ovs-ctl: Fix inability to set custom options for ovs-monitor-ipsec.

Commit in the fixes tag added support for using custom ipsec.conf with
ovs-monitor-ipsec, but it didn't provide a way to use those options
via ovs-ctl.  This makes it not possible to use these options from a
systemd unit, for example.

Fix that by adding --ovs-monitor-ipsec-options knob to ovs-ctl and
allowing OPTIONS to be passed via sysconfig.

Our Debian units are using StrongSwan, so they do not need these
Libreswan-specific options, however, it's better to keep systemd
integration similar to Fedora/RHEL.  There is at least one other
option that can be used with StrongSwan.

Only the Debian init file is updated, because we don't have IPsec
support for init in Fedora/RHEL.

There is a line length warning in the example, but it's hard to split
it into multiple lines, and I think, it's a good configuration example
to provide.

Fixes: 09d7c5a ("ipsec: Add support for using non-root ipsec.conf.")
Signed-off-by: Ilya Maximets <[email protected]>
Signed-off-by: 0-day Robot <[email protected]>

NEWS

@@ -55,6 +55,8 @@ Post-v3.4.0
        to make it not configure any crypto options (ike/esp) for connections.
        Most useful in combination with '--root-ipsec-conf' where system-wide
        crypto-policy is included from the root ipsec.conf.
+     * New option '--ovs-monitor-ipsec-options' for 'ovs-ctl start-ovs-ipsec'
+       to pass above new options to ovs-monitor-ipsec.
 
 
 v3.4.0 - 15 Aug 2024

debian/automake.mk

@@ -14,6 +14,8 @@ EXTRA_DIST += \
 	debian/openvswitch-common.lintian-overrides \
 	debian/openvswitch-doc.doc-base \
 	debian/openvswitch-doc.install \
+	debian/openvswitch-ipsec.default \
+	debian/openvswitch-ipsec.dirs \
 	debian/openvswitch-ipsec.init \
 	debian/openvswitch-ipsec.install \
 	debian/openvswitch-ipsec.service \

debian/openvswitch-ipsec.default

@@ -0,0 +1,5 @@
+# This is a POSIX shell fragment                -*- sh -*-
+
+# OVS_CTL_OPTS: Extra options to pass to ovs-ctl.  This is, for example,
+# a suitable place to specify --no-restart-ike-daemon.
+# OVS_CTL_OPTS=

debian/openvswitch-ipsec.dirs

@@ -0,0 +1 @@
+/usr/share/openvswitch/ipsec

debian/openvswitch-ipsec.init

@@ -41,6 +41,8 @@ test -x $DAEMON || exit 0
 
 . /lib/lsb/init-functions
 
+test -e /etc/default/openvswitch-ipsec && . /etc/default/openvswitch-ipsec
+
 DODTIME=10              # Time to wait for the server to die, in seconds
                         # If this value is set too low you might not
                         # let some servers to die gracefully and
@@ -72,7 +74,8 @@ running() {
 }
 
 start_server() {
-    ${DATADIR}/scripts/ovs-ctl --ike-daemon=strongswan start-ovs-ipsec
+    ${DATADIR}/scripts/ovs-ctl --ike-daemon=strongswan \
+        start-ovs-ipsec $OVS_CTL_OPTS
     return 0
 }
 

debian/openvswitch-ipsec.install

@@ -1 +1,3 @@
+#!/usr/bin/dh-exec
+debian/openvswitch-ipsec.default => /usr/share/openvswitch/ipsec/default.template
 usr/share/openvswitch/scripts/ovs-monitor-ipsec

debian/openvswitch-ipsec.service

@@ -7,8 +7,9 @@ After=openvswitch-switch.service
 Type=forking
 PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid
 Restart=on-failure
+EnvironmentFile=-/etc/default/openvswitch-ipsec
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --no-monitor \
-                    --ike-daemon=strongswan start-ovs-ipsec
+                    --ike-daemon=strongswan start-ovs-ipsec $OVS_CTL_OPTS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
 
 [Install]

rhel/usr_lib_systemd_system_openvswitch-ipsec.service

@@ -7,8 +7,10 @@ After=openvswitch.service
 Type=forking
 PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid
 Restart=on-failure
+EnvironmentFile=/etc/openvswitch/default.conf
+EnvironmentFile=-/etc/sysconfig/openvswitch
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --no-monitor \
-                    --ike-daemon=libreswan start-ovs-ipsec
+                    --ike-daemon=libreswan start-ovs-ipsec $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
 
 [Install]

rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template

@@ -25,6 +25,9 @@
 #   --ovs-vswitchd-options='-vconsole:dbg -vfile:dbg'
 #   --ovsdb-server-options='-vconsole:dbg -vfile:dbg'
 #
+# Or to start with non-root IPsec config file:
+#   --ovs-monitor-ipsec-options='--ipsec-conf=/etc/ipsec.d/ovs.conf --root-ipsec-conf=/etc/ipsec.conf'
+#
 OPTIONS=""
 
 # Uncomment and set the OVS User/Group value

utilities/ovs-ctl.in

@@ -242,18 +242,20 @@ start_forwarding () {
 }
 
 start_ovs_ipsec () {
+    set ${datadir}/scripts/ovs-monitor-ipsec unix:"$DB_SOCK"
+    set "$@" --log-file=${logdir}/ovs-monitor-ipsec.log
+    set "$@" --pidfile=${rundir}/ovs-monitor-ipsec.pid
+    set "$@" --detach
+    test X"$MONITOR" = Xno || set "$@" --monitor
+    set "$@" --ike-daemon=$IKE_DAEMON
     if test X$RESTART_IKE_DAEMON = Xno; then
-        no_restart="--no-restart-ike-daemon"
+        set "$@" --no-restart-ike-daemon
     fi
-    if test X"$MONITOR" != Xno; then
-        monitor_arg="--monitor"
+    if test X"$OVS_MONITOR_IPSEC_OPTIONS" != X; then
+        set "$@" $OVS_MONITOR_IPSEC_OPTIONS
     fi
 
-    ${datadir}/scripts/ovs-monitor-ipsec \
-        --pidfile=${rundir}/ovs-monitor-ipsec.pid \
-        --ike-daemon=$IKE_DAEMON \
-        $no_restart $monitor_arg \
-        --log-file --detach unix:${rundir}/db.sock || return 1
+    action "Starting ovs-monitor-ipsec" "$@" || return 1
     return 0
 }
 
@@ -351,6 +353,7 @@ set_defaults () {
     OVS_VSWITCHD_WRAPPER=
     OVSDB_SERVER_OPTIONS=
     OVS_VSWITCHD_OPTIONS=
+    OVS_MONITOR_IPSEC_OPTIONS=
     OVSDB_SERVER_UMASK=
     OVS_VSWITCHD_UMASK=
 
@@ -466,6 +469,9 @@ Option for "start-ovs-ipsec":
       the IKE daemon for ipsec tunnels (either libreswan or strongswan)
   --no-restart-ike-daemon
       do not restart the IKE daemon on startup
+  --ovs-monitor-ipsec-options=OPTIONS
+      additional options for ovs-monitor-ipsec (example:
+      '--ipsec-conf=/etc/ipsec.d/ovs.conf --root-ipsec-conf=/etc/ipsec.conf')
 
 Other options:
   -h, --help                  display this help message