netdev-vport: Warn on IPsec tunnels when ovs-monitor-ipsec not running.
author: Justin Pettit <jpettit@nicira.com>
Fri, 11 Mar 2011 23:18:30 +0000 (15:18 -0800)
committer: Justin Pettit <jpettit@nicira.com>
Sun, 13 Mar 2011 18:06:50 +0000 (11:06 -0700)
IPsec tunnels are only supported on Debian systems running
ovs-monitor-ipsec.  Since that daemon configures IPsec, ovs-vswitchd
doesn't know whether IPsec will actually work.  With this commit, a
warning is printed that it is unlikely to work unless that daemon is
started.

There is a more serious issue that IPsec traffic can pass unencrypted if
that daemon is not running.  To fix that problem, changes to the kernel
module will need to occur.  A future commit will address that issue, but
this earlier warning will be useful regardless.

Bug #4854

lib/netdev-vport.c

index 97cc170..875bf71 100644
@@ -26,6 +26,8 @@
 #include <sys/ioctl.h>
 
 #include "byte-order.h"
+#include "daemon.h"
+#include "dirs.h"
 #include "dpif-linux.h"
 #include "hash.h"
 #include "hmap.h"
@@ -716,6 +718,14 @@ parse_tunnel_config(const char *name, const char *type,
     }
 
     if (is_ipsec) {
+        char *file_name = xasprintf("%s/%s", ovs_rundir(),
+                "ovs-monitor-ipsec.pid");
+        if (read_pidfile(file_name) < 0) {
+            VLOG_WARN("%s: ovs-monitor-ipsec doesn't appear to be running, "
+                    "traffic may not pass", name);
+        }
+        free(file_name);
+
         if (shash_find(args, "peer_cert") && shash_find(args, "psk")) {
             VLOG_WARN("%s: cannot define both 'peer_cert' and 'psk'", name);
             return EINVAL;
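Review bot: The warning text "traffic may not pass" understates the failure mode the commit message itself describes: without ovs-monitor-ipsec the tunnel is not just likely to be broken, its traffic can pass unencrypted. An operator reading the log should be told the real risk, e.g. "ovs-monitor-ipsec doesn't appear to be running; tunnel traffic may pass unencrypted or not at all". Two smaller points on the same block: the check only runs when parse_tunnel_config() is invoked, so it catches a daemon that was never started but says nothing if the daemon exits after the tunnel is configured, which is worth stating in the message or a comment given that the kernel-side fix is deferred; and because parse_tunnel_config() is re-run on every reconfiguration, a plain VLOG_WARN() will repeat on each pass, so VLOG_WARN_RL() with a rate limiter would be the usual choice here. The placement before the peer_cert/psk validation also means a configuration that is about to be rejected with EINVAL still logs the daemon warning first; moving the pidfile check after the argument validation would avoid the misleading extra line.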