openvswitch / ovs-issues

Issue tracker repo for Open vSwitch

ovs openvswitch-ipsec.service unable to start ? #243

Closed bettswang closed 2 years ago

bettswang commented 2 years ago

I installed OVS following the docs. I did as below, but openvswitch-ipsec.service is unable to start.

```
dnf install python3-openvswitch libreswan openvswitch openvswitch-ipsec
systemctl enable firewalld
firewall-cmd --permanent --add-service ipsec
systemctl start openvswitch-ipsec.service
```

The logs in /var/log/messages are shown below. I don't know what's wrong, because the IKE daemon was installed by libreswan.

Logs:

```
Jan 28 11:12:03 fedora33 systemd[1]: /usr/lib/systemd/system/openvswitch-ipsec.service:8: PIDFile= references a path below legacy directory /var/run/, updating /var/run/openvswitch/ovs-monitor-ipsec.pid → /run/openvswitch/ovs-monitor-ipsec.pid; please update the unit file accordingly.
Jan 28 11:12:03 fedora33 systemd[1]: /usr/lib/systemd/system/ovs-vswitchd.service:12: PIDFile= references a path below legacy directory /var/run/, updating /var/run/openvswitch/ovs-vswitchd.pid → /run/openvswitch/ovs-vswitchd.pid; please update the unit file accordingly.
Jan 28 11:12:03 fedora33 systemd[1]: /usr/lib/systemd/system/ovsdb-server.service:10: PIDFile= references a path below legacy directory /var/run/, updating /var/run/openvswitch/ovsdb-server.pid → /run/openvswitch/ovsdb-server.pid; please update the unit file accordingly.
Jan 28 11:12:03 fedora33 systemd[1]: Starting Open vSwitch Database Unit...
Jan 28 11:12:03 fedora33 chown[25224]: /usr/bin/chown: cannot access '/var/run/openvswitch': No such file or directory
Jan 28 11:12:03 fedora33 ovs-ctl[25229]: /etc/openvswitch/conf.db does not exist ... (warning).
Jan 28 11:12:03 fedora33 ovs-ctl[25229]: Creating empty database /etc/openvswitch/conf.db [ OK ]
Jan 28 11:12:03 fedora33 ovs-ctl[25275]: install: cannot change owner and permissions of '/var/run/openvswitch': Operation not permitted
Jan 28 11:12:03 fedora33 audit[25275]: AVC avc: denied { fowner } for pid=25275 comm="install" capability=3 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
Jan 28 11:12:03 fedora33 ovs-ctl[25229]: Starting ovsdb-server [ OK ]
Jan 28 11:12:03 fedora33 ovs-vsctl[25279]: ovs|00001|vsctl|INFO|Called as ovs-vsctl --no-wait -- init -- set Open_vSwitch . db-version=8.2.0
Jan 28 11:12:03 fedora33 ovs-vsctl[25290]: ovs|00001|vsctl|INFO|Called as ovs-vsctl --no-wait set Open_vSwitch . ovs-version=2.15.0 "external-ids:system-id=\"f1028788-b409-44d6-868a-c205605b318c\"" "external-ids:rundir=\"/var/run/openvswitch\"" "system-type=\"fedora\"" "system-version=\"33\""
Jan 28 11:12:04 fedora33 ovs-ctl[25229]: Configuring Open vSwitch system IDs [ OK ]
Jan 28 11:12:04 fedora33 ovs-ctl[25229]: Enabling remote OVSDB managers [ OK ]
Jan 28 11:12:04 fedora33 systemd[1]: Started Open vSwitch Database Unit.
Jan 28 11:12:04 fedora33 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ovsdb-server comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 28 11:12:04 fedora33 ovs-vsctl[25296]: ovs|00001|vsctl|INFO|Called as ovs-vsctl --no-wait add Open_vSwitch . external-ids hostname=fedora33
Jan 28 11:12:04 fedora33 systemd[1]: Starting Open vSwitch Delete Transient Ports...
Jan 28 11:12:04 fedora33 systemd[1]: Finished Open vSwitch Delete Transient Ports.
Jan 28 11:12:04 fedora33 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ovs-delete-transient-ports comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 28 11:12:04 fedora33 systemd[1]: Starting Open vSwitch Forwarding Unit...
Jan 28 11:12:04 fedora33 kernel: openvswitch: Open vSwitch switching datapath
Jan 28 11:12:04 fedora33 ovs-ctl[25341]: Inserting openvswitch module [ OK ]
Jan 28 11:12:04 fedora33 ovs-ctl[25309]: Starting ovs-vswitchd [ OK ]
Jan 28 11:12:04 fedora33 ovs-vsctl[25363]: ovs|00001|vsctl|INFO|Called as ovs-vsctl --no-wait add Open_vSwitch . external-ids hostname=fedora33
Jan 28 11:12:04 fedora33 ovs-ctl[25309]: Enabling remote OVSDB managers [ OK ]
Jan 28 11:12:04 fedora33 systemd[1]: Started Open vSwitch Forwarding Unit.
Jan 28 11:12:04 fedora33 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ovs-vswitchd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 28 11:12:04 fedora33 systemd[1]: Starting Open vSwitch...
Jan 28 11:12:04 fedora33 systemd[1]: Finished Open vSwitch.
Jan 28 11:12:04 fedora33 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 28 11:12:04 fedora33 systemd[1]: Starting OVS IPsec daemon...
Jan 28 11:12:04 fedora33 audit[25380]: AVC avc: denied { getattr } for pid=25380 comm="ovs-monitor-ips" path="/usr/sbin/ipsec" dev="dm-0" ino=26508115 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file permissive=0
Jan 28 11:12:04 fedora33 ovs-ctl[25380]: 2022-01-28T03:12:04Z | 0 | ovs-monitor-ipsec | ERR | IKE daemon is not installed in the system.
Jan 28 11:12:04 fedora33 ovs-ctl[25380]: 2022-01-28T03:12:04Z | 1 | ovs-monitor-ipsec | INFO | Restarting IKE daemon
Jan 28 11:12:04 fedora33 journal[25380]: ovs| 0 | ovs-monitor-ipsec | ERR | IKE daemon is not installed in the system.
Jan 28 11:12:04 fedora33 journal[25380]: ovs| 1 | ovs-monitor-ipsec | INFO | Restarting IKE daemon
Jan 28 11:12:04 fedora33 audit[25382]: AVC avc: denied { search } for pid=25382 comm="certutil" name="ipsec.d" dev="dm-0" ino=26508108 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir permissive=0
Jan 28 11:12:04 fedora33 audit[25382]: AVC avc: denied { search } for pid=25382 comm="certutil" name="ipsec.d" dev="dm-0" ino=26508108 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir permissive=0
Jan 28 11:12:04 fedora33 audit[25382]: AVC avc: denied { search } for pid=25382 comm="certutil" name="ipsec.d" dev="dm-0" ino=26508108 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir permissive=0
Jan 28 11:12:04 fedora33 audit[25380]: AVC avc: denied { write } for pid=25380 comm="ovs-monitor-ips" name="ipsec.conf" dev="dm-0" ino=8622659 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=0
Jan 28 11:12:04 fedora33 ovs-ctl[25380]: 2022-01-28T03:12:04Z | 2 | ovs-monitor-ipsec | ERR | traceback
Jan 28 11:12:04 fedora33 ovs-ctl[25380]: Traceback (most recent call last):
Jan 28 11:12:04 fedora33 ovs-ctl[25380]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1260, in <module>
Jan 28 11:12:04 fedora33 ovs-ctl[25380]:     main()
Jan 28 11:12:04 fedora33 ovs-ctl[25380]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1205, in main
Jan 28 11:12:04 fedora33 ovs-ctl[25380]:     monitor = IPsecMonitor(root_prefix, args.ike_daemon,
Jan 28 11:12:04 fedora33 ovs-ctl[25380]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 960, in __init__
Jan 28 11:12:04 fedora33 ovs-ctl[25380]:     self.ike_helper.restart_ike_daemon()
Jan 28 11:12:04 fedora33 ovs-ctl[25380]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 454, in restart_ike_daemon
Jan 28 11:12:04 fedora33 ovs-ctl[25380]:     f = open(self.IPSEC_CONF, "w")
Jan 28 11:12:04 fedora33 ovs-ctl[25380]: PermissionError: [Errno 13] Permission denied: '/etc/ipsec.conf'
Jan 28 11:12:04 fedora33 journal[25380]: ovs| 2 | ovs-monitor-ipsec | ERR | traceback#012Traceback (most recent call last):#012 File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1260, in <module>#012 main()#012 File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1205, in main#012 monitor = IPsecMonitor(root_prefix, args.ike_daemon,#012 File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 960, in __init__#012 self.ike_helper.restart_ike_daemon()#012 File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 454, in restart_ike_daemon#012 f = open(self.IPSEC_CONF, "w")#012PermissionError: [Errno 13] Permission denied: '/etc/ipsec.conf'
Jan 28 11:12:04 fedora33 systemd[1]: openvswitch-ipsec.service: Control process exited, code=exited, status=1/FAILURE
Jan 28 11:12:04 fedora33 systemd[1]: openvswitch-ipsec.service: Failed with result 'exit-code'.
Jan 28 11:12:04 fedora33 systemd[1]: Failed to start OVS IPsec daemon.
Jan 28 11:12:04 fedora33 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch-ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
[root@fedora33 log]#
```

igsilya commented 2 years ago

> PermissionError: [Errno 13] Permission denied: '/etc/ipsec.conf'

According to the IPsec tutorial (https://docs.openvswitch.org/en/latest/tutorials/ipsec/#fedora) there are possible issues with SELinux on your setup. Please check if you have SELinux enabled. You may also look at audit.log on your system to find out if access to ipsec.conf was actually denied by SELinux. If so, you have 2 ways to solve the issue:

  1. Switch SELinux to permissive mode with setenforce permissive.
  2. Create and install SELinux policy based on your audit.log to allow ovs-monitor-ipsec write access to the ipsec.conf.
bettswang commented 2 years ago

I noticed the SELinux issue. I did as you said (and also set it to disabled). How does it still have an effect while I have disabled SELinux? I don't know how to change the SELinux rules. Would you tell me some details? Many thanks.

```
[root@fedora33 ~]# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
```

/var/log/audit/audit.log

```
type=AVC msg=audit(1643385311.183:305): avc: denied { getattr } for pid=1719 comm="ovs-monitor-ips" path="/usr/sbin/ipsec" dev="dm-0" ino=26508115 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643385311.183:306): avc: denied { execute } for pid=1719 comm="ovs-monitor-ips" name="ipsec" dev="dm-0" ino=26508115 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643385311.206:307): avc: denied { search } for pid=1720 comm="certutil" name="ipsec.d" dev="dm-0" ino=26508108 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1643385311.206:308): avc: denied { write } for pid=1719 comm="ovs-monitor-ips" name="ipsec.conf" dev="dm-0" ino=8622659 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643385311.206:309): avc: denied { open } for pid=1719 comm="ovs-monitor-ips" path="/etc/ipsec.conf" dev="dm-0" ino=8622659 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643385311.207:310): avc: denied { getattr } for pid=1719 comm="ovs-monitor-ips" path="/etc/ipsec.conf" dev="dm-0" ino=8622659 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643385311.207:311): avc: denied { ioctl } for pid=1719 comm="ovs-monitor-ips" path="/etc/ipsec.conf" dev="dm-0" ino=8622659 ioctlcmd=0x5401 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643385311.207:312): avc: denied { write } for pid=1719 comm="ovs-monitor-ips" name="ipsec.secrets" dev="dm-0" ino=8622660 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643385311.207:313): avc: denied { open } for pid=1719 comm="ovs-monitor-ips" path="/etc/ipsec.secrets" dev="dm-0" ino=8622660 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file permissive=1
```

/var/log/messages

```
Jan 29 00:03:52 fedora33 systemd[1]: Starting OVS IPsec daemon...
Jan 29 00:03:52 fedora33 audit[2176]: AVC avc: denied { getattr } for pid=2176 comm="ovs-monitor-ips" path="/usr/sbin/ipsec" dev="dm-0" ino=26508115 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2176]: AVC avc: denied { execute } for pid=2176 comm="ovs-monitor-ips" name="ipsec" dev="dm-0" ino=26508115 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 ovs-ctl[2176]: 2022-01-28T16:03:52Z | 0 | ovs-monitor-ipsec | INFO | Restarting IKE daemon
Jan 29 00:03:52 fedora33 journal[2176]: ovs| 0 | ovs-monitor-ipsec | INFO | Restarting IKE daemon
Jan 29 00:03:52 fedora33 audit[2177]: AVC avc: denied { search } for pid=2177 comm="certutil" name="ipsec.d" dev="dm-0" ino=26508108 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir permissive=1
Jan 29 00:03:52 fedora33 audit[2176]: AVC avc: denied { write } for pid=2176 comm="ovs-monitor-ips" name="ipsec.conf" dev="dm-0" ino=8622659 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2176]: AVC avc: denied { open } for pid=2176 comm="ovs-monitor-ips" path="/etc/ipsec.conf" dev="dm-0" ino=8622659 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2176]: AVC avc: denied { getattr } for pid=2176 comm="ovs-monitor-ips" path="/etc/ipsec.conf" dev="dm-0" ino=8622659 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2176]: AVC avc: denied { ioctl } for pid=2176 comm="ovs-monitor-ips" path="/etc/ipsec.conf" dev="dm-0" ino=8622659 ioctlcmd=0x5401 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2176]: AVC avc: denied { write } for pid=2176 comm="ovs-monitor-ips" name="ipsec.secrets" dev="dm-0" ino=8622660 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2176]: AVC avc: denied { open } for pid=2176 comm="ovs-monitor-ips" path="/etc/ipsec.secrets" dev="dm-0" ino=8622660 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2176]: AVC avc: denied { getattr } for pid=2176 comm="ovs-monitor-ips" path="/etc/ipsec.secrets" dev="dm-0" ino=8622660 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2176]: AVC avc: denied { ioctl } for pid=2176 comm="ovs-monitor-ips" path="/etc/ipsec.secrets" dev="dm-0" ino=8622660 ioctlcmd=0x5401 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 ovs-ctl[2176]: 2022-01-28T16:03:52Z | 1 | ovs-monitor-ipsec | INFO | Restarting LibreSwan
Jan 29 00:03:52 fedora33 journal[2176]: ovs| 1 | ovs-monitor-ipsec | INFO | Restarting LibreSwan
Jan 29 00:03:52 fedora33 audit[2178]: AVC avc: denied { read open } for pid=2178 comm="ovs-monitor-ips" path="/usr/sbin/ipsec" dev="dm-0" ino=26508115 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2178]: AVC avc: denied { execute_no_trans } for pid=2178 comm="ovs-monitor-ips" path="/usr/sbin/ipsec" dev="dm-0" ino=26508115 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2178]: AVC avc: denied { ioctl } for pid=2178 comm="ipsec" path="/usr/sbin/ipsec" dev="dm-0" ino=26508115 ioctlcmd=0x5401 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2178]: AVC avc: denied { getattr } for pid=2178 comm="setup" path="/usr/bin/systemctl" dev="dm-0" ino=17319265 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2178]: AVC avc: denied { execute } for pid=2178 comm="setup" name="systemctl" dev="dm-0" ino=17319265 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2178]: AVC avc: denied { read } for pid=2178 comm="setup" name="systemctl" dev="dm-0" ino=17319265 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2178]: AVC avc: denied { open } for pid=2178 comm="setup" path="/usr/bin/systemctl" dev="dm-0" ino=17319265 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2178]: AVC avc: denied { execute_no_trans } for pid=2178 comm="setup" path="/usr/bin/systemctl" dev="dm-0" ino=17319265 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 audit[2178]: AVC avc: denied { map } for pid=2178 comm="systemctl" path="/usr/bin/systemctl" dev="dm-0" ino=17319265 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 ovs-ctl[2178]: Redirecting to: systemctl restart ipsec.service
Jan 29 00:03:52 fedora33 audit[2178]: AVC avc: denied { read } for pid=2178 comm="systemctl" name="root" dev="proc" ino=18746 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file permissive=1
Jan 29 00:03:52 fedora33 audit[2178]: AVC avc: denied { read } for pid=2178 comm="systemctl" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
Jan 29 00:03:52 fedora33 systemd[1]: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jan 29 00:03:52 fedora33 whack[2181]: 002 shutting down
Jan 29 00:03:52 fedora33 audit: MAC_IPSEC_EVENT op=SPD-delete auid=4294967295 ses=4294967295 subj=system_u:system_r:ifconfig_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0
Jan 29 00:03:52 fedora33 audit: MAC_IPSEC_EVENT op=SPD-delete auid=4294967295 ses=4294967295 subj=system_u:system_r:ifconfig_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0
Jan 29 00:03:52 fedora33 audit: MAC_IPSEC_EVENT op=SPD-delete auid=4294967295 ses=4294967295 subj=system_u:system_r:ifconfig_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0
Jan 29 00:03:52 fedora33 audit: MAC_IPSEC_EVENT op=SPD-delete auid=4294967295 ses=4294967295 subj=system_u:system_r:ifconfig_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0
Jan 29 00:03:52 fedora33 audit: MAC_IPSEC_EVENT op=SPD-delete auid=4294967295 ses=4294967295 subj=system_u:system_r:ifconfig_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0
Jan 29 00:03:52 fedora33 audit: MAC_IPSEC_EVENT op=SPD-delete auid=4294967295 ses=4294967295 subj=system_u:system_r:ifconfig_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0
Jan 29 00:03:52 fedora33 systemd[1]: ipsec.service: Succeeded.
Jan 29 00:03:52 fedora33 systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jan 29 00:03:52 fedora33 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 29 00:03:52 fedora33 systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jan 29 00:03:53 fedora33 ipsec[2434]: nflog ipsec capture disabled
Jan 29 00:03:53 fedora33 audit[2445]: AVC avc: denied { read } for pid=2445 comm="pluto" name="pkcs11.txt" dev="dm-0" ino=16798643 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Jan 29 00:03:53 fedora33 audit[2445]: AVC avc: denied { open } for pid=2445 comm="pluto" path="/var/lib/ipsec/nss/pkcs11.txt" dev="dm-0" ino=16798643 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Jan 29 00:03:53 fedora33 audit[2445]: AVC avc: denied { getattr } for pid=2445 comm="pluto" path="/var/lib/ipsec/nss/pkcs11.txt" dev="dm-0" ino=16798643 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Jan 29 00:03:53 fedora33 audit[2445]: AVC avc: denied { lock } for pid=2445 comm="pluto" path="/var/lib/ipsec/nss/cert9.db" dev="dm-0" ino=16799237 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Jan 29 00:03:53 fedora33 audit: MAC_IPSEC_EVENT op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0
Jan 29 00:03:53 fedora33 audit: MAC_IPSEC_EVENT op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0
Jan 29 00:03:53 fedora33 audit: MAC_IPSEC_EVENT op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0
Jan 29 00:03:53 fedora33 audit: MAC_IPSEC_EVENT op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0
Jan 29 00:03:53 fedora33 audit: MAC_IPSEC_EVENT op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0
Jan 29 00:03:53 fedora33 audit: MAC_IPSEC_EVENT op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0
Jan 29 00:03:53 fedora33 systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jan 29 00:03:53 fedora33 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 29 00:03:53 fedora33 ovs-ctl[2176]: 2022-01-28T16:03:53Z | 2 | ovs-monitor-ipsec | ERR | traceback
Jan 29 00:03:53 fedora33 ovs-ctl[2176]: Traceback (most recent call last):
Jan 29 00:03:53 fedora33 ovs-ctl[2176]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1260, in <module>
Jan 29 00:03:53 fedora33 ovs-ctl[2176]:     main()
Jan 29 00:03:53 fedora33 ovs-ctl[2176]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1209, in main
Jan 29 00:03:53 fedora33 ovs-ctl[2176]:     schema_helper = ovs.db.idl.SchemaHelper()
Jan 29 00:03:53 fedora33 ovs-ctl[2176]:   File "/usr/lib64/python3.9/site-packages/ovs/db/idl.py", line 1958, in __init__
Jan 29 00:03:53 fedora33 ovs-ctl[2176]:     schema_json = ovs.json.from_file(location)
Jan 29 00:03:53 fedora33 ovs-ctl[2176]:   File "/usr/lib64/python3.9/site-packages/ovs/json.py", line 61, in from_file
Jan 29 00:03:53 fedora33 ovs-ctl[2176]:     stream = open(name, "r")
Jan 29 00:03:53 fedora33 ovs-ctl[2176]: FileNotFoundError: [Errno 2] No such file or directory: '/usr/local/share/openvswitch/vswitch.ovsschema'
Jan 29 00:03:53 fedora33 journal[2176]: ovs| 2 | ovs-monitor-ipsec | ERR | traceback#012Traceback (most recent call last):#012 File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1260, in <module>#012 main()#012 File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1209, in main#012 schema_helper = ovs.db.idl.SchemaHelper()#012 …… ……
```

igsilya commented 2 years ago

SELinux will still report all the issues it finds, but it doesn't actually prohibit access. Your main issue seems to have changed; it's now: FileNotFoundError: [Errno 2] No such file or directory: '/usr/local/share/openvswitch/vswitch.ovsschema'. Please check if you have this file and check if you have the main openvswitch package installed.
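The triage igsilya describes (read the AVC denials from audit.log, decide whether they actually blocked anything, and derive the allow rules a local policy module would need) as an added example; this is editor-supplied code, not code from the issue or from Open vSwitch. The sample input is a constructed re-typing of AVC records quoted in this thread: five logged in permissive mode and one from the earlier enforcing-mode run. The `permissive=` field on each record is what separates the two cases igsilya distinguishes: `permissive=0` means the kernel refused the access, `permissive=1` means it was logged only and the process carried on.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records re-typed from the audit.log and
# /var/log/messages excerpts quoted in this issue (five logged in permissive
# mode, one from the earlier enforcing-mode run).
SAMPLE_AVC = """\
type=AVC msg=audit(1643385311.183:305): avc:  denied  { getattr } for  pid=1719 comm="ovs-monitor-ips" path="/usr/sbin/ipsec" dev="dm-0" ino=26508115 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643385311.183:306): avc:  denied  { execute } for  pid=1719 comm="ovs-monitor-ips" name="ipsec" dev="dm-0" ino=26508115 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643385311.206:307): avc:  denied  { search } for  pid=1720 comm="certutil" name="ipsec.d" dev="dm-0" ino=26508108 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1643385311.206:308): avc:  denied  { write } for  pid=1719 comm="ovs-monitor-ips" name="ipsec.conf" dev="dm-0" ino=8622659 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643385311.206:309): avc:  denied  { open } for  pid=1719 comm="ovs-monitor-ips" path="/etc/ipsec.conf" dev="dm-0" ino=8622659 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=1
Jan 28 11:12:04 fedora33 audit[25380]: AVC avc:  denied  { write } for  pid=25380 comm="ovs-monitor-ips" name="ipsec.conf" dev="dm-0" ino=8622659 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial; return None for any other audit/journal line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {
        "perms": set(m.group(1).split()),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
        # a context is user:role:type:level; the policy rule needs the type
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # permissive=0: access was refused. permissive=1: logged only, the
        # process went on (what a permissive domain or 'setenforce 0' gives).
        "enforced": fields.get("permissive", "0") == "0",
    }


def summarize(text):
    """Group denials by (source type, target type, class).

    Returns (rules, enforced): rules maps each triple to the union of denied
    permissions; enforced says whether at least one denial for that triple
    actually blocked the process.
    """
    rules, enforced = defaultdict(set), defaultdict(bool)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        rules[key] |= rec["perms"]
        enforced[key] = enforced[key] or rec["enforced"]
    return rules, enforced


def blocked(text):
    """(comm, target, perm) for every denial that was enforced, in log order."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["enforced"]:
            out.extend((rec["comm"], rec["target"], p) for p in sorted(rec["perms"]))
    return out


def te_rules(rules):
    """Render the allow rules audit2allow would put in a .te file."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    rules, enforced = summarize(SAMPLE_AVC)
    for hit in blocked(SAMPLE_AVC):
        print("BLOCKED:", *hit)
    for key, rule in zip(sorted(rules), te_rules(rules)):
        print(("enforced " if enforced[key] else "logged   ") + rule)
```

On a real host, feed it the output of `ausearch -m avc -c ovs-monitor-ips` or /var/log/audit/audit.log itself. The rules it prints are the ones `audit2allow -M ovs-ipsec-local` would generate and `semodule -i ovs-ipsec-local.pp` would install; read them before installing, because the denials in this thread also cover openvswitch_t executing /usr/sbin/ipsec and /usr/bin/systemctl, and a blanket allow for those is a much broader grant than write access to ipsec.conf and ipsec.secrets. Note also that in the first (enforcing) log the getattr denial on /usr/sbin/ipsec is immediately followed by "IKE daemon is not installed in the system": the log order suggests that message came from a refused stat, not from a missing libreswan.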

bettswang commented 2 years ago

I checked the path and did not find the file. It actually exists in /usr/share/openvswitch. I installed openvswitch by dnf. I tried to use the option (--installroot) to change the install path, but it failed. So would you show me how to repair this issue?

bettswang commented 2 years ago

Meanwhile I used dpkg -i to install the related deb packages on Ubuntu 20.04, and also got an error, as below.

```
root@ubuntu2004:~# ll *.deb
-rw-r--r-- 1 root root 1220976 Feb  9 14:00 libopenvswitch_2.16.1-1_amd64.deb
-rw-r--r-- 1 root root 1697568 Feb  9 14:00 libopenvswitch-dev_2.16.1-1_amd64.deb
-rw-r--r-- 1 root root  165856 Feb  9 14:00 openvswitch-common_2.16.1-1_amd64.deb
-rw-r--r-- 1 root root 4952564 Feb  9 14:00 openvswitch-datapath-dkms_2.16.1-1_all.deb
-rw-r--r-- 1 root root 7798532 Feb  9 14:00 openvswitch-datapath-source_2.16.1-1_all.deb
-rw-r--r-- 1 root root 6492364 Feb  9 14:00 openvswitch-dbg_2.16.1-1_amd64.deb
-rw-r--r-- 1 root root   35040 Feb  9 14:00 openvswitch-ipsec_2.16.1-1_amd64.deb
-rw-r--r-- 1 root root   23512 Feb  9 14:00 openvswitch-pki_2.16.1-1_all.deb
-rw-r--r-- 1 root root  301280 Feb  9 14:00 openvswitch-switch_2.16.1-1_amd64.deb
-rw-r--r-- 1 root root   37048 Feb  9 14:00 openvswitch-test_2.16.1-1_all.deb
-rw-r--r-- 1 root root   40764 Feb  9 14:00 openvswitch-testcontroller_2.16.1-1_amd64.deb
-rw-r--r-- 1 root root   61484 Feb  9 14:00 openvswitch-vtep_2.16.1-1_amd64.deb
-rw-r--r-- 1 root root  105500 Feb  9 14:00 python3-openvswitch_2.16.1-1_all.deb
```

```
root@ubuntu2004:~# dpkg -i libopenvswitch_*.deb openvswitch-common_*.deb openvswitch-switch_*.deb openvswitch-datapath-dkms_*.deb python3-openvswitch_*.deb openvswitch-pki_*.deb openvswitch-ipsec_*.deb
...
Preparing to unpack openvswitch-ipsec_2.16.1-1_amd64.deb ...
Unpacking openvswitch-ipsec (2.16.1-1) over (2.16.1-1) ...
Setting up openvswitch-ipsec (2.16.1-1) ...
Job for openvswitch-ipsec.service failed because the control process exited with error code.
See "systemctl status openvswitch-ipsec.service" and "journalctl -xe" for details.
invoke-rc.d: initscript openvswitch-ipsec, action "start" failed.
● openvswitch-ipsec.service - LSB: Open vSwitch GRE-over-IPsec daemon
     Loaded: loaded (/etc/init.d/openvswitch-ipsec; generated)
     Active: failed (Result: exit-code) since Fri 2022-02-11 02:18:09 UTC; 6ms ago
       Docs: man:systemd-sysv-generator(8)
    Process: 44718 ExecStart=/etc/init.d/openvswitch-ipsec start (code=exited, status=1/FAILURE)
```

```
Feb 11 02:18:09 ubuntu2004 systemd[1]: Starting LSB: Open vSwitch GRE-over-IPsec daemon...
Feb 11 02:18:09 ubuntu2004 openvswitch-ipsec[44718]:  * Starting ovs-monitor-ipsec
Feb 11 02:18:09 ubuntu2004 openvswitch-ipsec[44753]: Traceback (most recent call last):
Feb 11 02:18:09 ubuntu2004 openvswitch-ipsec[44753]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 25, in <module>
Feb 11 02:18:09 ubuntu2004 openvswitch-ipsec[44753]:     import ovs.daemon
Feb 11 02:18:09 ubuntu2004 openvswitch-ipsec[44753]: ModuleNotFoundError: No module named 'ovs'
Feb 11 02:18:09 ubuntu2004 openvswitch-ipsec[44718]:    ...fail!
Feb 11 02:18:09 ubuntu2004 systemd[1]: openvswitch-ipsec.service: Control process exited, code=exited, status=1/FAILURE
Feb 11 02:18:09 ubuntu2004 systemd[1]: openvswitch-ipsec.service: Failed with result 'exit-code'.
Feb 11 02:18:09 ubuntu2004 systemd[1]: Failed to start LSB: Open vSwitch GRE-over-IPsec daemon.
dpkg: error processing package openvswitch-ipsec (--install):
 installed openvswitch-ipsec package post-installation script subprocess returned error exit status 1
Processing triggers for systemd (245.4-4ubuntu3.15) ...
Errors were encountered while processing:
 openvswitch-ipsec
```

igsilya commented 2 years ago

> I checked the path and did not find the file. It actually exists in /usr/share/openvswitch. I installed openvswitch by dnf. I tried to use the option (--installroot) to change the install path, but it failed. So would you show me how to repair this issue?

Are all the packages from the same source? It looks like they were built with different --prefix.

> ModuleNotFoundError: No module named 'ovs'

I'm not sure if dpkg checks for package dependencies, but the python3-openvswitch package should be installed before trying to start the ipsec daemon.

bettswang commented 2 years ago
1. They are all installed from the same fedora33 repo.

```
[root@fedora33 ~]# dnf list python3-openvswitch libreswan openvswitch openvswitch-ipsec
libreswan.x86_64               4.4-2.fc33        updates
openvswitch.i686               2.15.0-1.fc33     updates
openvswitch.x86_64             2.15.0-1.fc33     updates
openvswitch-ipsec.x86_64       2.15.0-1.fc33     updates
python3-openvswitch.x86_64     2.15.0-1.fc33     updates
```

2. python3-openvswitch had been installed before, as I had run: `root@ubuntu2004:~# dpkg -i libopenvswitch_*.deb openvswitch-common_*.deb openvswitch-switch_*.deb openvswitch-datapath-dkms_*.deb python3-openvswitch_*.deb openvswitch-pki_*.deb openvswitch-ipsec_*.deb`
igsilya commented 2 years ago
> 1. They are all installed from the same fedora33 repo.

In that case it's a packaging bug. Try Fedora 35; 33 reached end of life last year. If the problem remains on Fedora 35, you may open a bug for Fedora, so they can fix the package.

> 2. python3-openvswitch had been installed before, as I had run: `root@ubuntu2004:~# dpkg -i libopenvswitch_*.deb openvswitch-common_*.deb openvswitch-switch_*.deb openvswitch-datapath-dkms_*.deb python3-openvswitch_*.deb openvswitch-pki_*.deb openvswitch-ipsec_*.deb`

Try installing them in separate commands. Make sure that python can locate the 'ovs' package (i.e. start the interpreter in the console and try to import ovs), and make sure that python3 is your default python (should not matter, but maybe). Not sure what else could be a problem.

bettswang commented 2 years ago

I tried on Fedora 35 and got the same problem. So sad; still no way to solve it on Ubuntu 20.04.

igsilya commented 2 years ago

Yeah, the Fedora package seems broken. Looking at the dirs.py file in the python3-openvswitch package, it contains /usr/local/... paths, and this is obviously incorrect, because the rest of OVS was built without the local prefix. Please report that to Fedora.

In the meantime, you may try following this guide: https://docs.openvswitch.org/en/latest/intro/install/fedora/ to build your own packages.

And you built ubuntu packages yourself right? If so, try applying the following change (maybe the problem is the python version mismatch):

diff --git a/debian/openvswitch-test.install b/debian/openvswitch-test.install
index cb371c906..83d0022a5 100644
--- a/debian/openvswitch-test.install
+++ b/debian/openvswitch-test.install
@@ -1,3 +1,3 @@
 usr/bin/ovs-l3ping
 usr/bin/ovs-test
-usr/share/openvswitch/python/ovstest usr/lib/python3.7/dist-packages/
+usr/share/openvswitch/python/ovstest usr/lib/python3/dist-packages/
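Review bot: the removed line pins ovstest to one interpreter minor version (`usr/lib/python3.7/dist-packages/`), which is why a host whose python3 is 3.8 cannot import it; `usr/lib/python3/dist-packages/` on the added line is the version-independent location Debian's dh_python3 uses for pure-Python modules, so the change is right. Worth grepping debian/ for any other `python3.7` occurrence (other .install files, debian/rules) so the same pin does not survive elsewhere.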
diff --git a/debian/python3-openvswitch.install b/debian/python3-openvswitch.install
index 7ba956e3b..979f1c265 100644
--- a/debian/python3-openvswitch.install
+++ b/debian/python3-openvswitch.install
@@ -1 +1 @@
-usr/share/openvswitch/python/ovs usr/lib/python3.7/dist-packages/
+usr/share/openvswitch/python/ovs usr/lib/python3/dist-packages/
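Review bot: this hunk is the one that addresses `ModuleNotFoundError: No module named 'ovs'` from the openvswitch-ipsec post-install log: with the removed line the `ovs` package lands in python3.7's dist-packages, a directory that a 3.8 interpreter never searches, so ovs-monitor-ipsec fails at `import ovs.daemon`. After rebuilding, confirm with `dpkg -c python3-openvswitch_*.deb | grep dist-packages` that the package ships `./usr/lib/python3/dist-packages/ovs/` before installing it.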
bettswang commented 2 years ago

OK, I will try to report this issue to Fedora. All the deb packages were built following the OVS official manual on Ubuntu 20.04, with the commands below:

```
#tar xf openvswitch-2.16.1.tar.gz
#cd openvswitch-2.16.1
#apt-get install build-essential fakeroot
#apt install graphviz autoconf automake bzip2 debhelper dh-autoreconf libssl-dev libtool openssl procps python3-all python3-sphinx python3-twisted python3-zope.interface libunbound-dev libunwind-dev dh-python
#DEB_BUILD_OPTIONS='parallel=8' fakeroot debian/rules binary
```

What do you mean by "the following change"? In my environment, the Python version is 3.8. Should I use a lower version (i.e. v3.7 or v3)?

bettswang commented 2 years ago

By the way, I have reported the issue to Fedora. I also tried it on Fedora 32 (referring to page 87 of the OVS doc, which says "This tutorial uses Ubuntu 16.04 and Fedora 32 as examples."). In the meantime, I disabled the updates repo to avoid the packages from the updates repo, but it also failed to start openvswitch-ipsec.service. The error message is the same as on Fedora 33 and Fedora 35.

bug report link : https://bugzilla.redhat.com/show_bug.cgi?id=2055576
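The prefix mismatch igsilya diagnosed above (dirs.py in python3-openvswitch carrying /usr/local paths while the package installs under /usr, so SchemaHelper() looks for vswitch.ovsschema in the wrong place) and the earlier advice to confirm that `import ovs` works at all, as one added preflight check; this is editor-supplied example code, not part of the issue or of Open vSwitch. It assumes dirs.py has the shape of OVS's dirs.py.template, where each path is `os.environ.get("OVS_…", default)`; the BROKEN_DIRS_PY and FIXED_DIRS_PY strings are constructed stand-ins for the real file, and the temporary directory mimics the Fedora layout with the schema under /usr/share/openvswitch.

```python
import importlib.util
import os
import re
import tempfile

# Constructed stand-in for the dirs.py igsilya describes: every path carries
# the /usr/local prefix although the rest of the package was built for /usr.
# The os.environ.get(...) shape mirrors OVS's dirs.py.template; the values are
# the assumption under test, not a copy of the Fedora package.
BROKEN_DIRS_PY = '''\
import os
PREFIX = os.environ.get("OVS_PREFIX", """/usr/local""")
SYSCONFDIR = os.environ.get("OVS_SYSCONFDIR", """/usr/local/etc""")
RUNDIR = os.environ.get("OVS_RUNDIR", """/usr/local/var/run""")
LOGDIR = os.environ.get("OVS_LOGDIR", """/usr/local/var/log""")
BINDIR = os.environ.get("OVS_BINDIR", """/usr/local/bin""")
DBDIR = os.environ.get("OVS_DBDIR", """/usr/local/etc/openvswitch""")
PKGDATADIR = os.environ.get("OVS_PKGDATADIR", """/usr/local/share/openvswitch""")
'''
# The same file as it should look for a /usr-prefixed distro build.
FIXED_DIRS_PY = BROKEN_DIRS_PY.replace("/usr/local", "/usr")

SCHEMA = "vswitch.ovsschema"
KNOWN_PKGDATADIRS = ("/usr/share/openvswitch", "/usr/local/share/openvswitch")
DIRS_RE = re.compile(
    r'^(?P<name>[A-Z]+)\s*=\s*os\.environ\.get\("(?P<env>OVS_[A-Z]+)",\s*"""(?P<default>[^"]*)"""\)',
    re.M)


def parse_dirs_py(text):
    """Return {NAME: (env_override, default_path)} for each directory dirs.py defines."""
    return {m["name"]: (m["env"], m["default"]) for m in DIRS_RE.finditer(text)}


def check_schema(dirs_py_text, root="/", environ=None):
    """Does the schema live where dirs.py (plus any OVS_PKGDATADIR override) says?

    root lets the check run against a staged tree instead of the live system.
    """
    environ = os.environ if environ is None else environ
    env, default = parse_dirs_py(dirs_py_text)["PKGDATADIR"]
    pkgdatadir = environ.get(env, default)

    def has_schema(d):
        return os.path.isfile(os.path.join(root, d.lstrip("/"), SCHEMA))

    report = {"pkgdatadir": pkgdatadir, "ok": has_schema(pkgdatadir), "found_in": None}
    if report["ok"]:
        report["found_in"] = pkgdatadir
    else:
        report["found_in"] = next((d for d in KNOWN_PKGDATADIRS if has_schema(d)), None)
        if report["found_in"]:
            # the override dirs.py itself honours; usable as Environment= in a unit drop-in
            report["workaround"] = f"{env}={report['found_in']}"
    return report


def locate_ovs_module():
    """Path of the importable 'ovs' package, or None (the Ubuntu failure mode)."""
    spec = importlib.util.find_spec("ovs")
    return None if spec is None or spec.origin is None else spec.origin


def demo():
    """Stage a Fedora-style tree (schema under /usr/share) and check both dirs.py variants."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/share/openvswitch"))
        open(os.path.join(root, "usr/share/openvswitch", SCHEMA), "w").close()
        return (check_schema(BROKEN_DIRS_PY, root, environ={}),
                check_schema(FIXED_DIRS_PY, root, environ={}),
                check_schema(BROKEN_DIRS_PY, root,
                             environ={"OVS_PKGDATADIR": "/usr/share/openvswitch"}))


if __name__ == "__main__":
    print("ovs module:", locate_ovs_module())
    for r in demo():
        print(r)
```

On a real host, pass the contents of the installed dirs.py (`open(ovs.dirs.__file__).read()`) with the default root. The `workaround` entry depends on dirs.py having the environment override shown above: if it does, `Environment=OVS_PKGDATADIR=/usr/share/openvswitch` in a drop-in for openvswitch-ipsec.service lets ovs-monitor-ipsec find the schema until the package is fixed, and the other OVS_* values in the same file (RUNDIR, DBDIR) would need the same treatment wherever the script relies on them.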

igsilya commented 2 years ago

> What do you mean by "the following change"? In my environment, the Python version is 3.8. Should I use a lower version (i.e. v3.7 or v3)?

I mean, replace python3.7 with python3 in the following 2 files before building packages:

bettswang commented 2 years ago

I have modified the file debian/openvswitch-test.install and debian/python3-openvswitch.install , then reconfigure and build the deb package. It's ok now. I really appreciate your help!

```
root@ubuntu2004:~/openvswitch-2.16.1# cat debian/openvswitch-test.install
usr/share/openvswitch/python/ovstest usr/lib/python3/dist-packages/

root@ubuntu2004:~/openvswitch-2.16.1# cat debian/python3-openvswitch.install
usr/share/openvswitch/python/ovs usr/lib/python3/dist-packages/
```

```
root@ubuntu2004:~# ps -ef | grep ovs-monitor-ipse
root      650691       1  0 03:23 ?        00:00:00 /usr/bin/python3 /usr/share/openvswitch/scripts/ovs-monitor-ipsec --pidfile=/var/run/openvswitch/ovs-monitor-ipsec.pid --ike-daemon=strongswan --log-file --detach --monitor unix:/var/run/openvswitch/db.sock
```