
[ovs-dev,1/2] ovs-ctl: Fix inability to set custom options for ovs-monitor-ipsec.

Message ID 20250110165226.4167289-2-i.maximets@ovn.org


Ilya Maximets Jan. 10, 2025, 4:52 p.m. UTC
Commit in the fixes tag added support for using custom ipsec.conf
with ovs-monitor-ipsec, but it didn't provide a way to use those
options via ovs-ctl.  This makes it impossible to use these options
from a systemd unit, for example.

Fix that by adding --ovs-monitor-ipsec-options knob to ovs-ctl and
allowing OPTIONS to be passed via sysconfig.

Our Debian units are using StrongSwan, so they do not need these
Libreswan-specific options.

There is a line length warning in the example, but it's hard to split
it into multiple lines, and I think, it's a good configuration example
to provide.

Fixes: 09d7c5ac0054 ("ipsec: Add support for using non-root ipsec.conf.")
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
---
 NEWS                                          |  2 ++
 ...b_systemd_system_openvswitch-ipsec.service |  6 +++++-
 ...vswitch_scripts_systemd_sysconfig.template |  3 +++
 utilities/ovs-ctl.in                          | 20 +++++++++++++------
 4 files changed, 24 insertions(+), 7 deletions(-)


diff --git a/NEWS b/NEWS
index 83f051379..1aedbbe44 100644
--- a/NEWS
+++ b/NEWS
@@ -55,6 +55,8 @@  Post-v3.4.0
        to make it not configure any crypto options (ike/esp) for connections.
        Most useful in combination with '--root-ipsec-conf' where system-wide
        crypto-policy is included from the root ipsec.conf.
+     * New option '--ovs-monitor-ipsec-options' for 'ovs-ctl start-ovs-ipsec'
+       to pass above new options to ovs-monitor-ipsec.
 
 
 v3.4.0 - 15 Aug 2024
diff --git a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
index 92dad44f9..b508d21dc 100644
--- a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
+++ b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
@@ -6,8 +6,12 @@  After=openvswitch.service
 [Service]
 Type=forking
 PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid
+EnvironmentFile=/etc/openvswitch/default.conf
+EnvironmentFile=-/etc/sysconfig/openvswitch
+EnvironmentFile=-/run/openvswitch.useropts
+
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
-                    --ike-daemon=libreswan start-ovs-ipsec
+                    --ike-daemon=libreswan start-ovs-ipsec $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
 
 [Install]
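Review bot: The new `EnvironmentFile=/etc/openvswitch/default.conf` line has no `-` prefix, so unlike the two lines that follow it the unit will now refuse to start if that file is missing, a failure mode the ipsec unit did not have before this change. If this mirrors openvswitch.service, where the file is presumably guaranteed to exist, it is fine; otherwise `EnvironmentFile=-/etc/openvswitch/default.conf` keeps the ipsec unit startable on its own. Passing `$OPTIONS` unquoted is the right form here, since systemd splits it on whitespace while honouring the quotes in the documented `--ovs-monitor-ipsec-options='...'` value.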
diff --git a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
index c467d02db..63833c4d8 100644
--- a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
+++ b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
@@ -25,6 +25,9 @@ 
 #   --ovs-vswitchd-options='-vconsole:dbg -vfile:dbg'
 #   --ovsdb-server-options='-vconsole:dbg -vfile:dbg'
 #
+# Or to start with non-root IPsec config file:
+#   --ovs-monitor-ipsec-options='--ipsec-conf=/etc/ipsec.d/ovs.conf --root-ipsec-conf=/etc/ipsec.conf'
+#
 OPTIONS=""
 
 # Uncomment and set the OVS User/Group value
diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index 57abd3a5b..5b1c24b5a 100644
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -242,15 +242,19 @@  start_forwarding () {
 }
 
 start_ovs_ipsec () {
+    set ${datadir}/scripts/ovs-monitor-ipsec unix:"$DB_SOCK"
+    set "$@" --log-file=${logdir}/ovs-monitor-ipsec.log
+    set "$@" --pidfile=${rundir}/ovs-monitor-ipsec.pid
+    set "$@" --detach --monitor
+    set "$@" --ike-daemon=$IKE_DAEMON
     if test X$RESTART_IKE_DAEMON = Xno; then
-        no_restart="--no-restart-ike-daemon"
+        set "$@" --no-restart-ike-daemon
+    fi
+    if test X"$OVS_MONITOR_IPSEC_OPTIONS" != X; then
+        set "$@" $OVS_MONITOR_IPSEC_OPTIONS
     fi
 
-    ${datadir}/scripts/ovs-monitor-ipsec \
-        --pidfile=${rundir}/ovs-monitor-ipsec.pid \
-        --ike-daemon=$IKE_DAEMON \
-        $no_restart \
-        --log-file --detach --monitor unix:${rundir}/db.sock || return 1
+    action "Starting ovs-monitor-ipsec" "$@" || return 1
     return 0
 }
 
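Review bot: `set "$@" $OVS_MONITOR_IPSEC_OPTIONS` relies on unquoted word splitting, which also performs pathname expansion, so a value containing `*` or `?` would be globbed against the current directory before reaching ovs-monitor-ipsec. The documented example is safe and this presumably mirrors how the other `*_OPTIONS` variables are expanded elsewhere in ovs-ctl; if so, a comment such as `# Intentionally unquoted: a whitespace-separated list of extra arguments.` above it makes the intent explicit, otherwise bracket it with `set -f` / `set +f`. Separately, the rewrite replaces the bare `--log-file` with `--log-file=${logdir}/ovs-monitor-ipsec.log` and `unix:${rundir}/db.sock` with `unix:"$DB_SOCK"`; if either differs from the previous default it is a behaviour change the commit message does not mention.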
@@ -348,6 +352,7 @@  set_defaults () {
     OVS_VSWITCHD_WRAPPER=
     OVSDB_SERVER_OPTIONS=
     OVS_VSWITCHD_OPTIONS=
+    OVS_MONITOR_IPSEC_OPTIONS=
     OVSDB_SERVER_UMASK=
     OVS_VSWITCHD_UMASK=
 
@@ -463,6 +468,9 @@  Option for "start-ovs-ipsec":
       the IKE daemon for ipsec tunnels (either libreswan or strongswan)
   --no-restart-ike-daemon
       do not restart the IKE daemon on startup
+  --ovs-monitor-ipsec-options=OPTIONS
+      additional options for ovs-monitor-ipsec (example:
+      '--ipsec-conf=/etc/ipsec.d/ovs.conf --root-ipsec-conf=/etc/ipsec.conf')
 
 Other options:
   -h, --help                  display this help message