diff --git a/NEWS b/NEWS
index 83f05137979..1aedbbe44ee 100644
--- a/NEWS
+++ b/NEWS
@@ -55,6 +55,8 @@ Post-v3.4.0
        to make it not configure any crypto options (ike/esp) for connections.
        Most useful in combination with '--root-ipsec-conf' where system-wide
        crypto-policy is included from the root ipsec.conf.
+     * New option '--ovs-monitor-ipsec-options' for 'ovs-ctl start-ovs-ipsec'
+       to pass above new options to ovs-monitor-ipsec.
 
 
 v3.4.0 - 15 Aug 2024
diff --git a/debian/automake.mk b/debian/automake.mk
index b86003f5613..7ae4e00e584 100644
--- a/debian/automake.mk
+++ b/debian/automake.mk
@@ -14,6 +14,8 @@ EXTRA_DIST += \
 	debian/openvswitch-common.lintian-overrides \
 	debian/openvswitch-doc.doc-base \
 	debian/openvswitch-doc.install \
+	debian/openvswitch-ipsec.default \
+	debian/openvswitch-ipsec.dirs \
 	debian/openvswitch-ipsec.init \
 	debian/openvswitch-ipsec.install \
 	debian/openvswitch-ipsec.service \
diff --git a/debian/openvswitch-ipsec.default b/debian/openvswitch-ipsec.default
new file mode 100644
index 00000000000..a0749485911
--- /dev/null
+++ b/debian/openvswitch-ipsec.default
@@ -0,0 +1,5 @@
+# This is a POSIX shell fragment -*- sh -*-
+
+# OVS_CTL_OPTS: Extra options to pass to ovs-ctl. This is, for example,
+# a suitable place to specify --no-restart-ike-daemon.
+# OVS_CTL_OPTS=
diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs
new file mode 100644
index 00000000000..4b83f296618
--- /dev/null
+++ b/debian/openvswitch-ipsec.dirs
@@ -0,0 +1 @@
+/usr/share/openvswitch/ipsec
diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
index aa683845475..4fc7701b831 100755
--- a/debian/openvswitch-ipsec.init
+++ b/debian/openvswitch-ipsec.init
@@ -41,6 +41,8 @@ test -x $DAEMON || exit 0
 
 . /lib/lsb/init-functions
 
+test -e /etc/default/openvswitch-ipsec && . /etc/default/openvswitch-ipsec
+
 DODTIME=10              # Time to wait for the server to die, in seconds
                         # If this value is set too low you might not
                         # let some servers to die gracefully and
@@ -72,7 +74,8 @@ running() {
 }
 
 start_server() {
-    ${DATADIR}/scripts/ovs-ctl --ike-daemon=strongswan start-ovs-ipsec
+    ${DATADIR}/scripts/ovs-ctl --ike-daemon=strongswan \
+        start-ovs-ipsec $OVS_CTL_OPTS
     return 0
 }
 
diff --git a/debian/openvswitch-ipsec.install b/debian/openvswitch-ipsec.install
old mode 100644
new mode 100755
index 31a8945e2f1..ae127e2d4d0
--- a/debian/openvswitch-ipsec.install
+++ b/debian/openvswitch-ipsec.install
@@ -1 +1,3 @@
+#!/usr/bin/dh-exec
+debian/openvswitch-ipsec.default => /usr/share/openvswitch/ipsec/default.template
 usr/share/openvswitch/scripts/ovs-monitor-ipsec
diff --git a/debian/openvswitch-ipsec.service b/debian/openvswitch-ipsec.service
index 51b9b315a0a..2f92def514f 100644
--- a/debian/openvswitch-ipsec.service
+++ b/debian/openvswitch-ipsec.service
@@ -7,8 +7,9 @@ After=openvswitch-switch.service
 Type=forking
 PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid
 Restart=on-failure
+EnvironmentFile=-/etc/default/openvswitch-ipsec
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --no-monitor \
-          --ike-daemon=strongswan start-ovs-ipsec
+          --ike-daemon=strongswan start-ovs-ipsec $OVS_CTL_OPTS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
 
 [Install]
diff --git a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
index a4bf475d0c9..913598f080f 100644
--- a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
+++ b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
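Review bot: `$OVS_CTL_OPTS` on the new start-ovs-ipsec line in start_server is expanded by plain sh word splitting, which does not interpret quotes, so a value of the form the sysconfig template hunk suggests for the new option, `OVS_CTL_OPTS="--ovs-monitor-ipsec-options='--ipsec-conf=/etc/ipsec.d/ovs.conf --root-ipsec-conf=/etc/ipsec.conf'"`, reaches ovs-ctl as two broken words. The systemd unit in this commit expands the same variable through `$OVS_CTL_OPTS` in ExecStart, where systemd documents that quotes are respected during splitting, so the same /etc/default file behaves differently depending on which init system starts the service. Because the file is sourced as a shell fragment there is no safe in-place fix short of a dedicated variable (e.g. `OVS_MONITOR_IPSEC_OPTIONS` passed as a single `--ovs-monitor-ipsec-options="$OVS_MONITOR_IPSEC_OPTIONS"` argument), so at minimum the limitation should be stated in the comment block of `debian/openvswitch-ipsec.default`: `# Under the sysv init script this value is split on whitespace and quotes are not interpreted, so an ovs-ctl option whose own value contains spaces cannot be given here.` The whole of start_server is inside the hunk.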
@@ -7,8 +7,10 @@ After=openvswitch.service
 Type=forking
 PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid
 Restart=on-failure
+EnvironmentFile=/etc/openvswitch/default.conf
+EnvironmentFile=-/etc/sysconfig/openvswitch
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --no-monitor \
-          --ike-daemon=libreswan start-ovs-ipsec
+          --ike-daemon=libreswan start-ovs-ipsec $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
 
 [Install]
diff --git a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
index c467d02db9d..63833c4d8ef 100644
--- a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
+++ b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
@@ -25,6 +25,9 @@
 # --ovs-vswitchd-options='-vconsole:dbg -vfile:dbg'
 # --ovsdb-server-options='-vconsole:dbg -vfile:dbg'
 #
+# Or to start with non-root IPsec config file:
+# --ovs-monitor-ipsec-options='--ipsec-conf=/etc/ipsec.d/ovs.conf --root-ipsec-conf=/etc/ipsec.conf'
+#
 OPTIONS=""
 
 # Uncomment and set the OVS User/Group value
diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index 1f9ce1e6e8b..03a39337f52 100644
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -242,18 +242,20 @@ start_forwarding () {
 }
 
 start_ovs_ipsec () {
+    set ${datadir}/scripts/ovs-monitor-ipsec unix:"$DB_SOCK"
+    set "$@" --log-file=${logdir}/ovs-monitor-ipsec.log
+    set "$@" --pidfile=${rundir}/ovs-monitor-ipsec.pid
+    set "$@" --detach
+    test X"$MONITOR" = Xno || set "$@" --monitor
+    set "$@" --ike-daemon=$IKE_DAEMON
     if test X$RESTART_IKE_DAEMON = Xno; then
-        no_restart="--no-restart-ike-daemon"
+        set "$@" --no-restart-ike-daemon
     fi
-    if test X"$MONITOR" != Xno; then
-        monitor_arg="--monitor"
+    if test X"$OVS_MONITOR_IPSEC_OPTIONS" != X; then
+        set "$@" $OVS_MONITOR_IPSEC_OPTIONS
     fi
 
-    ${datadir}/scripts/ovs-monitor-ipsec \
-        --pidfile=${rundir}/ovs-monitor-ipsec.pid \
-        --ike-daemon=$IKE_DAEMON \
-        $no_restart $monitor_arg \
-        --log-file --detach unix:${rundir}/db.sock || return 1
+    action "Starting ovs-monitor-ipsec" "$@" || return 1
     return 0
 }
 
@@ -351,6 +353,7 @@ set_defaults () {
     OVS_VSWITCHD_WRAPPER=
     OVSDB_SERVER_OPTIONS=
     OVS_VSWITCHD_OPTIONS=
+    OVS_MONITOR_IPSEC_OPTIONS=
     OVSDB_SERVER_UMASK=
     OVS_VSWITCHD_UMASK=
 
@@ -466,6 +469,9 @@ Option for "start-ovs-ipsec":
                                 the IKE daemon for ipsec tunnels (either libreswan or strongswan)
   --no-restart-ike-daemon       do not restart the IKE daemon on startup
+  --ovs-monitor-ipsec-options=OPTIONS
+                                additional options for ovs-monitor-ipsec (example:
+                                '--ipsec-conf=/etc/ipsec.d/ovs.conf --root-ipsec-conf=/etc/ipsec.conf')
 
 Other options:
   -h, --help                    display this help message
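Review bot: `set "$@" $OVS_MONITOR_IPSEC_OPTIONS` in start_ovs_ipsec expands the operator-supplied string unquoted, so in addition to the intended word splitting it undergoes pathname expansion: a `*`, `?` or `[` inside an option value is matched against ovs-ctl's current directory before the word reaches ovs-monitor-ipsec. The existing `$OVSDB_SERVER_OPTIONS`/`$OVS_VSWITCHD_OPTIONS` are presumably passed the same way elsewhere in the file, so this may be accepted practice here, but `set -f; set "$@" $OVS_MONITOR_IPSEC_OPTIONS; set +f` keeps only the splitting (assuming the script does not otherwise run with `-f`). The enclosing `if test X"$OVS_MONITOR_IPSEC_OPTIONS" != X` guard is redundant, since an empty unquoted expansion contributes no words to `set "$@"`; dropping it would match the unconditional `test X"$MONITOR" = Xno || set "$@" --monitor` style used a few lines above.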
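Review bot: The new help entry for `--ovs-monitor-ipsec-options=OPTIONS` does not say how OPTIONS is handed on: ovs-ctl splits the string on whitespace without interpreting quotes, so each ovs-monitor-ipsec option must be a single whitespace-free word, and the example works only because the outer single quotes are consumed by the invoking shell. A short addition to the description would avoid surprises, e.g. `(OPTIONS is split on whitespace; a single option cannot contain spaces)`, and the same caveat belongs next to the example comment added in rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template. The usage text continues outside the hunk.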