openvswitch / ovs-issues

Issue tracker repo for Open vSwitch

ovs ipsec function start failed #301

Closed bettswang closed 1 year ago

bettswang commented 1 year ago

Hi, maintainers

After installing OVS IPsec with apt on Ubuntu 22.04, it failed to start with systemctl start openvswitch-ipsec.service. I checked the syslog and found some errors, but I have no way to solve them. Could you help me, please?

There was an error during my installation. Is this related to the failure to start the IPsec daemon?

root@ubuntu2204:~# apt install openvswitch-ipsec
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
libcharon-extauth-plugins libevent-2.1-7 libstrongswan libstrongswan-standard-plugins libunbound8 openvswitch-common openvswitch-switch python3-openvswitch python3-sortedcontainers strongswan strongswan-charon strongswan-libcharon strongswan-starter
……
Created symlink /etc/systemd/system/multi-user.target.wants/openvswitch-ipsec.service → /lib/systemd/system/openvswitch-ipsec.service.
Could not execute systemctl:  at /usr/bin/deb-systemd-invoke line 142.
……

After installation, there are two processes related to openvswitch. The openvswitch ipsec daemon did not exist.

root@ubuntu2204:~# ps -ef | grep ovs
root        3713       1  0 06:24 ?        00:00:00 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --no-chdir --log-file=/var/log/openvswitch/ovsdb-server.log --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach
root        3768       1  0 06:24 ?        00:00:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach
root        4124    2600  0 06:30 pts/1    00:00:00 grep --color=auto ovs

It also produces some error messages in syslog. I don't know why it did not search for vswitch.ovsschema in /usr/share/openvswitch instead of '/usr/local/share/openvswitch', because the installation dir of openvswitch is the former one.

root@ubuntu2204:~# cat /var/log/syslog
Sep  7 06:24:17 ubuntu2204 systemd[1]: Starting Open vSwitch IPsec daemon...
Sep  7 06:24:17 ubuntu2204 ovs-ctl[3919]: 2023-09-07T06:24:17Z |  0  | ovs-monitor-ipsec | INFO | Restarting IKE daemon
Sep  7 06:24:17 ubuntu2204 ovs|  0  | ovs-monitor-ipsec | INFO | Restarting IKE daemon
Sep  7 06:24:17 ubuntu2204 ovs-ctl[3919]: 2023-09-07T06:24:17Z |  1  | ovs-monitor-ipsec | INFO | Restarting StrongSwan
Sep  7 06:24:17 ubuntu2204 ovs|  1  | ovs-monitor-ipsec | INFO | Restarting StrongSwan
Sep  7 06:24:17 ubuntu2204 ovs-ctl[3923]: Stopping strongSwan IPsec...
Sep  7 06:24:17 ubuntu2204 charon: 00[DMN] SIGINT received, shutting down
Sep  7 06:24:17 ubuntu2204 ipsec[3420]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-60-generic, x86_64)
Sep  7 06:24:17 ubuntu2204 ipsec[3420]: 00[LIB] providers loaded by OpenSSL: legacy default
Sep  7 06:24:17 ubuntu2204 ipsec[3420]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep  7 06:24:17 ubuntu2204 ipsec[3420]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep  7 06:24:17 ubuntu2204 ipsec[3420]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep  7 06:24:17 ubuntu2204 ipsec[3420]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep  7 06:24:17 ubuntu2204 ipsec[3420]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep  7 06:24:17 ubuntu2204 ipsec[3420]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep  7 06:24:17 ubuntu2204 ipsec[3420]: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Sep  7 06:24:17 ubuntu2204 ipsec[3420]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep  7 06:24:17 ubuntu2204 ipsec[3420]: 00[JOB] spawning 16 worker threads
Sep  7 06:24:17 ubuntu2204 ipsec[3420]: 00[DMN] SIGINT received, shutting down
Sep  7 06:24:17 ubuntu2204 ipsec[3412]: charon stopped after 200 ms
Sep  7 06:24:17 ubuntu2204 ipsec[3412]: ipsec starter stopped
Sep  7 06:24:17 ubuntu2204 systemd[1]: strongswan-starter.service: Deactivated successfully.
Sep  7 06:24:19 ubuntu2204 ovs-ctl[3920]: Starting strongSwan 5.9.5 IPsec [starter]...
Sep  7 06:24:19 ubuntu2204 ovs-ctl[3919]: 2023-09-07T06:24:19Z |  2  | ovs-monitor-ipsec | ERR | traceback
Sep  7 06:24:19 ubuntu2204 ovs-ctl[3919]: Traceback (most recent call last):
Sep  7 06:24:19 ubuntu2204 ovs-ctl[3919]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1366, in <module>
Sep  7 06:24:19 ubuntu2204 ovs-ctl[3919]:     main()
Sep  7 06:24:19 ubuntu2204 ovs-ctl[3919]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1315, in main
Sep  7 06:24:19 ubuntu2204 ovs-ctl[3919]:     schema_helper = ovs.db.idl.SchemaHelper()
Sep  7 06:24:19 ubuntu2204 ovs-ctl[3919]:   File "/usr/lib/python3/dist-packages/ovs/db/idl.py", line 2271, in __init__
Sep  7 06:24:19 ubuntu2204 ovs-ctl[3919]:     schema_json = ovs.json.from_file(location)
Sep  7 06:24:19 ubuntu2204 ovs-ctl[3919]:   File "/usr/lib/python3/dist-packages/ovs/json.py", line 61, in from_file
Sep  7 06:24:19 ubuntu2204 ovs-ctl[3919]:     stream = open(name, "r")
Sep  7 06:24:19 ubuntu2204 ovs-ctl[3919]: FileNotFoundError: [Errno 2] No such file or directory: '/usr/local/share/openvswitch/vswitch.ovsschema'
Sep  7 06:24:19 ubuntu2204 ovs|  2  | ovs-monitor-ipsec | ERR | traceback#012Traceback (most recent call last):#012  File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1366, in <module>#012    main()#012  File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1315, in main#012    schema_helper = ovs.db.idl.SchemaHelper()#012  File "/usr/lib/python3/dist-packages/ovs/db/idl.py", line 2271, in __init__#012    schema_json = ovs.json.from_file(location)#012  File "/usr/lib/python3/dist-packages/ovs/json.py", line 61, in from_file#012    stream = open(name, "r")#012FileNotFoundError: [Errno 2] No such file or directory: '/usr/local/share/openvswitch/vswitch.ovsschema'
Sep  7 06:24:19 ubuntu2204 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-60-generic, x86_64)
Sep  7 06:24:19 ubuntu2204 charon: 00[LIB] providers loaded by OpenSSL: legacy default
Sep  7 06:24:19 ubuntu2204 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep  7 06:24:19 ubuntu2204 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep  7 06:24:19 ubuntu2204 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep  7 06:24:19 ubuntu2204 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep  7 06:24:19 ubuntu2204 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep  7 06:24:19 ubuntu2204 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep  7 06:24:19 ubuntu2204 charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Sep  7 06:24:19 ubuntu2204 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep  7 06:24:19 ubuntu2204 charon: 00[JOB] spawning 16 worker threads
Sep  7 06:24:19 ubuntu2204 systemd[1]: openvswitch-ipsec.service: Control process exited, code=exited, status=1/FAILURE
Sep  7 06:24:19 ubuntu2204 charon: 00[DMN] SIGTERM received, shutting down
Sep  7 06:24:19 ubuntu2204 systemd[1]: openvswitch-ipsec.service: Failed with result 'exit-code'.
Sep  7 06:24:19 ubuntu2204 systemd[1]: Failed to start Open vSwitch IPsec daemon.
Sep  7 06:25:01 ubuntu2204 CRON[4112]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))

igsilya commented 1 year ago

The search location depends on how the ovs-monitor-ipsec script was built, not where openvswitch itself was installed. I assume you're mixing a .deb package installation with a manual build somehow.

bettswang commented 1 year ago

Oh, you may have missed my point. I just want to know how this could happen. All I have done is follow the official manual. Why does the ovs-monitor-ipsec script search the wrong path, which causes the ipsec daemon to be unable to start?

apt install openvswitch-ipsec

This operation installs four packages: openvswitch-common, openvswitch-switch, openvswitch-ipsec and python3-openvswitch. There is nothing else related to openvswitch on the system.

bettswang commented 1 year ago

Hi, everyone

I found the root cause of this issue. The Ubuntu 22.04 python3-openvswitch package defines a wrong path for the openvswitch default settings. Change the dirs to "/usr", "/var".

root@ubuntu2204:/usr/lib/python3/dist-packages/ovs# cat /usr/lib/python3/dist-packages/ovs/dirs.py
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# The @variables@ in this file are replaced by default directories for
# use in python/ovs/dirs.py in the source directory and replaced by the
# configured directories for use in the installed python/ovs/dirs.py.
#
import os

# Note that the use of """ is to aid in dealing with paths with quotes in them.
PKGDATADIR = os.environ.get("OVS_PKGDATADIR", """/usr/share/openvswitch""")
RUNDIR = os.environ.get("OVS_RUNDIR", """/var/run/openvswitch""")
LOGDIR = os.environ.get("OVS_LOGDIR", """/var/log/openvswitch""")
BINDIR = os.environ.get("OVS_BINDIR", """/usr/local/bin""")

DBDIR = os.environ.get("OVS_DBDIR")
if not DBDIR:
    sysconfdir = os.environ.get("OVS_SYSCONFDIR")
    if sysconfdir:
        DBDIR = "%s/openvswitch" % sysconfdir
    else:
        DBDIR = """/usr/local/etc/openvswitch"""
root@ubuntu2204:/usr/lib/python3/dist-packages/ovs#
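
An added example (not part of the thread and not Open vSwitch code): it resolves the directories from dirs.py source text the way the listing above does, environment variable first and built-in default second, and reports the schema path that the SchemaHelper() call in the traceback would open. The function names are hypothetical, and the regular expressions assume the file layout shown in the listing.

```python
import re

# Constructed sample: the assignment lines of the dirs.py listing in this thread.
SAMPLE_DIRS_PY = '''
PKGDATADIR = os.environ.get("OVS_PKGDATADIR", """/usr/share/openvswitch""")
RUNDIR = os.environ.get("OVS_RUNDIR", """/var/run/openvswitch""")
LOGDIR = os.environ.get("OVS_LOGDIR", """/var/log/openvswitch""")
BINDIR = os.environ.get("OVS_BINDIR", """/usr/local/bin""")
DBDIR = os.environ.get("OVS_DBDIR")
if not DBDIR:
    sysconfdir = os.environ.get("OVS_SYSCONFDIR")
    if sysconfdir:
        DBDIR = "%s/openvswitch" % sysconfdir
    else:
        DBDIR = """/usr/local/etc/openvswitch"""
'''

# NAME = os.environ.get("OVS_NAME", """default""")
_ENV_DEFAULT = re.compile(r'^(\w+) = os\.environ\.get\("(\w+)", """(.*?)"""\)', re.M)
# Indented last-resort literal for DBDIR
_DB_FALLBACK = re.compile(r'^[ \t]+DBDIR = """(.*?)"""', re.M)

def effective_dirs(text, env):
    """Resolve each directory the way dirs.py does for the given environment."""
    dirs = {name: env.get(var, default)
            for name, var, default in _ENV_DEFAULT.findall(text)}
    fallback = _DB_FALLBACK.search(text)
    if env.get("OVS_DBDIR"):
        dirs["DBDIR"] = env["OVS_DBDIR"]
    elif env.get("OVS_SYSCONFDIR"):
        dirs["DBDIR"] = "%s/openvswitch" % env["OVS_SYSCONFDIR"]
    elif fallback:
        dirs["DBDIR"] = fallback.group(1)
    return dirs

def schema_path(text, env):
    """Path the default SchemaHelper() opens: PKGDATADIR/vswitch.ovsschema."""
    return effective_dirs(text, env)["PKGDATADIR"] + "/vswitch.ovsschema"

def local_prefix_dirs(text, env):
    """Names whose effective path still sits under /usr/local."""
    return sorted(n for n, p in effective_dirs(text, env).items()
                  if p.startswith("/usr/local/"))

if __name__ == "__main__":
    import os
    print(effective_dirs(SAMPLE_DIRS_PY, os.environ))
    print(local_prefix_dirs(SAMPLE_DIRS_PY, os.environ))
```

To check an installed system, pass the contents of /usr/lib/python3/dist-packages/ovs/dirs.py as `text` and `os.environ` as `env`.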