Check on ipsec.service instead of libreswan package on host

The rpm db directory is different on rhcos and rhel workers, so mounting
/usr/share/rpm directory will not work for rhel worker nodes. To avoid
this, this commit checks on ipsec systemd service on the host to decide
which ipsec deployment to be active or dormant.

Signed-off-by: Periyasamy Palanisamy <[email protected]>

Author: pperiyasamy

bindata/network/ovn-kubernetes/common/ipsec-containerized.yaml

@@ -37,6 +37,9 @@ spec:
               - key: network.operator.openshift.io/dpu-host
                 operator: DoesNotExist
       serviceAccountName: ovn-kubernetes-node
+{{ if .IPsecServiceCheckOnHost }}
+      hostPID: true
+{{ end }}
       hostNetwork: true
       dnsPolicy: Default
       priorityClassName: "system-node-critical"
@@ -50,9 +53,9 @@ spec:
           #!/bin/bash
           set -exuo pipefail
 
-{{ if .IPsecCheckForLibreswan }}
-          if rpm --dbpath=/usr/share/rpm -q libreswan; then
-            echo "host has libreswan and therefore ipsec will be configured by ipsec host daemonset, this ovn ipsec container doesnt need to init anything"
+{{ if .IPsecServiceCheckOnHost }}
+          if chroot /proc/1/root systemctl is-active --quiet ipsec.service; then
+            echo "host has ipsec.service running and therefore ipsec will be configured by ipsec host daemonset, this ovn ipsec container doesnt need to init anything"
             exit 0
           fi
 {{ end }}
@@ -197,9 +200,6 @@ spec:
           name: signer-ca
         - mountPath: /etc/openvswitch
           name: etc-openvswitch
-        - mountPath: /usr/share/rpm
-          name: host-usr-share-rpm
-          readOnly: true
         resources:
           requests:
             cpu: 10m
@@ -231,9 +231,9 @@ spec:
           }
           trap cleanup SIGTERM
 
-{{ if .IPsecCheckForLibreswan }}
-          if rpm --dbpath=/usr/share/rpm -q libreswan; then
-            echo "host has libreswan and therefore ipsec will be configured by ipsec host daemonset, this ovn ipsec container will sleep to infinity"
+{{ if .IPsecServiceCheckOnHost }}
+          if chroot /proc/1/root systemctl is-active --quiet ipsec.service; then
+            echo "host has ipsec.service running and therefore ipsec will be configured by ipsec host daemonset, this ovn ipsec container will sleep to infinity"
             sleep infinity
           fi
 {{ end }}
@@ -294,9 +294,6 @@ spec:
           name: host-var-log-ovs
         - mountPath: /etc/openvswitch
           name: etc-openvswitch
-        - mountPath: /usr/share/rpm
-          name: host-usr-share-rpm
-          readOnly: true
         resources:
           requests:
             cpu: 10m
@@ -309,9 +306,9 @@ spec:
             - -c
             - |
               #!/bin/bash
-{{ if .IPsecCheckForLibreswan }}
-              if rpm --dbpath=/usr/share/rpm -q libreswan; then
-                echo "host has libreswan and therefore ipsec will be configured by ipsec host daemonset, this ovn ipsec container is always \"alive\""
+{{ if .IPsecServiceCheckOnHost }}
+              if chroot /proc/1/root systemctl is-active --quiet ipsec.service; then
+                echo "host has ipsec.service running and therefore ipsec will be configured by ipsec host daemonset, this ovn ipsec container is always \"alive\""
                 exit 0
               fi
 {{ end }}
@@ -348,10 +345,6 @@ spec:
       - name: host-cni-netd
         hostPath:
           path: "{{.CNIConfDir}}"
-      - name: host-usr-share-rpm
-        hostPath:
-          path: /usr/share/rpm
-          type: DirectoryOrCreate
       tolerations:
       - operator: "Exists"
 {{end}}

bindata/network/ovn-kubernetes/common/ipsec-host.yaml

@@ -50,9 +50,9 @@ spec:
         - |
           #!/bin/bash
           set -exuo pipefail
-{{ if .IPsecCheckForLibreswan }}
-          if ! rpm --dbpath=/usr/share/rpm -q libreswan; then
-            echo "host doesnt have libreswan, therefore ipsec will be configured by ipsec-containerized daemonset, this ovn ipsec container has nothing to init"
+{{ if .IPsecServiceCheckOnHost }}
+          if ! chroot /proc/1/root systemctl is-active --quiet ipsec.service; then
+            echo "host doesn't have ipsec.service running, therefore ipsec will be configured by ipsec-containerized daemonset, this ovn ipsec container has nothing to init"
             exit 0
           fi
 {{ end }}
@@ -200,9 +200,6 @@ spec:
           name: etc-openvswitch
         - mountPath: /etc
           name: host-etc
-        - mountPath: /usr/share/rpm
-          name: host-usr-share-rpm
-          readOnly: true
         resources:
           requests:
             cpu: 10m
@@ -219,9 +216,9 @@ spec:
           #!/bin/bash
           set -exuo pipefail
 
-{{ if .IPsecCheckForLibreswan }}
-          if ! rpm --dbpath=/usr/share/rpm -q libreswan; then
-            echo "host doesnt have libreswan, therefore ipsec will be configured by ipsec-containerized daemonset, this ovn ipsec container will sleep to infinity"
+{{ if .IPsecServiceCheckOnHost }}
+          if ! chroot /proc/1/root systemctl is-active --quiet ipsec.service; then
+            echo "host doesn't have ipsec.service running, therefore ipsec will be configured by ipsec-containerized daemonset, this ovn ipsec container will sleep to infinity"
             sleep infinity
           fi
 {{ end }}
@@ -301,9 +298,9 @@ spec:
                    # In order to maintain traffic flows during container restart, we
                    # need to ensure that xfrm state and policies are not flushed.
 
-{{ if .IPsecCheckForLibreswan }}
-                   if ! rpm --dbpath=/usr/share/rpm -q libreswan; then
-                     echo "host doesnt have libreswan, therefore ipsec will be configured by ipsec-containerized daemonset, preStop wont do anything"
+{{ if .IPsecServiceCheckOnHost }}
+                   if ! chroot /proc/1/root systemctl is-active --quiet ipsec.service; then
+                     echo "host doesn't have ipsec.service running, therefore ipsec will be configured by ipsec-containerized daemonset, preStop wont do anything"
                      exit 0
                    fi
 {{ end }}
@@ -335,9 +332,6 @@ spec:
           name: usr-sbin
         - mountPath: /usr/libexec
           name: usr-libexec
-        - mountPath: /usr/share/rpm
-          name: host-usr-share-rpm
-          readOnly: true
         resources:
           requests:
             cpu: 10m
@@ -350,9 +344,9 @@ spec:
             - -c
             - |
               #!/bin/bash
-{{ if .IPsecCheckForLibreswan }}
-              if ! rpm --dbpath=/usr/share/rpm -q libreswan; then
-                echo "host doesnt have libreswan, therefore ipsec will be configured by ipsec-containerized daemonset, this ovn ipsec container is always \"alive\""
+{{ if .IPsecServiceCheckOnHost }}
+              if ! chroot /proc/1/root systemctl is-active --quiet ipsec.service; then
+                echo "host doesn't have ipsec.service running, therefore ipsec will be configured by ipsec-containerized daemonset, this ovn ipsec container is always \"alive\""
                 exit 0
               fi
 {{ end }}
@@ -541,10 +535,6 @@ spec:
           path: /usr/libexec
           type: Directory
         name: usr-libexec
-      - name: host-usr-share-rpm
-        hostPath:
-          path: /usr/share/rpm
-          type: DirectoryOrCreate
       tolerations:
       - operator: "Exists"
 {{end}}

pkg/network/ovn_kubernetes.go

@@ -292,7 +292,7 @@ func renderOVNKubernetes(conf *operv1.NetworkSpec, bootstrapResult *bootstrap.Bo
 	data.Data["IPsecMachineConfigEnable"] = IPsecMachineConfigEnable
 	data.Data["OVNIPsecDaemonsetEnable"] = OVNIPsecDaemonsetEnable
 	data.Data["OVNIPsecEnable"] = OVNIPsecEnable
-	data.Data["IPsecCheckForLibreswan"] = renderIPsecHostDaemonSet && renderIPsecContainerizedDaemonSet
+	data.Data["IPsecServiceCheckOnHost"] = renderIPsecHostDaemonSet && renderIPsecContainerizedDaemonSet
 
 	klog.V(5).Infof("IPsec: is MachineConfig enabled: %v, is East-West DaemonSet enabled: %v", data.Data["IPsecMachineConfigEnable"], data.Data["OVNIPsecDaemonsetEnable"])