On 8/8/24 00:23, Jim C wrote:
> Thanks Ilya, that's super helpful!
>
> Regarding updating the file path, can we only do it in the python script?
> Is there an ENV VAR somewhere that we can use for the update?

Unfortunately, no. Code change in the python script is needed today
for unusual setups.

Best regards, Ilya Maximets.

>
> Thanks.
>
> On Wed, Aug 7, 2024 at 2:27 PM Ilya Maximets <i.maxim...@ovn.org> wrote:
>
>     On 8/7/24 23:10, Jim C wrote:
>     > Actually, we may not have the right path. Instead of /etc/strongswan.d,
>     > we have /etc/strongswan/strongswan.d.
>     >
>     > Is it fine as long as we manually create /etc/strongswan.d to allow OVS
>     > to place its config file?
>
>     I think, it should be in the main strongswan.d directory because that's the
>     place charon (strongSwan) will look for configuration. And it will likely
>     not be found in /etc/strongswan.d.
>
>     The path is hardcoded, unfortunately, because that's the place strongSwan
>     stores configuration on Debian/Ubuntu. You'll need to either re-configure
>     your strongSwan to use /etc/strongswan.d (I'm not familiar enough with it
>     to know how to do that) or you need to modify the hardcoded path in the
>     ovs-monitor-ipsec daemon. It is a python script, so you could just manually
>     modify it for testing. Locate the ovs-monitor-ipsec file on the disk, open
>     it and change the self.CHARON_CONF variable to a different location.
>
>     >
>     > Also, by `by ovs-monitor-ipsec daemon when it starts`, is it when we run
>     > `systemctl start openvswitch-ipsec`?
>
>     Yes.
>
>     >
>     > On Wed, Aug 7, 2024 at 12:03 PM Ilya Maximets <i.maxim...@ovn.org> wrote:
>     >
>     >     On 8/7/24 20:36, Jim C wrote:
>     >     > Thanks Ilya!
>     >     >
>     >     > We do have the directory /etc/strongswan.d on our host. How is this ovs.conf created?
>     >     > Is it created when we install the OVS IPSec package and it will look for the strongSwan
>     >     > directory and place the file there?
>     >
>     >     It is created by ovs-monitor-ipsec daemon when it starts.
>     >     Where the error you posted is coming from?
>     >
>     >     I'd suggest checking audit log in case selinux is blocking access
>     >     to that directory. And generally checking if the daemon has access
>     >     to that directory, i.e. user/group permissions.
>     >
>     >     >
>     >     > If that's the case, does it mean that we must install OVS after strongSwan is installed?
>     >     >
>     >     > Thanks.
>     >     >
>     >     > On Wed, Aug 7, 2024 at 9:14 AM Ilya Maximets <i.maxim...@ovn.org> wrote:
>     >     >
>     >     >     On 8/7/24 09:11, Jim C wrote:
>     >     >     > Thanks Ilya, but we see an error complaining:
>     >     >     >
>     >     >     > *FileNotFoundError: [Errno 2] No such file or directory: '/etc/strongswan.d/ovs.conf'
>     >     >
>     >     >     Does the /etc/strongswan.d directory exist?
>     >     >     If not, you may need to check your strongswan installation
>     >     >     and find out why it is not there.
>     >     >
>     >     >     Best regards, Ilya Maximets.
>     >     >
>     >     >     > *
>     >     >     >
>     >     >     > We are using:
>     >     >     > strongSwan 5.10
>     >     >     > Rocky (RHEL) Linux
>     >     >     >
>     >     >     > We do hope to get rid of the libreswan dependency tho. But for now, we can't switch to using strongSwan.
>     >     >     >
>     >     >     > Thanks.
>     >     >     >
>     >     >     > On Wed, Jul 24, 2024 at 4:50 AM Ilya Maximets <i.maxim...@ovn.org> wrote:
>     >     >     >
>     >     >     >     On 7/24/24 08:31, Jim C via discuss wrote:
>     >     >     >     > Hi,
>     >     >     >     >
>     >     >     >     > We saw our OVS has the following specs from this service file:
>     >     >     >     >
>     >     >     >     > # cat /etc/systemd/system/multi-user.target.wants/openvswitch-ipsec.service
>     >     >     >     > [Unit]
>     >     >     >     > Description=OVS IPsec daemon
>     >     >     >     > Requires=openvswitch.service
>     >     >     >     > After=openvswitch.service
>     >     >     >     >
>     >     >     >     > [Service]
>     >     >     >     > Type=forking
>     >     >     >     > PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid
>     >     >     >     > *ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
>     >     >     >     >                     --ike-daemon=libreswan start-ovs-ipsec*
>     >     >     >     > ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
>     >     >     >     >
>     >     >     >     > [Install]
>     >     >     >     > WantedBy=multi-user.target
>     >     >     >     >
>     >     >     >     > It seems it's using libreswan. How can we switch to using strongSwan instead?
>     >     >     >
>     >     >     >     If you have strongSwan installed, you should be able to just
>     >     >     >     replace --ike-daemon=libreswan with --ike-daemon=strongswan
>     >     >     >     in the service file.
>     >     >     >
>     >     >     >     Best regards, Ilya Maximets.
>     >     >     >

_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
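
Added example, not part of the thread or of Open vSwitch: a shell check that tells apart the directory layouts discussed above before openvswitch-ipsec is started with --ike-daemon=strongswan. The two paths and self.CHARON_CONF come from the thread; the function names, the status words and the ROOT prefix argument (for pointing the check at a scratch tree) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of ovs-monitor-ipsec. Paths are the ones named in
# the thread; the ROOT prefix argument is an assumption so that the check
# can be pointed at a scratch tree instead of the live /etc.

# Print one status word describing the strongSwan config directory layout.
charon_dir_status() {
    root=${1:-}
    expected="$root/etc/strongswan.d"        # hardcoded in ovs-monitor-ipsec
    alt="$root/etc/strongswan/strongswan.d"  # layout reported on Rocky Linux

    if [ -d "$expected" ] && [ -d "$alt" ]; then
        echo "split"         # ovs.conf can be written, but charon may read $alt
    elif [ -d "$expected" ] && [ ! -w "$expected" ]; then
        echo "not-writable"  # directory exists, this user cannot write to it
    elif [ -d "$expected" ]; then
        echo "ok"
    elif [ -d "$alt" ]; then
        echo "alt-layout"    # FileNotFoundError case from the thread
    else
        echo "missing"
    fi
}

# Translate the status into the next step suggested in the thread.
charon_dir_advice() {
    case "$(charon_dir_status "${1:-}")" in
        ok)           echo "ovs-monitor-ipsec can create /etc/strongswan.d/ovs.conf" ;;
        not-writable) echo "check user/group permissions and the SELinux audit log" ;;
        split)        echo "charon likely reads /etc/strongswan/strongswan.d, not /etc/strongswan.d" ;;
        alt-layout)   echo "edit self.CHARON_CONF in ovs-monitor-ipsec or re-configure strongSwan" ;;
        missing)      echo "check the strongSwan installation" ;;
    esac
}

# Run against the live system by default, or against ROOT if one is given.
charon_dir_advice "${1:-}"
```

Run it as the user the daemon runs as, since the writability test reflects the calling user's permissions and does not see SELinux denials.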