ovs-monitor-ipsec: Detect correctly IPSEC configuration changes

If Open vSwitch has IPSEC tunnel (with certificates) and Interface
table was updated, then ovs-monitor-ipsec daemon would incorrectly
remove and readd all existing IPSEC tunnels.

The root cause for this issue was that "peer_cert_file" key was present in
interfaces dictionary, but it was not present in new_interfaces dictionary.

Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Reported-by: Niklas Andersson <nandersson@nicira.com>

diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
index 970708264ad0b12ece3cd23ad3609bd1206ad707..1547824acbe1ea8aefd25618f06420ac7203ef4a 100755 (executable)
--- a/debian/ovs-monitor-ipsec
+++ b/debian/ovs-monitor-ipsec
@@ -216,12 +216,10 @@ path certificate "%s";
 
         # The peer's certificate comes to us in PEM format as a string.
         # Write that string to a file for Racoon to use.
-        peer_cert_file = "%s/ovs-%s.pem" % (self.cert_dir, host)
-        f = open(root_prefix + peer_cert_file, "w")
+        f = open(root_prefix + vals["peer_cert_file"], "w")
         f.write(vals["peer_cert"])
         f.close()
 
-        vals["peer_cert_file"] = peer_cert_file
 
         self.cert_hosts[host] = vals
         self.commit()
@@ -491,8 +489,10 @@ def main():
                         vlog.warn("no valid SSL entry for %s" % name)
                         continue
 
+                    cert_name = "ovs-%s.pem" % (options.get("remote_ip"))
                     entry["certificate"] = ssl_cert[0]
                     entry["private_key"] = ssl_cert[1]
+                    entry["peer_cert_file"] = Racoon.cert_dir + "/" + cert_name
 
                 new_interfaces[name] = entry