From patchwork Tue Jan 5 22:53:40 2021
X-Patchwork-Submitter: Mark Gray
X-Patchwork-Id: 1422739
From: Mark Gray
To: mark.d.gray@redhat.com, dev@openvswitch.org
Date: Tue, 5 Jan 2021 17:53:40 -0500
Message-Id: <20210105225341.1751305-2-mark.d.gray@redhat.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20210105225341.1751305-1-mark.d.gray@redhat.com>
References: <20210105225341.1751305-1-mark.d.gray@redhat.com>
Cc: Flavio Leitner
Subject: [ovs-dev] [PATCH v4 1/2] ovs-monitor-ipsec: Allow exit of ipsec daemon maintaining state

When 'ovs-monitor-ipsec' exits, it clears all persistent state (i.e. active ipsec connections, /etc/ipsec.conf, certs/keys). In some use-cases, we may want to exit and maintain state so that ipsec connectivity is maintained. One example of this is during an upgrade. This will require the caller to clear this persistent state when appropriate (e.g. before 'ovs-monitor-ipsec' is restarted).

Signed-off-by: Mark Gray
Acked-by: Eelco Chaudron
Acked-by: Flavio Leitner
---
v2: Changed command syntax
v3: Added Flavio's ack
v4: Rebased and added NEWS section

NEWS | 3 +++
ipsec/ovs-monitor-ipsec.in | 30 +++++++++++++++++++++---------
2 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/NEWS b/NEWS index 402b4c6646c3..b847c6a995bd 100644 --- a/NEWS +++ b/NEWS @@ -38,6 +38,9 @@ Post-v2.14.0 - ovs-dpctl and 'ovs-appctl dpctl/': * New commands '{add,mod,del}-flows' where added, which allow adding, deleting, or modifying flows based on information read from a file. + - IPsec: + * Add option to allow ovs-monitor-ipsec to stop without tearing down + IPsec tunnels. v2.14.0 - 17 Aug 2020
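Review bot: the NEWS entry does not name the interface, so a user cannot find the feature from it; say it is the new `--no-cleanup` argument of the `exit` unixctl command (`ovs-appctl -t ovs-monitor-ipsec exit --no-cleanup`) and repeat the commit message's caveat that the caller then owns clearing the persistent state (active connections, /etc/ipsec.conf, certs/keys) before ovs-monitor-ipsec is started again. Unrelated to this patch, the context line above the insertion reads "where added" for "were added", worth a drive-by fix in a separate patch.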
diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in index f9451e53cd40..6d12cd8d2b03 100755 --- a/ipsec/ovs-monitor-ipsec.in +++ b/ipsec/ovs-monitor-ipsec.in @@ -1150,19 +1150,30 @@ def unixctl_refresh(conn, unused_argv, unused_aux): conn.reply(None) -def unixctl_exit(conn, unused_argv, unused_aux): +def unixctl_exit(conn, argv, unused_aux): global monitor global exiting + ret = None exiting = True + cleanup = True - # Make sure persistent global states are cleared - monitor.update_conf([None, None, None, None], None) - # Make sure persistent tunnel states are cleared - for tunnel in monitor.tunnels.keys(): - monitor.del_tunnel(tunnel) - monitor.run() + for arg in argv: + if arg == "--no-cleanup": + cleanup = False + else: + cleanup = False + exiting = False + ret = str("unrecognized parameter: %s" % arg) + + if cleanup: + # Make sure persistent global states are cleared + monitor.update_conf([None, None, None, None], None) + # Make sure persistent tunnel states are cleared + for tunnel in monitor.tunnels.keys(): + monitor.del_tunnel(tunnel) + monitor.run() - conn.reply(None) + conn.reply(ret) def main(): 
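Review bot: the unrecognized-parameter path in unixctl_exit replies through `conn.reply(ret)`, the same success reply used for a normal exit, so the caller receives the "unrecognized parameter: ..." text as a successful result even though the daemon neither exited nor cleaned up; send it with `conn.reply_error(ret)` instead and keep `conn.reply(None)` for the success path, so ovs-appctl reports the failure. Two smaller points: `str("unrecognized parameter: %s" % arg)` is already a str, so the str() wrapper can go, and since the command is registered with at most one argument, the `for arg in argv` loop with its own `exiting = False` reset reads more simply as a check of the single optional argument. The --no-cleanup case is the security-relevant one: by design it leaves /etc/ipsec.conf and the certs/keys in place after exit, so a comment at the `if cleanup:` block stating who is responsible for removing them (the caller, per the commit message) would help the next maintainer.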
@@ -1208,7 +1219,8 @@ def main(): ovs.unixctl.command_register("tunnels/show", "", 0, 0, unixctl_show, None) ovs.unixctl.command_register("refresh", "", 0, 0, unixctl_refresh, None) - ovs.unixctl.command_register("exit", "", 0, 0, unixctl_exit, None) + ovs.unixctl.command_register("exit", "[--no-cleanup]", 0, 1, + unixctl_exit, None) error, unixctl_server = ovs.unixctl.server.UnixctlServer.create(None) if error:

From patchwork Tue Jan 5 22:53:41 2021
X-Patchwork-Submitter: Mark Gray
X-Patchwork-Id: 1422740
From: Mark Gray
To: mark.d.gray@redhat.com, dev@openvswitch.org
Date: Tue, 5 Jan 2021 17:53:41 -0500
Message-Id: <20210105225341.1751305-3-mark.d.gray@redhat.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20210105225341.1751305-1-mark.d.gray@redhat.com>
References: <20210105225341.1751305-1-mark.d.gray@redhat.com>
Cc: Flavio Leitner
Subject: [ovs-dev] [PATCH v4 2/2] ovs-monitor-ipsec: Add option to not restart IKE daemon

Signed-off-by: Mark Gray
Acked-by: Eelco Chaudron
Acked-by: Flavio Leitner
---
v3: Add Flavio's ack
v4: Rebased and added NEWS section

NEWS | 2 ++
ipsec/ovs-monitor-ipsec.in | 11 ++++++++---
utilities/ovs-ctl.in | 8 ++++++++
3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS index b847c6a995bd..cb3071a08ff8 100644 --- a/NEWS +++ b/NEWS @@ -41,6 +41,8 @@ Post-v2.14.0 - IPsec: * Add option to allow ovs-monitor-ipsec to stop without tearing down IPsec tunnels. + * Add option to allow ovs-monitor-ipsec to start without restarting + ipsec daemon. v2.14.0 - 17 Aug 2020
diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in index 6d12cd8d2b03..64111768b33a 100755 --- a/ipsec/ovs-monitor-ipsec.in +++ b/ipsec/ovs-monitor-ipsec.in @@ -925,7 +925,7 @@ class IPsecTunnel(object): class IPsecMonitor(object): """This class monitors and configures IPsec tunnels""" - def __init__(self, root_prefix, ike_daemon): + def __init__(self, root_prefix, ike_daemon, restart): self.IPSEC = root_prefix + "/usr/sbin/ipsec" self.tunnels = {}
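Review bot: the new `restart` parameter of IPsecMonitor.__init__ is a bare positional boolean with no default, so every caller must now pass it and the call site reads as an unexplained third argument (`not args.no_restart_ike_daemon` in the later hunk); give it a keyword default, `restart=True`, so existing callers keep the old behaviour, and add a line to the class docstring or a comment on the parameter saying that False skips restarting the IKE daemon on startup.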
@@ -955,7 +955,9 @@ class IPsecMonitor(object): not os.access(self.IPSEC, os.X_OK): vlog.err("IKE daemon is not installed in the system.") - self.ike_helper.restart_ike_daemon() + if restart: + vlog.info("Restarting IKE daemon") + self.ike_helper.restart_ike_daemon() def is_tunneling_type_supported(self, tunnel_type): """Returns True if we know how to configure IPsec for these @@ -1186,6 +1188,8 @@ def main(): parser.add_argument("--ike-daemon", metavar="IKE-DAEMON", help="The IKE daemon used for IPsec tunnels" " (either libreswan or strongswan).") + parser.add_argument("--no-restart-ike-daemon", action='store_true', + help="Don't restart the IKE daemon on startup.") ovs.vlog.add_args(parser) ovs.daemon.add_args(parser) @@ -1198,7 +1202,8 @@ def main(): root_prefix = args.root_prefix if args.root_prefix else "" xfrm = XFRM(root_prefix) - monitor = IPsecMonitor(root_prefix, args.ike_daemon) + monitor = IPsecMonitor(root_prefix, args.ike_daemon, + not args.no_restart_ike_daemon) remote = args.database schema_helper = ovs.db.idl.SchemaHelper() diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in index 86d7fe2c4df6..d71c34e69106 100644 --- a/utilities/ovs-ctl.in +++ b/utilities/ovs-ctl.in @@ -231,9 +231,14 @@ start_forwarding () { } start_ovs_ipsec () { + if test X$RESTART_IKE_DAEMON = Xno; then + no_restart="--no-restart-ike-daemon" + fi + ${datadir}/scripts/ovs-monitor-ipsec \ --pidfile=${rundir}/ovs-monitor-ipsec.pid \ --ike-daemon=$IKE_DAEMON \ + $no_restart \ --log-file --detach --monitor unix:${rundir}/db.sock || return 1 return 0 } @@ -341,6 +346,7 @@ set_defaults () { SPORT= IKE_DAEMON= + RESTART_IKE_DAEMON=yes type_file=$etcdir/system-type.conf version_file=$etcdir/system-version.conf 
@@ -424,6 +430,8 @@ Options for "enable-protocol": Option for "start-ovs-ipsec": --ike-daemon=IKE_DAEMON the IKE daemon for ipsec tunnels (either libreswan or strongswan) + --no-restart-ike-daemon + do not restart the IKE daemon on startup Other options: -h, --help display this help message
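Review bot: in the `if restart:` branch of IPsecMonitor.__init__ (hunk @@ -955,7 +955,9 @@) the not-restart case does nothing at all, so with --no-restart-ike-daemon the monitor assumes an IKE daemon was left running by the previous instance (the upgrade flow from patch 1/2); if that assumption is wrong, no tunnel comes up and the only hint is the missing "Restarting IKE daemon" log line. Add an `else:` that logs at warn level that the daemon is not being restarted and is assumed to be running, and consider verifying that it is before continuing, so a failed upgrade can be diagnosed from the log.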
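Review bot: `no_restart` in start_ovs_ipsec (hunk @@ -231,9 +231,14 @@) is only assigned when RESTART_IKE_DAEMON is "no" and is never cleared otherwise, so a value of that name inherited from the caller's environment would be expanded, unquoted, into the ovs-monitor-ipsec command line; initialise it explicitly, e.g. `no_restart=` before the `if test X$RESTART_IKE_DAEMON = Xno` line, the way set_defaults already does for `IKE_DAEMON=` and `SPORT=`.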
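Review bot: the help text (hunk @@ -424,6 +430,8 @@) advertises `--no-restart-ike-daemon` for start-ovs-ipsec, but the only plumbing visible in the patch is the `RESTART_IKE_DAEMON=yes` default and the test for `Xno`; nothing in the diff shows the flag being parsed into that variable, so confirm that ovs-ctl's option handling maps --no-restart-ike-daemon to RESTART_IKE_DAEMON=no and add a one-line comment next to the default naming the flag, so the connection is visible to the next reader. The help line should also say what the option is for (keeping IPsec tunnels up across an ovs-monitor-ipsec restart, per the NEWS entry).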