
Merge pull request #7559 from offlinehacker/openvswitch/ipsec

openvswitch: ipsec support
This commit is contained in:
Mateusz Kowalczyk 2015-05-26 11:26:02 +01:00
commit 1113efec5e
4 changed files with 175 additions and 69 deletions


@ -307,6 +307,7 @@
./services/networking/privoxy.nix ./services/networking/privoxy.nix
./services/networking/prosody.nix ./services/networking/prosody.nix
./services/networking/quassel.nix ./services/networking/quassel.nix
./services/networking/racoon.nix
./services/networking/radicale.nix ./services/networking/radicale.nix
./services/networking/radvd.nix ./services/networking/radvd.nix
./services/networking/rdnssd.nix ./services/networking/rdnssd.nix


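--- /dev/null
+++ b/services/networking/racoon.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+cfg = config.services.racoon;
+in {
+options.services.racoon = {
+enable = mkEnableOption "Whether to enable racoon.";
+config = mkOption {
+description = "Contents of racoon configuration file.";
+default = "";
+type = types.str;
+};
+configPath = mkOption {
+description = "Location of racoon config if config is not provided.";
+default = "/etc/racoon/racoon.conf";
+type = types.path;
+};
+};
+config = mkIf cfg.enable {
+systemd.services.racoon = {
+description = "Racoon Daemon";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+serviceConfig = {
+ExecStart = "${pkgs.ipsecTools}/bin/racoon -f ${
+if (cfg.config != "") then pkgs.writeText "racoon.conf" cfg.config
+else cfg.configPath
+}";
+ExecReload = "${pkgs.ipsecTools}/bin/racoonctl reload-config";
+PIDFile = "/var/run/racoon.pid";
+Type = "forking";
+Restart = "always";
+};
+preStart = "rm /var/run/racoon.pid || true";
+};
+};
+}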
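Review bot: The `enable` option's description will render as "Whether to enable Whether to enable racoon.", because `mkEnableOption` already prepends "Whether to enable" to its argument; write `enable = mkEnableOption "racoon";`. The `config` option also needs a caveat in its description: when it is non-empty the contents are written with `pkgs.writeText`, which places the file in the world-readable Nix store, so any inline pre-shared secrets or key material pasted into it become readable by every local user, and the description should say that secrets belong in a file referenced through `configPath` instead. Minor: `preStart = "rm /var/run/racoon.pid || true"` can be `preStart = "rm -f /var/run/racoon.pid";`, which avoids the error-on-missing rather than masking it.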


@ -7,35 +7,36 @@ with lib;
let let
cfg = config.virtualisation.vswitch; cfg = config.virtualisation.vswitch;
in in {
{ options.virtualisation.vswitch = {
enable = mkOption {
options = {
virtualisation.vswitch.enable = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = description = ''
'' Whether to enable Open vSwitch. A configuration daemon (ovs-server)
Enable Open vSwitch. A configuration will be started.
daemon (ovs-server) will be started.
''; '';
}; };
package = mkOption {
virtualisation.vswitch.package = mkOption {
type = types.package; type = types.package;
default = pkgs.openvswitch; default = pkgs.openvswitch;
description = description = ''
''
Open vSwitch package to use. Open vSwitch package to use.
''; '';
}; };
ipsec = mkOption {
type = types.bool;
default = false;
description = ''
Whether to start racoon service for openvswitch.
'';
};
}; };
config = mkIf cfg.enable (let config = mkIf cfg.enable (let
# Where the communication sockets live # Where the communication sockets live
runDir = "/var/run/openvswitch"; runDir = "/var/run/openvswitch";
@ -43,7 +44,7 @@ in
# Where the config database live (can't be in nix-store) # Where the config database live (can't be in nix-store)
stateDir = "/var/db/openvswitch"; stateDir = "/var/db/openvswitch";
# The path to the an initialized version of the database # The path to the an initialized version of the database
db = pkgs.stdenv.mkDerivation { db = pkgs.stdenv.mkDerivation {
name = "vswitch.db"; name = "vswitch.db";
unpackPhase = "true"; unpackPhase = "true";
@ -51,15 +52,12 @@ in
buildInputs = with pkgs; [ buildInputs = with pkgs; [
cfg.package cfg.package
]; ];
installPhase = installPhase = "mkdir -p $out";
''
ensureDir $out/
'';
}; };
in { in (mkMerge [{
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package pkgs.ipsecTools ];
boot.kernelModules = [ "tun" "openvswitch" ]; boot.kernelModules = [ "tun" "openvswitch" ];
@ -73,7 +71,7 @@ in
path = [ cfg.package ]; path = [ cfg.package ];
restartTriggers = [ db cfg.package ]; restartTriggers = [ db cfg.package ];
# Create the config database # Create the config database
preStart = preStart =
'' ''
mkdir -p ${runDir} mkdir -p ${runDir}
mkdir -p /var/db/openvswitch mkdir -p /var/db/openvswitch
@ -85,23 +83,27 @@ in
fi fi
chmod -R +w /var/db/openvswitch chmod -R +w /var/db/openvswitch
''; '';
serviceConfig.ExecStart = serviceConfig = {
'' ExecStart =
${cfg.package}/bin/ovsdb-server \ ''
--remote=punix:${runDir}/db.sock \ ${cfg.package}/bin/ovsdb-server \
--private-key=db:Open_vSwitch,SSL,private_key \ --remote=punix:${runDir}/db.sock \
--certificate=db:Open_vSwitch,SSL,certificate \ --private-key=db:Open_vSwitch,SSL,private_key \
--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \ --certificate=db:Open_vSwitch,SSL,certificate \
--unixctl=ovsdb.ctl.sock \ --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
/var/db/openvswitch/conf.db --unixctl=ovsdb.ctl.sock \
''; --pidfile=/var/run/openvswitch/ovsdb.pid \
serviceConfig.Restart = "always"; --detach \
serviceConfig.RestartSec = 3; /var/db/openvswitch/conf.db
postStart = '';
'' Restart = "always";
RestartSec = 3;
PIDFile = "/var/run/openvswitch/ovsdb.pid";
Type = "forking";
};
postStart = ''
${cfg.package}/bin/ovs-vsctl --timeout 3 --retry --no-wait init ${cfg.package}/bin/ovs-vsctl --timeout 3 --retry --no-wait init
''; '';
}; };
systemd.services.vswitchd = { systemd.services.vswitchd = {
@ -109,9 +111,55 @@ in
bindsTo = [ "ovsdb.service" ]; bindsTo = [ "ovsdb.service" ];
after = [ "ovsdb.service" ]; after = [ "ovsdb.service" ];
path = [ cfg.package ]; path = [ cfg.package ];
serviceConfig.ExecStart = ''${cfg.package}/bin/ovs-vswitchd''; serviceConfig = {
ExecStart = ''
${cfg.package}/bin/ovs-vswitchd \
--pidfile=/var/run/openvswitch/ovs-vswitchd.pid \
--detach
'';
PIDFile = "/var/run/openvswitch/ovs-vswitchd.pid";
Type = "forking";
};
}; };
}); }
(mkIf cfg.ipsec {
services.racoon.enable = true;
services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf";
networking.firewall.extraCommands = ''
iptables -I INPUT -t mangle -p esp -j MARK --set-mark 1/1
iptables -I INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1
'';
systemd.services.ovs-monitor-ipsec = {
description = "Open_vSwitch Ipsec Daemon";
wantedBy = [ "multi-user.target" ];
requires = [ "racoon.service" ];
after = [ "vswitchd.service" ];
environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock";
serviceConfig = {
ExecStart = ''
${cfg.package}/bin/ovs-monitor-ipsec \
--root-prefix ${runDir}/ipsec \
--pidfile /var/run/openvswitch/ovs-monitor-ipsec.pid \
--monitor --detach \
unix:/var/run/openvswitch/db.sock
'';
PIDFile = "/var/run/openvswitch/ovs-monitor-ipsec.pid";
Type = "forking";
};
preStart = ''
rm -r ${runDir}/ipsec/etc/racoon/certs || true
mkdir -p ${runDir}/ipsec/{etc/racoon,etc/init.d/,usr/sbin/}
ln -fs ${pkgs.ipsecTools}/bin/setkey ${runDir}/ipsec/usr/sbin/setkey
ln -fs ${pkgs.writeScript "racoon-restart" ''
#!${pkgs.stdenv.shell}
/var/run/current-system/sw/bin/systemctl $1 racoon
''} ${runDir}/ipsec/etc/init.d/racoon
'';
};
})]));
} }
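Review bot: `environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock"` in the ovs-monitor-ipsec unit puts the daemon's control socket in the shared, world-writable /tmp, where any local user can create or replace that path before the service starts, while ovsdb and vswitchd keep their sockets and pidfiles under `runDir`; the name also suggests ovsdb's socket even though ovsdb is started with `--unixctl=ovsdb.ctl.sock`. Use a path in the run directory instead, e.g. `environment.UNIXCTLPATH = "${runDir}/ovs-monitor-ipsec.ctl";`. Note also that racoon.service is pulled in by multi-user.target and ordered only after network.target, yet its `configPath` is set to `${runDir}/ipsec/etc/racoon/racoon.conf`, which only exists once ovs-monitor-ipsec has written it, so on a fresh boot racoon presumably fails to start and, with `Restart = "always"`, restarts in a loop until the monitor restarts it through the init.d link — worth verifying and stating in the `ipsec` option description. The mangle rules only mark ESP and UDP/4500 packets; whether IKE and ESP are actually accepted by the firewall is left to the user, which the option description should state as well.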


@ -1,47 +1,62 @@
{ stdenv, fetchurl, openssl, python27, iproute, perl, kernel ? null}: { stdenv, fetchurl, makeWrapper
, openssl, python27, iproute, perl, kernel ? null }:
with stdenv.lib;
let let
_kernel = kernel;
version = "2.1.2"; in stdenv.mkDerivation rec {
version = "2.3.1";
skipKernelMod = kernel == null;
in
stdenv.mkDerivation {
version = "2.1.2";
name = "openvswitch-${version}"; name = "openvswitch-${version}";
src = fetchurl { src = fetchurl {
url = "http://openvswitch.org/releases/openvswitch-2.1.2.tar.gz"; url = "http://openvswitch.org/releases/${name}.tar.gz";
sha256 = "16q7faqrj2pfchhn0x5s9ggi5ckcg9n62f6bnqaih064aaq2jm47"; sha256 = "1lmwyhm5wmdv1l4v1v5xd36d5ra21jz9ix57nh1lgm8iqc0lj5r1";
}; };
kernel = if skipKernelMod then null else kernel.dev;
buildInputs = [ kernel = optional (_kernel != null) _kernel.dev;
openssl
python27 buildInputs = [ makeWrapper openssl python27 perl ];
perl
];
configureFlags = [ configureFlags = [
"--localstatedir=/var" "--localstatedir=/var"
"--sharedstatedir=/var" "--sharedstatedir=/var"
"--sbindir=$(out)/bin" "--sbindir=$(out)/bin"
] ++ (if skipKernelMod then [] else ["--with-linux"]); ] ++ (optionals (_kernel != null) ["--with-linux"]);
# Leave /var out of this! # Leave /var out of this!
installFlags = [ installFlags = [
"LOGDIR=$(TMPDIR)/dummy" "LOGDIR=$(TMPDIR)/dummy"
"RUNDIR=$(TMPDIR)/dummy" "RUNDIR=$(TMPDIR)/dummy"
"PKIDIR=$(TMPDIR)/dummy" "PKIDIR=$(TMPDIR)/dummy"
]; ];
postInstall = ''
cp debian/ovs-monitor-ipsec $out/share/openvswitch/scripts
makeWrapper \
$out/share/openvswitch/scripts/ovs-monitor-ipsec \
$out/bin/ovs-monitor-ipsec \
--prefix PYTHONPATH : "$out/share/openvswitch/python"
substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
--replace "UnixctlServer.create(None)" "UnixctlServer.create(os.environ['UNIXCTLPATH'])"
substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
--replace "self.psk_file" "root_prefix + self.psk_file"
substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
--replace "self.cert_dir" "root_prefix + self.cert_dir"
'';
meta = { meta = {
platforms = stdenv.lib.platforms.linux; platforms = platforms.linux;
description = "A multilayer virtual switch"; description = "A multilayer virtual switch";
longDescription = longDescription =
'' ''
Open vSwitch is a production quality, multilayer virtual switch Open vSwitch is a production quality, multilayer virtual switch
licensed under the open source Apache 2.0 license. It is licensed under the open source Apache 2.0 license. It is
designed to enable massive network automation through designed to enable massive network automation through
programmatic extension, while still supporting standard programmatic extension, while still supporting standard
management interfaces and protocols (e.g. NetFlow, sFlow, SPAN, management interfaces and protocols (e.g. NetFlow, sFlow, SPAN,
RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to
support distribution across multiple physical servers similar support distribution across multiple physical servers similar
to VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V. to VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
''; '';
homepage = "http://openvswitch.org/"; homepage = "http://openvswitch.org/";