
[ovs-dev,1/2] Documentation: update IPsec tutorial for F32

Message ID 20201002173358.2435528-2-mark.d.gray@redhat.com
State Superseded
Series Some fixes for OVS IPsec on Fedora

Commit Message

Mark Gray Oct. 2, 2020, 5:33 p.m. UTC
F32 requires the "python3-openvswitch" package now. Also, the
iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32.

Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
---
 Documentation/tutorials/ipsec.rst | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

Comments

Stokes, Ian Oct. 21, 2020, 3:07 p.m. UTC | #1
> F32 requires the "python3-openvswitch" package now. Also, the
> iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32.
> 

Hi Mark, thanks for the patch, some minor comments below.

> Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
> ---
>  Documentation/tutorials/ipsec.rst | 27 ++++++++++++---------------
>  1 file changed, 12 insertions(+), 15 deletions(-)
> 
> diff --git a/Documentation/tutorials/ipsec.rst
> b/Documentation/tutorials/ipsec.rst
> index b4c323513..ea0b6a63f 100644
> --- a/Documentation/tutorials/ipsec.rst
> +++ b/Documentation/tutorials/ipsec.rst
> @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages
>  ---------------------------------
> 
>  OVS IPsec has .deb and .rpm packages. You should use the right package
> -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27
> +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32
>  as examples.

Given that the instructions change between Fedora versions, is it worth adding a note that for Fedora versions older than Fedora 32, users should consult the previous OVS release tutorial?

The alternative would be to maintain another section here for Fedora 27, but that seems like a pain and TBH I'm not sure if Fedora 27 is still active? As such, a note might suffice.

> 
>  Ubuntu
> @@ -71,21 +71,18 @@ Ubuntu
>  Fedora
>  ~~~~~~
> 
> -1. Follow :doc:`/intro/install/fedora` to build RPM packages.
> +1. Install the related packages. Fedora 32 does not require installation of
> +   the out-of-tree kernel module::
> 
> -2. Install the related packages::
> -
> -       $ dnf install python2-openvswitch libreswan \
> -                     "kernel-devel-uname-r == $(uname -r)"
> -       $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \
> -                openvswitch-openvswitch-ipsec-*.rpm
> +       $ dnf install python3-openvswitch libreswan \
> +                     openvswitch openvswitch-ipsec
> 
> -3. Install firewall rules to allow ESP and IKE traffic::
> +2. Install firewall rules to allow ESP and IKE traffic::
> 
> -       $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT
> -       $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT
> +       $ iptables -A INPUT -p esp -j ACCEPT
> +       $ iptables -A INPUT -p udp --dport 500 -j ACCEPT

Same as above, again maybe a line at the beginning of the tutorial would help point people in the right direction depending on the version they are using?
 
> 
> -4. Run the openvswitch-ipsec service::
> +3. Run the openvswitch-ipsec service::
> 
>         $ systemctl start openvswitch-ipsec.service
> 
> @@ -97,7 +94,7 @@ Fedora
>  Configuring IPsec tunnel
>  ------------------------
> 
> -Suppose you want to build IPsec tunnel between two hosts. Assume `host_1`'s
> +Suppose you want to build an IPsec tunnel between two hosts. Assume
> `host_1`'s
>  external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
>  `host_1` and `host_2` can ping each other via these external IPs.
> 
> @@ -123,8 +120,8 @@ external IP is 1.1.1.1, and `host_2`'s external IP is
> 2.2.2.2. Make sure
> 
>  2. Set up IPsec tunnel.
> 
> -   There are three authentication methods. You can choose one to set up your
> -   IPsec tunnel.
> +   There are three authentication methods.  Choose one method to set up your
> +   IPsec tunnel and follow the steps below.
> 
>     a) Using pre-shared key:
> 

Other than that LGTM. Did you have any thoughts on requirements for backporting it? 

Regards
Ian
> --
> 2.26.2
> 
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Eric Garver Oct. 22, 2020, 2:01 p.m. UTC | #2
On Fri, Oct 02, 2020 at 01:33:57PM -0400, Mark Gray wrote:
> F32 requires the "python3-openvswitch" package now. Also, the
> iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32.
> 
> Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
> ---
>  Documentation/tutorials/ipsec.rst | 27 ++++++++++++---------------
>  1 file changed, 12 insertions(+), 15 deletions(-)
> 
> diff --git a/Documentation/tutorials/ipsec.rst b/Documentation/tutorials/ipsec.rst
> index b4c323513..ea0b6a63f 100644
> --- a/Documentation/tutorials/ipsec.rst
> +++ b/Documentation/tutorials/ipsec.rst
> @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages
>  ---------------------------------
>  
>  OVS IPsec has .deb and .rpm packages. You should use the right package
> -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27
> +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32
>  as examples.
>  
>  Ubuntu
> @@ -71,21 +71,18 @@ Ubuntu
>  Fedora
>  ~~~~~~
>  
> -1. Follow :doc:`/intro/install/fedora` to build RPM packages.
> +1. Install the related packages. Fedora 32 does not require installation of
> +   the out-of-tree kernel module::
>  
> -2. Install the related packages::
> -
> -       $ dnf install python2-openvswitch libreswan \
> -                     "kernel-devel-uname-r == $(uname -r)"
> -       $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \
> -                openvswitch-openvswitch-ipsec-*.rpm
> +       $ dnf install python3-openvswitch libreswan \
> +                     openvswitch openvswitch-ipsec
>  
> -3. Install firewall rules to allow ESP and IKE traffic::
> +2. Install firewall rules to allow ESP and IKE traffic::
>  
> -       $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT
> -       $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT
> +       $ iptables -A INPUT -p esp -j ACCEPT
> +       $ iptables -A INPUT -p udp --dport 500 -j ACCEPT

Fedora uses firewalld by default hence the chain
"IN_FedoraServer_allow". I think adding the rules in iptables will not
work in f32+ because firewalld uses nftables. iptables will accept, but
firewalld/nftables will still drop it. Instead of bypassing firewalld
it's better to open these via firewalld by adding the ipsec service.
This should work for all Fedora versions and firewalld backends.

    # firewall-cmd --add-service ipsec
    # firewall-cmd --permanent --add-service ipsec

First command affects the runtime, the second command affects the
permanent configuration.

> -4. Run the openvswitch-ipsec service::
> +3. Run the openvswitch-ipsec service::
>  
>         $ systemctl start openvswitch-ipsec.service
>  
[..]
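An added check, not part of this thread or of the OVS tree, that makes the point above concrete: it parses a firewalld service definition written in the shape of firewalld's services/*.xml files (the ipsec definition below is constructed, not copied from firewalld) together with the two iptables rules from the patch, and reports whether opening the service covers everything those rules opened and what else it opens.

```python
"""Compare what a firewalld service opens with what the tutorial's
iptables rules opened (ESP and IKE on UDP/500).  Added example; the
service XML is a constructed stand-in for firewalld's ipsec service."""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for /usr/lib/firewalld/services/ipsec.xml.
IPSEC_SERVICE_XML = """<service>
  <short>IPsec</short>
  <description>IKE on UDP 500/4500 plus the ESP and AH protocols.</description>
  <port protocol="udp" port="500"/>
  <port protocol="udp" port="4500"/>
  <protocol value="esp"/>
  <protocol value="ah"/>
</service>
"""

# The two rules from step 2 of the patch, exactly as the tutorial shows them.
TUTORIAL_IPTABLES_RULES = [
    "iptables -A INPUT -p esp -j ACCEPT",
    "iptables -A INPUT -p udp --dport 500 -j ACCEPT",
]

# A flow is (ip protocol, destination port); port is None for port-less
# protocols such as esp and ah.
def flows_from_service_xml(xml_text):
    """Return the set of flows a firewalld service definition allows."""
    root = ET.fromstring(xml_text)
    flows = set()
    for port in root.findall("port"):
        proto, spec = port.get("protocol"), port.get("port")
        lo, _, hi = spec.partition("-")      # firewalld allows "lo-hi" ranges
        for p in range(int(lo), int(hi or lo) + 1):
            flows.add((proto, p))
    for proto in root.findall("protocol"):
        flows.add((proto.get("value"), None))
    return flows

_RULE_RE = re.compile(r"-p\s+(\S+)(?:\s+--dport\s+(\d+))?.*-j\s+ACCEPT")

def flows_from_iptables_rules(rules):
    """Return the flows that a list of simple INPUT ACCEPT rules admits."""
    flows = set()
    for rule in rules:
        m = _RULE_RE.search(rule)
        if not m:
            raise ValueError("unsupported rule: " + rule)
        proto, port = m.group(1), m.group(2)
        flows.add((proto, int(port) if port else None))
    return flows

def coverage(service_xml, rules):
    """Return (missing, extra): flows the rules admit but the service does
    not, and flows the service admits that the rules never did."""
    service = flows_from_service_xml(service_xml)
    legacy = flows_from_iptables_rules(rules)
    return legacy - service, service - legacy

if __name__ == "__main__":
    missing, extra = coverage(IPSEC_SERVICE_XML, TUTORIAL_IPTABLES_RULES)
    print("not covered by the firewalld service:", sorted(missing, key=str))
    print("opened only by the firewalld service:", sorted(extra, key=str))
```

With the constructed definition, nothing from the tutorial's rules is missing, and the service additionally opens UDP 4500 and AH.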
Mark Gray Oct. 23, 2020, 10:13 a.m. UTC | #3
On 22/10/2020 15:01, Eric Garver wrote:
> On Fri, Oct 02, 2020 at 01:33:57PM -0400, Mark Gray wrote:
>> F32 requires the "python3-openvswitch" package now. Also, the
>> iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32.
>>
>> Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
>> ---
>>  Documentation/tutorials/ipsec.rst | 27 ++++++++++++---------------
>>  1 file changed, 12 insertions(+), 15 deletions(-)
>>
>> diff --git a/Documentation/tutorials/ipsec.rst b/Documentation/tutorials/ipsec.rst
>> index b4c323513..ea0b6a63f 100644
>> --- a/Documentation/tutorials/ipsec.rst
>> +++ b/Documentation/tutorials/ipsec.rst
>> @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages
>>  ---------------------------------
>>  
>>  OVS IPsec has .deb and .rpm packages. You should use the right package
>> -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27
>> +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32
>>  as examples.
>>  
>>  Ubuntu
>> @@ -71,21 +71,18 @@ Ubuntu
>>  Fedora
>>  ~~~~~~
>>  
>> -1. Follow :doc:`/intro/install/fedora` to build RPM packages.
>> +1. Install the related packages. Fedora 32 does not require installation of
>> +   the out-of-tree kernel module::
>>  
>> -2. Install the related packages::
>> -
>> -       $ dnf install python2-openvswitch libreswan \
>> -                     "kernel-devel-uname-r == $(uname -r)"
>> -       $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \
>> -                openvswitch-openvswitch-ipsec-*.rpm
>> +       $ dnf install python3-openvswitch libreswan \
>> +                     openvswitch openvswitch-ipsec
>>  
>> -3. Install firewall rules to allow ESP and IKE traffic::
>> +2. Install firewall rules to allow ESP and IKE traffic::
>>  
>> -       $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT
>> -       $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT
>> +       $ iptables -A INPUT -p esp -j ACCEPT
>> +       $ iptables -A INPUT -p udp --dport 500 -j ACCEPT
> 
> Fedora uses firewalld by default hence the chain
> "IN_FedoraServer_allow". I think adding the rules in iptables will not
> work in f32+ because firewalld uses nftables. iptables will accept, but
> firewalld/nftables will still drop it. Instead of bypassing firewalld
> it's better to open these via firewalld by adding the ipsec service.
> This should work for all Fedora versions and firewalld backends.
> 
>     # firewall-cmd --add-service ipsec
>     # firewall-cmd --permanent --add-service ipsec
> 
> First command affects the runtime, the second command affects the
> permanent configuration.

Hi Eric, this is a much better approach. I will update the documentation
to reflect this. Thanks for your input.

> 
>> -4. Run the openvswitch-ipsec service::
>> +3. Run the openvswitch-ipsec service::
>>  
>>         $ systemctl start openvswitch-ipsec.service
>>  
> [..]
>
Mark Gray Oct. 23, 2020, 2:24 p.m. UTC | #4
On 21/10/2020 16:07, Stokes, Ian wrote:
>> F32 requires the "python3-openvswitch" package now. Also, the
>> iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32.
>>
> 
> Hi Mark, thanks for the patch, some minor comments below.
> 
>> Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
>> ---
>>  Documentation/tutorials/ipsec.rst | 27 ++++++++++++---------------
>>  1 file changed, 12 insertions(+), 15 deletions(-)
>>
>> diff --git a/Documentation/tutorials/ipsec.rst
>> b/Documentation/tutorials/ipsec.rst
>> index b4c323513..ea0b6a63f 100644
>> --- a/Documentation/tutorials/ipsec.rst
>> +++ b/Documentation/tutorials/ipsec.rst
>> @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages
>>  ---------------------------------
>>
>>  OVS IPsec has .deb and .rpm packages. You should use the right package
>> -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27
>> +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32
>>  as examples.
> 
> Given that the instructions change between Fedora versions, is it worth adding a note that for Fedora versions older than Fedora 32, users should consult the previous OVS release tutorial?

This is just a tutorial, so I am not making any statement about
availability of the IPsec feature in different distros, only that, as of
F32, the instructions are correct.

The main difference is regarding the iptables instructions below. I
think Eric has cleared that up and I will update the documentation to
reflect this, as that seems to be the most generic way to enable the
firewall across multiple Fedora releases.


> 
> The alternative would be to maintain another section here for Fedora 27, but that seems like a pain and TBH I'm not sure if Fedora 27 is still active? As such, a note might suffice.
> 
>>
>>  Ubuntu
>> @@ -71,21 +71,18 @@ Ubuntu
>>  Fedora
>>  ~~~~~~
>>
>> -1. Follow :doc:`/intro/install/fedora` to build RPM packages.
>> +1. Install the related packages. Fedora 32 does not require installation of
>> +   the out-of-tree kernel module::
>>
>> -2. Install the related packages::
>> -
>> -       $ dnf install python2-openvswitch libreswan \
>> -                     "kernel-devel-uname-r == $(uname -r)"
>> -       $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \
>> -                openvswitch-openvswitch-ipsec-*.rpm
>> +       $ dnf install python3-openvswitch libreswan \
>> +                     openvswitch openvswitch-ipsec
>>
>> -3. Install firewall rules to allow ESP and IKE traffic::
>> +2. Install firewall rules to allow ESP and IKE traffic::
>>
>> -       $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT
>> -       $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT
>> +       $ iptables -A INPUT -p esp -j ACCEPT
>> +       $ iptables -A INPUT -p udp --dport 500 -j ACCEPT
> 
> Same as above, again maybe a line at the beginning of the tutorial would help point people in the right direction depending on the version they are using?

Will update as per Eric's comments.
>  
>>
>> -4. Run the openvswitch-ipsec service::
>> +3. Run the openvswitch-ipsec service::
>>
>>         $ systemctl start openvswitch-ipsec.service
>>
>> @@ -97,7 +94,7 @@ Fedora
>>  Configuring IPsec tunnel
>>  ------------------------
>>
>> -Suppose you want to build IPsec tunnel between two hosts. Assume `host_1`'s
>> +Suppose you want to build an IPsec tunnel between two hosts. Assume
>> `host_1`'s
>>  external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
>>  `host_1` and `host_2` can ping each other via these external IPs.
>>
>> @@ -123,8 +120,8 @@ external IP is 1.1.1.1, and `host_2`'s external IP is
>> 2.2.2.2. Make sure
>>
>>  2. Set up IPsec tunnel.
>>
>> -   There are three authentication methods. You can choose one to set up your
>> -   IPsec tunnel.
>> +   There are three authentication methods.  Choose one method to set up your
>> +   IPsec tunnel and follow the steps below.
>>
>>     a) Using pre-shared key:
>>
> 
> Other than that LGTM. Did you have any thoughts on requirements for backporting it? 

No need for the documentation - 2/2 is a bug though so probably should be.
> 
> Regards
> Ian
>> --
>> 2.26.2
>>
>
Kevin Traynor Oct. 23, 2020, 6:01 p.m. UTC | #5
On 23/10/2020 15:24, Mark Gray wrote:
> On 21/10/2020 16:07, Stokes, Ian wrote:
>>> F32 requires the "python3-openvswitch" package now. Also, the
>>> iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32.
>>>
>>
>> Hi Mark, thanks for the patch, some minor comments below.
>>
>>> Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
>>> ---
>>>  Documentation/tutorials/ipsec.rst | 27 ++++++++++++---------------
>>>  1 file changed, 12 insertions(+), 15 deletions(-)
>>>
>>> diff --git a/Documentation/tutorials/ipsec.rst
>>> b/Documentation/tutorials/ipsec.rst
>>> index b4c323513..ea0b6a63f 100644
>>> --- a/Documentation/tutorials/ipsec.rst
>>> +++ b/Documentation/tutorials/ipsec.rst
>>> @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages
>>>  ---------------------------------
>>>
>>>  OVS IPsec has .deb and .rpm packages. You should use the right package
>>> -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27
>>> +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32
>>>  as examples.
>>
>> Given that the instructions change between Fedora versions, is it worth adding a note that for Fedora versions older than Fedora 32, users should consult the previous OVS release tutorial?
> 
> This is just a tutorial, so I am not making any statement about
> availability of the IPsec feature in different distros, only that, as of
> F32, the instructions are correct.
> 

Fedora 31 will be EOL next month. For Fedora in particular, I don't
think there's any point in writing anything for older releases.

> The main difference is regarding the iptables instructions below. I
> think Eric has cleared that up and I will update the documentation to
> reflect this, as that seems to be the most generic way to enable the
> firewall across multiple Fedora releases.
> 
> 
>>
>> The alternative would be to maintain another section here for Fedora 27, but that seems like a pain and TBH I'm not sure if Fedora 27 is still active? As such, a note might suffice.
>>
>>>
>>>  Ubuntu
>>> @@ -71,21 +71,18 @@ Ubuntu
>>>  Fedora
>>>  ~~~~~~
>>>
>>> -1. Follow :doc:`/intro/install/fedora` to build RPM packages.
>>> +1. Install the related packages. Fedora 32 does not require installation of
>>> +   the out-of-tree kernel module::
>>>
>>> -2. Install the related packages::
>>> -
>>> -       $ dnf install python2-openvswitch libreswan \
>>> -                     "kernel-devel-uname-r == $(uname -r)"
>>> -       $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \
>>> -                openvswitch-openvswitch-ipsec-*.rpm
>>> +       $ dnf install python3-openvswitch libreswan \
>>> +                     openvswitch openvswitch-ipsec
>>>
>>> -3. Install firewall rules to allow ESP and IKE traffic::
>>> +2. Install firewall rules to allow ESP and IKE traffic::
>>>
>>> -       $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT
>>> -       $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT
>>> +       $ iptables -A INPUT -p esp -j ACCEPT
>>> +       $ iptables -A INPUT -p udp --dport 500 -j ACCEPT
>>
>> Same as above, again maybe a line at the beginning of the tutorial would help point people in the right direction depending on the version they are using?
> 
> Will update as per Eric's comments.
>>  
>>>
>>> -4. Run the openvswitch-ipsec service::
>>> +3. Run the openvswitch-ipsec service::
>>>
>>>         $ systemctl start openvswitch-ipsec.service
>>>
>>> @@ -97,7 +94,7 @@ Fedora
>>>  Configuring IPsec tunnel
>>>  ------------------------
>>>
>>> -Suppose you want to build IPsec tunnel between two hosts. Assume `host_1`'s
>>> +Suppose you want to build an IPsec tunnel between two hosts. Assume
>>> `host_1`'s
>>>  external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
>>>  `host_1` and `host_2` can ping each other via these external IPs.
>>>
>>> @@ -123,8 +120,8 @@ external IP is 1.1.1.1, and `host_2`'s external IP is
>>> 2.2.2.2. Make sure
>>>
>>>  2. Set up IPsec tunnel.
>>>
>>> -   There are three authentication methods. You can choose one to set up your
>>> -   IPsec tunnel.
>>> +   There are three authentication methods.  Choose one method to set up your
>>> +   IPsec tunnel and follow the steps below.
>>>
>>>     a) Using pre-shared key:
>>>
>>
>> Other than that LGTM. Did you have any thoughts on requirements for backporting it? 
> 
> No need for the documentation - 2/2 is a bug though so probably should be.
>>
>> Regards
>> Ian
>>> --
>>> 2.26.2
>>>
>

Patch

diff --git a/Documentation/tutorials/ipsec.rst b/Documentation/tutorials/ipsec.rst
index b4c323513..ea0b6a63f 100644
--- a/Documentation/tutorials/ipsec.rst
+++ b/Documentation/tutorials/ipsec.rst
@@ -42,7 +42,7 @@  Installing OVS and IPsec Packages
 ---------------------------------
 
 OVS IPsec has .deb and .rpm packages. You should use the right package
-based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27
+based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32
 as examples.
 
 Ubuntu
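Review bot: the Fedora reference moves from 27 to 32 while the Fedora steps below change substantially between releases, so this sentence would be clearer if it said that the Fedora instructions were verified on Fedora 32 and that older releases may need different steps; Ubuntu 16.04 is kept unchanged, so it is worth confirming those steps were re-checked as well.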
@@ -71,21 +71,18 @@  Ubuntu
 Fedora
 ~~~~~~
 
-1. Follow :doc:`/intro/install/fedora` to build RPM packages.
+1. Install the related packages. Fedora 32 does not require installation of
+   the out-of-tree kernel module::
 
-2. Install the related packages::
-
-       $ dnf install python2-openvswitch libreswan \
-                     "kernel-devel-uname-r == $(uname -r)"
-       $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \
-                openvswitch-openvswitch-ipsec-*.rpm
+       $ dnf install python3-openvswitch libreswan \
+                     openvswitch openvswitch-ipsec
 
-3. Install firewall rules to allow ESP and IKE traffic::
+2. Install firewall rules to allow ESP and IKE traffic::
 
-       $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT
-       $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT
+       $ iptables -A INPUT -p esp -j ACCEPT
+       $ iptables -A INPUT -p udp --dport 500 -j ACCEPT
 
-4. Run the openvswitch-ipsec service::
+3. Run the openvswitch-ipsec service::
 
        $ systemctl start openvswitch-ipsec.service
 
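Review bot: the replacement rules in step 2 append to the raw INPUT chain, which bypasses firewalld rather than configuring it; on Fedora 32, where firewalld uses the nftables backend, the iptables rule can accept the packet while firewalld's own ruleset still drops it, and the rules are not persisted across a reboot either. Opening the traffic through firewalld, e.g. `# firewall-cmd --add-service ipsec` followed by `# firewall-cmd --permanent --add-service ipsec`, works across Fedora releases and backends. Two smaller points: the rules open only UDP 500, so IKE NAT traversal (UDP 4500, which the firewalld ipsec service includes) would still be blocked, and `dnf install`, `iptables` and `systemctl start` all need root, so a `#` prompt or `sudo` would match the commands better than `$`.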
@@ -97,7 +94,7 @@  Fedora
 Configuring IPsec tunnel
 ------------------------
 
-Suppose you want to build IPsec tunnel between two hosts. Assume `host_1`'s
+Suppose you want to build an IPsec tunnel between two hosts. Assume `host_1`'s
 external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
 `host_1` and `host_2` can ping each other via these external IPs.
 
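Review bot: the grammar fix is fine, but the surrounding context uses 1.1.1.1 and 2.2.2.2 as example external IPs, and both are real, routable public addresses; a reader who copies the tutorial literally will send IKE traffic to hosts they do not own. Since these lines are already being touched, switching to the RFC 5737 documentation ranges (e.g. 192.0.2.1 and 198.51.100.1) would be a cheap improvement, or it could go in a follow-up patch.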
@@ -123,8 +120,8 @@  external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
 
 2. Set up IPsec tunnel.
 
-   There are three authentication methods. You can choose one to set up your
-   IPsec tunnel.
+   There are three authentication methods.  Choose one method to set up your
+   IPsec tunnel and follow the steps below.
 
    a) Using pre-shared key: