I saw while rebasing that the upgrade to 2.5.4 was performed by @jokogr indeed!

I couldn't test for the setup bug with this version, but 2.8.1 brings interesting stuff (in the IPSec department for example).

To be honest, I was using extraOvsctlCmds in order to tag ports so far, as well as a minor modification in network-interfaces-scripted.nix to ensure the tagged interfaces were starting after the actual ones.

This one seems much cleaner, let me try in for a couple of days (I am heavily modifying VLANs etc.) before totally approving it.

I thought about extraOvsctlCmds too but I didn't want to repeat interface names in multiple places...

Thank you for looking at this ! I have to play with the slaves variables a bit to make it work (e.g. for dhcpcd, if the attached interface is a virtual or internal then we should be able to do dhcp on it).

I did some more testing in a more complex scenario and found a few snags in the current implementation, I originally wanted to attach tap (using virtual=true and virtualType=tap) devices to the bridges (in vlans) and assign IP to them, but this does not work see here. Instead, we should let openvswitch create the interfaces (which is what type=internal does) and assign IP addresses on those interfaces.

I worked on a new implementation:

• I needed to add before dependency to network-addresses-${i}.service for all internal interfaces because otherwise, ip address assignment failed (Cannot find device in the start script for addresses).
• I removed the IPsec related config options (which referenced the script that was removed in 2.8)
• I added an schema upgrade script in ovsdb (I got warnings when testing after upgrade to 2.8)
• the binding to the subsystem devices was killing the service upon startup (during the pre-start), so I removed it for now. I don't think systemd supports binding to the subsystem when your are deleting/creating said device. Perhaps we should split the service (with creation of the bridge in a separate unit)

I have a couple of questions still:

• Openvswitch 2.9 is out, should I push the upgrade as well ?
• I saw db = pkgs.stdenv.mkDerivation { in openvswitch.nix, but I don't think it's used for the database (I am not sure though)
• What about subsystemDevice binding ?

I will push the upgrade soon (after some more testing on my side).

I pushed the changes, I also renames vswitchd to ovs-vswitchd for clarity (we now have ovs-db and ovs-vswitchd as supporting services for ovs).

Also, I updated to 2.8.2 because I had crashes with 2.8.1 (and 2.8.2 is out with some fixes, which solved my crashes).

Since we are on the subject of openvswitch, do you know of limitations regarding usage of systemd-networkd with networking.vswitches (I know it is forbidden by nixos, but I don't know why) ?

(I am planning on supporting both networking.useNetworkd and networking.vswitches at the same time because I need it for my setup)

Thank you for this info. I was just thinking of configuring the bridge with a nixos generated unit, and then let systemd-networkd do the address and other parts. The way I see it, I just have to insert this config unit before the systemd-network process (and maybe prevent the physical interfaces from matching networkd).

I pushed an implementation in the network-interfaces-systemd.nix which means that networking.vswitches can now be used with networking.useNetworkd=true :)

I found that using systemd is much, much, much more stable than scripted interfaces. Internal interfaces (created by openvswitch) can be referred to and configured in the normal networking.interfaces. The only thing that could need fixing (improved, really), is to add a warning if the user tries to configure a IP address and a physical (i.e. not internal) interface : this actually works, but the address will be unusable.

Also, I fixed an mistake in the stop process of the switch (that was not cleaning the switch correctly)

@netixx this is impressive, thank you for your work! I will try the module with systemd-networkd this week.

So far setting VLANs with your module (and not extraOvsctlCmds) is working as expected for my workloads.

Version 2.8.2 seems also stable to me, but I have a small request to make: Is it possible to keep the LTS version as well, and allow users to select it via a package attribute (unsure where to put it, though)?

Including both version seems the most flexible choice to me too !

I am not sure how we should implement (I am not very familiar with package building...), do we include a lts flag on the package ? What should the default value be (false ?) ?

Also, should there be a nixos flag as well ?

EDIT:
I propose the following (pushed):

• add openvswitch-lts in all-packages.nix, calling openvswitch/lts.nix, this way, we don't break LTS build if we change the latest build (default.nix) because they are totally independent.
• use the already existing option config.virtualisation.vswitch.package to choose the version to use.

If this seems good to you, should I bring back the IPsec options in Nixos (if package == openvswitch-lts) given they did not work in the first place ?

Did you have time to look at the new implementation ?

I resolved the conflict (by re-adding the IPSec behaviour only for lts version).

I also added the option to select the supported openFlow version for the switch.