > Correct.
> > > > 
> > > > > Any thoughts?
> > > > 
> > > > You should see something like this in your dmesg output:
> > > > 
> > > > [167126.796728] openvswitch: Open vSwitch switching datapath 2.10.90
> > > > [167126.796869] openvswitch: LISP tunneling driver
> > > > [167126.796870] GRE over IPv4 demultiplexor driver
> > > > [167126.797172] openvswitch: GRE over IPv4 tunneling driver
> > > > [167126.797406] openvswitch: GRE over IPv6 tunneling driver
> > > > [167126.797526] openvswitch: Geneve tunneling driver
> > > > [167126.797528] openvswitch: VxLAN tunneling driver
> > > > [167126.797529] openvswitch: STT tunneling driver
> > > > 
> > > > - Greg
> > > > > Cheers
> > > > > 
> > > > > On Thu, 2019-01-03 at 08:47 -0800, Gregory Rose wrote:
> > > > > > Run 'cat /sys/module/openvswitch/version' and that should give
> > > > > > you output like this:
> > > > > > 
> > > > > > # cat /sys/module/openvswitch/version
> > > > > > 2.10.1
> > 
> > 
> 

