@@ -20,6 +20,9 @@ EXTRA_DIST += \
debian/openvswitch-datapath-source.copyright \
debian/openvswitch-datapath-source.dirs \
debian/openvswitch-datapath-source.install \
+ debian/openvswitch-ipsec.dirs \
+ debian/openvswitch-ipsec.init \
+ debian/openvswitch-ipsec.install \
debian/openvswitch-pki.dirs \
debian/openvswitch-pki.postinst \
debian/openvswitch-pki.postrm \
@@ -320,3 +320,24 @@ Description: Open vSwitch development package
1000V.
.
This package provides openvswitch headers and libopenvswitch for developers.
+
+Package: openvswitch-ipsec
+Architecture: linux-any
+Depends: iproute2,
+ openvswitch-common (= ${binary:Version}),
+ openvswitch-switch (= ${binary:Version}),
+ python,
+ python-openvswitch (= ${source:Version}),
+ strongswan,
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: Open vSwitch IPsec tunneling support
+ Open vSwitch is a production quality, multilayer, software-based,
+ Ethernet virtual switch. It is designed to enable massive network
+ automation through programmatic extension, while still supporting
+ standard management interfaces and protocols (e.g. NetFlow, IPFIX,
+ sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed
+ to support distribution across multiple physical servers similar to
+ VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
+ .
+ This package provides IPsec tunneling support for OVS tunnels.
new file mode 100644
@@ -0,0 +1 @@
+usr/share/openvswitch/scripts
\ No newline at end of file
new file mode 100644
@@ -0,0 +1,181 @@
+#!/bin/sh
+#
+# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino <jfs@debian.org>
+#
+# This is free software; you may redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2,
+# or (at your option) any later version.
+#
+# This is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License with
+# the Debian operating system, in /usr/share/common-licenses/GPL; if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+#
+### BEGIN INIT INFO
+# Provides: openvswitch-ipsec
+# Required-Start: $network $local_fs $remote_fs openvswitch-switch
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Open vSwitch GRE-over-IPsec daemon
+# Description: The ovs-monitor-ipsec script provides support for
+# encrypting GRE tunnels with IPsec.
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location
+NAME=ovs-monitor-ipsec # Introduce the short server's name here
+LOGDIR=/var/log/openvswitch # Log directory to use
+DATADIR=/usr/share/openvswitch
+
+PIDFILE=/var/run/openvswitch/$NAME.pid
+
+test -x $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+DODTIME=10 # Time to wait for the server to die, in seconds
+ # If this value is set too low you might not
+ # let some servers to die gracefully and
+ # 'restart' will not work
+
+set -e
+
+running_pid() {
+# Check if a given process pid's cmdline matches a given name
+ pid=$1
+ name=$2
+ [ -z "$pid" ] && return 1
+ [ ! -d /proc/$pid ] && return 1
+ cmd=`cat /proc/$pid/cmdline | tr "\000" " "|cut -d " " -f 2`
+ # Is this the expected server
+ [ "$cmd" != "$name" ] && return 1
+ return 0
+}
+
+running() {
+# Check if the process is running looking at /proc
+# (works for all users)
+
+ # No pidfile, probably no daemon present
+ [ ! -f "$PIDFILE" ] && return 1
+ pid=`cat $PIDFILE`
+ running_pid $pid $DAEMON || return 1
+ return 0
+}
+
+start_server() {
+ ${DATADIR}/scripts/ovs-ctl start-ovs-ipsec
+ return 0
+}
+
+stop_server() {
+ ${DATADIR}/scripts/ovs-ctl stop-ovs-ipsec
+ return 0
+}
+
+force_stop() {
+# Force the process to die killing it manually
+ [ ! -e "$PIDFILE" ] && return
+ if running ; then
+ kill -15 $pid
+ # Is it really dead?
+ sleep "$DODTIME"
+ if running ; then
+ kill -9 $pid
+ sleep "$DODTIME"
+ if running ; then
+ echo "Cannot kill $NAME (pid=$pid)!"
+ exit 1
+ fi
+ fi
+ fi
+ rm -f $PIDFILE
+}
+
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting $NAME"
+ # Check if it's running first
+ if running ; then
+ log_progress_msg "apparently already running"
+ log_end_msg 0
+ exit 0
+ fi
+ if start_server && running ; then
+ # It's ok, the server started and is running
+ log_end_msg 0
+ else
+ # Either we could not start it or it is not running
+ # after we did
+ # NOTE: Some servers might die some time after they start,
+ # this code does not try to detect this and might give
+ # a false positive (use 'status' for that)
+ log_end_msg 1
+ fi
+ ;;
+ stop)
+ log_daemon_msg "Stopping $NAME"
+ if running ; then
+ # Only stop the server if we see it running
+ stop_server
+ log_end_msg $?
+ else
+ # If it's not running don't do anything
+ log_progress_msg "apparently not running"
+ log_end_msg 0
+ exit 0
+ fi
+ ;;
+ force-stop)
+ # First try to stop gracefully the program
+ $0 stop
+ if running; then
+ # If it's still running try to kill it more forcefully
+ log_daemon_msg "Stopping (force) $NAME"
+ force_stop
+ log_end_msg $?
+ fi
+ ;;
+ restart|force-reload)
+ log_daemon_msg "Restarting $NAME"
+ stop_server
+ # Wait some sensible amount, some server need this
+ [ -n "$DODTIME" ] && sleep $DODTIME
+ start_server
+ running
+ log_end_msg $?
+ ;;
+ status)
+ log_daemon_msg "Checking status of $NAME"
+ if running ; then
+ log_progress_msg "running"
+ log_end_msg 0
+ else
+ log_progress_msg "apparently not running"
+ log_end_msg 1
+ exit 1
+ fi
+ ;;
+ # Use this if the daemon cannot reload
+ reload)
+ log_warning_msg "Reloading $NAME daemon: not implemented, as the"
+ log_warning_msg "deamon cannot re-read the config file (use restart)."
+ ;;
+ *)
+ N=/etc/init.d/openvswitch-ipsec
+ echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" \
+ >&2
+ exit 1
+ ;;
+esac
+
+exit 0
new file mode 100644
@@ -0,0 +1 @@
+ipsec/ovs-monitor-ipsec usr/share/openvswitch/scripts
@@ -35,6 +35,7 @@ EXTRA_DIST += \
rhel/usr_lib_systemd_system_ovn-controller.service \
rhel/usr_lib_systemd_system_ovn-controller-vtep.service \
rhel/usr_lib_systemd_system_ovn-northd.service \
+ rhel/usr_lib_systemd_system_openvswitch-ipsec.service \
rhel/usr_lib_firewalld_services_ovn-central-firewall-service.xml \
rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml
@@ -208,6 +208,14 @@ Requires: openvswitch openvswitch-ovn-common %{_py2}-openvswitch
%description ovn-docker
Docker network plugins for OVN.
+%package openvswitch-ipsec
+Summary: Open vSwitch IPsec tunneling support
+License: ASL 2.0
+Requires: openvswitch %{_py2}-openvswitch libreswan
+
+%description openvswitch-ipsec
+This package provides IPsec tunneling support for OVS tunnels.
+
%prep
%setup -q
@@ -259,7 +267,8 @@ install -p -D -m 0644 \
rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template \
$RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/openvswitch
for service in openvswitch ovsdb-server ovs-vswitchd ovs-delete-transient-ports \
- ovn-controller ovn-controller-vtep ovn-northd; do
+ ovn-controller ovn-controller-vtep ovn-northd \
+ openvswitch-ipsec; do
install -p -D -m 0644 \
rhel/usr_lib_systemd_system_${service}.service \
$RPM_BUILD_ROOT%{_unitdir}/${service}.service
@@ -317,6 +326,10 @@ install -p -D -m 0755 \
rhel/usr_share_openvswitch_scripts_ovs-systemd-reload \
$RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-systemd-reload
+install -m 0755 \
+ ipsec/ovs-monitor-ipsec \
+ $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec
+
# remove unpackaged files
rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
$RPM_BUILD_ROOT%{_sbindir}/ovs-vlan-bug-workaround \
@@ -638,6 +651,10 @@ fi
%{_mandir}/man8/ovn-controller-vtep.8*
%{_unitdir}/ovn-controller-vtep.service
+%files openvswitch-ipsec
+%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec
+%{_unitdir}/openvswitch-ipsec.service
+
%changelog
* Wed Jan 12 2011 Ralf Spenneberg <ralf@os-s.net>
- First build on F14
new file mode 100644
@@ -0,0 +1,12 @@
+[Unit]
+Description=OVS IPsec daemon
+Requires=openvswitch.service
+After=openvswitch.service
+
+[Service]
+Type=forking
+ExecStart=/usr/share/openvswitch/scripts/ovs-ctl start-ovs-ipsec
+ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
+
+[Install]
+WantedBy=multi-user.target
@@ -250,6 +250,13 @@ start_forwarding () {
return 0
}
+start_ovs_ipsec () {
+ ${datadir}/scripts/ovs-monitor-ipsec \
+ --pidfile=${rundir}/ovs-monitor-ipsec.pid \
+ --log-file --detach --monitor unix:${rundir}/db.sock
+ return 0
+}
+
## ---- ##
## stop ##
## ---- ##
@@ -266,6 +273,11 @@ stop_forwarding () {
fi
}
+stop_ovs_ipsec () {
+ ${bindir}/ovs-appctl -t ovs-monitor-ipsec exit
+ return 0
+}
+
## --------------- ##
## enable-protocol ##
## --------------- ##
@@ -550,6 +562,12 @@ case $command in
delete-transient-ports)
del_transient_ports
;;
+ start-ovs-ipsec)
+ start_ovs_ipsec
+ ;;
+ stop-ovs-ipsec)
+ stop_ovs_ipsec
+ ;;
help)
usage
;;