From patchwork Wed Aug 29 14:13:31 2018
X-Patchwork-Submitter: Qiuyu Xiao
X-Patchwork-Id: 963489
From: Qiuyu Xiao
To: ovs-dev@openvswitch.org
Cc: Ansis Atteka
Date: Wed, 29 Aug 2018 10:13:31 -0400
Message-Id: <20180829141334.18089-4-qiuyu.xiao.qyx@gmail.com>
In-Reply-To: <20180829141334.18089-1-qiuyu.xiao.qyx@gmail.com>
References: <20180829141334.18089-1-qiuyu.xiao.qyx@gmail.com>
Subject: [ovs-dev] [PATCH v6 3/6] debian and rhel: Create IPsec package.

Added rules and files to create debian and rpm ovs-ipsec packages.

Signed-off-by: Qiuyu Xiao
Signed-off-by: Ansis Atteka
Co-authored-by: Ansis Atteka
--- debian/automake.mk | 3 + debian/control | 21 +++ debian/openvswitch-ipsec.dirs | 1 + debian/openvswitch-ipsec.init | 181 +++++++++++++++++++++ debian/openvswitch-ipsec.install | 1 + rhel/automake.mk | 1 + rhel/openvswitch-fedora.spec.in | 19 ++- ...sr_lib_systemd_system_openvswitch-ipsec.service | 13 ++ utilities/ovs-ctl.in | 27 +++ 9 files changed, 266 insertions(+), 1 deletion(-) create mode 100644 debian/openvswitch-ipsec.dirs create mode 100644 debian/openvswitch-ipsec.init create mode 100644 debian/openvswitch-ipsec.install create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service diff --git a/debian/automake.mk b/debian/automake.mk index 4d8e204bb..8a8d43c9f 100644 --- a/debian/automake.mk +++ b/debian/automake.mk 
@@ -20,6 +20,9 @@ EXTRA_DIST += \ debian/openvswitch-datapath-source.copyright \ debian/openvswitch-datapath-source.dirs \ debian/openvswitch-datapath-source.install \ + debian/openvswitch-ipsec.dirs \ + debian/openvswitch-ipsec.init \ + debian/openvswitch-ipsec.install \ debian/openvswitch-pki.dirs \ debian/openvswitch-pki.postinst \ debian/openvswitch-pki.postrm \ diff --git a/debian/control b/debian/control index 9ae248f27..cde93f20e 100644 --- a/debian/control +++ b/debian/control @@ -322,3 +322,24 @@ Description: Open vSwitch development package 1000V. . This package provides openvswitch headers and libopenvswitch for developers. + +Package: openvswitch-ipsec +Architecture: linux-any +Depends: iproute2, + openvswitch-common (= ${binary:Version}), + openvswitch-switch (= ${binary:Version}), + python, + python-openvswitch (= ${source:Version}), + strongswan, + ${misc:Depends}, + ${shlibs:Depends} +Description: Open vSwitch IPsec tunneling support + Open vSwitch is a production quality, multilayer, software-based, + Ethernet virtual switch. It is designed to enable massive network + automation through programmatic extension, while still supporting + standard management interfaces and protocols (e.g. NetFlow, IPFIX, + sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed + to support distribution across multiple physical servers similar to + VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V. + . + This package provides IPsec tunneling support for OVS tunnels. diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs new file mode 100644 index 000000000..fca44aa7b --- /dev/null +++ b/debian/openvswitch-ipsec.dirs @@ -0,0 +1 @@ +usr/share/openvswitch/scripts \ No newline at end of file diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init new file mode 100644 index 000000000..aa6838454 --- /dev/null +++ b/debian/openvswitch-ipsec.init 
@@ -0,0 +1,181 @@ +#!/bin/sh +# +# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino +# +# This is free software; you may redistribute it and/or modify +# it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2, +# or (at your option) any later version. +# +# This is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License with +# the Debian operating system, in /usr/share/common-licenses/GPL; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place, +# Suite 330, Boston, MA 02111-1307 USA +# +### BEGIN INIT INFO +# Provides: openvswitch-ipsec +# Required-Start: $network $local_fs $remote_fs openvswitch-switch +# Required-Stop: $remote_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Open vSwitch GRE-over-IPsec daemon +# Description: The ovs-monitor-ipsec script provides support for +# encrypting GRE tunnels with IPsec. +### END INIT INFO + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location +NAME=ovs-monitor-ipsec # Introduce the short server's name here +LOGDIR=/var/log/openvswitch # Log directory to use +DATADIR=/usr/share/openvswitch + +PIDFILE=/var/run/openvswitch/$NAME.pid + +test -x $DAEMON || exit 0 + +. /lib/lsb/init-functions + +DODTIME=10 # Time to wait for the server to die, in seconds + # If this value is set too low you might not + # let some servers to die gracefully and + # 'restart' will not work + +set -e + +running_pid() { +# Check if a given process pid's cmdline matches a given name + pid=$1 + name=$2 + [ -z "$pid" ] && return 1 + [ ! 
-d /proc/$pid ] && return 1 + cmd=`cat /proc/$pid/cmdline | tr "\000" " "|cut -d " " -f 2` + # Is this the expected server + [ "$cmd" != "$name" ] && return 1 + return 0 +} + +running() { +# Check if the process is running looking at /proc +# (works for all users) + + # No pidfile, probably no daemon present + [ ! -f "$PIDFILE" ] && return 1 + pid=`cat $PIDFILE` + running_pid $pid $DAEMON || return 1 + return 0 +} + +start_server() { + ${DATADIR}/scripts/ovs-ctl --ike-daemon=strongswan start-ovs-ipsec + return 0 +} + +stop_server() { + ${DATADIR}/scripts/ovs-ctl stop-ovs-ipsec + return 0 +} + +force_stop() { +# Force the process to die killing it manually + [ ! -e "$PIDFILE" ] && return + if running ; then + kill -15 $pid + # Is it really dead? + sleep "$DODTIME" + if running ; then + kill -9 $pid + sleep "$DODTIME" + if running ; then + echo "Cannot kill $NAME (pid=$pid)!" + exit 1 + fi + fi + fi + rm -f $PIDFILE +} + + +case "$1" in + start) + log_daemon_msg "Starting $NAME" + # Check if it's running first + if running ; then + log_progress_msg "apparently already running" + log_end_msg 0 + exit 0 + fi + if start_server && running ; then + # It's ok, the server started and is running + log_end_msg 0 + else + # Either we could not start it or it is not running + # after we did + # NOTE: Some servers might die some time after they start, + # this code does not try to detect this and might give + # a false positive (use 'status' for that) + log_end_msg 1 + fi + ;; + stop) + log_daemon_msg "Stopping $NAME" + if running ; then + # Only stop the server if we see it running + stop_server + log_end_msg $? + else + # If it's not running don't do anything + log_progress_msg "apparently not running" + log_end_msg 0 + exit 0 + fi + ;; + force-stop) + # First try to stop gracefully the program + $0 stop + if running; then + # If it's still running try to kill it more forcefully + log_daemon_msg "Stopping (force) $NAME" + force_stop + log_end_msg $? 
+ fi + ;; + restart|force-reload) + log_daemon_msg "Restarting $NAME" + stop_server + # Wait some sensible amount, some server need this + [ -n "$DODTIME" ] && sleep $DODTIME + start_server + running + log_end_msg $? + ;; + status) + log_daemon_msg "Checking status of $NAME" + if running ; then + log_progress_msg "running" + log_end_msg 0 + else + log_progress_msg "apparently not running" + log_end_msg 1 + exit 1 + fi + ;; + # Use this if the daemon cannot reload + reload) + log_warning_msg "Reloading $NAME daemon: not implemented, as the" + log_warning_msg "deamon cannot re-read the config file (use restart)." + ;; + *) + N=/etc/init.d/openvswitch-ipsec + echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" \ + >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/debian/openvswitch-ipsec.install b/debian/openvswitch-ipsec.install new file mode 100644 index 000000000..8fe665cb3 --- /dev/null +++ b/debian/openvswitch-ipsec.install @@ -0,0 +1 @@ +ipsec/ovs-monitor-ipsec usr/share/openvswitch/scripts diff --git a/rhel/automake.mk b/rhel/automake.mk index 7b6c78fd7..bc65d83e5 100644 --- a/rhel/automake.mk +++ b/rhel/automake.mk @@ -35,6 +35,7 @@ EXTRA_DIST += \ rhel/usr_lib_systemd_system_ovn-controller.service \ rhel/usr_lib_systemd_system_ovn-controller-vtep.service \ rhel/usr_lib_systemd_system_ovn-northd.service \ + rhel/usr_lib_systemd_system_openvswitch-ipsec.service \ rhel/usr_lib_firewalld_services_ovn-central-firewall-service.xml \ rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in index cb7eccae1..480c547dd 100644 --- a/rhel/openvswitch-fedora.spec.in +++ b/rhel/openvswitch-fedora.spec.in 
@@ -222,6 +222,14 @@ Requires: openvswitch openvswitch-ovn-common %{_py2}-openvswitch %description ovn-docker Docker network plugins for OVN. +%package openvswitch-ipsec +Summary: Open vSwitch IPsec tunneling support +License: ASL 2.0 +Requires: openvswitch %{_py2}-openvswitch libreswan + +%description openvswitch-ipsec +This package provides IPsec tunneling support for OVS tunnels. + %prep %setup -q @@ -273,7 +281,8 @@ install -p -D -m 0644 \ rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template \ $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/openvswitch for service in openvswitch ovsdb-server ovs-vswitchd ovs-delete-transient-ports \ - ovn-controller ovn-controller-vtep ovn-northd; do + ovn-controller ovn-controller-vtep ovn-northd \ + openvswitch-ipsec; do install -p -D -m 0644 \ rhel/usr_lib_systemd_system_${service}.service \ $RPM_BUILD_ROOT%{_unitdir}/${service}.service @@ -331,6 +340,10 @@ install -p -D -m 0755 \ rhel/usr_share_openvswitch_scripts_ovs-systemd-reload \ $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-systemd-reload +install -m 0755 \ + ipsec/ovs-monitor-ipsec \ + $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec + # remove unpackaged files rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \ $RPM_BUILD_ROOT%{_sbindir}/ovs-vlan-bug-workaround \ @@ -669,6 +682,10 @@ fi %{_mandir}/man8/ovn-controller-vtep.8* %{_unitdir}/ovn-controller-vtep.service +%files openvswitch-ipsec +%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec +%{_unitdir}/openvswitch-ipsec.service + %changelog * Wed Jan 12 2011 Ralf Spenneberg - First build on F14 diff --git a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service new file mode 100644 index 000000000..6e309aa57 --- /dev/null +++ b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service 
@@ -0,0 +1,13 @@ +[Unit] +Description=OVS IPsec daemon +Requires=openvswitch.service +After=openvswitch.service + +[Service] +Type=forking +ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ + --ike-daemon=libreswan start-ovs-ipsec +ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec + +[Install] +WantedBy=multi-user.target diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in index 43c8f32b7..d28afc549 100755 --- a/utilities/ovs-ctl.in +++ b/utilities/ovs-ctl.in @@ -222,6 +222,14 @@ start_forwarding () { return 0 } +start_ovs_ipsec () { + ${datadir}/scripts/ovs-monitor-ipsec \ + --pidfile=${rundir}/ovs-monitor-ipsec.pid \ + --ike-daemon=$IKE_DAEMON \ + --log-file --detach --monitor unix:${rundir}/db.sock + return 0 +} + ## ---- ## ## stop ## ## ---- ## @@ -238,6 +246,11 @@ stop_forwarding () { fi } +stop_ovs_ipsec () { + ${bindir}/ovs-appctl -t ovs-monitor-ipsec exit + return 0 +} + ## --------------- ## ## enable-protocol ## ## --------------- ## @@ -316,6 +329,8 @@ set_defaults () { DPORT= SPORT= + IKE_DAEMON= + type_file=$etcdir/system-type.conf version_file=$etcdir/system-version.conf @@ -356,6 +371,8 @@ Commands: module, reload kernel module, start OVS, restore state enable-protocol enable protocol specified in options with iptables delete-transient-ports delete transient (other_config:transient=true) ports + start-ovs-ipsec start Open vSwitch ipsec daemon + stop-ovs-ipsec stop Open vSwitch ipsec daemon help display this help message One of the following options is required for "start", "restart" and "force-reload-kmod": @@ -392,6 +409,10 @@ Options for "enable-protocol": --sport=PORT source port to match (for tcp or udp protocol) --dport=PORT ddestination port to match (for tcp or udp protocol) +Option for "start-ovs-ipsec": + --ike-daemon=IKE_DAEMON + the IKE daemon for ipsec tunnels (either libreswan or strongswan) + Other options: -h, --help display this help message -V, --version display version information 
@@ -522,6 +543,12 @@ case $command in delete-transient-ports) del_transient_ports ;; + start-ovs-ipsec) + start_ovs_ipsec + ;; + stop-ovs-ipsec) + stop_ovs_ipsec + ;; help) usage ;;
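Review bot: debian/openvswitch-ipsec.dirs is both unnecessary and malformed: the single path it creates, usr/share/openvswitch/scripts, is the destination that debian/openvswitch-ipsec.install already installs into, and dh_install creates destination directories itself, so the .dirs file (and its EXTRA_DIST entry in debian/automake.mk) can be dropped; if it is kept, add the missing trailing newline flagged by "\ No newline at end of file".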
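Review bot: start_server and stop_server in debian/openvswitch-ipsec.init both end in an unconditional `return 0`, so in the `start)` branch `if start_server && running` can only fail via the `running` check and in the `stop)` branch `log_end_msg $?` always reports success even when `ovs-ctl stop-ovs-ipsec` failed; drop the `return 0` lines so the functions propagate the exit status of the ovs-ctl command they wrap. Separately, in the `restart|force-reload)` branch `running` is called as a bare statement while `set -e` is in effect, so if the daemon is not back up after the restart the script terminates with status 1 before reaching `log_end_msg $?` and prints no result; write it as `if running; then log_end_msg 0; else log_end_msg 1; fi` as the `status)` branch does. The `reload)` branch exits 0 after only printing a warning; LSB reserves exit status 3 for an unimplemented action, so end it with `exit 3` (and fix "deamon" in the message).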
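Review bot: the LSB header of debian/openvswitch-ipsec.init still describes the service as an "Open vSwitch GRE-over-IPsec daemon" that provides "support for encrypting GRE tunnels with IPsec", whereas debian/control and the spec describe the package as "IPsec tunneling support for OVS tunnels"; make the Short-Description and Description match the package description so the two do not disagree about what is covered. The file also carries the "Copyright (c) 2007, 2009 Javier Fernandez-Sanguino" notice from the init-script skeleton it was adapted from; check that this is the intended attribution and licence for a file shipped in this package rather than left over from the template.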
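Review bot: `%package openvswitch-ipsec` in rhel/openvswitch-fedora.spec.in names the subpackage relative to the main package, so rpmbuild will emit openvswitch-openvswitch-ipsec rather than the openvswitch-ipsec that debian/control creates (compare the existing `%package ovn-docker`, which yields openvswitch-ovn-docker); use `%package ipsec` with matching `%description ipsec` and `%files ipsec`, or `%package -n openvswitch-ipsec`. The new `install -m 0755 ipsec/ovs-monitor-ipsec ...` also omits the `-p -D` that the neighbouring install lines use, so it relies on the scripts directory having been created by an earlier install; add `-p -D` for consistency.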
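Review bot: rhel/usr_lib_systemd_system_openvswitch-ipsec.service declares `Type=forking` but no `PIDFile=`, so systemd has to guess the main process of a daemon that ovs-ctl starts with both `--detach` and `--monitor`; add `PIDFile=` pointing at the file ovs-ctl passes via `--pidfile=${rundir}/ovs-monitor-ipsec.pid` (the Debian init script uses /var/run/openvswitch/ovs-monitor-ipsec.pid for the same daemon) so start, stop and status track the right process. The unit hardcodes `--ike-daemon=libreswan` and the Debian init hardcodes `--ike-daemon=strongswan`, which matches each package's Requires/Depends; a comment in the unit saying why libreswan is fixed here would save the next reader from checking the spec.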
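Review bot: start_ovs_ipsec in utilities/ovs-ctl.in passes `--ike-daemon=$IKE_DAEMON` without checking that the option was given, so `ovs-ctl start-ovs-ipsec` with no `--ike-daemon` hands ovs-monitor-ipsec an empty `--ike-daemon=`; the usage text says the value must be libreswan or strongswan, so reject a missing or unknown value with a usage error before starting the daemon. Both start_ovs_ipsec and stop_ovs_ipsec also end in an unconditional `return 0`, so the new start-ovs-ipsec and stop-ovs-ipsec commands exit 0 even when ovs-monitor-ipsec failed to start or `ovs-appctl -t ovs-monitor-ipsec exit` could not reach it, which in turn makes the init script and systemd unit built on them unable to report failure; return the wrapped command's status instead. Drive-by in the unchanged context of the usage hunk: "ddestination port to match" has a doubled "d".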