[ovs-dev,v4,5/9] debian and rhel: Create IPsec package.
diff mbox series

Message ID 20180731210854.31682-6-qiuyu.xiao.qyx@gmail.com
State Changes Requested
Series
  • IPsec support for tunneling

Commit Message

Qiuyu Xiao July 31, 2018, 9:08 p.m. UTC
Added rules and files to create debian and rpm ovs-ipsec packages.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Signed-off-by: Ansis Atteka <aatteka@ovn.org>
Co-authored-by: Ansis Atteka <aatteka@ovn.org>
---
 debian/automake.mk                            |   3 +
 debian/control                                |  21 ++
 debian/openvswitch-ipsec.dirs                 |   1 +
 debian/openvswitch-ipsec.init                 | 181 ++++++++++++++++++
 debian/openvswitch-ipsec.install              |   1 +
 rhel/automake.mk                              |   1 +
 rhel/openvswitch-fedora.spec.in               |  19 +-
 ...b_systemd_system_openvswitch-ipsec.service |  12 ++
 utilities/ovs-ctl.in                          |  18 ++
 9 files changed, 256 insertions(+), 1 deletion(-)
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service

Comments

Ben Pfaff July 31, 2018, 10:33 p.m. UTC | #1
On Tue, Jul 31, 2018 at 02:08:50PM -0700, Qiuyu Xiao wrote:
> Added rules and files to create debian and rpm ovs-ipsec packages.
> 
> Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
> Signed-off-by: Ansis Atteka <aatteka@ovn.org>
> Co-authored-by: Ansis Atteka <aatteka@ovn.org>

Do you or Ansis test the packaging?  (Or, for the Debian packaging, is
it similar enough to the packaging we previously had that it is
"probably" correct?)

Thanks,

Ben.
Qiuyu Xiao July 31, 2018, 11:13 p.m. UTC | #2
The Debian packaging is the same as the packaging we previously had.
For the Debian package, I tested it by installing it in Ubuntu 16.04 with
'dpkg -i'. For the RPM package, I tested it by installing it in Fedora 27
with 'rpm -i'. Is there any standard method to test packaging?

Thanks,
Qiuyu

Ben Pfaff Aug. 1, 2018, 5:19 p.m. UTC | #3
Those sound to me like reasonable ways to test.  Thank you.


Patch

diff --git a/debian/automake.mk b/debian/automake.mk
index 4d8e204bb..8a8d43c9f 100644
--- a/debian/automake.mk
+++ b/debian/automake.mk
@@ -20,6 +20,9 @@  EXTRA_DIST += \
 	debian/openvswitch-datapath-source.copyright \
 	debian/openvswitch-datapath-source.dirs \
 	debian/openvswitch-datapath-source.install \
+	debian/openvswitch-ipsec.dirs \
+	debian/openvswitch-ipsec.init \
+	debian/openvswitch-ipsec.install \
 	debian/openvswitch-pki.dirs \
 	debian/openvswitch-pki.postinst \
 	debian/openvswitch-pki.postrm \
diff --git a/debian/control b/debian/control
index 9ae248f27..cde93f20e 100644
--- a/debian/control
+++ b/debian/control
@@ -322,3 +322,24 @@  Description: Open vSwitch development package
  1000V.
  .
  This package provides openvswitch headers and libopenvswitch for developers.
+
+Package: openvswitch-ipsec
+Architecture: linux-any
+Depends: iproute2,
+         openvswitch-common (= ${binary:Version}),
+         openvswitch-switch (= ${binary:Version}),
+         python,
+         python-openvswitch (= ${source:Version}),
+         strongswan,
+         ${misc:Depends},
+         ${shlibs:Depends}
+Description: Open vSwitch IPsec tunneling support
+ Open vSwitch is a production quality, multilayer, software-based,
+ Ethernet virtual switch. It is designed to enable massive network
+ automation through programmatic extension, while still supporting
+ standard management interfaces and protocols (e.g. NetFlow, IPFIX,
+ sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed
+ to support distribution across multiple physical servers similar to
+ VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
+ .
+ This package provides IPsec tunneling support for OVS tunnels.
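Review bot: the long description only says "IPsec tunneling support for OVS tunnels" and never names what the package actually installs and runs (the ovs-monitor-ipsec script, driven against strongswan); one sentence saying so would help administrators, especially since the rhel spec in this same patch requires libreswan instead, so the two packages expect different IKE daemons. The `python` / `python-openvswitch` dependencies also pin the package to Python 2, matching `%{_py2}-openvswitch` on the RPM side; worth stating in the commit message.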
diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs
new file mode 100644
index 000000000..fca44aa7b
--- /dev/null
+++ b/debian/openvswitch-ipsec.dirs
@@ -0,0 +1 @@ 
+usr/share/openvswitch/scripts
\ No newline at end of file
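Review bot: the new `.dirs` file has no trailing newline (`\ No newline at end of file`); add one so it matches the other packaging files and does not show up as a spurious change in later diffs.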
diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
new file mode 100644
index 000000000..8488beccf
--- /dev/null
+++ b/debian/openvswitch-ipsec.init
@@ -0,0 +1,181 @@ 
+#!/bin/sh
+#
+# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino <jfs@debian.org>
+#
+# This is free software; you may redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2,
+# or (at your option) any later version.
+#
+# This is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License with
+# the Debian operating system, in /usr/share/common-licenses/GPL;  if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+#
+### BEGIN INIT INFO
+# Provides:          openvswitch-ipsec
+# Required-Start:    $network $local_fs $remote_fs openvswitch-switch
+# Required-Stop:     $remote_fs
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Open vSwitch GRE-over-IPsec daemon
+# Description:       The ovs-monitor-ipsec script provides support for
+#                    encrypting GRE tunnels with IPsec.
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location
+NAME=ovs-monitor-ipsec          # Introduce the short server's name here
+LOGDIR=/var/log/openvswitch     # Log directory to use
+DATADIR=/usr/share/openvswitch
+
+PIDFILE=/var/run/openvswitch/$NAME.pid
+
+test -x $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+DODTIME=10              # Time to wait for the server to die, in seconds
+                        # If this value is set too low you might not
+                        # let some servers to die gracefully and
+                        # 'restart' will not work
+
+set -e
+
+running_pid() {
+# Check if a given process pid's cmdline matches a given name
+    pid=$1
+    name=$2
+    [ -z "$pid" ] && return 1
+    [ ! -d /proc/$pid ] &&  return 1
+    cmd=`cat /proc/$pid/cmdline | tr "\000" " "|cut -d " " -f 2`
+    # Is this the expected server
+    [ "$cmd" != "$name" ] &&  return 1
+    return 0
+}
+
+running() {
+# Check if the process is running looking at /proc
+# (works for all users)
+
+    # No pidfile, probably no daemon present
+    [ ! -f "$PIDFILE" ] && return 1
+    pid=`cat $PIDFILE`
+    running_pid $pid $DAEMON || return 1
+    return 0
+}
+
+start_server() {
+    ${DATADIR}/scripts/ovs-ctl start-ovs-ipsec
+    return 0
+}
+
+stop_server() {
+    ${DATADIR}/scripts/ovs-ctl stop-ovs-ipsec
+    return 0
+}
+
+force_stop() {
+# Force the process to die killing it manually
+    [ ! -e "$PIDFILE" ] && return
+    if running ; then
+        kill -15 $pid
+        # Is it really dead?
+        sleep "$DODTIME"
+        if running ; then
+            kill -9 $pid
+            sleep "$DODTIME"
+            if running ; then
+                echo "Cannot kill $NAME (pid=$pid)!"
+                exit 1
+            fi
+        fi
+    fi
+    rm -f $PIDFILE
+}
+
+
+case "$1" in
+  start)
+        log_daemon_msg "Starting $NAME"
+        # Check if it's running first
+        if running ;  then
+            log_progress_msg "apparently already running"
+            log_end_msg 0
+            exit 0
+        fi
+        if start_server && running ;  then
+            # It's ok, the server started and is running
+            log_end_msg 0
+        else
+            # Either we could not start it or it is not running
+            # after we did
+            # NOTE: Some servers might die some time after they start,
+            # this code does not try to detect this and might give
+            # a false positive (use 'status' for that)
+            log_end_msg 1
+        fi
+        ;;
+  stop)
+        log_daemon_msg "Stopping $NAME"
+        if running ; then
+            # Only stop the server if we see it running
+            stop_server
+            log_end_msg $?
+        else
+            # If it's not running don't do anything
+            log_progress_msg "apparently not running"
+            log_end_msg 0
+            exit 0
+        fi
+        ;;
+  force-stop)
+        # First try to stop gracefully the program
+        $0 stop
+        if running; then
+            # If it's still running try to kill it more forcefully
+            log_daemon_msg "Stopping (force) $NAME"
+            force_stop
+            log_end_msg $?
+        fi
+        ;;
+  restart|force-reload)
+        log_daemon_msg "Restarting $NAME"
+        stop_server
+        # Wait some sensible amount, some server need this
+        [ -n "$DODTIME" ] && sleep $DODTIME
+        start_server
+        running
+        log_end_msg $?
+        ;;
+  status)
+        log_daemon_msg "Checking status of $NAME"
+        if running ;  then
+            log_progress_msg "running"
+            log_end_msg 0
+        else
+            log_progress_msg "apparently not running"
+            log_end_msg 1
+            exit 1
+        fi
+        ;;
+  # Use this if the daemon cannot reload
+  reload)
+        log_warning_msg "Reloading $NAME daemon: not implemented, as the"
+        log_warning_msg "deamon cannot re-read the config file (use restart)."
+        ;;
+  *)
+        N=/etc/init.d/openvswitch-ipsec
+        echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" \
+             >&2
+        exit 1
+        ;;
+esac
+
+exit 0
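Review bot: in the `restart|force-reload)` branch the bare `running` call runs under `set -e`, so if the daemon is not back up after `start_server` the script exits right there and `log_end_msg $?` never reports the failure; write it as `if running; then log_end_msg 0; else log_end_msg 1; fi`, which is what the `status)` branch already does. Two smaller points: `force_stop` sends `kill -15` / `kill -9` straight to `$pid`, bypassing the `ovs-appctl ... exit` shutdown that `stop_server` goes through via `ovs-ctl stop-ovs-ipsec`, and the `reload)` message misspells "daemon" as "deamon".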
diff --git a/debian/openvswitch-ipsec.install b/debian/openvswitch-ipsec.install
new file mode 100644
index 000000000..8fe665cb3
--- /dev/null
+++ b/debian/openvswitch-ipsec.install
@@ -0,0 +1 @@ 
+ipsec/ovs-monitor-ipsec usr/share/openvswitch/scripts
diff --git a/rhel/automake.mk b/rhel/automake.mk
index 7b6c78fd7..bc65d83e5 100644
--- a/rhel/automake.mk
+++ b/rhel/automake.mk
@@ -35,6 +35,7 @@  EXTRA_DIST += \
 	rhel/usr_lib_systemd_system_ovn-controller.service \
 	rhel/usr_lib_systemd_system_ovn-controller-vtep.service \
 	rhel/usr_lib_systemd_system_ovn-northd.service \
+	rhel/usr_lib_systemd_system_openvswitch-ipsec.service \
 	rhel/usr_lib_firewalld_services_ovn-central-firewall-service.xml \
 	rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml
 
diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index 8c18d39c2..dacc3ee56 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -209,6 +209,14 @@  Requires: openvswitch openvswitch-ovn-common %{_py2}-openvswitch
 %description ovn-docker
 Docker network plugins for OVN.
 
+%package openvswitch-ipsec
+Summary: Open vSwitch IPsec tunneling support
+License: ASL 2.0
+Requires: openvswitch %{_py2}-openvswitch libreswan
+
+%description openvswitch-ipsec
+This package provides IPsec tunneling support for OVS tunnels.
+
 %prep
 %setup -q
 
@@ -260,7 +268,8 @@  install -p -D -m 0644 \
         rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template \
         $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/openvswitch
 for service in openvswitch ovsdb-server ovs-vswitchd ovs-delete-transient-ports \
-                ovn-controller ovn-controller-vtep ovn-northd; do
+                ovn-controller ovn-controller-vtep ovn-northd \
+                openvswitch-ipsec; do
         install -p -D -m 0644 \
                         rhel/usr_lib_systemd_system_${service}.service \
                         $RPM_BUILD_ROOT%{_unitdir}/${service}.service
@@ -318,6 +327,10 @@  install -p -D -m 0755 \
         rhel/usr_share_openvswitch_scripts_ovs-systemd-reload \
         $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-systemd-reload
 
+install -m 0755 \
+        ipsec/ovs-monitor-ipsec \
+        $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec
+
 # remove unpackaged files
 rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
         $RPM_BUILD_ROOT%{_sbindir}/ovs-vlan-bug-workaround \
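Review bot: the new `install -m 0755` line drops the `-p -D` that every neighbouring install uses (`install -p -D -m 0755 ... ovs-systemd-reload` is directly above); without `-D` the copy fails if `%{_datadir}/openvswitch/scripts` has not been created yet, and without `-p` the packaged script gets a build-time timestamp unlike the other scripts.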
@@ -646,6 +659,10 @@  fi
 %{_mandir}/man8/ovn-controller-vtep.8*
 %{_unitdir}/ovn-controller-vtep.service
 
+%files openvswitch-ipsec
+%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec
+%{_unitdir}/openvswitch-ipsec.service
+
 %changelog
 * Wed Jan 12 2011 Ralf Spenneberg <ralf@os-s.net>
 - First build on F14
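Review bot: `%files openvswitch-ipsec` has to carry the same subpackage name as the `%package` line; if that is changed to `ipsec` (or `-n openvswitch-ipsec`), this line must change with it or rpmbuild rejects the unknown subpackage.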
diff --git a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
new file mode 100644
index 000000000..813844e51
--- /dev/null
+++ b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
@@ -0,0 +1,12 @@ 
+[Unit]
+Description=OVS IPsec daemon
+Requires=openvswitch.service
+After=openvswitch.service
+
+[Service]
+Type=forking
+ExecStart=/usr/share/openvswitch/scripts/ovs-ctl start-ovs-ipsec
+ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
+
+[Install]
+WantedBy=multi-user.target
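Review bot: `Type=forking` without a `PIDFile=` leaves systemd guessing which of the detached processes is the main PID after `ovs-ctl start-ovs-ipsec` returns. Since that command starts the daemon with `--pidfile=${rundir}/ovs-monitor-ipsec.pid` (and the Debian init script reads `/var/run/openvswitch/ovs-monitor-ipsec.pid`), add `PIDFile=/var/run/openvswitch/ovs-monitor-ipsec.pid` so stop and status track the right process.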
diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index 43c8f32b7..d9b6ed943 100755
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -222,6 +222,13 @@  start_forwarding () {
     return 0
 }
 
+start_ovs_ipsec () {
+    ${datadir}/scripts/ovs-monitor-ipsec \
+        --pidfile=${rundir}/ovs-monitor-ipsec.pid \
+        --log-file --detach --monitor unix:${rundir}/db.sock
+    return 0
+}
+
 ## ---- ##
 ## stop ##
 ## ---- ##
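Review bot: `start_ovs_ipsec` returns 0 unconditionally, so a failure to start `ovs-monitor-ipsec` (script missing, pidfile directory absent, `unix:${rundir}/db.sock` unreachable) is reported as success to both `openvswitch-ipsec.service` and the Debian init script; drop the `return 0` so the command's own exit status propagates, as the other `start_*` helpers in ovs-ctl do.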
@@ -238,6 +245,11 @@  stop_forwarding () {
     fi
 }
 
+stop_ovs_ipsec () {
+    ${bindir}/ovs-appctl -t ovs-monitor-ipsec exit
+    return 0
+}
+
 ## --------------- ##
 ## enable-protocol ##
 ## --------------- ##
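Review bot: same pattern in `stop_ovs_ipsec`: `ovs-appctl -t ovs-monitor-ipsec exit` fails when the control socket is missing or stale, but `return 0` hides that, so `ExecStop=` in the unit file and the init script's `stop)` branch always report success; propagate the exit status, or check the pidfile first and treat "not running" as success explicitly.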
@@ -522,6 +534,12 @@  case $command in
     delete-transient-ports)
         del_transient_ports
         ;;
+    start-ovs-ipsec)
+        start_ovs_ipsec
+        ;;
+    stop-ovs-ipsec)
+        stop_ovs_ipsec
+        ;;
     help)
         usage
         ;;
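Review bot: the new `start-ovs-ipsec` and `stop-ovs-ipsec` commands are wired into the `case`, but nothing in this patch updates the `usage` text invoked by the `help)` branch right below, so `ovs-ctl help` will not list them; add them next to the other commands there.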