authorQiuyu Xiao <qiuyu.xiao.qyx@gmail.com>2018-09-19 17:15:55 -0400
committerBen Pfaff <blp@ovn.org>2018-11-09 15:03:48 -0800
commitbdddc715358e346a5a19365ad59dc8627ebd4e9a (patch)
treef4fd60687185652214a6172ee7fb21c7c6aa394c
parent22c5eafb6efa874014a5234de8ca587b693db4df (diff)
downloadopenvswitch-bdddc715358e346a5a19365ad59dc8627ebd4e9a.tar.gz
debian and rhel: Create IPsec package.
Added rules and files to create debian and rpm ovs-ipsec packages. Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com> Signed-off-by: Ansis Atteka <aatteka@ovn.org> Co-authored-by: Ansis Atteka <aatteka@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
-rw-r--r--debian/automake.mk3
-rw-r--r--debian/control21
-rw-r--r--debian/openvswitch-ipsec.dirs1
-rw-r--r--debian/openvswitch-ipsec.init181
-rw-r--r--debian/openvswitch-ipsec.install1
-rw-r--r--rhel/automake.mk1
-rw-r--r--rhel/openvswitch-fedora.spec.in19
-rw-r--r--rhel/usr_lib_systemd_system_openvswitch-ipsec.service13
-rw-r--r--utilities/ovs-ctl.in27
9 files changed, 266 insertions, 1 deletions
diff --git a/debian/automake.mk b/debian/automake.mk
index 4d8e204bb..8a8d43c9f 100644
--- a/debian/automake.mk
+++ b/debian/automake.mk
@@ -20,6 +20,9 @@ EXTRA_DIST += \
debian/openvswitch-datapath-source.copyright \
debian/openvswitch-datapath-source.dirs \
debian/openvswitch-datapath-source.install \
+ debian/openvswitch-ipsec.dirs \
+ debian/openvswitch-ipsec.init \
+ debian/openvswitch-ipsec.install \
debian/openvswitch-pki.dirs \
debian/openvswitch-pki.postinst \
debian/openvswitch-pki.postrm \
diff --git a/debian/control b/debian/control
index 9ae248f27..cde93f20e 100644
--- a/debian/control
+++ b/debian/control
@@ -322,3 +322,24 @@ Description: Open vSwitch development package
1000V.
.
This package provides openvswitch headers and libopenvswitch for developers.
+
+Package: openvswitch-ipsec
+Architecture: linux-any
+Depends: iproute2,
+ openvswitch-common (= ${binary:Version}),
+ openvswitch-switch (= ${binary:Version}),
+ python,
+ python-openvswitch (= ${source:Version}),
+ strongswan,
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: Open vSwitch IPsec tunneling support
+ Open vSwitch is a production quality, multilayer, software-based,
+ Ethernet virtual switch. It is designed to enable massive network
+ automation through programmatic extension, while still supporting
+ standard management interfaces and protocols (e.g. NetFlow, IPFIX,
+ sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed
+ to support distribution across multiple physical servers similar to
+ VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
+ .
+ This package provides IPsec tunneling support for OVS tunnels.
diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs
new file mode 100644
index 000000000..fca44aa7b
--- /dev/null
+++ b/debian/openvswitch-ipsec.dirs
@@ -0,0 +1 @@
+usr/share/openvswitch/scripts \ No newline at end of file
diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
new file mode 100644
index 000000000..aa6838454
--- /dev/null
+++ b/debian/openvswitch-ipsec.init
@@ -0,0 +1,181 @@
+#!/bin/sh
+#
+# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino <jfs@debian.org>
+#
+# This is free software; you may redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2,
+# or (at your option) any later version.
+#
+# This is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License with
+# the Debian operating system, in /usr/share/common-licenses/GPL; if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+#
+### BEGIN INIT INFO
+# Provides: openvswitch-ipsec
+# Required-Start: $network $local_fs $remote_fs openvswitch-switch
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Open vSwitch GRE-over-IPsec daemon
+# Description: The ovs-monitor-ipsec script provides support for
+# encrypting GRE tunnels with IPsec.
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location
+NAME=ovs-monitor-ipsec # Introduce the short server's name here
+LOGDIR=/var/log/openvswitch # Log directory to use
+DATADIR=/usr/share/openvswitch
+
+PIDFILE=/var/run/openvswitch/$NAME.pid
+
+test -x $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+DODTIME=10 # Time to wait for the server to die, in seconds
+ # If this value is set too low you might not
+ # let some servers to die gracefully and
+ # 'restart' will not work
+
+set -e
+
+running_pid() {
+# Check if a given process pid's cmdline matches a given name
+ pid=$1
+ name=$2
+ [ -z "$pid" ] && return 1
+ [ ! -d /proc/$pid ] && return 1
+ cmd=`cat /proc/$pid/cmdline | tr "\000" " "|cut -d " " -f 2`
+ # Is this the expected server
+ [ "$cmd" != "$name" ] && return 1
+ return 0
+}
+
+running() {
+# Check if the process is running looking at /proc
+# (works for all users)
+
+ # No pidfile, probably no daemon present
+ [ ! -f "$PIDFILE" ] && return 1
+ pid=`cat $PIDFILE`
+ running_pid $pid $DAEMON || return 1
+ return 0
+}
+
+start_server() {
+ ${DATADIR}/scripts/ovs-ctl --ike-daemon=strongswan start-ovs-ipsec
+ return 0
+}
+
+stop_server() {
+ ${DATADIR}/scripts/ovs-ctl stop-ovs-ipsec
+ return 0
+}
+
+force_stop() {
+# Force the process to die killing it manually
+ [ ! -e "$PIDFILE" ] && return
+ if running ; then
+ kill -15 $pid
+ # Is it really dead?
+ sleep "$DODTIME"
+ if running ; then
+ kill -9 $pid
+ sleep "$DODTIME"
+ if running ; then
+ echo "Cannot kill $NAME (pid=$pid)!"
+ exit 1
+ fi
+ fi
+ fi
+ rm -f $PIDFILE
+}
+
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting $NAME"
+ # Check if it's running first
+ if running ; then
+ log_progress_msg "apparently already running"
+ log_end_msg 0
+ exit 0
+ fi
+ if start_server && running ; then
+ # It's ok, the server started and is running
+ log_end_msg 0
+ else
+ # Either we could not start it or it is not running
+ # after we did
+ # NOTE: Some servers might die some time after they start,
+ # this code does not try to detect this and might give
+ # a false positive (use 'status' for that)
+ log_end_msg 1
+ fi
+ ;;
+ stop)
+ log_daemon_msg "Stopping $NAME"
+ if running ; then
+ # Only stop the server if we see it running
+ stop_server
+ log_end_msg $?
+ else
+ # If it's not running don't do anything
+ log_progress_msg "apparently not running"
+ log_end_msg 0
+ exit 0
+ fi
+ ;;
+ force-stop)
+ # First try to stop gracefully the program
+ $0 stop
+ if running; then
+ # If it's still running try to kill it more forcefully
+ log_daemon_msg "Stopping (force) $NAME"
+ force_stop
+ log_end_msg $?
+ fi
+ ;;
+ restart|force-reload)
+ log_daemon_msg "Restarting $NAME"
+ stop_server
+ # Wait some sensible amount, some server need this
+ [ -n "$DODTIME" ] && sleep $DODTIME
+ start_server
+ running
+ log_end_msg $?
+ ;;
+ status)
+ log_daemon_msg "Checking status of $NAME"
+ if running ; then
+ log_progress_msg "running"
+ log_end_msg 0
+ else
+ log_progress_msg "apparently not running"
+ log_end_msg 1
+ exit 1
+ fi
+ ;;
+ # Use this if the daemon cannot reload
+ reload)
+ log_warning_msg "Reloading $NAME daemon: not implemented, as the"
+ log_warning_msg "deamon cannot re-read the config file (use restart)."
+ ;;
+ *)
+ N=/etc/init.d/openvswitch-ipsec
+ echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" \
+ >&2
+ exit 1
+ ;;
+esac
+
+exit 0
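Review bot: In the `restart|force-reload` branch, `running` runs as a bare statement under `set -e`, so when the daemon has not come back it aborts the script before `log_end_msg $?` and the status line is never closed; write it as `if running; then log_end_msg 0; else log_end_msg 1; fi`. `start_server` and `stop_server` both end in an unconditional `return 0`, which either masks ovs-ctl's failure (inside the `if start_server && running` condition, where -e is suspended) or, in the `stop` and `restart` paths, lets -e terminate the script before anything is logged; ending them with `${DATADIR}/scripts/ovs-ctl ... || return 1` keeps the reported status honest. `running` also hands the raw pidfile contents to `/proc/$pid` and later to `kill -15 $pid` without checking that they form a pid; a `case $pid in ''|*[!0-9]*) return 1 ;; esac` after the `cat` turns a truncated or corrupted pidfile into a clean "not running". The LSB header still describes a GRE-over-IPsec daemon while the package description in this commit says IPsec for OVS tunnels in general; the two should agree.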
diff --git a/debian/openvswitch-ipsec.install b/debian/openvswitch-ipsec.install
new file mode 100644
index 000000000..8fe665cb3
--- /dev/null
+++ b/debian/openvswitch-ipsec.install
@@ -0,0 +1 @@
+ipsec/ovs-monitor-ipsec usr/share/openvswitch/scripts
diff --git a/rhel/automake.mk b/rhel/automake.mk
index 7b6c78fd7..bc65d83e5 100644
--- a/rhel/automake.mk
+++ b/rhel/automake.mk
@@ -35,6 +35,7 @@ EXTRA_DIST += \
rhel/usr_lib_systemd_system_ovn-controller.service \
rhel/usr_lib_systemd_system_ovn-controller-vtep.service \
rhel/usr_lib_systemd_system_ovn-northd.service \
+ rhel/usr_lib_systemd_system_openvswitch-ipsec.service \
rhel/usr_lib_firewalld_services_ovn-central-firewall-service.xml \
rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml
diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index 7a3fcf93a..574e89eb5 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -222,6 +222,14 @@ Requires: openvswitch openvswitch-ovn-common %{_py2}-openvswitch
%description ovn-docker
Docker network plugins for OVN.
+%package openvswitch-ipsec
+Summary: Open vSwitch IPsec tunneling support
+License: ASL 2.0
+Requires: openvswitch %{_py2}-openvswitch libreswan
+
+%description openvswitch-ipsec
+This package provides IPsec tunneling support for OVS tunnels.
+
%prep
%setup -q
@@ -274,7 +282,8 @@ install -p -D -m 0644 \
rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template \
$RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/openvswitch
for service in openvswitch ovsdb-server ovs-vswitchd ovs-delete-transient-ports \
- ovn-controller ovn-controller-vtep ovn-northd; do
+ ovn-controller ovn-controller-vtep ovn-northd \
+ openvswitch-ipsec; do
install -p -D -m 0644 \
rhel/usr_lib_systemd_system_${service}.service \
$RPM_BUILD_ROOT%{_unitdir}/${service}.service
@@ -332,6 +341,10 @@ install -p -D -m 0755 \
rhel/usr_share_openvswitch_scripts_ovs-systemd-reload \
$RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-systemd-reload
+install -m 0755 \
+ ipsec/ovs-monitor-ipsec \
+ $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec
+
# remove unpackaged files
rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
$RPM_BUILD_ROOT%{_sbindir}/ovs-vlan-bug-workaround \
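Review bot: The new `install -m 0755` for ipsec/ovs-monitor-ipsec omits the `-p -D` that the neighbouring install in this hunk uses, so it neither preserves the source timestamp nor creates the scripts directory if it does not exist yet; use `install -p -D -m 0755 \` for consistency with the rest of the %install section.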
@@ -672,6 +685,10 @@ fi
%{_mandir}/man8/ovn-controller-vtep.8*
%{_unitdir}/ovn-controller-vtep.service
+%files openvswitch-ipsec
+%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec
+%{_unitdir}/openvswitch-ipsec.service
+
%changelog
* Wed Jan 12 2011 Ralf Spenneberg <ralf@os-s.net>
- First build on F14
diff --git a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
new file mode 100644
index 000000000..6e309aa57
--- /dev/null
+++ b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=OVS IPsec daemon
+Requires=openvswitch.service
+After=openvswitch.service
+
+[Service]
+Type=forking
+ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
+ --ike-daemon=libreswan start-ovs-ipsec
+ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
+
+[Install]
+WantedBy=multi-user.target
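Review bot: `Type=forking` is used without a `PIDFile=`, so systemd has to guess the main PID of the detached ovs-monitor-ipsec process once ovs-ctl exits and will not reliably notice it dying; ovs-ctl in this same commit passes `--pidfile=${rundir}/ovs-monitor-ipsec.pid`, so add `PIDFile=<rundir>/ovs-monitor-ipsec.pid` (with the rundir value the package is built with) under `[Service]`. The unit only orders itself against openvswitch.service; if the monitor expects the libreswan IKE daemon to be up already rather than starting it itself (not visible here), an `After=ipsec.service` would also be needed — worth confirming.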
diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index 2d01c7553..e42f0f1e6 100644
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -224,6 +224,14 @@ start_forwarding () {
return 0
}
+start_ovs_ipsec () {
+ ${datadir}/scripts/ovs-monitor-ipsec \
+ --pidfile=${rundir}/ovs-monitor-ipsec.pid \
+ --ike-daemon=$IKE_DAEMON \
+ --log-file --detach --monitor unix:${rundir}/db.sock || return 1
+ return 0
+}
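Review bot: `start_ovs_ipsec` passes `--ike-daemon=$IKE_DAEMON` unquoted and unvalidated, and `set_defaults` initialises `IKE_DAEMON=` to empty, so `ovs-ctl start-ovs-ipsec` without the option hands a bare `--ike-daemon=` to the monitor and the usage text's "either libreswan or strongswan" is not enforced here; add `case $IKE_DAEMON in libreswan|strongswan) ;; *) echo "--ike-daemon must be libreswan or strongswan" >&2; return 1 ;; esac` at the top of the function and quote the expansion. The pidfile is written to `${rundir}/ovs-monitor-ipsec.pid`, whereas the Debian init script in this commit hardcodes `/var/run/openvswitch/$NAME.pid`; that only lines up when rundir is /var/run/openvswitch, which this page does not show.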
+
## ---- ##
## stop ##
## ---- ##
@@ -240,6 +248,11 @@ stop_forwarding () {
fi
}
+stop_ovs_ipsec () {
+ ${bindir}/ovs-appctl -t ovs-monitor-ipsec exit || return 1
+ return 0
+}
+
## --------------- ##
## enable-protocol ##
## --------------- ##
@@ -320,6 +333,8 @@ set_defaults () {
DPORT=
SPORT=
+ IKE_DAEMON=
+
type_file=$etcdir/system-type.conf
version_file=$etcdir/system-version.conf
@@ -360,6 +375,8 @@ Commands:
module, reload kernel module, start OVS, restore state
enable-protocol enable protocol specified in options with iptables
delete-transient-ports delete transient (other_config:transient=true) ports
+ start-ovs-ipsec start Open vSwitch ipsec daemon
+ stop-ovs-ipsec stop Open vSwitch ipsec daemon
help display this help message
One of the following options is required for "start", "restart" and "force-reload-kmod":
@@ -397,6 +414,10 @@ Options for "enable-protocol":
--sport=PORT source port to match (for tcp or udp protocol)
--dport=PORT ddestination port to match (for tcp or udp protocol)
+Option for "start-ovs-ipsec":
+ --ike-daemon=IKE_DAEMON
+ the IKE daemon for ipsec tunnels (either libreswan or strongswan)
+
Other options:
-h, --help display this help message
-V, --version display version information
@@ -527,6 +548,12 @@ case $command in
delete-transient-ports)
del_transient_ports
;;
+ start-ovs-ipsec)
+ start_ovs_ipsec
+ ;;
+ stop-ovs-ipsec)
+ stop_ovs_ipsec
+ ;;
help)
usage
;;