From 4e7131d5978258de3d90e6c767a8dacf0fc66122 Mon Sep 17 00:00:00 2001 From: clyi Date: Mon, 12 Aug 2024 10:12:38 +0800 Subject: [PATCH] refactor ovn ipsec and remove old ipsec.sh Signed-off-by: clyi --- docs/advance/ovn-ipsec.en.md | 93 ++---------------------------------- docs/advance/ovn-ipsec.md | 91 +---------------------------------- 2 files changed, 5 insertions(+), 179 deletions(-) diff --git a/docs/advance/ovn-ipsec.en.md b/docs/advance/ovn-ipsec.en.md index 658c9fe13..7b8bd5cf9 100644 --- a/docs/advance/ovn-ipsec.en.md +++ b/docs/advance/ovn-ipsec.en.md 
@@ -1,94 +1,7 @@ -# Encrypt inter-node communication using IPsec +# Use IPsec to encrypt communication between node -This function is supported after v1.10.11 and v1.11.4, the kernel version is at least 3.10.0 or above, and UDP ports 500 and 4500 are available. +This function is supported from v1.13.0 onwards, and the host UDP 500 and 4500 ports need to be available. ## Start IPsec -Copy the script from the Kube-OVN source code [ipsec.sh](https://raw.githubusercontent.com/kubeovn/kube-ovn/master/dist/images/ipsec.sh), execute the command as follows, the script will call ovs-pki to generate and distribute the certificate required for encryption: - -```bash -bash ipsec.sh init -``` - -After the execution is completed, the nodes will negotiate for a period of time to establish an IPsec tunnel. The experience value is between ten seconds and one minute.You can check the IPsec status with the following command: - -```bash -# bash ipsec.sh status - Pod {ovs-ovn-d7hdt} ipsec status... -Interface name: ovn-a4718e-0 v1 (CONFIGURED) - Tunnel Type: geneve - Local IP: 172.18.0.2 - Remote IP: 172.18.0.4 - Address Family: IPv4 - SKB mark: None - Local cert: /etc/ipsec.d/certs/8aebd9df-46ef-47b9-85e3-73e9a765296d-cert.pem - Local name: 8aebd9df-46ef-47b9-85e3-73e9a765296d - Local key: /etc/ipsec.d/private/8aebd9df-46ef-47b9-85e3-73e9a765296d-privkey.pem - Remote cert: None - Remote name: a4718e55-5b85-4f46-90e6-63527d080590 - CA cert: /etc/ipsec.d/cacerts/cacert.pem - PSK: None - Custom Options: {} - Ofport: 2 - CFM state: Disabled -Kernel policies installed: - src 172.18.0.2/32 dst 172.18.0.4/32 proto udp sport 6081 - src 172.18.0.2/32 dst 172.18.0.4/32 proto udp sport 6081 - src 172.18.0.2/32 dst 172.18.0.4/32 proto udp dport 6081 - src 172.18.0.2/32 dst 172.18.0.4/32 proto udp dport 6081 -Kernel security associations installed: - sel src 172.18.0.2/32 dst 172.18.0.4/32 proto udp sport 6081 - sel src 172.18.0.4/32 dst 172.18.0.2/32 proto udp dport 6081 - sel src 172.18.0.2/32 
dst 172.18.0.4/32 proto udp dport 6081 - sel src 172.18.0.4/32 dst 172.18.0.2/32 proto udp sport 6081 -IPsec connections that are active: - - Pod {ovs-ovn-fvbbj} ipsec status... -Interface name: ovn-8aebd9-0 v1 (CONFIGURED) - Tunnel Type: geneve - Local IP: 172.18.0.4 - Remote IP: 172.18.0.2 - Address Family: IPv4 - SKB mark: None - Local cert: /etc/ipsec.d/certs/a4718e55-5b85-4f46-90e6-63527d080590-cert.pem - Local name: a4718e55-5b85-4f46-90e6-63527d080590 - Local key: /etc/ipsec.d/private/a4718e55-5b85-4f46-90e6-63527d080590-privkey.pem - Remote cert: None - Remote name: 8aebd9df-46ef-47b9-85e3-73e9a765296d - CA cert: /etc/ipsec.d/cacerts/cacert.pem - PSK: None - Custom Options: {} - Ofport: 1 - CFM state: Disabled -Kernel policies installed: - src 172.18.0.4/32 dst 172.18.0.2/32 proto udp dport 6081 - src 172.18.0.4/32 dst 172.18.0.2/32 proto udp dport 6081 - src 172.18.0.4/32 dst 172.18.0.2/32 proto udp sport 6081 - src 172.18.0.4/32 dst 172.18.0.2/32 proto udp sport 6081 -Kernel security associations installed: - sel src 172.18.0.4/32 dst 172.18.0.2/32 proto udp dport 6081 - sel src 172.18.0.2/32 dst 172.18.0.4/32 proto udp sport 6081 - sel src 172.18.0.4/32 dst 172.18.0.2/32 proto udp sport 6081 - sel src 172.18.0.2/32 dst 172.18.0.4/32 proto udp dport 6081 -IPsec connections that are active: -``` - -After the establishment is complete, you can capture packets and observe that the packets have been encrypted: - -```bash -# tcpdump -i eth0 -nel esp -10:01:40.349896 IP kube-ovn-worker > kube-ovn-control-plane.kind: ESP(spi=0xcc91322a,seq=0x13d0), length 156 -10:01:40.350015 IP kube-ovn-control-plane.kind > kube-ovn-worker: ESP(spi=0xc8df4221,seq=0x1d37), length 156 -``` - -After executing the script, you can turn off IPsec by executing the command: - -```bash -# bash ipsec.sh stop -``` - -Or execute the command to open it again: - -```bash -# bash ipsec.sh start -``` +Change the args `--enable-ovn-ipsec=false` in kube-ovn-controller and kube-ovn-cni to 
`--enable-ovn-ipsec=true`. \ No newline at end of file diff --git a/docs/advance/ovn-ipsec.md b/docs/advance/ovn-ipsec.md index aabdbc343..0531a17e9 100644 --- a/docs/advance/ovn-ipsec.md +++ b/docs/advance/ovn-ipsec.md 
@@ -1,94 +1,7 @@ # 使用 IPsec 加密节点间通信 -该功能从 v1.10.11 和 v1.11.4 后开始支持,kernel 版本至少是 3.10.0 以上,同时需要保证主机 UDP 500 和 4500 端口可用。 +该功能从 v1.13.0 后支持,同时需要保证主机 UDP 500 和 4500 端口可用。 ## 启动 IPsec -从 Kube-OVN 源码拷贝脚本 [ipsec.sh](https://raw.githubusercontent.com/kubeovn/kube-ovn/master/dist/images/ipsec.sh),执行命令如下,该脚本会调用 ovs-pki 生成和分配加密需要的证书: - -```bash -bash ipsec.sh init -``` - -执行完毕后,节点之间会协商一段时间建立 IPsec 隧道,经验值是十几秒到一分钟之间,可以通过如下命令来查看 IPsec 状态: - -```bash -# bash ipsec.sh status - Pod {ovs-ovn-d7hdt} ipsec status... -Interface name: ovn-a4718e-0 v1 (CONFIGURED) - Tunnel Type: geneve - Local IP: 172.18.0.2 - Remote IP: 172.18.0.4 - Address Family: IPv4 - SKB mark: None - Local cert: /etc/ipsec.d/certs/8aebd9df-46ef-47b9-85e3-73e9a765296d-cert.pem - Local name: 8aebd9df-46ef-47b9-85e3-73e9a765296d - Local key: /etc/ipsec.d/private/8aebd9df-46ef-47b9-85e3-73e9a765296d-privkey.pem - Remote cert: None - Remote name: a4718e55-5b85-4f46-90e6-63527d080590 - CA cert: /etc/ipsec.d/cacerts/cacert.pem - PSK: None - Custom Options: {} - Ofport: 2 - CFM state: Disabled -Kernel policies installed: - src 172.18.0.2/32 dst 172.18.0.4/32 proto udp sport 6081 - src 172.18.0.2/32 dst 172.18.0.4/32 proto udp sport 6081 - src 172.18.0.2/32 dst 172.18.0.4/32 proto udp dport 6081 - src 172.18.0.2/32 dst 172.18.0.4/32 proto udp dport 6081 -Kernel security associations installed: - sel src 172.18.0.2/32 dst 172.18.0.4/32 proto udp sport 6081 - sel src 172.18.0.4/32 dst 172.18.0.2/32 proto udp dport 6081 - sel src 172.18.0.2/32 dst 172.18.0.4/32 proto udp dport 6081 - sel src 172.18.0.4/32 dst 172.18.0.2/32 proto udp sport 6081 -IPsec connections that are active: - - Pod {ovs-ovn-fvbbj} ipsec status... 
-Interface name: ovn-8aebd9-0 v1 (CONFIGURED) - Tunnel Type: geneve - Local IP: 172.18.0.4 - Remote IP: 172.18.0.2 - Address Family: IPv4 - SKB mark: None - Local cert: /etc/ipsec.d/certs/a4718e55-5b85-4f46-90e6-63527d080590-cert.pem - Local name: a4718e55-5b85-4f46-90e6-63527d080590 - Local key: /etc/ipsec.d/private/a4718e55-5b85-4f46-90e6-63527d080590-privkey.pem - Remote cert: None - Remote name: 8aebd9df-46ef-47b9-85e3-73e9a765296d - CA cert: /etc/ipsec.d/cacerts/cacert.pem - PSK: None - Custom Options: {} - Ofport: 1 - CFM state: Disabled -Kernel policies installed: - src 172.18.0.4/32 dst 172.18.0.2/32 proto udp dport 6081 - src 172.18.0.4/32 dst 172.18.0.2/32 proto udp dport 6081 - src 172.18.0.4/32 dst 172.18.0.2/32 proto udp sport 6081 - src 172.18.0.4/32 dst 172.18.0.2/32 proto udp sport 6081 -Kernel security associations installed: - sel src 172.18.0.4/32 dst 172.18.0.2/32 proto udp dport 6081 - sel src 172.18.0.2/32 dst 172.18.0.4/32 proto udp sport 6081 - sel src 172.18.0.4/32 dst 172.18.0.2/32 proto udp sport 6081 - sel src 172.18.0.2/32 dst 172.18.0.4/32 proto udp dport 6081 -IPsec connections that are active: -``` - -建立完成后可以抓包观察报文已经被加密: - -```bash -# tcpdump -i eth0 -nel esp -10:01:40.349896 IP kube-ovn-worker > kube-ovn-control-plane.kind: ESP(spi=0xcc91322a,seq=0x13d0), length 156 -10:01:40.350015 IP kube-ovn-control-plane.kind > kube-ovn-worker: ESP(spi=0xc8df4221,seq=0x1d37), length 156 -``` - -当执行完脚本后,可以通过执行命令关闭 IPsec: - -```bash -# bash ipsec.sh stop -``` - -或者执行命令再次打开: - -```bash -# bash ipsec.sh start -``` +将 kube-ovn-controller 和 kube-ovn-cni 中的 args `--enable-ovn-ipsec=false` 修改为 `--enable-ovn-ipsec=true`。
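Review bot: The English hunk (docs/advance/ovn-ipsec.en.md) removes every verification step along with the script, so a reader who flips `--enable-ovn-ipsec=true` has no way to confirm that Geneve traffic is actually being encrypted; keep at least the packet-capture check that the old text had (`tcpdump -i eth0 -nel esp`, expecting `ESP(spi=...)` lines) or point to the equivalent status command for the new mechanism. The new text also drops the kernel-version requirement ("at least 3.10.0") without saying whether it no longer applies, and it no longer explains who generates and distributes the certificates now that `ovs-pki` via `ipsec.sh init` is gone, nor how to turn IPsec off again (the old stop/start commands have no replacement beyond setting the flag back to `false`). Two smaller points: the new title "Use IPsec to encrypt communication between node" should read "between nodes" (the old title "Encrypt inter-node communication using IPsec" was fine and could simply be kept), and the file now ends without a trailing newline (`\ No newline at end of file`).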
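Review bot: The Chinese hunk (docs/advance/ovn-ipsec.md) has the same gaps as the English one: the status and `tcpdump -i eth0 -nel esp` checks are removed with nothing to replace them, the kernel-version floor is dropped silently, and the sentence "将 kube-ovn-controller 和 kube-ovn-cni 中的 args `--enable-ovn-ipsec=false` 修改为 `--enable-ovn-ipsec=true`" does not say where those args live (the Deployment and DaemonSet manifests) or whether the pods must be restarted for the change to take effect. Note also that this file keeps its original heading "使用 IPsec 加密节点间通信" while the English file's heading is rewritten in the same patch; the two should stay in sync, so either change both or neither.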