New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/openvswitch : upgrade 2.5.4 -> 2.9.2 and vlans #35127
Conversation
I saw while rebasing that the upgrade to 2.5.4 was performed by @jokogr indeed! I couldn't test for the setup bug with this version, but 2.8.1 brings interesting stuff (in the IPSec department for example). |
substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \ | ||
--replace "self.cert_dir" "root_prefix + self.cert_dir" | ||
''; | ||
# ovs-monitor-ipsec removed in ovs: 2b02d770c4cb381ec32cd4b7b1e991c42b448884 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No need to leave this as a comment since the command was removed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok. I wanted to make sure I didn't forget some other script in this step. Should I leave the comment about removal of the script in upstream ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMHO no, since it is now removed and users should read the OVS documentation before using a new version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done !
To be honest, I was using This one seems much cleaner, let me try in for a couple of days (I am heavily modifying VLANs etc.) before totally approving it. |
I thought about Thank you for looking at this ! I have to play with the |
I did some more testing in a more complex scenario and found a few snags in the current implementation, I originally wanted to attach tap (using I worked on a new implementation:
I have a couple of questions still:
I will push the upgrade soon (after some more testing on my side). |
afbb447
to
c16f748
Compare
I pushed the changes, I also renames Also, I updated to 2.8.2 because I had crashes with 2.8.1 (and 2.8.2 is out with some fixes, which solved my crashes). |
Since we are on the subject of openvswitch, do you know of limitations regarding usage of (I am planning on supporting both |
Thank you for this info. I was just thinking of configuring the bridge with a nixos generated unit, and then let systemd-networkd do the address and other parts. The way I see it, I just have to insert this config unit before the systemd-network process (and maybe prevent the physical interfaces from matching networkd). |
c16f748
to
1087c24
Compare
I pushed an implementation in the I found that using systemd is much, much, much more stable than scripted interfaces. Internal interfaces (created by openvswitch) can be referred to and configured in the normal Also, I fixed an mistake in the stop process of the switch (that was not cleaning the switch correctly) |
@netixx this is impressive, thank you for your work! I will try the module with systemd-networkd this week. So far setting VLANs with your module (and not Version 2.8.2 seems also stable to me, but I have a small request to make: Is it possible to keep the LTS version as well, and allow users to select it via a |
6970d4e
to
872236e
Compare
Including both version seems the most flexible choice to me too ! I am not sure how we should implement (I am not very familiar with package building...), do we include a Also, should there be a nixos flag as well ? EDIT:
If this seems good to you, should I bring back the IPsec options in Nixos (if package == openvswitch-lts) given they did not work in the first place ? |
872236e
to
06a2d4d
Compare
Did you have time to look at the new implementation ? |
@@ -487,9 +513,8 @@ in | |||
|
|||
interfaces = mkOption { | |||
example = [ "eth0" "eth1" ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you sure the example still compatible with the new type?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch! I forgot to update the example. All done now !
06a2d4d
to
5ed6a48
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Many thanks for including the LTS version!
5ed6a48
to
e124038
Compare
I resolved the conflict (by re-adding the IPSec behaviour only for lts version). I also added the option to select the supported openFlow version for the switch. |
e124038
to
194295e
Compare
Openvswitch was upgraded to the latest stable version (currenty 2.12.0). This remove ovs-monitor-ipsec commands. LTS version is still available using `config.virtualisation.vswitch.package = pkgs.openvswitch-lts` it has been upgraded to 2.5.6. This commit is a split from the original PR NixOS#35127.
Openvswitch was upgraded to the latest stable version (currenty 2.12.0). This remove ovs-monitor-ipsec commands. LTS version is still available using `config.virtualisation.vswitch.package = pkgs.openvswitch-lts` it has been upgraded to 2.5.6. This commit is a split from the original PR NixOS#35127. (cherry picked from commit e8e980e)
Systemd dependencies for scripted mode were refactored according to analysis in #34586. networking.vswitches can now be used with systemd-networkd, although they are not supported by the daemon, a nixos receipe creates the switch and attached required interfaces (just like the scripted version). Vlans and internal interfaces are implemented following the template format i.e. each interface is described using an attributeSet (vlan and type at the moment). If vlan is present, then interface is added to the vswitch with given tag (access mode). Type internal enabled vswitch to create interfaces (see openvswitch docs). Added configuration for configuring supported openFlow version on the vswitch This commit is a split from the original PR #35127.
Systemd dependencies for scripted mode were refactored according to analysis in NixOS#34586. networking.vswitches can now be used with systemd-networkd, although they are not supported by the daemon, a nixos receipe creates the switch and attached required interfaces (just like the scripted version). Vlans and internal interfaces are implemented following the template format i.e. each interface is described using an attributeSet (vlan and type at the moment). If vlan is present, then interface is added to the vswitch with given tag (access mode). Type internal enabled vswitch to create interfaces (see openvswitch docs). Added configuration for configuring supported openFlow version on the vswitch This commit is a split from the original PR NixOS#35127.
Systemd dependencies for scripted mode were refactored according to analysis in #34586. networking.vswitches can now be used with systemd-networkd, although they are not supported by the daemon, a nixos receipe creates the switch and attached required interfaces (just like the scripted version). Vlans and internal interfaces are implemented following the template format i.e. each interface is described using an attributeSet (vlan and type at the moment). If vlan is present, then interface is added to the vswitch with given tag (access mode). Type internal enabled vswitch to create interfaces (see openvswitch docs). Added configuration for configuring supported openFlow version on the vswitch This commit is a split from the original PR #35127.
Originnaly, the need was to fix #34336 and add features in #34851.
With remarks from @volth, openvswitch was upgraded to the latest
stable version (currenty 2.8.1).
Systemd dependencies were refactored according to analysis in #34586.
Vlans and internal interfaces are implemented following the
networking.interfaces
template format i.e. each interface isdescribed using an attributeSet (vlan and type at the moment).
If vlan is present, then interface is added to the vswitch with
given tag (access mode). Type internal enables
vswitchd
to createinterfaces (see openvswitch docs).
I am not sure about this implementation and this PR may need some tuning. Also, this change breaks compatibility with previous
vswitch.interfaces
syntax.EDIT: More details on implementation:
I only included
type
andvlan
options but there are a lot more (seeset
command in ovs-vsctl) and I hesitated to put a generickey=value
options that would be translated inset port/interface <key>=<value>
, but I think for usability for the user the minimal options are better. Maybe we could have a list of commands as an interface parameter, and we would replace a token by the name of the current interface in the actual commands (but I don't know how to do that).About
type
argument, I originally thought (reading the docs) that it was required to apply this tag to virtual interfaces attached to the bridge, but actually, it leads to an error if the interface already exists (say created bynetworking.interface
with optionvirtual=true
). In the end, the 'type=internalenables
vswitchd` to create the given interface. I think we could use this in a container scenario for example (by changing the network namespace of this interface), which is why I left it.Motivation for this change
sleep 1
to workThings done
build-use-sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)