ovs-monitor-ipsec: Detect correctly IPSEC configuration changes
authorAnsis Atteka <aatteka@nicira.com>
Fri, 9 Mar 2012 02:58:09 +0000 (18:58 -0800)
committerAnsis Atteka <aatteka@nicira.com>
Fri, 9 Mar 2012 06:43:10 +0000 (22:43 -0800)
If Open vSwitch has IPSEC tunnel (with certificates) and Interface
table was updated, then ovs-monitor-ipsec daemon would incorrectly
remove and readd all existing IPSEC tunnels.

The root cause for this issue was that "peer_cert_file" key was present in
interfaces dictionary, but it was missing in new_interfaces dictionary.

v2: Do not fail buildtests

Issue#10096

Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Reported-by: Niklas Andersson <nandersson@nicira.com>
debian/ovs-monitor-ipsec

index 970708264ad0b12ece3cd23ad3609bd1206ad707..981f0a2c820a729c85a04a3e997d2cd48db7139c 100755 (executable)
@@ -216,13 +216,10 @@ path certificate "%s";
 
         # The peer's certificate comes to us in PEM format as a string.
         # Write that string to a file for Racoon to use.
-        peer_cert_file = "%s/ovs-%s.pem" % (self.cert_dir, host)
-        f = open(root_prefix + peer_cert_file, "w")
+        f = open(root_prefix + vals["peer_cert_file"], "w")
         f.write(vals["peer_cert"])
         f.close()
 
-        vals["peer_cert_file"] = peer_cert_file
-
         self.cert_hosts[host] = vals
         self.commit()
 
@@ -467,6 +464,7 @@ def main():
             if rec.type == "ipsec_gre":
                 name = rec.name
                 options = rec.options
+                peer_cert_name = "ovs-%s.pem" % (options.get("remote_ip"))
                 entry = {
                     "remote_ip": options.get("remote_ip"),
                     "local_ip": options.get("local_ip", "0.0.0.0/0"),
@@ -474,6 +472,7 @@ def main():
                     "private_key": options.get("private_key"),
                     "use_ssl_cert": options.get("use_ssl_cert"),
                     "peer_cert": options.get("peer_cert"),
+                    "peer_cert_file": Racoon.cert_dir + "/" + peer_cert_name,
                     "psk": options.get("psk")}
 
                 if entry["peer_cert"] and entry["psk"]: