ovs-monitor-ipsec: Don't reconfigure cert-based authentication as often.

ovs-monitor-ipsec wakes up when the Interface table is modified.  To
prevent needless reconfiguration, it maintains a dictionary of the
currently implemented configuration and compares it to any new changes.
Unfortunately, for certificate-based authentication we create a new
"peer_cert_file" key in our local dictionary, which always causes the
comparison to fail.  This forces expensive renegotiation for any change
in the Interface tables.  This commit uses set difference to detect
changes from the previous configuration as opposed to a straight simple
comparison.

Bug #9103

Signed-off-by: Justin Pettit <jpettit@nicira.com>

diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
index ac2cd7e..9707082 100755 (executable)
--- a/debian/ovs-monitor-ipsec
+++ b/debian/ovs-monitor-ipsec
@@ -399,11 +399,13 @@ def update_ipsec(ipsec, interfaces, new_interfaces):
         orig_vals = interfaces.get(name)
         if orig_vals:
             # Configuration for this host already exists.  Check if it's
-            # changed.
-            if vals == orig_vals:
-                continue
-            else:
+            # changed.  We use set difference, since we want to ignore
+            # any local additions to "orig_vals" that we've made
+            # (e.g. the "peer_cert_file" key).
+            if set(vals.items()) - set(orig_vals.items()):
                 ipsec.del_entry(vals["local_ip"], vals["remote_ip"])
+            else:
+                continue
 
         try:
             ipsec.add_entry(vals["local_ip"], vals["remote_ip"], vals)