Merge pull request #7559 from offlinehacker/openvswitch/ipsec

openvswitch: ipsec support
This commit is contained in:
Mateusz Kowalczyk 2015-05-26 11:26:02 +01:00
commit 1113efec5e
4 changed files with 175 additions and 69 deletions


@ -307,6 +307,7 @@
./services/networking/privoxy.nix
./services/networking/prosody.nix
./services/networking/quassel.nix
./services/networking/racoon.nix
./services/networking/radicale.nix
./services/networking/radvd.nix
./services/networking/rdnssd.nix


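--- a/services/networking/racoon.nix
+++ b/services/networking/racoon.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+cfg = config.services.racoon;
+in {
+options.services.racoon = {
+enable = mkEnableOption "Whether to enable racoon.";
+config = mkOption {
+description = "Contents of racoon configuration file.";
+default = "";
+type = types.str;
+};
+configPath = mkOption {
+description = "Location of racoon config if config is not provided.";
+default = "/etc/racoon/racoon.conf";
+type = types.path;
+};
+};
+config = mkIf cfg.enable {
+systemd.services.racoon = {
+description = "Racoon Daemon";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+serviceConfig = {
+ExecStart = "${pkgs.ipsecTools}/bin/racoon -f ${
+if (cfg.config != "") then pkgs.writeText "racoon.conf" cfg.config
+else cfg.configPath
+}";
+ExecReload = "${pkgs.ipsecTools}/bin/racoonctl reload-config";
+PIDFile = "/var/run/racoon.pid";
+Type = "forking";
+Restart = "always";
+};
+preStart = "rm /var/run/racoon.pid || true";
+};
+};
+}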
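Review bot: The `config` option's text is written into the Nix store by `pkgs.writeText` in the ExecStart branch, where it is world-readable, so the option description should say that secrets must stay out of it: `description = "Contents of racoon configuration file. It is stored in the world-readable Nix store, so reference pre-shared keys and certificates by path rather than inlining them.";`. Separately, `mkEnableOption` already prefixes its argument with "Whether to enable", so `enable = mkEnableOption "Whether to enable racoon."` renders as a doubled phrase; `enable = mkEnableOption "racoon";` gives the intended text. The pre-start cleanup `rm /var/run/racoon.pid || true` would read more clearly as `rm -f /var/run/racoon.pid`.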


@ -7,35 +7,36 @@ with lib;
let
cfg = config.virtualisation.vswitch;
in
in {
{
options = {
virtualisation.vswitch.enable = mkOption {
options.virtualisation.vswitch = {
enable = mkOption {
type = types.bool;
default = false;
description =
''
Enable Open vSwitch. A configuration
daemon (ovs-server) will be started.
description = ''
Whether to enable Open vSwitch. A configuration daemon (ovs-server)
will be started.
'';
};
virtualisation.vswitch.package = mkOption {
package = mkOption {
type = types.package;
default = pkgs.openvswitch;
description =
''
description = ''
Open vSwitch package to use.
'';
'';
};
ipsec = mkOption {
type = types.bool;
default = false;
description = ''
Whether to start racoon service for openvswitch.
'';
};
};
config = mkIf cfg.enable (let
config = mkIf cfg.enable (let
# Where the communication sockets live
runDir = "/var/run/openvswitch";
@ -43,7 +44,7 @@ in
# Where the config database live (can't be in nix-store)
stateDir = "/var/db/openvswitch";
# The path to the an initialized version of the database
# The path to the an initialized version of the database
db = pkgs.stdenv.mkDerivation {
name = "vswitch.db";
unpackPhase = "true";
@ -51,15 +52,12 @@ in
buildInputs = with pkgs; [
cfg.package
];
installPhase =
''
ensureDir $out/
'';
installPhase = "mkdir -p $out";
};
in {
in (mkMerge [{
environment.systemPackages = [ cfg.package ];
environment.systemPackages = [ cfg.package pkgs.ipsecTools ];
boot.kernelModules = [ "tun" "openvswitch" ];
@ -73,7 +71,7 @@ in
path = [ cfg.package ];
restartTriggers = [ db cfg.package ];
# Create the config database
preStart =
preStart =
''
mkdir -p ${runDir}
mkdir -p /var/db/openvswitch
@ -85,23 +83,27 @@ in
fi
chmod -R +w /var/db/openvswitch
'';
serviceConfig.ExecStart =
''
${cfg.package}/bin/ovsdb-server \
--remote=punix:${runDir}/db.sock \
--private-key=db:Open_vSwitch,SSL,private_key \
--certificate=db:Open_vSwitch,SSL,certificate \
--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
--unixctl=ovsdb.ctl.sock \
/var/db/openvswitch/conf.db
'';
serviceConfig.Restart = "always";
serviceConfig.RestartSec = 3;
postStart =
''
serviceConfig = {
ExecStart =
''
${cfg.package}/bin/ovsdb-server \
--remote=punix:${runDir}/db.sock \
--private-key=db:Open_vSwitch,SSL,private_key \
--certificate=db:Open_vSwitch,SSL,certificate \
--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
--unixctl=ovsdb.ctl.sock \
--pidfile=/var/run/openvswitch/ovsdb.pid \
--detach \
/var/db/openvswitch/conf.db
'';
Restart = "always";
RestartSec = 3;
PIDFile = "/var/run/openvswitch/ovsdb.pid";
Type = "forking";
};
postStart = ''
${cfg.package}/bin/ovs-vsctl --timeout 3 --retry --no-wait init
'';
'';
};
systemd.services.vswitchd = {
@ -109,9 +111,55 @@ in
bindsTo = [ "ovsdb.service" ];
after = [ "ovsdb.service" ];
path = [ cfg.package ];
serviceConfig.ExecStart = ''${cfg.package}/bin/ovs-vswitchd'';
serviceConfig = {
ExecStart = ''
${cfg.package}/bin/ovs-vswitchd \
--pidfile=/var/run/openvswitch/ovs-vswitchd.pid \
--detach
'';
PIDFile = "/var/run/openvswitch/ovs-vswitchd.pid";
Type = "forking";
};
};
});
}
(mkIf cfg.ipsec {
services.racoon.enable = true;
services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf";
networking.firewall.extraCommands = ''
iptables -I INPUT -t mangle -p esp -j MARK --set-mark 1/1
iptables -I INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1
'';
systemd.services.ovs-monitor-ipsec = {
description = "Open_vSwitch Ipsec Daemon";
wantedBy = [ "multi-user.target" ];
requires = [ "racoon.service" ];
after = [ "vswitchd.service" ];
environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock";
serviceConfig = {
ExecStart = ''
${cfg.package}/bin/ovs-monitor-ipsec \
--root-prefix ${runDir}/ipsec \
--pidfile /var/run/openvswitch/ovs-monitor-ipsec.pid \
--monitor --detach \
unix:/var/run/openvswitch/db.sock
'';
PIDFile = "/var/run/openvswitch/ovs-monitor-ipsec.pid";
Type = "forking";
};
preStart = ''
rm -r ${runDir}/ipsec/etc/racoon/certs || true
mkdir -p ${runDir}/ipsec/{etc/racoon,etc/init.d/,usr/sbin/}
ln -fs ${pkgs.ipsecTools}/bin/setkey ${runDir}/ipsec/usr/sbin/setkey
ln -fs ${pkgs.writeScript "racoon-restart" ''
#!${pkgs.stdenv.shell}
/var/run/current-system/sw/bin/systemctl $1 racoon
''} ${runDir}/ipsec/etc/init.d/racoon
'';
};
})]));
}
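Review bot: In the new `ovs-monitor-ipsec` unit, `environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock"` puts the daemon's control socket in the world-writable `/tmp`, where the path can be pre-created by any local user before the service starts; keeping it in the root-owned run directory, e.g. `environment.UNIXCTLPATH = "${runDir}/ovs-monitor-ipsec.ctl.sock";`, avoids that and no longer shares a name with ovsdb-server's own `--unixctl=ovsdb.ctl.sock`. The unit `requires` `racoon.service` but only orders itself `after` `vswitchd.service`, so it can be started before racoon is up; `after = [ "vswitchd.service" "racoon.service" ];` fixes the ordering. The packaging hunk in default.nix redirects `psk_file` and `cert_dir` under `root_prefix`, i.e. `${runDir}/ipsec`, so the pre-start script should tighten that tree with `chmod 700 ${runDir}/ipsec` after the `mkdir -p`, which otherwise leaves it at the default umask. The `racoon-restart` helper should also quote its argument, `systemctl "$1" racoon`.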


@ -1,47 +1,62 @@
{ stdenv, fetchurl, openssl, python27, iproute, perl, kernel ? null}:
{ stdenv, fetchurl, makeWrapper
, openssl, python27, iproute, perl, kernel ? null }:
with stdenv.lib;
let
version = "2.1.2";
skipKernelMod = kernel == null;
in
stdenv.mkDerivation {
version = "2.1.2";
_kernel = kernel;
in stdenv.mkDerivation rec {
version = "2.3.1";
name = "openvswitch-${version}";
src = fetchurl {
url = "http://openvswitch.org/releases/openvswitch-2.1.2.tar.gz";
sha256 = "16q7faqrj2pfchhn0x5s9ggi5ckcg9n62f6bnqaih064aaq2jm47";
url = "http://openvswitch.org/releases/${name}.tar.gz";
sha256 = "1lmwyhm5wmdv1l4v1v5xd36d5ra21jz9ix57nh1lgm8iqc0lj5r1";
};
kernel = if skipKernelMod then null else kernel.dev;
buildInputs = [
openssl
python27
perl
];
kernel = optional (_kernel != null) _kernel.dev;
buildInputs = [ makeWrapper openssl python27 perl ];
configureFlags = [
"--localstatedir=/var"
"--sharedstatedir=/var"
"--sbindir=$(out)/bin"
] ++ (if skipKernelMod then [] else ["--with-linux"]);
] ++ (optionals (_kernel != null) ["--with-linux"]);
# Leave /var out of this!
installFlags = [
"LOGDIR=$(TMPDIR)/dummy"
"RUNDIR=$(TMPDIR)/dummy"
"PKIDIR=$(TMPDIR)/dummy"
];
postInstall = ''
cp debian/ovs-monitor-ipsec $out/share/openvswitch/scripts
makeWrapper \
$out/share/openvswitch/scripts/ovs-monitor-ipsec \
$out/bin/ovs-monitor-ipsec \
--prefix PYTHONPATH : "$out/share/openvswitch/python"
substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
--replace "UnixctlServer.create(None)" "UnixctlServer.create(os.environ['UNIXCTLPATH'])"
substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
--replace "self.psk_file" "root_prefix + self.psk_file"
substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
--replace "self.cert_dir" "root_prefix + self.cert_dir"
'';
meta = {
platforms = stdenv.lib.platforms.linux;
platforms = platforms.linux;
description = "A multilayer virtual switch";
longDescription =
longDescription =
''
Open vSwitch is a production quality, multilayer virtual switch
licensed under the open source Apache 2.0 license. It is
designed to enable massive network automation through
programmatic extension, while still supporting standard
management interfaces and protocols (e.g. NetFlow, sFlow, SPAN,
RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to
support distribution across multiple physical servers similar
Open vSwitch is a production quality, multilayer virtual switch
licensed under the open source Apache 2.0 license. It is
designed to enable massive network automation through
programmatic extension, while still supporting standard
management interfaces and protocols (e.g. NetFlow, sFlow, SPAN,
RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to
support distribution across multiple physical servers similar
to VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
'';
homepage = "http://openvswitch.org/";