Remove IPSec tunnel limitation #2489
Conversation
luolanzone
force-pushed
the
ipsec-vxlan
branch
2 times, most recently
from
d145bfd
to
fa00c64
Compare
Codecov Report
@@ Coverage Diff @@
## main #2489 +/- ##
===========================================
+ Coverage 42.51% 53.75% +11.23%
===========================================
Files 148 283 +135
Lines 18247 22455 +4208
===========================================
+ Hits 7758 12070 +4312
+ Misses 9789 9099 -690
- Partials 700 1286 +586
Flags with carried forward coverage won't be shown. Click here to find out more.
|
luolanzone
changed the title
docs/ipsec-tunnel.md
Outdated
| moment, IPsec encyption works only for GRE tunnel (but not Geneve, VXLAN, and | ||
| STT tunnel types). | ||
| Antrea supports encrypting tunnel traffic across Nodes with IPsec ESP. | ||
| IPsec encyption works for all OVS supported tunnel including GRE, Geneve, |
There was a problem hiding this comment.
Then move Geneve to the be first, before GRE.
luolanzone
force-pushed
the
ipsec-vxlan
branch
from
7d50614
to
4d7473b
Compare
|
/test-all |
|
/test-ipv6-all |
|
/test-ipv6-only-all |
|
@jianjuns e2e test failed on CI testbed with IPsec+Geneve mode , after double check in my local clusters, it turns out it's kernel version issue, I test in one cluster with ubuntu 18.04.3 which has kernel version 4.15.0-66 failed, but another one with 4.15.0-143 passed. I suppose we need to update docs to point out the kernel version to support different tunnel mode. any other suggestion for this kind of requirement? |
|
I think we need to figure out from exact what kernel version or with what kernel change Geneve can pass. I am surprised it can change from 4.15.0-66 to 4.15.0-143. |
|
@jianjuns yes, I will figure out what's changed or required, I was actually running 'apt-get upgrade', so I suspect maybe it's some software upgrades fix it. but I need time to check. |
|
Hi @jianjuns the change or fix is introduced in this commit: https://kernel.ubuntu.com/git/ubuntu/ubuntu-bionic.git/commit/?id=be556894e8eaefd5d21690d56614d76e45786ecb, I verified it on my local cluster, for ubuntu 18.04, it has to be a version after 4.15.0-124. if we use Geneve as default tunnel for IPSec, we have to upgrade the e2e environment to pass it. do you think it's OK to still keep the old setting to use IPSec+GRE so we can run e2e without testbed change? |
|
@luolanzone: thanks for the update! Given Geneve and others are not supported by earlier kernel version, I think still better to keep GRE to be the default for antrea-ipsec.yml, and test GRE in CI. I first thought we should update CI testbed to support Geneve + IPsec, but even we update testbed do we want to run tests for both GRE and Geneve? @antoninbas : thoughts? |
I feel like it's ok to test a single transport (GRE) since the code is the same on the Antrea side. Just like we run pretty much all of our testing with Geneve (there are some leftover tests for VXLAN, but it won't necessarily always be the case). We should document the kernel version requirements for using IPsec + Geneve though. |
luolanzone
force-pushed
the
ipsec-vxlan
branch
from
4d7473b
to
8084d87
Compare
|
Hi @antoninbas @jianjuns , I change the manifest back to use GRE with IPSec, and update the doc |
docs/ipsec-tunnel.md
Outdated
|
|
||
| ## Prerequisites | ||
|
|
||
| IPsec requires a set of Linux kernel modules. Check the required kernel modules | ||
| listed in the [strongSwan documentation](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules). | ||
| Make sure the required kernel modules are loaded on the Kubernetes Nodes before | ||
| deploying Antrea with IPsec encyption enabled. | ||
|
|
||
| If you want to enable IPsec with Geneve, please make sure [this commit](https://github.com/torvalds/linux/commit/34beb21594519ce64a55a498c2fe7d567bc1ca20) is included |
There was a problem hiding this comment.
So do VXLAN and STT work with older 18.04 versions, without the commit?
There was a problem hiding this comment.
Add a new line before this paragraph.
There was a problem hiding this comment.
yes, VXLAN works, STT module is not in the Linux tree, so need extra step to install it manually from source, I have updated here last time, let me add it here as well.
There was a problem hiding this comment.
I do not see you added a new line.
There was a problem hiding this comment.
ah, misunderstood the new line, I added it before ## Installation, will add it.
docs/ipsec-tunnel.md
Outdated
|
|
||
| ## Prerequisites | ||
|
|
||
| IPsec requires a set of Linux kernel modules. Check the required kernel modules | ||
| listed in the [strongSwan documentation](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules). | ||
| Make sure the required kernel modules are loaded on the Kubernetes Nodes before | ||
| deploying Antrea with IPsec encyption enabled. | ||
|
|
||
| If you want to enable IPsec with Geneve, please make sure [this commit](https://github.com/torvalds/linux/commit/34beb21594519ce64a55a498c2fe7d567bc1ca20) is included | ||
| in your kernel. for Ubuntu 18.04, it should be a version after 4.15.0-124. for Ubuntu 20.04, it should be a version after 5.4.67. |
luolanzone
force-pushed
the
ipsec-vxlan
branch
from
8084d87
to
a306b94
Compare
docs/ipsec-tunnel.md
Outdated
|
|
||
| ## Prerequisites | ||
|
|
||
| IPsec requires a set of Linux kernel modules. Check the required kernel modules | ||
| listed in the [strongSwan documentation](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules). | ||
| Make sure the required kernel modules are loaded on the Kubernetes Nodes before | ||
| deploying Antrea with IPsec encyption enabled. | ||
| If you want to enable IPsec with Geneve, please make sure [this commit](https://github.com/torvalds/linux/commit/34beb21594519ce64a55a498c2fe7d567bc1ca20) is included | ||
| in your kernel. For Ubuntu 18.04, it should be a version after `4.15.0-124`. For Ubuntu 20.04, it should be a version after `5.4.67`. | ||
| If you'd like to enable IPSec with STT, please be ware that the `vport-stt` module is not in the Linux tree and needs to be built from source, please build and load it manually before IPSec with STT tunneling is enabled. |
There was a problem hiding this comment.
I feel no need to mention the STT prerequisite here. It is documented in getting-started already.
docs/ipsec-tunnel.md
Outdated
|
|
||
| ## Prerequisites | ||
|
|
||
| IPsec requires a set of Linux kernel modules. Check the required kernel modules | ||
| listed in the [strongSwan documentation](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules). | ||
| Make sure the required kernel modules are loaded on the Kubernetes Nodes before | ||
| deploying Antrea with IPsec encyption enabled. | ||
|
|
||
| If you want to enable IPsec with Geneve, please make sure [this commit](https://github.com/torvalds/linux/commit/34beb21594519ce64a55a498c2fe7d567bc1ca20) is included |
There was a problem hiding this comment.
I do not see you added a new line.
luolanzone
force-pushed
the
ipsec-vxlan
branch
from
a306b94
to
fdb5457
Compare
|
/test-all /test-ipv6-all /test-ipv6-only-all |
docs/ipsec-tunnel.md
Outdated
| moment, IPsec encyption works only for GRE tunnel (but not Geneve, VXLAN, and | ||
| STT tunnel types). | ||
| Antrea supports encrypting tunnel traffic across Nodes with IPsec ESP. | ||
| IPsec encyption works for all OVS supported tunnel including Geneve, GRE, |
There was a problem hiding this comment.
| IPsec encyption works for all OVS supported tunnel including Geneve, GRE, | |
| IPsec encyption works for all tunnel types supported by OVS including Geneve, GRE, |
docs/ipsec-tunnel.md
Outdated
| @@ -11,6 +11,9 @@ listed in the [strongSwan documentation](https://wiki.strongswan.org/projects/st | |||
| Make sure the required kernel modules are loaded on the Kubernetes Nodes before | |||
| deploying Antrea with IPsec encyption enabled. | |||
|
|
|||
| If you want to enable IPsec with Geneve, please make sure [this commit](https://github.com/torvalds/linux/commit/34beb21594519ce64a55a498c2fe7d567bc1ca20) is included | |||
| in your kernel. For Ubuntu 18.04, it should be a version after `4.15.0-124`. For Ubuntu 20.04, it should be a version after `5.4.67`. | |||
docs/ipsec-tunnel.md
Outdated
| @@ -11,6 +11,9 @@ listed in the [strongSwan documentation](https://wiki.strongswan.org/projects/st | |||
| Make sure the required kernel modules are loaded on the Kubernetes Nodes before | |||
| deploying Antrea with IPsec encyption enabled. | |||
|
|
|||
| If you want to enable IPsec with Geneve, please make sure [this commit](https://github.com/torvalds/linux/commit/34beb21594519ce64a55a498c2fe7d567bc1ca20) is included | |||
| in your kernel. For Ubuntu 18.04, it should be a version after `4.15.0-124`. For Ubuntu 20.04, it should be a version after `5.4.67`. | |||
There was a problem hiding this comment.
s/it should be a version after/kernel version should be at least
(both occurrences)
(assuming that 4.15.0-124 itself includes the patch, but typically the provided version number is the first one which includes the required patch).
There was a problem hiding this comment.
Ok, there are kernel version tags like 4.15.0-125 and 5.4.68, but I can't get them from apt list. so minimum working version should be 4.15.0-128 and 5.4.70. let me correct it.
this PR is based on antrea-io#2486 and I verified all tunnel modes with IPSec in K8s Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code. Signed-off-by: Lan Luo <luola@vmware.com>
luolanzone
force-pushed
the
ipsec-vxlan
branch
from
fdb5457
to
1858113
Compare
|
/skip-all |
We have verified that all tunnel types can be used for IPsec. When using Geneve though, a recent enough kernel version is required. Signed-off-by: Lan Luo <luola@vmware.com>
I was trying to enable IPSec with VxLAN tunnel, after verify the traffic in real cluster, it turns out Antrea can actually support all tunnel modes now without much code changes.
I verified all tunnel modes with IPSec in a local Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code.
resolves #2468