diff --git a/0001-Use-strongswan-for-openvswitch-ipsec-service.patch b/0001-Use-strongswan-for-openvswitch-ipsec-service.patch
new file mode 100644
index 0000000..887b08b
--- /dev/null
+++ b/0001-Use-strongswan-for-openvswitch-ipsec-service.patch
@@ -0,0 +1,27 @@
+From 6aca005f17aecf003da9a85f8dd099baef771572 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?=
+Date: Fri, 26 Apr 2019 15:27:05 +0200
+Subject: [PATCH 1/6] Use strongswan for openvswitch-ipsec service
+
+Since libreswan is not packaged for Leap/SLES, use strongswan for the
+time being.
+---
+ rhel/usr_lib_systemd_system_openvswitch-ipsec.service | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
+index 6e309aa57..34e3f4c90 100644
+--- a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
++++ b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
+@@ -6,7 +6,7 @@ After=openvswitch.service
+ [Service]
+ Type=forking
+ ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
+- --ike-daemon=libreswan start-ovs-ipsec
++ --ike-daemon=strongswan start-ovs-ipsec
+ ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
+ 
+ [Install]
+-- 
+2.16.4
+
diff --git a/openvswitch-2.11.0.tar.gz b/openvswitch-2.11.0.tar.gz
deleted file mode 100644
index 1152340..0000000
--- a/openvswitch-2.11.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f4b01d7376d7298bc6e7fa7a6067229ca7c7e299394e5ea9aff651d52edfdbee
-size 7680146
diff --git a/openvswitch-2.11.1.tar.gz b/openvswitch-2.11.1.tar.gz
new file mode 100644
index 0000000..50bc673
--- /dev/null
+++ b/openvswitch-2.11.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c1296ae44a7b176150915e33bc497cc0a7a02caeba84ea43ce9b6a2509d9b5dc
+size 7682693
diff --git a/openvswitch.changes b/openvswitch.changes
index e8917f7..c9249d7 100644
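Review bot: The embedded patch is titled `[PATCH 1/6]` but the spec applies only `Patch0`, so either the five sibling patches were dropped on purpose or they are missing; if it is the former, regenerating it with `git format-patch -1` (or editing the subject to `[PATCH]`) saves the next packager from hunting for 2/6 through 6/6. The reason for choosing strongswan lives only in the patch's commit message, which disappears once the patch is applied; a one-line comment above `ExecStart=` in the unit, e.g. `# openSUSE/SLES: libreswan is not packaged, so drive strongswan instead`, keeps it next to the running configuration. The unit's `[Unit]` section and the body of `[Install]` lie outside the inner hunk.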
--- a/openvswitch.changes
+++ b/openvswitch.changes
@@ -1,3 +1,62 @@
+-------------------------------------------------------------------
+Mon Apr 29 14:12:36 UTC 2019 -
+
+- Fix problem preventing new installs to run as non root (bsc#1132029),
+ including:
+ * Align with upstream so that no running configuration is changed on
+ upgrades, specifically to avoid changes on the user Open vSwitch runs
+ under.
+ * hugetblfs groups is created as system group.
+- Add missing opnvswitch-ipsec package and systemd service.
+- Add patch to use strongswan instead of libreswan for openvswitch-ipsec.
+ libreswan package not available currently.
+ * 0001-Use-strongswan-for-openvswitch-ipsec-service.patch
+- Add missing ovs-delete-transient-ports systemd service.
+- Align installed headers with upstream.
+- Fix problem preventing rpm build '--with check'.
+- Fix python environment that had directories pointing to /usr/local.
+- Version bump to 2.11.1. Some of the changes are:
+ * netdev-tc-offloads: Fix probe tc block support
+ * rhel: Include all header files in the Fedora's devel package
+ * reconnect.c: Don't transition back to ACTIVE when forced to RECONNECT.
+ * OVN: Make periodic RAs consistent with RA responder.
+ * OVN: Always send prefix option in RAs
+ * OVN: Use offset instead of pointer into ofpbuf
+ * ofproto: fix the bug of bucket counter is not updated
+ * netdev-dpdk: Print netdev name for txq mapping.
+ * dpif-netdev-perf: Fix millisecond stats precision with slower TSC.
+ * ifupdown.sh: Add missing "--may-exist" option
+ * dpif-netdev-perf: Fix double update of perf histograms.
+ * dpdk: Stop dumping memzones to stdout.
+ * dpctl: Drop parser debug information.
+ * netdev-tc-offloads: Properly get the block id on flow del/get
+ * netdev-tc-offloads: Improve log message for icmpv6 offload not supported
+ * conntrack: Replace structure copy by memcpy().
+ * conntrack: Lookup only 'UNNAT conns' in 'nat_clean()'.
+ * conntrack: Fix race for NAT cleanup.
+ * ovn-nbctl: Don't segfault when ovn-northd doesn't configure dynamic addresses.
+ * datapath-windows: Add annotations to find vport functions
+ * datapath-windows: Guard vport usage in user.c
+ * datapath-windows: Fix potential deadlock in event subscription
+ * datapath-windows: Fix race condition during port creation
+ * datapath-windows: Fix nbl cleanup when memory allocation fails
+ * netdev-linux: Remove ingress qdisc before trying to add shared block
+ * netdev-tc-offloads: Remove ingress qdisc on tc init flow api
+ * ovsdb-idl: Fix memory leak of idl->remote.
+ * travis: Remove 'sudo' configuration.
+ * OVN: Add port addresses to IPAM after all ports are joined.
+ * dpif-netlink: Free leaked ofpbuf by using ofpbuf_delete
+ * OVN: update RA next_announce according to {min, max}_interval
+ * rconn: Avoid occasional immediate connection failures.
+ * dpdk: Fix case-sensitivity of dpdk-init knob.
+ * NEWS: Clean up the 2.11.0 release notes a bit.
+ * conntrack: Fix L4 csum for V6 extension hdr pkts.
+ * packets: Change return type for 'packet_csum_upperlayer6()'.
+ * ovsdb-client: Fix typo.
+ * ovn-nbctl: Daemon mode should retry when IDL connection lost.
+ * ofctl: break the loop if ovs_pcap_read returns error
+ * netlink: added check to prevent netlink attribute overflow
+
 -------------------------------------------------------------------
 Mon Mar 25 14:18:56 UTC 2019 -
 
diff --git a/openvswitch.spec b/openvswitch.spec
index e478bc8..717f1c8 100644
--- a/openvswitch.spec
+++ b/openvswitch.spec
@@ -41,7 +41,7 @@
 # Disable building the external kernel datapath by default
 %bcond_with kmp
 Name: openvswitch
-Version: 2.11.0
+Version: 2.11.1
 Release: 0
 Summary: A multilayer virtual network switch
 # All code is Apache-2.0 except
@@ -53,6 +53,8 @@ Url: http://openvswitch.org/
 Source0: http://openvswitch.org/releases/openvswitch-%{version}.tar.gz
 Source1: preamble
 Source89: Module.supported.updates
+# PATCH-FIX-OPENSUSE: Use-strongswan-for-openvswitch-ipsec-service.patch
+Patch0: 0001-Use-strongswan-for-openvswitch-ipsec-service.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: graphviz
@@ -270,6 +272,17 @@ forwarding.
 
 Open vSwitch is a full-featured software-based Ethernet switch.
 
+%package ipsec
+Summary: Open vSwitch IPsec tunneling support
+License: Apache-2.0
+Group: Productivity/Networking/System
+Requires: %{name} = %{version}
+Requires: python-openvswitch = %{version}
+Requires: strongswan
+
+%description ipsec
+This package provides IPsec tunneling support for OVS tunnels.
+
 %package -n python2-ovs
 Summary: Python2 bindings for Open vSwitch
 License: Apache-2.0
@@ -322,6 +335,7 @@ performance and connectivity issues in Open vSwitch setup.
 
 %prep
 %setup -q -n openvswitch-%{version}
+%patch0 -p1
 
 %build
 set -- * .travis* .mailmap .cirrus.yml
@@ -383,6 +397,13 @@ popd
 %check
 %if %{with check}
 pushd source
+touch resolv.conf
+export OVS_RESOLV_CONF=$(pwd)/resolv.conf
+
+# Python build macros have moved out of the build directory some
+# extra_dist files that are required for check, put them back.
+cp python/_build.tmp/*.py python/build/
+
 # Recheck tests before we declare them broken. If that fails, dump
 # the log and exit. >2.5.0 uses the RECHECK env variable so this
 # needs to be taken into consideration for future releases.
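Review bot: `Requires: python-openvswitch = %{version}` in `%package ipsec` names a package this spec does not visibly define; the Python bindings here are built as `python2-ovs` (the `%package -n python2-ovs` stanza directly below), so unless a `Provides: python-openvswitch` exists elsewhere in the spec the new subpackage cannot be installed. Because `ovs-monitor-ipsec` is a Python script whose interpreter is fixed at build time, I would require the concrete bindings package it runs under, e.g. `Requires: python2-ovs = %{version}` (or the python3 variant if that is what the script is built for). If the base package carries `%{?systemd_requires}` for its `%service_*` scriptlets, the `ipsec` subpackage needs the same line, since its `%pre`/`%post`/`%preun`/`%postun` call `%service_add_pre`, `%service_add_post` and friends.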
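Review bot: `export OVS_RESOLV_CONF=$(pwd)/resolv.conf` leaves the command substitution unquoted, and nothing records why the test run is pointed at an emp­ty resolver file; presumably it is to stop the suite from consulting the build host's DNS, which is worth stating next to the `touch`. I would write `export OVS_RESOLV_CONF="$(pwd)/resolv.conf"` and put `# Empty resolv.conf: keep the tests from reaching the build host's DNS` above `touch resolv.conf`. The `cp python/_build.tmp/*.py python/build/` workaround would also be easier to retire if its comment named the macro that moves the files. The `%check` section continues past the hunk.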
@@ -412,13 +433,21 @@ pushd source
 %make_install
 
 # Install extra headers not included with 'make install'
-for header in $(find lib -type f -name "*.h"); do
- install -d -m 755 %{buildroot}%{_includedir}/%{name}/"$(dirname $header)"
- install -m 644 "$header" %{buildroot}%{_includedir}/%{name}/"$(dirname $header)"
-done
+copy_headers() {
+ src=$1
+ dst=$RPM_BUILD_ROOT/$2
+ install -d -m 0755 $dst
+ install -m 0644 $src/*.h $dst
+}
+copy_headers include/sparse %{_includedir}/openvswitch/sparse
+copy_headers include/sparse/arpa %{_includedir}/openvswitch/sparse/arpa
+copy_headers include/sparse/netinet %{_includedir}/openvswitch/sparse/netinet
+copy_headers include/sparse/sys %{_includedir}/openvswitch/sparse/sys
+copy_headers lib %{_includedir}/openvswitch/lib
 
 for service in openvswitch ovn-controller ovn-controller-vtep \
- ovn-northd ovsdb-server ovs-vswitchd; do
+ ovn-northd ovsdb-server ovs-vswitchd ovs-delete-transient-ports \
+ openvswitch-ipsec; do
 install -D -m 644 rhel/usr_lib_systemd_system_${service}.service \
 %{buildroot}%{_unitdir}/${service}.service
 ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc${service}
@@ -485,6 +514,18 @@ pushd source/python
 export LDFLAGS="${LDFLAGS} -L %{buildroot}%{_libdir}"
 export CPPFLAGS="-I ../include"
 
+# Set python environment
+sed \
+ -e '/^##/d' \
+ -e 's,[@]pkgdatadir[@],%{_datadir}/%{name},g' \
+ -e 's,[@]RUNDIR[@],%{_rundir},g' \
+ -e 's,[@]LOGDIR[@],%{_localstatedir}/log,g' \
+ -e 's,[@]bindir[@],%{_bindir},g' \
+ -e 's,[@]sysconfdir[@],%{_sysconfdir},g' \
+ -e 's,[@]DBDIR[@],%{_sysconfdir}/%{name},g' \
+ < ovs/dirs.py.template \
+ > ovs/dirs.py
+
 %if 0%{?suse_version}
 # SLES
 %{python_build}
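Review bot: `copy_headers` builds its destination from `$RPM_BUILD_ROOT` and the literal `openvswitch`, while the rest of this hunk (and the `install -D` lines below it) uses `%{buildroot}` and `%{name}`, and neither `$src` nor `$dst` is quoted in the two `install` calls. I would write `dst=%{buildroot}$2`, `install -d -m 0755 "$dst"` and `install -m 0644 "$src"/*.h "$dst"` so the helper matches the scriptlet it lives in and survives a build root containing unusual characters. Note that the removed `find lib -type f -name "*.h"` loop installed headers from every subdirectory of `lib/`, whereas `copy_headers lib …` installs only the top-level `lib/*.h`; the changelog calls this an alignment with upstream, so a comment such as `# Only top-level lib/*.h, matching upstream's devel package` would stop someone from restoring the recursive copy. The enclosing `%install` section starts outside the hunk.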
@@ -509,24 +550,29 @@ find %{buildroot} -type f -name "*.la" -delete -print
 
 %post
 /sbin/ldconfig
-%{fillup_only -n openvswitch}
 if [ $1 -eq 1 ]; then
- sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' %{_sysconfdir}/sysconfig/openvswitch
- sed -i 's:\(.*su\).*:\1 openvswitch openvswitch:' %{_sysconfdir}/logrotate.d/openvswitch
+ # Follow the upstream strategy that no running openvswitch
+ # configuration is changed on upgrade so use fillup only for new installs.
+ %{?suse_version: %fillup_only -n openvswitch}
 %if %{with dpdk}
- sed -i \
- 's@OVS_USER_ID="openvswitch:openvswitch"@OVS_USER_ID="openvswitch:hugetlbfs"@'\
- %{_sysconfdir}/sysconfig/openvswitch
+ %define rgroup hugetlbfs
+%else
+ %define rgroup openvswitch
 %endif
+
+ sed -i \
+ 's@^#OVS_USER_ID="openvswitch:openvswitch"@OVS_USER_ID="openvswitch:%{rgroup}"@'\
+ %{_sysconfdir}/sysconfig/openvswitch
+ sed -i 's:\(.*su\).*:\1 openvswitch %{rgroup}:' %{_sysconfdir}/logrotate.d/openvswitch
+
 # In the case of upgrade, this is not needed
 chown -R openvswitch:openvswitch %{_sysconfdir}/openvswitch
- chown -R openvswitch:openvswitch %{_localstatedir}/log/openvswitch
+ chown -R openvswitch:%{rgroup} %{_localstatedir}/log/openvswitch
 fi
 
 %if 0%{?suse_version}
- %service_add_post ovsdb-server.service ovs-vswitchd.service openvswitch.service
- %{fillup_only -n openvswitch}
+ %service_add_post ovsdb-server.service ovs-vswitchd.service openvswitch.service ovs-delete-transient-ports.service
 %else
 %if 0%{?systemd_post:1}
 %systemd_post %{name}.service
@@ -538,6 +584,11 @@ fi
 %endif
 %endif
 
+%post ipsec
+%if 0%{?suse_version}
+ %service_add_post openvswitch-ipsec.service
+%endif
+
 %posttrans
 # Save the "enabled" state across the transition of ownership
 # of openvswitch.service from openvswitch-switch to
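Review bot: The rewritten `sed` in `%post` only matches the literal line `#OVS_USER_ID="openvswitch:openvswitch"`, whereas the removed expression matched any `#OVS_USER_ID=` line; if the fillup template ships a different default (or no quotes) the substitution silently does nothing and `ovs-vswitchd`/`ovsdb-server` keep running as root on a fresh install, which is exactly the condition bsc#1132029 is about. Since this scriptlet is where the daemons' privilege drop is decided, I would match loosely and verify the outcome: `sed -i 's@^#\?OVS_USER_ID=.*@OVS_USER_ID="openvswitch:%{rgroup}"@' %{_sysconfdir}/sysconfig/openvswitch` followed by `grep -q '^OVS_USER_ID=' %{_sysconfdir}/sysconfig/openvswitch || echo "openvswitch: OVS_USER_ID not set, daemons will run as root" >&2`. The logrotate rewrite `s:\(.*su\).*:\1 openvswitch %{rgroup}:` is unanchored and rewrites any line containing the substring `su`, so anchoring it as `s:^\(\s*su\)\s.*:\1 openvswitch %{rgroup}:` limits it to the `su` directive. `%define rgroup` inside the scriptlet body is resolved when the spec is parsed, not when the script runs on the target; a `%global` next to the `%bcond` lines would make that visible to the reader. The `%else` branch of the trailing `%if 0%{?suse_version}` runs past the hunk.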
@@ -557,7 +608,7 @@ fi
 # admin decide when it's the best time for an OvS restart.
 # 5771f476573445710834234a6a9f7bd999a027e7 ("fedora: do not restart the service on a pkg upgrade")
 %if 0%{?suse_version}
- %service_del_postun -n ovsdb-server.service -n ovs-vswitchd.service -n openvswitch.service
+ %service_del_postun -n ovsdb-server.service -n ovs-vswitchd.service -n openvswitch.service -n ovs-delete-transient-ports.service
 %else
 %if 0%{?systemd_postun:1}
 %systemd_postun %{name}.service
@@ -566,9 +617,14 @@ fi
 %endif
 %endif
 
+%postun ipsec
+%if 0%{?suse_version}
+ %service_del_postun -n openvswitch-ipsec.service
+%endif
+
 %pre
 %if 0%{?suse_version}
-%service_add_pre ovsdb-server.service ovs-vswitchd.service openvswitch.service
+%service_add_pre ovsdb-server.service ovs-vswitchd.service openvswitch.service ovs-delete-transient-ports.service
 %endif
 # Save the "enabled" state across the transition of
 # ownership of openvswitch.service from openvswitch-switch to
@@ -586,14 +642,19 @@ getent passwd openvswitch >/dev/null || \
 
 %if %{with dpdk}
 getent group hugetlbfs >/dev/null || \
- groupadd hugetlbfs
+ groupadd -r hugetlbfs
 usermod -a -G hugetlbfs openvswitch
 %endif
 exit 0
 
+%pre ipsec
+%if 0%{?suse_version}
+ %service_add_pre openvswitch-ipsec.service
+%endif
+
 %preun
 %if 0%{?suse_version}
- %service_del_preun ovsdb-server.service ovs-vswitchd.service openvswitch.service
+ %service_del_preun ovsdb-server.service ovs-vswitchd.service openvswitch.service ovs-delete-transient-ports.service
 %else
 %if 0%{?systemd_preun:1}
 %systemd_preun %{name}.service
@@ -606,6 +667,11 @@ exit 0
 %endif
 %endif
 
+%preun ipsec
+%if 0%{?suse_version}
+ %service_del_preun openvswitch-ipsec.service
+%endif
+
 %post -n %{lname} -p /sbin/ldconfig
 %postun -n %{lname} -p /sbin/ldconfig
 
@@ -804,7 +870,6 @@ exit 0
 %{_datadir}/openvswitch/scripts/ovs-ctl
 %{_datadir}/openvswitch/scripts/ovs-kmod-ctl
 %{_datadir}/openvswitch/scripts/ovs-lib
-%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec
 %{_datadir}/openvswitch/scripts/ovs-save
 %{_datadir}/openvswitch/vswitch.ovsschema
 %{_mandir}/man1/ovsdb-client.1%{?ext_man}
@@ -829,9 +894,11 @@ exit 0
 %{_sbindir}/rcovsdb-server
 %{_sbindir}/rcovs-vswitchd
 %{_sbindir}/rcopenvswitch
+%{_sbindir}/rcovs-delete-transient-ports
 %{_unitdir}/openvswitch.service
 %{_unitdir}/ovs-vswitchd.service
 %{_unitdir}/ovsdb-server.service
+%{_unitdir}/ovs-delete-transient-ports.service
 %if 0%{?suse_version}
 %{_fillupdir}/sysconfig.openvswitch
 %{_datadir}/bash-completion/completions/ovs-appctl-bashcomp.bash
@@ -878,6 +945,11 @@ exit 0
 %{_datadir}/openvswitch/scripts/ovs-vtep
 %{_datadir}/openvswitch/vtep.ovsschema
 
+%files ipsec
+%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec
+%{_sbindir}/rcopenvswitch-ipsec
+%{_unitdir}/openvswitch-ipsec.service
+
 %files -n python2-ovs
 %{python2_sitearch}/ovs/
 %{python2_sitearch}/ovs-*.egg-info