@@ -55,6 +55,8 @@ Post-v3.4.0
to make it not configure any crypto options (ike/esp) for connections.
Most useful in combination with '--root-ipsec-conf' where system-wide
crypto-policy is included from the root ipsec.conf.
+ * New option '--ovs-monitor-ipsec-options' for 'ovs-ctl start-ovs-ipsec'
+ to pass above new options to ovs-monitor-ipsec.
v3.4.0 - 15 Aug 2024
@@ -6,8 +6,12 @@ After=openvswitch.service
[Service]
Type=forking
PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid
+EnvironmentFile=/etc/openvswitch/default.conf
+EnvironmentFile=-/etc/sysconfig/openvswitch
+EnvironmentFile=-/run/openvswitch.useropts
+
ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
- --ike-daemon=libreswan start-ovs-ipsec
+ --ike-daemon=libreswan start-ovs-ipsec $OPTIONS
ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
[Install]
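Review bot: `EnvironmentFile=/etc/openvswitch/default.conf` is added without the `-` prefix, so the ipsec unit now refuses to start when that file is missing, while the two entries below it are optional; if this mirrors openvswitch.service the inconsistency is deliberate, but it is a new hard dependency for this unit that the description does not mention, and `EnvironmentFile=-/etc/openvswitch/default.conf` would keep the previous tolerance. The unbraced `$OPTIONS` in ExecStart is the correct spelling here: systemd splits it at whitespace while honoring embedded single quotes, which the `--ovs-monitor-ipsec-options='… …'` example in the sysconfig template hunk relies on, whereas `${OPTIONS}` would hand the whole string to ovs-ctl as one argument. A short comment above ExecStart, `# $OPTIONS is intentionally unbraced so systemd word-splits it (quotes respected).`, would keep a future cleanup from breaking that example. Note also that the same OPTIONS string is presumably consumed by the other ovs-ctl invocations in the sibling units, so every option placed there must be one every ovs-ctl command accepts.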
@@ -25,6 +25,9 @@
# --ovs-vswitchd-options='-vconsole:dbg -vfile:dbg'
# --ovsdb-server-options='-vconsole:dbg -vfile:dbg'
#
+# Or to start with non-root IPsec config file:
+# --ovs-monitor-ipsec-options='--ipsec-conf=/etc/ipsec.d/ovs.conf --root-ipsec-conf=/etc/ipsec.conf'
+#
OPTIONS=""
# Uncomment and set the OVS User/Group value
@@ -242,15 +242,19 @@ start_forwarding () {
}
start_ovs_ipsec () {
+ set ${datadir}/scripts/ovs-monitor-ipsec unix:"$DB_SOCK"
+ set "$@" --log-file=${logdir}/ovs-monitor-ipsec.log
+ set "$@" --pidfile=${rundir}/ovs-monitor-ipsec.pid
+ set "$@" --detach --monitor
+ set "$@" --ike-daemon=$IKE_DAEMON
if test X$RESTART_IKE_DAEMON = Xno; then
- no_restart="--no-restart-ike-daemon"
+ set "$@" --no-restart-ike-daemon
+ fi
+ if test X"$OVS_MONITOR_IPSEC_OPTIONS" != X; then
+ set "$@" $OVS_MONITOR_IPSEC_OPTIONS
fi
- ${datadir}/scripts/ovs-monitor-ipsec \
- --pidfile=${rundir}/ovs-monitor-ipsec.pid \
- --ike-daemon=$IKE_DAEMON \
- $no_restart \
- --log-file --detach --monitor unix:${rundir}/db.sock || return 1
+ action "Starting ovs-monitor-ipsec" "$@" || return 1
return 0
}
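Review bot: Two changes in start_ovs_ipsec are not mentioned in the description: the database socket moves from `unix:${rundir}/db.sock` to `unix:"$DB_SOCK"`, and the bare `--log-file` becomes an explicit `--log-file=${logdir}/ovs-monitor-ipsec.log`; presumably DB_SOCK defaults to the old path and the explicit name matches the daemon's former default, but that is worth stating in the commit message or confirming. Separately, `set "$@" $OVS_MONITOR_IPSEC_OPTIONS` depends on unquoted expansion to split the user-supplied string into arguments, which also subjects any `*` or `?` in the value to pathname expansion; this appears to match how the sibling `*_OPTIONS` variables are consumed elsewhere in ovs-ctl, so a one-line comment such as `# Intentionally unquoted: split the option string into separate arguments.` would record the intent for the next reader.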
@@ -348,6 +352,7 @@ set_defaults () {
OVS_VSWITCHD_WRAPPER=
OVSDB_SERVER_OPTIONS=
OVS_VSWITCHD_OPTIONS=
+ OVS_MONITOR_IPSEC_OPTIONS=
OVSDB_SERVER_UMASK=
OVS_VSWITCHD_UMASK=
@@ -463,6 +468,9 @@ Option for "start-ovs-ipsec":
the IKE daemon for ipsec tunnels (either libreswan or strongswan)
--no-restart-ike-daemon
do not restart the IKE daemon on startup
+ --ovs-monitor-ipsec-options=OPTIONS
+ additional options for ovs-monitor-ipsec (example:
+ '--ipsec-conf=/etc/ipsec.d/ovs.conf --root-ipsec-conf=/etc/ipsec.conf')
Other options:
-h, --help display this help message
The commit in the Fixes tag added support for using a custom ipsec.conf with ovs-monitor-ipsec, but it didn't provide a way to pass those options via ovs-ctl. This makes it impossible to use these options from a systemd unit, for example. Fix that by adding an --ovs-monitor-ipsec-options knob to ovs-ctl and allowing OPTIONS to be passed via sysconfig. Our Debian units use StrongSwan, so they do not need these Libreswan-specific options. There is a line-length warning in the example, but it's hard to split it into multiple lines, and I think it's a good configuration example to provide. Fixes: 09d7c5ac0054 ("ipsec: Add support for using non-root ipsec.conf.") Signed-off-by: Ilya Maximets <i.maximets@ovn.org> --- NEWS | 2 ++ ...b_systemd_system_openvswitch-ipsec.service | 6 +++++- ...vswitch_scripts_systemd_sysconfig.template | 3 +++ utilities/ovs-ctl.in | 20 +++++++++++++------ 4 files changed, 24 insertions(+), 7 deletions(-)