CentOS 7 – Installing Openvswitch 2.3.0 LTS

Update: If using Openvswitch 2.3.1 LTS please visit my new post.

Well, summer is ending, but the summer brought us CentOS 7 and Openvswitch 2.3 Long-Term Support.

Openvswitch’s kernel module is already available in CentOS 7’s 3.10 kernel (also for CentOS 6), so this time I’m only preparing the rpm package to install the command-line tools (e.g. ovs-vsctl). I’ve found some issues with CentOS 7 and Openvswitch version 2.3.0, but maybe they will be solved in the future and the rpm generation will be as easy as always, thanks to Nicira. In any case I’m offering you this post; maybe it can help you.

Let’s start. For the first part we’re creating a user and downloading openvswitch as we’ve done with previous Openvswitch releases.

[root@herge ~]# yum -y install wget openssl-devel kernel-devel
[root@herge ~]# yum groupinstall "Development Tools"
[root@herge ~]# adduser ovswitch
[root@herge ~]# su - ovswitch
[ovswitch@herge ~]$ wget http://openvswitch.org/releases/openvswitch-2.3.0.tar.gz
[ovswitch@herge ~]$ tar xfz openvswitch-2.3.0.tar.gz
[ovswitch@herge ~]$ mkdir -p ~/rpmbuild/SOURCES
[ovswitch@herge ~]$ cp openvswitch-2.3.0.tar.gz ~/rpmbuild/SOURCES/

Now we’re removing the openvswitch-kmod package dependency from the spec file offered by Nicira and creating a new spec file.

[ovswitch@herge ~]$ sed 's/openvswitch-kmod, //g' openvswitch-2.3.0/rhel/openvswitch.spec > openvswitch-2.3.0/rhel/openvswitch_no_kmod.spec

OK. Now we have two options. In the first one I create the package without tests. I don’t like it, but if you can’t be patient… Option 2 is the one I prefer. I’ll try to contact the openvswitch developers so they can apply the change I suggest.

  1. Let’s create the openvswitch rpm package, but we’re going to skip the tests. Be warned: I don’t know if the openvswitch package will work 100%, I haven’t tested it, but the rpm will be generated and you should be able to install it. That’s the end of this option; jump to the final section where we start the openvswitch service.
    [ovswitch@herge ~]$ rpmbuild -bb --without check ~/openvswitch-2.3.0/rhel/openvswitch_no_kmod.spec
    [ovswitch@herge ~]$ exit
    [root@herge ~]# yum localinstall /home/ovswitch/rpmbuild/RPMS/x86_64/openvswitch-2.3.0-1.x86_64.rpm
  2. Let’s create the rpm package, but first we’re going to solve the tests issue. If you run rpmbuild -bb you may find errors about some tests failing. The tests fail because of an SSL issue: it seems that the ovs-pki tool generates certificates using MD5, which is considered an insecure algorithm, and the error "SSL_connect error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm" will be logged. We’re going to change a file so we can run the tests and install the package. If you’ve disabled SELinux jump to the final section; if not, continue reading.
    [ovswitch@herge ~]$ rm openvswitch-2.3.0.tar.gz
    [ovswitch@herge ~]$ mv openvswitch-2.3.0/utilities/ovs-pki.in openvswitch-2.3.0/utilities/ovs-pki.tmp
    [ovswitch@herge ~]$ sed 's/md5/sha1/g' openvswitch-2.3.0/utilities/ovs-pki.tmp > openvswitch-2.3.0/utilities/ovs-pki.in
    [ovswitch@herge ~]$ tar czvf ~/rpmbuild/SOURCES/openvswitch-2.3.0.tar.gz openvswitch-2.3.0/
    [ovswitch@herge ~]$ rpmbuild -bb ~/openvswitch-2.3.0/rhel/openvswitch_no_kmod.spec
    [ovswitch@herge ~]$ exit
    [root@herge ~]# yum localinstall /home/ovswitch/rpmbuild/RPMS/x86_64/openvswitch-2.3.0-1.x86_64.rpm

    I like SELinux, so I try to keep it enabled and play with setroubleshoot and sealert to find a way to solve SELinux issues. If you try to start the service you’ll find some errors: "install: cannot change owner and permissions of ‘/etc/openvswitch’: No such file or directory" and "Creating empty database /etc/openvswitch/conf.db ovsdb-tool: I/O error: /etc/openvswitch/conf.db: failed to lock lockfile (No such file or directory)". This is how I solved them:

    [root@herge ~]# mkdir /etc/openvswitch
    [root@herge ~]# semanage fcontext -a -t openvswitch_rw_t "/etc/openvswitch(/.*)?"
    [root@herge ~]# restorecon -Rv /etc/openvswitch
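
An added example, not part of the original post: a small shell audit for the digest issue in option 2. It flags `default_md` settings in an ovs-pki-style file and classifies signature-algorithm names, showing that the md5 to sha1 substitution gets past the test failure but leaves a digest that is itself deprecated for certificate signatures. The sample file is constructed and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: audit the digest used by an ovs-pki-style script or a certificate.

# Classify a digest or signature-algorithm name, e.g. "md5",
# "sha1WithRSAEncryption", "sha256WithRSAEncryption".
digest_strength() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *md2*|*md4*|*md5*)                   echo broken ;;      # the digest behind the test failures
        *sha1*)                              echo deprecated ;;  # no longer accepted for new certificates
        *sha224*|*sha256*|*sha384*|*sha512*) echo ok ;;
        *)                                   echo unknown ;;
    esac
}

# Print "LINE:DIGEST:STRENGTH" for every default_md setting in a file.
audit_default_md() {
    grep -nE '^[[:space:]]*default_md[[:space:]]*=' "$1" |
    while IFS= read -r hit; do
        lineno=${hit%%:*}
        md=$(printf '%s\n' "${hit#*:}" |
             sed -E 's/^[^=]*=[[:space:]]*([A-Za-z0-9]+).*/\1/')
        echo "$lineno:$md:$(digest_strength "$md")"
    done
}

# Print the signature algorithm of a PEM certificate (requires openssl).
cert_sigalg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Constructed sample standing in for the relevant part of ovs-pki.in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[ CA_default ]
default_days = 3650
default_md = md5   # md to use
EOF

audit_default_md "$sample"                      # before the edit
sed 's/md5/sha1/g' "$sample" > "$sample.sha1"   # the substitution used in option 2
audit_default_md "$sample.sha1"                 # after the edit
```

Passing the output of `cert_sigalg` for a certificate issued by ovs-pki to `digest_strength` confirms which digest the built package actually signs with.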

Final section! We’ve created the rpm package, so we’re going to start the openvswitch service using systemctl, the new way to start and stop services.

[root@herge ~]# systemctl start openvswitch.service
[root@herge ~]# systemctl -l status openvswitch.service
openvswitch.service - LSB: Open vSwitch switch
Loaded: loaded (/etc/rc.d/init.d/openvswitch)
Active: active (running) since jue 2014-09-04 20:07:02 CEST; 4s ago
Process: 5419 ExecStop=/etc/rc.d/init.d/openvswitch stop (code=exited, status=0/SUCCESS)
Process: 5474 ExecStart=/etc/rc.d/init.d/openvswitch start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/openvswitch.service
├─5496 ovsdb-server: monitoring pid 5497 (healthy) 
├─5497 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --no-chdir --log-file=/var/log/openvswitch/ovsdb-server.log --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach --monitor
├─5506 ovs-vswitchd: monitoring pid 5507 (healthy) 
└─5507 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach --monitor
sep 04 20:07:02 herge.artemit.com.es systemd[1]: Starting LSB: Open vSwitch switch...
sep 04 20:07:02 herge.artemit.com.es openvswitch[5474]: Starting ovsdb-server [ OK ]
sep 04 20:07:02 herge.artemit.com.es ovs-vsctl[5498]: ovs|00001|vsctl|INFO|Called as ovs-vsctl --no-wait -- init -- set Open_vSwitch . db-version=7.6.0
sep 04 20:07:02 herge.artemit.com.es ovs-vsctl[5503]: ovs|00001|vsctl|INFO|Called as ovs-vsctl --no-wait set Open_vSwitch . ovs-version=2.3.0 "external-ids:system-id=\"4f7759f2-19e9-4be0-8960-c19c124a4528\"" "system-type=\"unknown\"" "system-version=\"unknown\""
sep 04 20:07:02 herge.artemit.com.es openvswitch[5474]: Configuring Open vSwitch system IDs [ OK ]
sep 04 20:07:02 herge.artemit.com.es openvswitch[5474]: Starting ovs-vswitchd [ OK ]
sep 04 20:07:02 herge.artemit.com.es openvswitch[5474]: Enabling remote OVSDB managers [ OK ]

And the openvswitch 2.3.0 tools are ready on my CentOS 7 host. If you have doubts about using the in-kernel module instead of compiling the openvswitch kernel module, please read the Releases section in the Openvswitch FAQ.

Thanks for reading!

11 thoughts on “CentOS 7 – Installing Openvswitch 2.3.0 LTS”

  1. Maxwell Bottiger says:

    Thanks a lot for this write up! The hacks to fix the kmod requirement and the pki tool were a huge time saver.

    For whatever reason my copy of your tar command didn’t generate a valid archive file, so I changed my line to look like this:
    tar czvf ~/rpmbuild/SOURCES/openvswitch-2.3.0.tar.gz openvswitch-2.3.0/

    That worked fine, but I probably just didn’t cut and paste your example correctly.

    Cheers!

    • n40lab says:

      Thanks a lot for your comment, I’m glad the post has helped you. I’m going to change the line about openvswitch compression step with yours, that way we get the gzip file quicker. Cheers!

  2. Anonymous says:

    THANK YOU…. This information was very informative and valuable as I now have a working openvswitch configuration.

      • gstanden says:

        Just FYI… I re-verified my procedures for the deb builds and concluded that the MD5 / SHA1 issue with ovs-pki.in is not relevant to the 2.5.1 build of openvswitch. Not sure why the SSL tests had an issue in the openvswitch testsuite on my 2.5.1 build last night (late hours, maybe some other issue). I tested it 2X and the build runs fine as designed with no edits needed.
