mirror of
https://github.com/openvswitch/ovs
synced 2025-08-22 01:51:26 +00:00
83de251fa5
If started with --no-restart-ike-daemon, ovs-monitor-ipsec doesn't
clear the NSS database. This is not a problem if the certificates do
not change while the monitor is down, because completely duplicate
entries cannot be added to the NSS database. However, if the monitor
is stopped, then certificates change on disk and then the monitor is
started back, it will add new tunnel certificates alongside the old
ones and will fail to add the new CA certificate. So, we'll end up
with multiple certificates for the same tunnel and the outdated CA
certificate. This will not allow creating new connections as we'll
not be able to verify certificates of the new CA:
# certutil -L -d sql:/var/lib/ipsec/nss
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ovs_certkey_c04c352b u,u,u
ovs_cert_cacert CT,,
ovs_certkey_c04c352b u,u,u
ovs_certkey_c04c352b u,u,u
ovs_certkey_c04c352b u,u,u
ovs_certkey_c04c352b u,u,u
ovs_certkey_c04c352b u,u,u
ovs_certkey_c04c352b u,u,u
pluto: "ovn-c04c35-0-out-1" #459: processing decrypted
IKE_AUTH request containing SK{IDi,CERT,CERTREQ,IDr,AUTH,SA,
TSi,TSr,N(USE_TRANSPORT_MODE)}
pluto: "ovn-c04c35-0-out-1" #459: NSS: ERROR:
IPsec certificate CN=c04c352b,OU=kind,O=ovnkubernetes,C=US invalid:
SEC_ERROR_UNKNOWN_ISSUER: Peer's Certificate issuer is not recognized.
pluto: "ovn-c04c35-0-out-1" #459: NSS: end certificate invalid
Fix that by always checking certificates in the NSS database before
importing the new one. If they do not match, then remove the old
one from the NSS and add the new one.
We have to call deletion multiple times in order to remove all the
potential duplicates from previous runs. This will be useful on
upgrade, but also may save us if one of the deletions ever fail for
any reason and we'll end up with a duplicate entry anyway.
One alternative might be to always clear the database, even if the
--no-restart-ike-daemon option is set, but there is a chance that
we'll refresh and ask to re-read secrets before we got all the tunnel
information from the database. That may affect dataplane. Even if
this is really not possible, the logic seems too far apart to rely on.
Also, Libreswan 4.6 seems to have some bug that prevents re-adding
deleted connections if we removed and re-add the same certificate
(newer versions don't have this issue), so it's better if we do not
touch certificates that didn't actually change if we're not restarting
the IKE daemon.
The clearing may seem redundant now, but it may still be useful to
clean up certificates for tunnels that disappeared while the monitor
was down. Approach taken in this change doesn't cover this case.
Test is added to check the described scenario. The 'on_exit' command
is converted to obtain the monitor PID at exit, since we're now killing
one monitor and starting another.
Fixes: fe5ff26a49f6 ("ovs-monitor-ipsec: Add option to not restart IKE daemon.")
Reported-at: https://issues.redhat.com/browse/FDP-1473
Acked-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
.. NOTE(stephenfin): If making changes to this file, ensure that the
start-after/end-before lines found in 'Documentation/intro/what-is-ovs'
are kept up-to-date.
============
Open vSwitch
============
.. image:: https://github.com/openvswitch/ovs/workflows/Build%20and%20Test/badge.svg
:target: https://github.com/openvswitch/ovs/actions
.. image:: https://ci.appveyor.com/api/projects/status/github/openvswitch/ovs?branch=main&svg=true&retina=true
:target: https://ci.appveyor.com/project/blp/ovs/history
.. image:: https://api.cirrus-ci.com/github/openvswitch/ovs.svg
:target: https://cirrus-ci.com/github/openvswitch/ovs
.. image:: https://readthedocs.org/projects/openvswitch/badge/?version=latest
:target: https://docs.openvswitch.org/en/latest/
What is Open vSwitch?
---------------------
Open vSwitch is a multilayer software switch licensed under the open source
Apache 2 license. Our goal is to implement a production quality switch
platform that supports standard management interfaces and opens the forwarding
functions to programmatic extension and control.
Open vSwitch is well suited to function as a virtual switch in VM environments.
In addition to exposing standard control and visibility interfaces to the
virtual networking layer, it was designed to support distribution across
multiple physical servers. Open vSwitch supports multiple Linux-based
virtualization technologies including KVM, and VirtualBox.
The bulk of the code is written in platform-independent C and is easily ported
to other environments. The current release of Open vSwitch supports the
following features:
- Standard 802.1Q VLAN model with trunk and access ports
- NIC bonding with or without LACP on upstream switch
- NetFlow, sFlow(R), and mirroring for increased visibility
- QoS (Quality of Service) configuration, plus policing
- Geneve, GRE, VXLAN, ERSPAN, GTP-U, SRv6, and Bareudp tunneling
- 802.1ag connectivity fault management
- OpenFlow 1.0 plus numerous extensions
- Transactional configuration database with C and Python bindings
- High-performance forwarding using a Linux kernel module
Open vSwitch can also operate entirely in userspace without assistance from
a kernel module. This userspace implementation should be easier to port than
the kernel-based switch. OVS in userspace can access Linux or DPDK devices.
Note Open vSwitch with userspace datapath and non DPDK devices is considered
experimental and comes with a cost in performance.
What's here?
------------
The main components of this distribution are:
- ovs-vswitchd, a daemon that implements the switch, along with a companion
Linux kernel module for flow-based switching.
- ovsdb-server, a lightweight database server that ovs-vswitchd queries to
obtain its configuration.
- ovs-dpctl, a tool for configuring the switch kernel module.
- Scripts and specs for building RPMs for Red Hat Enterprise Linux and
deb packages for Ubuntu/Debian.
- ovs-vsctl, a utility for querying and updating the configuration of
ovs-vswitchd.
- ovs-appctl, a utility that sends commands to running Open vSwitch daemons.
Open vSwitch also provides some tools:
- ovs-ofctl, a utility for querying and controlling OpenFlow switches and
controllers.
- ovs-pki, a utility for creating and managing the public-key infrastructure
for OpenFlow switches.
- ovs-testcontroller, a simple OpenFlow controller that may be useful for
testing (though not for production).
- A patch to tcpdump that enables it to parse OpenFlow messages.
What other documentation is available?
--------------------------------------
.. TODO(stephenfin): Update with a link to the hosting site of the docs, once
we know where that is
To install Open vSwitch on a regular Linux or FreeBSD host, please read the
`installation guide <Documentation/intro/install/general.rst>`__. For specifics
around installation on a specific platform, refer to one of the `other
installation guides <Documentation/intro/install/index.rst>`__
For answers to common questions, refer to the `FAQ <Documentation/faq>`__.
To learn about some advanced features of the Open vSwitch software switch, read
the `tutorial <Documentation/tutorials/ovs-advanced.rst>`__.
Each Open vSwitch userspace program is accompanied by a manpage. Many of the
manpages are customized to your configuration as part of the build process, so
we recommend building Open vSwitch before reading the manpages.
License
-------
The following is a summary of the licensing of files in this distribution.
As mentioned, Open vSwitch is licensed under the open source Apache 2 license.
Some files may be marked specifically with a different license, in which case
that license applies to the file in question.
Files under the datapath directory are licensed under the GNU General Public
License, version 2.
File build-aux/cccl is licensed under the GNU General Public License, version 2.
The following files are licensed under the 2-clause BSD license.
include/windows/getopt.h
lib/getopt_long.c
lib/conntrack-tcp.c
The following files are licensed under the 3-clause BSD-license
include/windows/netinet/icmp6.h
include/windows/netinet/ip6.h
lib/strsep.c
Files lib/sflow*.[ch] are licensed under the terms of either the
Sun Industry Standards Source License 1.1, that is available at:
http://host-sflow.sourceforge.net/sissl.html
or the InMon sFlow License, that is available at:
http://www.inmon.com/technology/sflowlicense.txt
Contact
-------
bugs@openvswitch.org