From 864bdc599ff0da2693b9d6969d87b5853ed71abc Mon Sep 17 00:00:00 2001
From: Periyasamy Palanisamy
Date: Thu, 19 Dec 2024 15:32:21 +0100
Subject: [PATCH 1/3] Cleanup ipsec state only when ipsec is not full mode
There is an incorrect check while cleaning up ipsec state upon deleting ipsec pod which removes states in all cases, so this fix removes state only when ipsec mode is not full mode.
Signed-off-by: Periyasamy Palanisamy
---
 bindata/network/ovn-kubernetes/common/ipsec-host.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bindata/network/ovn-kubernetes/common/ipsec-host.yaml b/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
index f0ecd632e3..7771d7095c 100644
--- a/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
+++ b/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
@@ -407,7 +407,7 @@ spec:
 # When east-west ipsec is not disabled, then do not flush xfrm states and
 # policies in order to maintain traffic flows during container restart.
 ipsecflush() {
- if [ "$(kubectl get networks.operator.openshift.io cluster -ojsonpath='{.spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig.mode}')" != "Full" ] || \
+ if [ "$(kubectl get networks.operator.openshift.io cluster -ojsonpath='{.spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig.mode}')" != "Full" ] && \
 [ "$(kubectl get networks.operator.openshift.io cluster -ojsonpath='{.spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig}')" != "{}" ]; then
 ip x s flush
 ip x p flush
From ece9fbb3eab09a1d962bd09d395be457275474a3 Mon Sep 17 00:00:00 2001
From: Periyasamy Palanisamy
Date: Thu, 19 Dec 2024 18:28:51 +0100
Subject: [PATCH 2/3] Revert "Configure narrowing=yes for IPsec connections"
This reverts commit e0bfa7eb290e70c1e938fefec6a5490b9c71a6db.
Signed-off-by: Periyasamy Palanisamy
---
 .../network/ovn-kubernetes/common/ipsec-host.yaml | 14 --------------
 1 file changed, 14 deletions(-)
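Review bot: The new `&&` condition still treats a failed `kubectl get` as "mode is not Full": when the API is unreachable during pod deletion, each `$(...)` expands to an empty string, which is neither `Full` nor `{}`, so both tests pass and `ip x s flush` / `ip x p flush` run anyway — exactly the restart-time disruption the comment above the function says it is meant to avoid, and it may leave tunnel traffic unprotected until pluto renegotiates. Query the API once per value and bail out on failure instead of comparing against empty output: `mode=$(kubectl get networks.operator.openshift.io cluster -ojsonpath='{.spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig.mode}') || return 0`, `cfg=$(kubectl get networks.operator.openshift.io cluster -ojsonpath='{.spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig}') || return 0`, then `if [ "$mode" != "Full" ] && [ "$cfg" != "{}" ]; then`. Whether to skip or retry on a failed lookup is a policy choice for the caller, but an empty answer should not be read as "IPsec disabled". The rest of ipsecflush's body continues outside the hunk.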
diff --git a/bindata/network/ovn-kubernetes/common/ipsec-host.yaml b/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
index 7771d7095c..a132e1cbd2 100644
--- a/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
+++ b/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
@@ -241,20 +241,6 @@ spec:
 sed -i "/${defaultcpinclude}/s/^/# /" /etc/ipsec.conf
 fi
 
- # Use /etc/ipsec.d/cno.conf file to write our own default IPsec connection parameters.
- # The /etc/ipsec.d/openshift.conf file can not be used because it is managed by openvswitch.
- touch /etc/ipsec.d/cno.conf
- if ! grep -q "narrowing=yes" /etc/ipsec.d/cno.conf; then
- cat < /etc/ipsec.d/cno.conf
- # Default IPsec connection parameters rendered by network operator.
- # The narrowing=yes is needed to narrow down the proposals exchanged
- # by two peers to a mutually acceptable set, otherwise it sometimes
- # have traffic hit between peer nodes.
- conn %default
- narrowing=yes
- EOF
- fi
-
 # since pluto is on the host, we need to restart it after changing connection
 # parameters.
 chroot /proc/1/root ipsec restart
From ea1d48918943e4a10de3a7b7de3a029a82bb086e Mon Sep 17 00:00:00 2001
From: Periyasamy Palanisamy
Date: Thu, 19 Dec 2024 23:41:02 +0100
Subject: [PATCH 3/3] Restart IPsec service only when needed
Signed-off-by: Periyasamy Palanisamy
---
 .../common/80-ipsec-master-extensions.yaml | 1 +
 .../common/80-ipsec-worker-extensions.yaml | 1 +
 .../ovn-kubernetes/common/ipsec-host.yaml | 31 +++++++++----------
 3 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/bindata/network/ovn-kubernetes/common/80-ipsec-master-extensions.yaml b/bindata/network/ovn-kubernetes/common/80-ipsec-master-extensions.yaml
index a432d8bae2..830248503b 100644
--- a/bindata/network/ovn-kubernetes/common/80-ipsec-master-extensions.yaml
+++ b/bindata/network/ovn-kubernetes/common/80-ipsec-master-extensions.yaml
@@ -20,6 +20,7 @@ spec:
 
 [Service]
 Type=oneshot
+ ExecStartPre=rm -f /etc/ipsec.d/cno.conf
 ExecStart=systemctl enable --now ipsec.service
 
 [Install]
diff --git a/bindata/network/ovn-kubernetes/common/80-ipsec-worker-extensions.yaml b/bindata/network/ovn-kubernetes/common/80-ipsec-worker-extensions.yaml
index 43f9a1bbeb..5acb18ef72 100644
--- a/bindata/network/ovn-kubernetes/common/80-ipsec-worker-extensions.yaml
+++ b/bindata/network/ovn-kubernetes/common/80-ipsec-worker-extensions.yaml
@@ -20,6 +20,7 @@ spec:
 
 [Service]
 Type=oneshot
+ ExecStartPre=rm -f /etc/ipsec.d/cno.conf
 ExecStart=systemctl enable --now ipsec.service
 
 [Install]
diff --git a/bindata/network/ovn-kubernetes/common/ipsec-host.yaml b/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
index a132e1cbd2..4d9b882f86 100644
--- a/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
+++ b/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
@@ -239,23 +239,22 @@ spec:
 defaultcpinclude="include \/etc\/crypto-policies\/back-ends\/libreswan.config"
 if ! grep -q "# ${defaultcpinclude}" /etc/ipsec.conf; then
 sed -i "/${defaultcpinclude}/s/^/# /" /etc/ipsec.conf
- fi
-
- # since pluto is on the host, we need to restart it after changing connection
- # parameters.
- chroot /proc/1/root ipsec restart
+ # since pluto is on the host, we need to restart it after changing connection
+ # parameters.
+ chroot /proc/1/root ipsec restart
 
- counter=0
- until [ -r /run/pluto/pluto.ctl ]; do
- counter=$((counter+1))
- sleep 1
- if [ $counter -gt 300 ];
- then
- echo "ipsec has not started after $counter seconds"
- exit 1
- fi
- done
- echo "ipsec service is restarted"
+ counter=0
+ until [ -r /run/pluto/pluto.ctl ]; do
+ counter=$((counter+1))
+ sleep 1
+ if [ $counter -gt 300 ];
+ then
+ echo "ipsec has not started after $counter seconds"
+ exit 1
+ fi
+ done
+ echo "ipsec service is restarted"
+ fi
 
 # Workaround for https://github.com/libreswan/libreswan/issues/373
 ulimit -n 1024
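Review bot: The added `ExecStartPre=rm -f /etc/ipsec.d/cno.conf` carries no comment explaining why a oneshot that only enables ipsec.service deletes a file, so a future maintainer is likely to drop it as stray; the identical line in 80-ipsec-worker-extensions.yaml has the same gap. A one-line comment above it such as `# Remove the connection-defaults file (narrowing=yes) written by earlier network-operator releases; it is no longer rendered.` would tie it to the revert in the previous patch of this series. Older systemd releases also require an absolute executable path in Exec* lines, so `ExecStartPre=/usr/bin/rm -f /etc/ipsec.d/cno.conf` is the more portable spelling if the target OS version is not pinned.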
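Review bot: The guard `if ! grep -q "# ${defaultcpinclude}" /etc/ipsec.conf; then` tests for the commented-out form rather than for the active include, so on a host whose /etc/ipsec.conf has no such include line at all the `sed -i` is a no-op and `chroot /proc/1/root ipsec restart` plus the up-to-300 s wait loop still run on every container start, which is what this change sets out to avoid. Guarding on the active line instead, `if grep -q "^${defaultcpinclude}" /etc/ipsec.conf; then`, restarts pluto only when the file was actually edited; the `\/` escapes in `defaultcpinclude` are already relied on as a grep pattern in the current guard, so the same variable can be reused. If such hosts are not expected, a comment stating that the crypto-policies include is assumed to be present would at least make that assumption explicit. The surrounding script continues outside the hunk.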