[ovs-dev] [PATCH v3 3/5] ipsec: Allow custom file locations

Mark Gray mark.d.gray at redhat.com
Thu Apr 1 13:58:26 UTC 2021


"ovs_monitor_ipsec" assumes certain file locations for a number
of Libreswan objects. This patch allows these locations to be
configurable at startup in the Libreswan case.

This additional flexibility enables system testing for
OVS IPsec.

Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Acked-by: Aaron Conole <aconole at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
---
v2: removed unneeded '+' operator, moved libreswan arg parsing
 ipsec/ovs-monitor-ipsec.in | 103 ++++++++++++++++++++++++++++---------
 1 file changed, 80 insertions(+), 23 deletions(-)

diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
index 668507fd37dd..a9542477577d 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -445,12 +445,26 @@ conn prevent_unencrypted_vxlan
     CERT_PREFIX = "ovs_cert_"
     CERTKEY_PREFIX = "ovs_certkey_"
 
-    def __init__(self, libreswan_root_prefix):
+    def __init__(self, libreswan_root_prefix, args):
+        ipsec_conf = args.ipsec_conf if args.ipsec_conf else "/etc/ipsec.conf"
+        ipsec_d = args.ipsec_d if args.ipsec_d else "/etc/ipsec.d"
+        ipsec_secrets = (args.ipsec_secrets if args.ipsec_secrets
+                        else "/etc/ipsec.secrets")
+        ipsec_ctl = (args.ipsec_ctl if args.ipsec_ctl
+                        else "/run/pluto/pluto.ctl")
+
         self.IPSEC = libreswan_root_prefix + "/usr/sbin/ipsec"
-        self.IPSEC_CONF = libreswan_root_prefix + "/etc/ipsec.conf"
-        self.IPSEC_SECRETS = libreswan_root_prefix + "/etc/ipsec.secrets"
+        self.IPSEC_CONF = libreswan_root_prefix + ipsec_conf
+        self.IPSEC_SECRETS = libreswan_root_prefix + ipsec_secrets
+        self.IPSEC_D = "sql:" + libreswan_root_prefix + ipsec_d
+        self.IPSEC_CTL = libreswan_root_prefix + ipsec_ctl
         self.conf_file = None
         self.secrets_file = None
+        vlog.dbg("Using: " + self.IPSEC)
+        vlog.dbg("Configuration file: " + self.IPSEC_CONF)
+        vlog.dbg("Secrets file: " + self.IPSEC_SECRETS)
+        vlog.dbg("ipsec.d: " + self.IPSEC_D)
+        vlog.dbg("Pluto socket: " + self.IPSEC_CTL)
 
     def restart_ike_daemon(self):
         """This function restarts LibreSwan."""
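Review bot: The four custom locations read from `args` in `__init__` are glued onto `libreswan_root_prefix` with plain `+` and never checked, so a relative value such as `--ipsec-secrets ipsec.secrets` resolves against the daemon's working directory, and the secrets file (presumably the one this helper later writes tunnel keys into via `self.secrets_file`) can end up somewhere unintended and possibly world-readable; likewise, because `"sql:"` is prepended unconditionally, `--ipsec-d sql:/var/lib/ipsec/nss` silently becomes `sql:sql:/var/lib/ipsec/nss`. I'd reject bad values once, before the paths are built: `for p in (ipsec_conf, ipsec_d, ipsec_secrets, ipsec_ctl):` / `    if not p.startswith("/"):` / `        raise ValueError("IPsec paths must be absolute: %s" % p)`. The `class` line for this helper is above the hunk; the `vlog.dbg` lines are fine as they log only paths, not contents.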
@@ -548,7 +562,8 @@ conn prevent_unencrypted_vxlan
 
     def refresh(self, monitor):
         vlog.info("Refreshing LibreSwan configuration")
-        subprocess.call([self.IPSEC, "auto", "--rereadsecrets"])
+        subprocess.call([self.IPSEC, "auto", "--ctlsocket", self.IPSEC_CTL,
+                        "--config", self.IPSEC_CONF, "--rereadsecrets"])
         tunnels = set(monitor.tunnels.keys())
 
         # Delete old connections
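Review bot: The return code of the `--rereadsecrets` call is still dropped, and with a user-supplied `--ipsec-ctl` a mistyped socket path now makes every whack command fail while the monitor keeps reporting a successful refresh. I'd change the call to `if subprocess.call([...]) != 0:` / `    vlog.warn("ipsec auto --rereadsecrets failed (socket %s)" % self.IPSEC_CTL)`. Separately, if I recall Libreswan correctly pluto picks the secrets file it rereads from its own `config setup` (`secretsfile=`), not from the `--ipsec-secrets` value passed here, so a custom secrets path that is not mirrored in ipsec.conf leaves pluto reading the default while the monitor writes elsewhere; worth a comment such as `# pluto rereads the file named by secretsfile= in ipsec.conf; --ipsec-secrets must match it`. `refresh` continues past this hunk.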
@@ -575,7 +590,9 @@ conn prevent_unencrypted_vxlan
 
                 if not tunnel or tunnel.version != ver:
                     vlog.info("%s is outdated %u" % (conn, ver))
-                    subprocess.call([self.IPSEC, "auto", "--delete", conn])
+                    subprocess.call([self.IPSEC, "auto", "--ctlsocket",
+                                    self.IPSEC_CTL, "--config",
+                                    self.IPSEC_CONF, "--delete", conn])
                 elif ifname in tunnels:
                     tunnels.remove(ifname)
 
@@ -595,22 +612,46 @@ conn prevent_unencrypted_vxlan
         # Update shunt policy if changed
         if monitor.conf_in_use["skb_mark"] != monitor.conf["skb_mark"]:
             if monitor.conf["skb_mark"]:
-                subprocess.call([self.IPSEC, "auto", "--add",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--add",
                             "--asynchronous", "prevent_unencrypted_gre"])
-                subprocess.call([self.IPSEC, "auto", "--add",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--add",
                             "--asynchronous", "prevent_unencrypted_geneve"])
-                subprocess.call([self.IPSEC, "auto", "--add",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--add",
                             "--asynchronous", "prevent_unencrypted_stt"])
-                subprocess.call([self.IPSEC, "auto", "--add",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--add",
                             "--asynchronous", "prevent_unencrypted_vxlan"])
             else:
-                subprocess.call([self.IPSEC, "auto", "--delete",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--delete",
                             "--asynchronous", "prevent_unencrypted_gre"])
-                subprocess.call([self.IPSEC, "auto", "--delete",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--delete",
                             "--asynchronous", "prevent_unencrypted_geneve"])
-                subprocess.call([self.IPSEC, "auto", "--delete",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--delete",
                             "--asynchronous", "prevent_unencrypted_stt"])
-                subprocess.call([self.IPSEC, "auto", "--delete",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--delete",
                             "--asynchronous", "prevent_unencrypted_vxlan"])
             monitor.conf_in_use["skb_mark"] = monitor.conf["skb_mark"]
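Review bot: The eight `subprocess.call` invocations in this hunk now repeat the same five-element prefix, and the prefix is ordered `--config` then `--ctlsocket` here but `--ctlsocket` then `--config` in the `--rereadsecrets` and `--delete` hunks above, which is harmless to libreswan but invites copy-paste drift the next time an option is added; the return codes are also all discarded. A small wrapper on the helper class that owns the prefix, plus a loop over the four protocols, reduces this to a few lines and gives one place to check the exit status. The enclosing `refresh` method starts outside the hunk.
```python
def _ipsec_auto(self, *args):
    """Run 'ipsec auto' against the configured ipsec.conf and pluto socket."""
    return subprocess.call([self.IPSEC, "auto", "--config", self.IPSEC_CONF,
                            "--ctlsocket", self.IPSEC_CTL] + list(args))

# … unchanged: skb_mark comparison …
action = "--add" if monitor.conf["skb_mark"] else "--delete"
for proto in ("gre", "geneve", "stt", "vxlan"):
    if self._ipsec_auto(action, "--asynchronous",
                        "prevent_unencrypted_" + proto) != 0:
        vlog.warn("ipsec auto %s prevent_unencrypted_%s failed" % (action, proto))
```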
 
@@ -622,7 +663,8 @@ conn prevent_unencrypted_vxlan
         sample line from the parsed outpus as <value>. """
 
         conns = {}
-        proc = subprocess.Popen([self.IPSEC, 'status'], stdout=subprocess.PIPE)
+        proc = subprocess.Popen([self.IPSEC, 'status', '--ctlsocket',
+                                self.IPSEC_CTL], stdout=subprocess.PIPE)
 
         while True:
             line = proc.stdout.readline().strip().decode()
@@ -653,7 +695,10 @@ conn prevent_unencrypted_vxlan
         # the "ipsec auto --start" command is lost. Just retry to make sure
         # the command is received by LibreSwan.
         while True:
-            proc = subprocess.Popen([self.IPSEC, "auto", "--start",
+            proc = subprocess.Popen([self.IPSEC, "auto",
+                                    "--config", self.IPSEC_CONF,
+                                    "--ctlsocket", self.IPSEC_CTL,
+                                    "--start",
                                     "--asynchronous", conn],
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE)
@@ -667,7 +712,7 @@ conn prevent_unencrypted_vxlan
         """Remove all OVS IPsec related state from the NSS database"""
         try:
             proc = subprocess.Popen(['certutil', '-L', '-d',
-                                    'sql:/etc/ipsec.d/'],
+                                    self.IPSEC_D],
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE,
                                     universal_newlines=True)
@@ -691,7 +736,7 @@ conn prevent_unencrypted_vxlan
         normal certificate."""
         try:
             proc = subprocess.Popen(['certutil', '-A', '-a', '-i', cert,
-                                    '-d', 'sql:/etc/ipsec.d/', '-n',
+                                    '-d', self.IPSEC_D, '-n',
                                     name, '-t', cert_type],
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE)
@@ -704,7 +749,7 @@ conn prevent_unencrypted_vxlan
     def _nss_delete_cert(self, name):
         try:
             proc = subprocess.Popen(['certutil', '-D', '-d',
-                                    'sql:/etc/ipsec.d/', '-n', name],
+                                    self.IPSEC_D, '-n', name],
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE)
             proc.wait()
@@ -732,7 +777,7 @@ conn prevent_unencrypted_vxlan
 
             # Load p12 file to the database
             proc = subprocess.Popen(['pk12util', '-i', path, '-d',
-                                    'sql:/etc/ipsec.d/', '-W', ''],
+                                    self.IPSEC_D, '-W', ''],
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE)
             proc.wait()
@@ -747,7 +792,7 @@ conn prevent_unencrypted_vxlan
         try:
             # Delete certificate and private key
             proc = subprocess.Popen(['certutil', '-F', '-d',
-                                    'sql:/etc/ipsec.d/', '-n', name],
+                                    self.IPSEC_D, '-n', name],
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE)
             proc.wait()
@@ -949,7 +994,7 @@ class IPsecTunnel(object):
 class IPsecMonitor(object):
     """This class monitors and configures IPsec tunnels"""
 
-    def __init__(self, root_prefix, ike_daemon, restart):
+    def __init__(self, root_prefix, ike_daemon, restart, args):
         self.IPSEC = root_prefix + "/usr/sbin/ipsec"
         self.tunnels = {}
 
@@ -969,7 +1014,7 @@ class IPsecMonitor(object):
         if ike_daemon == "strongswan":
             self.ike_helper = StrongSwanHelper(root_prefix)
         elif ike_daemon == "libreswan":
-            self.ike_helper = LibreSwanHelper(root_prefix)
+            self.ike_helper = LibreSwanHelper(root_prefix, args)
         else:
             vlog.err("The IKE daemon should be strongswan or libreswan.")
             sys.exit(1)
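Review bot: The new `--ipsec-*` options are silently ignored on the strongswan branch, since `StrongSwanHelper(root_prefix)` never sees `args`; an operator who passes `--ipsec-secrets` expecting to relocate the secrets file gets the default location with no indication. I'd warn (or exit) when any of them is set with strongswan: `if ike_daemon == "strongswan" and any((args.ipsec_conf, args.ipsec_d, args.ipsec_secrets, args.ipsec_ctl)):` / `    vlog.warn("--ipsec-conf/--ipsec-d/--ipsec-secrets/--ipsec-ctl are ignored with strongswan")`. The `__init__` this sits in starts in the previous hunk.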
@@ -1227,6 +1272,18 @@ def main():
                         " (either libreswan or strongswan).")
     parser.add_argument("--no-restart-ike-daemon", action='store_true',
                         help="Don't restart the IKE daemon on startup.")
+    parser.add_argument("--ipsec-conf", metavar="IPSEC-CONF",
+                        help="Use DIR/IPSEC-CONF as location for "
+                        " ipsec.conf (libreswan only).")
+    parser.add_argument("--ipsec-d", metavar="IPSEC-D",
+                        help="Use DIR/IPSEC-D as location for "
+                        " ipsec.d (libreswan only).")
+    parser.add_argument("--ipsec-secrets", metavar="IPSEC-SECRETS",
+                        help="Use DIR/IPSEC-SECRETS as location for "
+                        " ipsec.secrets (libreswan only).")
+    parser.add_argument("--ipsec-ctl", metavar="IPSEC-CTL",
+                        help="Use DIR/IPSEC-CTL as location for "
+                        " pluto ctl socket (libreswan only).")
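Review bot: Each of the four new help strings is built from two literals where the second begins with a space, so the rendered text reads `location for  ipsec.conf` with a doubled space; drop the leading space from the second literal in each, e.g. `"ipsec.conf (libreswan only).")`. `DIR` is also undefined in this help text; presumably it refers to the `--root-prefix` value, and saying so (`"Use ROOT-PREFIX/IPSEC-CONF ..."` or naming the option) would save a reader a trip to the code. Since the defaults are fixed strings, `default="/etc/ipsec.conf"` etc. on these `add_argument` calls would also let argparse document them and remove the four `if ... else` fallbacks in the helper's `__init__`.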
 
     ovs.vlog.add_args(parser)
     ovs.daemon.add_args(parser)
@@ -1240,7 +1297,7 @@ def main():
     root_prefix = args.root_prefix if args.root_prefix else ""
     xfrm = XFRM(root_prefix)
     monitor = IPsecMonitor(root_prefix, args.ike_daemon,
-                           not args.no_restart_ike_daemon)
+                           not args.no_restart_ike_daemon, args)
 
     remote = args.database
     schema_helper = ovs.db.idl.SchemaHelper()
-- 
2.27.0


