CentOS 7 – Installing Openvswitch 2.3.0 LTS

Update: If using Openvswitch 2.3.1 LTS please visit my new post.

Well, summer is ending, but the summer brought us CentOS 7 and Openvswitch 2.3 Long-Term Support.

Openvswitch’s kernel module is already available in CentOS 7’s 3.10 kernel (also for CentOS 6), so this time I’m only preparing the rpm package to install the command-line tools (e.g. ovs-vsctl). I’ve found some issues with CentOS 7 and Openvswitch 2.3.0, but maybe they will be solved in the future and the rpm generation will be as easy as always, thanks to Nicira. In any case I’m offering you this post; maybe it can help you.

Let’s start. For the first part we’re creating a user and downloading openvswitch as we’ve done with previous Openvswitch releases.

[root@herge ~]# yum -y install wget openssl-devel kernel-devel
[root@herge ~]# yum groupinstall "Development Tools"
[root@herge ~]# adduser ovswitch
[root@herge ~]# su - ovswitch
[ovswitch@herge ~]$ wget http://openvswitch.org/releases/openvswitch-2.3.0.tar.gz
[ovswitch@herge ~]$ tar xfz openvswitch-2.3.0.tar.gz
[ovswitch@herge ~]$ mkdir -p ~/rpmbuild/SOURCES

Now we’re removing the openvswitch-kmod package dependency from the spec file offered by Nicira and creating a new spec file.

[ovswitch@herge ~]$ sed 's/openvswitch-kmod, //g' openvswitch-2.3.0/rhel/openvswitch.spec > openvswitch-2.3.0/rhel/openvswitch_no_kmod.spec

OK. Now we have two options. In the first one I create the package without tests. I don’t like it, but if you can’t be patient... Option 2 is the one I prefer; I’ll try to contact the openvswitch developers so they can apply the change I suggest.

  1. Let’s create the openvswitch rpm package, but we’re going to skip the tests. Be warned: I don’t know if the openvswitch package will work 100%, I haven’t tested it, but the rpm will be generated and you should be able to install it. That’s the end of this option; jump to the final section where we start the openvswitch service.
    [ovswitch@herge ~]$ cp openvswitch-2.3.0.tar.gz ~/rpmbuild/SOURCES/
    [ovswitch@herge ~]$ rpmbuild -bb --without check ~/openvswitch-2.3.0/rhel/openvswitch_no_kmod.spec
    [ovswitch@herge ~]$ exit
    [root@herge ~]# yum localinstall /home/ovswitch/rpmbuild/RPMS/x86_64/openvswitch-2.3.0-1.x86_64.rpm
  2. Let’s create the rpm package, but first we’re going to solve the tests issue. If you run rpmbuild -bb you may find errors about some tests failing. The tests fail because of an SSL issue. It seems that the ovs-pki tool generates certificates using MD5, which is considered an insecure algorithm, and this error will be logged: "SSL_connect error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm". We’re going to change one file so that we can run the tests, and then install the package. If you’ve disabled SELinux, jump to the final section; if not, continue reading.
    [ovswitch@herge ~]$ rm openvswitch-2.3.0.tar.gz
    [ovswitch@herge ~]$ mv openvswitch-2.3.0/utilities/ovs-pki.in openvswitch-2.3.0/utilities/ovs-pki.tmp
    [ovswitch@herge ~]$ sed 's/md5/sha1/g' openvswitch-2.3.0/utilities/ovs-pki.tmp > openvswitch-2.3.0/utilities/ovs-pki.in
    [ovswitch@herge ~]$ tar czvf ~/rpmbuild/SOURCES/openvswitch-2.3.0.tar.gz openvswitch-2.3.0/
    [ovswitch@herge ~]$ rpmbuild -bb ~/openvswitch-2.3.0/rhel/openvswitch_no_kmod.spec
    [ovswitch@herge ~]$ exit
    [root@herge ~]# yum localinstall /home/ovswitch/rpmbuild/RPMS/x86_64/openvswitch-2.3.0-1.x86_64.rpm

    I like SELinux, so I try to keep it enabled and play with setroubleshoot and sealert to find a way to solve SELinux issues. If you try to start the service you’ll find some errors: "install: cannot change owner and permissions of ‘/etc/openvswitch’: No such file or directory" and "Creating empty database /etc/openvswitch/conf.db ovsdb-tool: I/O error: /etc/openvswitch/conf.db: failed to lock lockfile (No such file or directory)". This is how I solved them:

    [root@herge ~]# mkdir /etc/openvswitch
    [root@herge ~]# semanage fcontext -a -t openvswitch_rw_t "/etc/openvswitch(/.*)?"
    [root@herge ~]# restorecon -Rv /etc/openvswitch
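
The sed in option 2 replaces every occurrence of the string md5 in ovs-pki.in and moves to SHA-1, which has since been deprecated for certificate signatures as well. The following added example (not part of the original post or of Open vSwitch) goes a step further than that sed: it rewrites only the digest directives, refuses weak digests, and shows how to read the signature algorithm of a generated certificate. It assumes the digest is set by OpenSSL-config `default_md = <name>` lines; the function names and the sample file are constructed for illustration, and whether the 2.3.0 test suite passes with a digest other than sha1 is not verified here.

```shell
#!/bin/sh
# Added example (not from the post): audit and patch digest directives in an
# ovs-pki template. Assumption: the digest is selected by OpenSSL-config
# "default_md = <name>" lines inside the file.

# Print "lineno:digest" for every default_md directive in file $1.
list_digests() {
    grep -nE '^[[:space:]]*default_md[[:space:]]*=' "$1" |
        sed 's/^\([0-9]*\):[^=]*=[[:space:]]*\([A-Za-z0-9-]*\).*/\1:\2/'
}

# Succeed only if no directive in $1 selects a broken or deprecated digest.
no_weak_digest() {
    ! list_digests "$1" | grep -Eiq ':(md2|md4|md5|sha1)$'
}

# Copy $1 to $3 with every default_md directive set to digest $2.
set_digest() {
    case "$2" in
        sha256|sha384|sha512) ;;
        *) echo "refusing digest '$2'" >&2; return 2 ;;
    esac
    sed "s/^\([[:space:]]*default_md[[:space:]]*=[[:space:]]*\)[A-Za-z0-9-]*/\1$2/" "$1" > "$3"
}

# Signature algorithm of a PEM certificate, e.g. one produced by ovs-pki.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Constructed stand-in for the relevant part of ovs-pki.in.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample; the string md5 in this comment must stay untouched
[ req ]
default_md = md5
[ CA_default ]
default_md     = md5                   # md to use
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/ovs-pki.in"
list_digests "$tmp/ovs-pki.in"                      # 3:md5 and 5:md5
set_digest "$tmp/ovs-pki.in" sha256 "$tmp/ovs-pki.patched"
no_weak_digest "$tmp/ovs-pki.patched" && echo "no weak digest left"
rm -rf "$tmp"
```

After installing the package, running cert_sigalg on a certificate created by ovs-pki confirms which digest actually ended up in the signature.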

Final section! We’ve created the rpm package, so we’re going to start the openvswitch service using systemctl, the new way to start and stop services.

[root@herge ~]# systemctl start openvswitch.service
[root@herge ~]# systemctl -l status openvswitch.service
openvswitch.service - LSB: Open vSwitch switch
Loaded: loaded (/etc/rc.d/init.d/openvswitch)
Active: active (running) since jue 2014-09-04 20:07:02 CEST; 4s ago
Process: 5419 ExecStop=/etc/rc.d/init.d/openvswitch stop (code=exited, status=0/SUCCESS)
Process: 5474 ExecStart=/etc/rc.d/init.d/openvswitch start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/openvswitch.service
├─5496 ovsdb-server: monitoring pid 5497 (healthy) 
├─5497 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --no-chdir --log-file=/var/log/openvswitch/ovsdb-server.log --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach --monitor
├─5506 ovs-vswitchd: monitoring pid 5507 (healthy) 
└─5507 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach --monitor
sep 04 20:07:02 herge.artemit.com.es systemd[1]: Starting LSB: Open vSwitch switch...
sep 04 20:07:02 herge.artemit.com.es openvswitch[5474]: Starting ovsdb-server [ OK ]
sep 04 20:07:02 herge.artemit.com.es ovs-vsctl[5498]: ovs|00001|vsctl|INFO|Called as ovs-vsctl --no-wait -- init -- set Open_vSwitch . db-version=7.6.0
sep 04 20:07:02 herge.artemit.com.es ovs-vsctl[5503]: ovs|00001|vsctl|INFO|Called as ovs-vsctl --no-wait set Open_vSwitch . ovs-version=2.3.0 "external-ids:system-id=\"4f7759f2-19e9-4be0-8960-c19c124a4528\"" "system-type=\"unknown\"" "system-version=\"unknown\""
sep 04 20:07:02 herge.artemit.com.es openvswitch[5474]: Configuring Open vSwitch system IDs [ OK ]
sep 04 20:07:02 herge.artemit.com.es openvswitch[5474]: Starting ovs-vswitchd [ OK ]
sep 04 20:07:02 herge.artemit.com.es openvswitch[5474]: Enabling remote OVSDB managers [ OK ]

And the openvswitch 2.3.0 tools are ready on my CentOS 7 host. If you have doubts about using the kernel’s own module instead of compiling the openvswitch kernel module, please read the Releases section in the Openvswitch FAQ.

Thanks for reading!