* Update upstream OVS debian packaging to be on par with package
  source in Debian/Ubuntu:
  - Provide an openvswitch-switch-dpdk package that integrates with
    the dpdk package in the distributions so that end users can opt
    into a DPDK-enabled Open vSwitch binary.
  - Provide systemd service files.
  - Provide openvswitch-source package for reproducible integrated
    build of, for example, OVN.
  - Stop building shared library and subsequently remove
    libopenvswitch and libopenvswitch-dev binary packages.
Co-authored-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Luca Boccassi <bluca@debian.org>
Co-authored-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Co-authored-by: James Page <james.page@ubuntu.com>
Signed-off-by: James Page <james.page@ubuntu.com>
Co-authored-by: Corey Bryant <corey.bryant@canonical.com>
Signed-off-by: Corey Bryant <corey.bryant@canonical.com>
Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
The packaging source in the OVS repository has drifted away from
what is currently in Debian and Ubuntu. This state is problematic
because from time to time someone tries to build packages from the
upstream OVS debian package source and then expects that package to
work with up-/downgrades from/to distro versions.
To support the on-going work to remove the out of tree OVS kernel
driver from the repository [0], an update to the debian packaging
is also required. On the back of the discussion in [0] we agreed
that replacing the current version with what Debian and Ubuntu
is currently converging on would be preferable.
This commit is the first in a series to update the upstream OVS
debian packaging source to be up to date with what is currently
in Debian and Ubuntu.
0: https://mail.openvswitch.org/pipermail/ovs-dev/2022-June/394634.html
Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
OVS GRE IPsec tunnel support has multiple issues. Therefore,
it was deprecated in OVS 2.6.
The following patch removes support for GRE IPsec and allows external
IPsec tunnel management for any type of tunnel, not just GRE,
e.g. a user can encrypt Geneve or VXLAN traffic.
It can be done by using an OpenFlow pipeline to set the skb-mark
and using IPsec keying daemons to implement IPsec tunnels.
This packet can be matched on the skb-mark to encrypt
selective tunnel traffic.
VMware-BZ: 1710701
Signed-off-by: Pravin B Shelar <pshelar@ovn.org>
Acked-by: Ansis Atteka <aatteka@ovn.org>
Without these two iptables rules (one for UDP-encapsulated IPsec and
another for direct IPsec), ovs-vswitchd would incorrectly conclude
that a GRE packet belonged to a plain GRE tunnel instead of an IPsec
GRE tunnel.
Reported-by: Aryan TaheriMonfared <aryan.taherimonfared@uis.no>
Reported-by: Daniel Hiltgen <daniel@netkine.com>
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
ovs-monitor-ipsec uses the OVS database to get configuration, so don't
bother starting the daemon until it's up.
Debian recently switched to using the LSB fields in the header of init
scripts to allow dependency-based boots. This is described in the
following page:
http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot
This commit makes use of those fields to get the ordering we want.
The ovs-monitor-ipsec init script used the old "pidfile-name"
instead of the new "pidfile" option. This should cause it to fail
when starting.
This patch also causes ovs-monitor-ipsec to create a log file.
dh_pysupport, which the packaging used until now, is deprecated, with
dh_python2 as its successor.
This commit removes the PYTHONPATH setting from
debian/openvswitch-ipsec.init because it is not needed, as the Python
packaging is public. In fact, the Python packaging was public,
unintentionally, before, so the PYTHONPATH could have been removed earlier.
Brad pointed out that the openvswitch-ipsec init script defined the variable
DIETIME but attempted to use it as DODTIME. This commit uses DODTIME,
since it's the name used by the openvswitch-switch init script. The
openvswitch-controller init script had the same issue.
As suggested by Ben, the "s" suffixes are removed from sleep commands,
since they are a GNU extension.
Reported-by: Brad Hall <brad@nicira.com>
The ovs-monitor-ipsec daemon monitors the Interface table for GRE
entries. If an entry specifies other-config parameters "ipsec-local-ip"
and ("ipsec-psk" or "ipsec-cert"), it will create the appropriate
security associations so that all GRE traffic to the remote host will be
encrypted. In order for the two GRE tunnels to communicate, both sides
need to be configured for IPsec with appropriate authentication.
Currently, ovs-monitor-ipsec does not support certificate authentication
or ensure that an interface is actually attached to a bridge. Both of
these issues will be addressed in a forthcoming patch.
NB: While GRE-over-IPsec should work on any system with a relatively
recent racoon and setkey, it has only been tested on Debian. As such,
only Debian packaging has been provided.
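
An added example (not code from ovs-monitor-ipsec or the OVS project) of the selection rule the last commit message describes: pick GRE Interface rows that carry "ipsec-local-ip" plus "ipsec-psk" or "ipsec-cert", set certificate rows aside as unsupported, and work out which peers to add or remove. The row layout, taking the peer address from `options:remote_ip`, and the function names are assumptions made for illustration.

```python
"""Added example, not ovs-monitor-ipsec source: select the Interface rows that
request IPsec and reconcile them against the peers already configured."""


def ipsec_request(row):
    """Return (local_ip, remote_ip, auth) if the row requests IPsec, else None."""
    if row.get("type") != "gre":
        return None
    other = row.get("other_config", {})
    local_ip = other.get("ipsec-local-ip")
    # Assumption: the peer address is read from options:remote_ip.
    remote_ip = row.get("options", {}).get("remote_ip")
    if not local_ip or not remote_ip:
        return None
    if other.get("ipsec-psk"):
        return (local_ip, remote_ip, "psk")
    if other.get("ipsec-cert"):
        return (local_ip, remote_ip, "cert")
    return None


def reconcile(rows, active):
    """Compare rows with `active`, a {name: (local_ip, remote_ip)} map.

    Returns (to_add, to_remove, unsupported). Changed entries show up in
    to_add. Secrets never appear in the result, so it is safe to log.
    """
    desired, unsupported = {}, []
    for row in rows:
        req = ipsec_request(row)
        if req is None:
            continue
        local_ip, remote_ip, auth = req
        if auth == "cert":  # the commit message says cert auth is not supported yet
            unsupported.append(row["name"])
            continue
        desired[row["name"]] = (local_ip, remote_ip)
    to_add = {n: v for n, v in desired.items() if active.get(n) != v}
    to_remove = sorted(n for n in active if n not in desired)
    return to_add, to_remove, sorted(unsupported)


# Constructed sample rows (documentation addresses, placeholder secrets).
ROWS = [
    {"name": "gre0", "type": "gre", "options": {"remote_ip": "192.0.2.2"},
     "other_config": {"ipsec-local-ip": "192.0.2.1", "ipsec-psk": "PLACEHOLDER"}},
    {"name": "gre1", "type": "gre", "options": {"remote_ip": "192.0.2.3"},
     "other_config": {"ipsec-local-ip": "192.0.2.1", "ipsec-cert": "PLACEHOLDER"}},
    {"name": "gre2", "type": "gre", "options": {"remote_ip": "192.0.2.4"},
     "other_config": {"ipsec-psk": "PLACEHOLDER"}},  # no ipsec-local-ip: ignored
    {"name": "eth0", "type": "", "other_config": {}},
]
ACTIVE = {"gre9": ("192.0.2.1", "192.0.2.9")}  # peer whose row has since been deleted
```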