Bug 1906701
| Field | Value |
|---|---|
| Summary | [OVS IPsec] unknown gre/vxlan argument 'remote_cert' when using self-signed certificate |
| Product | Red Hat Enterprise Linux Fast Datapath |
| Component | openvswitch2.13 |
| Version | FDP 20.I |
| Reporter | qding |
| QA Contact | qding |
| Assignee | Open vSwitch development team <ovs-team> |
| CC | ctrautma, fleitner, jhsiao, jishi, ralongi, yinxu |
| Status | CLOSED CURRENTRELEASE |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | x86_64 |
| OS | Linux |
| Type | Bug |
| Last Closed | 2023-06-14 14:58:02 UTC |

Description of problem:

2020-12-11T07:58:02.792Z|00032|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'

```
[root@dell-per730-04 ~]# ovs-vsctl add-port ovsbr0 tun123 -- \
> set interface tun123 type=gre \
> options:remote_ip=192.168.123.2 \
> options:remote_cert=/root/keys/h2-cert.pem
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# tail /var/log/openvswitch/ovs-vswitchd.log
2020-12-11T07:57:54.170Z|00027|ofproto_dpif|INFO|system@ovs-system: Datapath does not support IPv6 ND Extensions
2020-12-11T07:57:54.213Z|00028|bridge|INFO|bridge ovsbr0: added interface ovsbr0 on port 65534
2020-12-11T07:57:54.213Z|00029|bridge|INFO|bridge ovsbr0: using datapath ID 0000aa8b0cf77a44
2020-12-11T07:57:54.213Z|00030|connmgr|INFO|ovsbr0: added service controller "punix:/var/run/openvswitch/ovsbr0.mgmt"
2020-12-11T07:57:54.239Z|00031|bridge|INFO|ovs-vswitchd (Open vSwitch) 2.13.2
2020-12-11T07:58:02.792Z|00032|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
2020-12-11T07:58:02.798Z|00033|bridge|INFO|bridge ovsbr0: added interface tun123 on port 1
2020-12-11T07:58:02.800Z|00034|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
2020-12-11T07:58:04.147Z|00035|memory|INFO|158328 kB peak resident set size after 10.0 seconds
2020-12-11T07:58:04.147Z|00036|memory|INFO|handlers:35 ports:2 revalidators:13 rules:5 udpif keys:1
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ovs-vsctl show
6a5a6e4a-5434-40ad-89de-23a57991798a
    Bridge ovsbr0
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port tun123
            Interface tun123
                type: gre
                options: {remote_cert="/root/keys/h2-cert.pem", remote_ip="192.168.123.2"}
    ovs_version: "2.13.2"
[root@dell-per730-04 ~]#
```

Version-Release number of selected component (if applicable):

```
[root@dell-per730-04 ~]# uname -r
4.18.0-259.el8.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-74.el8fdp.x86_64
openvswitch2.13-2.13.0-74.el8fdp.x86_64
openvswitch2.13-ipsec-2.13.0-74.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
[root@dell-per730-04 ~]#
```

How reproducible: always

Comment 1

And when using a CA-signed certificate, there is a similar issue "unknown gre argument 'remote_name'" for remote_name.

```
[root@dell-per740-41 keys]# ovs-vsctl set Open_vSwitch . \
> other_config:certificate=/root/keys/h1-cert.pem \
> other_config:private_key=/etc/keys/h1-privkey.pem \
> other_config:ca_cert=/root/keys/cacert.pem
[root@dell-per740-41 keys]# ovs-vsctl add-br ovsbr0
[root@dell-per740-41 keys]#
[root@dell-per740-41 keys]# ovs-vsctl add-port ovsbr0 tun123 -- \
> set interface tun123 type=gre \
> options:remote_ip=192.168.123.2 \
> options:remote_name=h2
[root@dell-per740-41 keys]# ovs-vsctl show
d51ceb93-7623-4528-87e7-969cc4054a53
    Bridge ovsbr0
        Port tun123
            Interface tun123
                type: gre
                options: {remote_ip="192.168.123.2", remote_name=h2}
        Port ovsbr0
            Interface ovsbr0
                type: internal
    ovs_version: "2.13.2"
[root@dell-per740-41 keys]#
[root@dell-per740-41 keys]# cat /var/log/openvswitch/ovs-vswitchd.log
...
2020-12-14T08:13:42.815Z|00030|bridge|INFO|bridge ovsbr0: added interface ovsbr0 on port 65534
2020-12-14T08:13:42.815Z|00031|bridge|INFO|bridge ovsbr0: using datapath ID 00004e55dacc4049
2020-12-14T08:13:42.815Z|00032|connmgr|INFO|ovsbr0: added service controller "punix:/var/run/openvswitch/ovsbr0.mgmt"
2020-12-14T08:13:42.863Z|00033|netdev_vport|WARN|tun123: unknown gre argument 'remote_name'
2020-12-14T08:13:42.895Z|00034|bridge|INFO|bridge ovsbr0: added interface tun123 on port 1
2020-12-14T08:13:42.898Z|00035|netdev_vport|WARN|tun123: unknown gre argument 'remote_name'
2020-12-14T08:13:44.905Z|00036|memory|INFO|peak resident set size grew 207% in last 6615.7 seconds, from 51700 kB to 158540 kB
2020-12-14T08:13:44.905Z|00037|memory|INFO|handlers:35 ports:2 revalidators:13 rules:5
[root@dell-per740-41 keys]#
```

Comment 2

Same issue for RHEL7 packages:

```
[root@dell-per730-04 ~]# uname -r
3.10.0-1160.11.1.el7.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-ipsec-2.13.0-68.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ovs-vsctl set Open_vSwitch . \
> other_config:certificate=/root/keys/h1-cert.pem \
> other_config:private_key=/root/keys/h1-privkey.pem
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ovs-vsctl add-br ovsbr0
ovs-vsctl: cannot create a bridge named ovsbr0 because a bridge named ovsbr0 already exists
[root@dell-per730-04 ~]# ovs-vsctl del-port ovsbr0 tun123
ovs-vsctl: no port named tun123
[root@dell-per730-04 ~]# ovs-vsctl add-port ovsbr0 tun123 -- \
> set interface tun123 type=gre \
> options:remote_ip=192.168.123.2 \
> options:remote_cert=/root/keys/h2-cert.pem
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# tail /var/log/openvswitch/ovs-vswitchd.log
2020-12-18T04:00:02.711Z|00042|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:00:02.713Z|00043|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:02:07.200Z|00044|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:02:11.064Z|00045|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:03:28.635Z|00046|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:03:33.099Z|00047|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:08:52.869Z|00048|bridge|INFO|bridge ovsbr0: deleted interface tun123 on port 1
2020-12-18T04:12:17.794Z|00049|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
2020-12-18T04:12:17.800Z|00050|bridge|INFO|bridge ovsbr0: added interface tun123 on port 2
2020-12-18T04:12:17.802Z|00051|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
[root@dell-per730-04 ~]#
```

Comment 3 (Mark Gray)

This is a warning from the ovs-vswitchd specifying that it does not recognise that configuration parameter in the OVSDB. It is expected because OVS does not use these parameters (ovs-monitor-ipsec does). This is not an error message so can be safely ignored. If you think it would help reduce user concern, I can submit a patch to suppress these cases?

Comment 4

(In reply to Mark Gray from comment #3)
> This is a warning from the ovs-vswitchd specifying that it does not
> recognise that configuration parameter in the OVSDB. It is expected because
> OVS does not use these parameters (ovs-monitor-ipsec does). This is not an
> error message so can be safely ignored. If you think it would help reduce
> user concern, I can submit a patch to suppress these cases?

In my test I don't think this is just a problem of the warning message. I use the steps described in https://docs.openvswitch.org/en/latest/tutorials/ipsec/ and don't actually successfully establish an IPsec tunnel with a self-signed certificate or a CA-signed certificate.

Comment 5 (Mark Gray)

That message should be unrelated but I will confirm as we debug further.

* Is it only failing with self-signed and CA-signed certificate cases?
* Are you failing across all tunnel-types?
* Are there any errors in the libreswan logs in `journalctl`?

Comment 6

Created attachment 1740873: journalctl.log

(In reply to Mark Gray from comment #5)
> That message should be unrelated but I will confirm as we debug further.
>
> * Is it only failing with self-signed and CA-signed certificate cases?

In PSK mode, after changing left to local_ip in /etc/ipsec.conf, the IPsec tunnel can be successfully established. I never successfully established an IPsec tunnel in self-signed or CA-signed certificate modes.

> * Are you failing across all tunnel-types?

I tried with GRE and VxLAN; they both failed.

> * Are there any errors in the libreswan logs in `journalctl`?

Please see the attachment journalctl.log.

Comment 7 (Mark Gray)

I think that log was with the self-signed case? I believe that is a duplicate of this: https://bugzilla.redhat.com/show_bug.cgi?id=1884646

Can you send the same for the CA-signed case?

Comment 8

Created attachment 1740938: journalctl log for CA-signed mode

(In reply to Mark Gray from comment #7)
> I think that log was with the self-signed case? I believe that is a
> duplicate of this: https://bugzilla.redhat.com/show_bug.cgi?id=1884646
>
> Can you send the same for the CA-signed case?

After changing "left=%defaultroute" to "left=192.168.123.1", CA-signed mode works now. Please see the attached journalctl_ca.log.

Comment 9

The self-signed case is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1884646. I have a patch posted upstream to resolve that.

I also have the following patch to suppress the warning messages:
https://patchwork.ozlabs.org/project/openvswitch/patch/20201221131233.190544-1-mark.d.gray@redhat.com/

Thanks for testing.
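Comment 3 explains that ovs-vswitchd warns about tunnel option keys it does not itself consume (psk, remote_cert and remote_name are read by ovs-monitor-ipsec). The following triage script is an added example, not part of this bug report or of Open vSwitch: it parses ovs-vswitchd.log lines in the format quoted above and separates those expected warnings from unknown-argument warnings for keys that are not IPsec options, which would point at a real misconfiguration. The set of IPsec-only keys is an assumption taken from comment 3, and the sample log is constructed from the excerpts in this bug plus one invented mistyped key.

```python
import re
from collections import Counter

# Option keys that ovs-vswitchd itself does not consume. Per comment 3 of
# this bug they are read by ovs-monitor-ipsec, so an "unknown ... argument"
# warning for them is expected noise rather than a misconfiguration (assumption).
IPSEC_ONLY_KEYS = {"psk", "remote_cert", "remote_name"}

# Matches the netdev_vport WARN lines quoted in this bug, e.g.
# 2020-12-18T04:12:17.794Z|00049|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
WARN_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<seq>\d+)\|netdev_vport\|WARN\|"
    r"(?P<iface>[^:]+): unknown (?P<ttype>\S+) argument '(?P<key>[^']+)'$"
)


def parse_unknown_arg_warnings(lines):
    """Yield (iface, tunnel_type, key) for every unknown-argument WARN line."""
    for line in lines:
        m = WARN_RE.match(line.strip())
        if m:
            yield m.group("iface"), m.group("ttype"), m.group("key")


def triage(lines):
    """Bucket warnings: {"benign": {(iface, type, key): n}, "suspicious": {...}}."""
    benign, suspicious = Counter(), Counter()
    for iface, ttype, key in parse_unknown_arg_warnings(lines):
        bucket = benign if key in IPSEC_ONLY_KEYS else suspicious
        bucket[(iface, ttype, key)] += 1
    return {"benign": dict(benign), "suspicious": dict(suspicious)}


# Constructed sample: six lines taken from the log excerpts in this bug plus
# one invented line with a mistyped key ('remote_certs') on a vxlan port.
SAMPLE_LOG = """\
2020-12-18T04:00:02.711Z|00042|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:00:02.713Z|00043|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:08:52.869Z|00048|bridge|INFO|bridge ovsbr0: deleted interface tun123 on port 1
2020-12-18T04:12:17.794Z|00049|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
2020-12-18T04:12:17.800Z|00050|bridge|INFO|bridge ovsbr0: added interface tun123 on port 2
2020-12-18T04:12:17.802Z|00051|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
2020-12-18T04:13:00.000Z|00052|netdev_vport|WARN|tun124: unknown vxlan argument 'remote_certs'
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for label in ("benign", "suspicious"):
        for (iface, ttype, key), n in sorted(result[label].items()):
            print(f"{label:10} {iface} type={ttype} key={key!r} x{n}")
```

Run it against a real log with `triage(open("/var/log/openvswitch/ovs-vswitchd.log"))`; anything in the "suspicious" bucket deserves a look at the port's options, while the "benign" bucket is the noise comment 3 describes.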