From 2430c4ef82a58d9a2903785a8edef7392f49bea2 Mon Sep 17 00:00:00 2001
From: Stijn Tintel
Date: Wed, 28 Jul 2021 17:48:41 +0300
Subject: [PATCH 1/2] openvswitch: add missing basescript variable
The Open vSwitch init script does not set USE_PROCD=1. Instead, it defines most of the functions and variables that would be set when USE_PROCD is set to 1, but with some minor changes. The basescript variable however, which is used when calling procd_open_service and procd_kill, is not set. As a result, basename of the contents of the initscript variable is used as the service name. As the service is automatically started via its symlink in /etc/rc.d, S15openvswitch, the service name is S15openvswitch. Set the basescript variable so that the service name is openvswitch.
Signed-off-by: Stijn Tintel
---
 net/openvswitch/files/openvswitch.init | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/net/openvswitch/files/openvswitch.init b/net/openvswitch/files/openvswitch.init
index 32adbac49..84ba17b62 100755
--- a/net/openvswitch/files/openvswitch.init
+++ b/net/openvswitch/files/openvswitch.init
@@ -7,6 +7,8 @@
 . /lib/functions/procd.sh
 START=15
+basescript=$(readlink "$initscript")
+
 ovs_ctl="/usr/share/openvswitch/scripts/ovs-ctl"; [ -x "$ovs_ctl" ] || ovs_ctl=:
 ovn_ctl="/usr/share/ovn/scripts/ovn-ctl"; [ -x "$ovn_ctl" ] || ovn_ctl=:
From 653716eb19121752ad041a3faffc61777698e82a Mon Sep 17 00:00:00 2001
From: Stijn Tintel
Date: Tue, 27 Jul 2021 13:00:15 +0300
Subject: [PATCH 2/2] openvswitch: add SSL support
Open vSwitch supports SSL to connect to an OpenFlow controller. This is recommended for security. Expand the UCI ovs config section to allow configuring SSL CA, certificate and private key.
Signed-off-by: Stijn Tintel
---
 net/openvswitch/Makefile | 2 +-
 net/openvswitch/README.md | 13 +++++++++++++
 net/openvswitch/files/openvswitch.config | 3 +++
 net/openvswitch/files/openvswitch.init | 12 ++++++++++++
 4 files changed, 29 insertions(+), 1 deletion(-)
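Review bot: The new `basescript` line deserves a comment, because this script deliberately does not set USE_PROCD=1 and nothing nearby says what consumes the variable or why it is derived from a symlink. Something like `# procd_open_service/procd_kill derive the service name from basescript; resolve the /etc/rc.d/S15openvswitch symlink so the name is "openvswitch" (this mirrors what USE_PROCD=1 would set up)` puts the commit message's reasoning in the file itself. It is also worth stating there that when the script is invoked directly rather than via the symlink, readlink prints nothing and basescript stays empty, which per the commit message falls back to the basename of $initscript, i.e. the same name.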
diff --git a/net/openvswitch/Makefile b/net/openvswitch/Makefile
index 9c23a2467..6883ba4ba 100644
--- a/net/openvswitch/Makefile
+++ b/net/openvswitch/Makefile
@@ -17,7 +17,7 @@ include ./openvswitch.mk
 #
 PKG_NAME:=openvswitch
 PKG_VERSION:=$(ovs_version)
-PKG_RELEASE:=5
+PKG_RELEASE:=6
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.openvswitch.org/releases/
 PKG_HASH:=7d5797f2bf2449c6a266149e88f72123540f7fe7f31ad52902057ae8d8f88c38
diff --git a/net/openvswitch/README.md b/net/openvswitch/README.md
index 5ed04d771..5cc8bbffe 100644
--- a/net/openvswitch/README.md
+++ b/net/openvswitch/README.md
@@ -69,6 +69,19 @@ ovs ovn_northd, ovn_controller & ovs_bridge. Each of these supports a disabled option, which should be set to 0 to launch the respective daemons.
+The ovs section section also supports the options below, to configure a set of
+SSL CA, certificate and private key. After adding these to Open vSwitch, you
+may specify ssl: connection methods for e.g. the OpenFlow controller. Note that
+Open vSwitch only reads these files during startup, so it needs to be restarted
+after adding or changing these options.
+
+| Name | Type | Required | Default | Description |
+|----------|---------|----------|---------|-----------------------------------|
+| disabled | boolean | no | 0 | If set to 1, do not configure SSL |
+| ca | string | no | (none) | Path to CA certificate |
+| cert | string | no | (none) | Path to certificate |
+| key | string | no | (none) | Path to private key |
 The ovs_bridge section also supports the options below, for initialising a virtual bridge with an OpenFlow controller.
diff --git a/net/openvswitch/files/openvswitch.config b/net/openvswitch/files/openvswitch.config
index 56900b888..c812b7dd6 100644
--- a/net/openvswitch/files/openvswitch.config
+++ b/net/openvswitch/files/openvswitch.config
@@ -1,5 +1,8 @@
 config ovs ovs
 option disabled 1
+ option ca '/etc/openvswitch/example_ca.crt'
+ option cert '/etc/openvswitch/example_cert.crt'
+ option key '/etc/openvswitch/example_key.crt'
 config ovn_northd north
 option disabled 1
diff --git a/net/openvswitch/files/openvswitch.init b/net/openvswitch/files/openvswitch.init
index 84ba17b62..229e6869b 100755
--- a/net/openvswitch/files/openvswitch.init
+++ b/net/openvswitch/files/openvswitch.init
@@ -90,6 +90,7 @@ ovs_xx() {
 ovs)
 "$ovs_ctl" "$action" \
 --system-id=random 1000>&-
+ ovs_set_ssl
 ;;
 ovn_*)
 "$ovn_ctl" "${action}_${cfgtype#ovn_}"
@@ -216,3 +217,14 @@ ovs_bridge_init() {
 [ -n "$controller" ] && \
 ovs-vsctl set-controller "$name" "$controller"
 }
+
+ovs_set_ssl() {
+ local ca="$(uci -q get openvswitch.ovs.ca)"
+ [ -f "$ca" ] || return
+ local cert="$(uci get openvswitch.ovs.cert)"
+ [ -f "$cert" ] || return
+ local key="$(uci get openvswitch.ovs.key)"
+ [ -f "$key" ] || return
+
+ ovs-vsctl set-ssl "$key" "$cert" "$ca"
+}
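Review bot: The sample private key path `/etc/openvswitch/example_key.crt` gives key material a certificate extension, which invites operators to mix up the public and private files when they copy the example; `option key '/etc/openvswitch/example_key.pem'` (or `.key`) would be clearer. Since the init script in this series only calls `ovs-vsctl set-ssl` when all three files exist, shipping these example paths is harmless but silent, so a `# all three must point at real files; SSL is skipped if any is missing` comment above them would tell the reader what to expect.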
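Review bot: `ovs_set_ssl` is invoked right after `"$ovs_ctl" "$action"` regardless of what `$action` is, so it also runs for the non-start actions that reach ovs_xx (its caller is outside the hunk, but the ovn branch hands `${action}_…` to ovn-ctl, which suggests start/stop style verbs). After a stop there is no ovsdb-server for `ovs-vsctl set-ssl` to reach, so the call will either fail or wait on the database socket, depending on ovs-vsctl's connection handling, on every stop. Guarding it as `[ "$action" != start ] || ovs_set_ssl` keeps the intent of the hunk and avoids that, without changing ovs_xx's exit status. The README added in this series also says the certificate files are only read at startup; if that holds, applying set-ssl after `ovs-ctl start` means the first start after configuring does not use SSL until a restart, which is worth a comment at this call site.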
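Review bot: Only the `ca` lookup in ovs_set_ssl passes `-q` to uci; `cert` and `key` do not, so a section that sets ca but not the other two prints a uci "Entry not found" error on stderr at every start before the `[ -f ]` guard returns. Make all three quiet: `local cert="$(uci -q get openvswitch.ovs.cert)"` and `local key="$(uci -q get openvswitch.ovs.key)"`. The bare `|| return` paths also mean a mistyped path leaves the switch without SSL and the operator with no diagnostic, so emitting a one-line warning (via logger, if that is the convention in this tree) before each return would make a misconfiguration visible. Finally, the README table in this series documents a `disabled` option as "do not configure SSL", but this function reads no such flag, and the only `disabled` in the ovs section is the daemon-level one the README documents just above; either drop that row or give the SSL flag a distinct option name and honour it here.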