authorMark Gray <mark.d.gray@redhat.com>2021-04-01 09:58:26 -0400
committerIlya Maximets <i.maximets@ovn.org>2021-04-01 19:13:31 +0200
commitd6afbc00d5b37a62a5544d65c3cc6e689422c273 (patch)
tree67ffef2278b163632c900a15ecb6ed5f11f81a20 /ipsec
parent4ce8bb159e9cb328ace7ae862026d4220c8bcd3f (diff)
ipsec: Allow custom file locations.
"ovs_monitor_ipsec" assumes certain file locations for a number of Libreswan objects. This patch allows these locations to be configurable at startup in the Libreswan case. This additional flexibility enables system testing for OVS IPsec. Signed-off-by: Mark Gray <mark.d.gray@redhat.com> Acked-by: Flavio Leitner <fbl@sysclose.org> Acked-by: Aaron Conole <aconole@redhat.com> Acked-by: Eelco Chaudron <echaudro@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Diffstat (limited to 'ipsec')
-rwxr-xr-xipsec/ovs-monitor-ipsec.in103
1 files changed, 80 insertions, 23 deletions
diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
index 668507fd3..a95424775 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -445,12 +445,26 @@ conn prevent_unencrypted_vxlan
CERT_PREFIX = "ovs_cert_"
CERTKEY_PREFIX = "ovs_certkey_"
- def __init__(self, libreswan_root_prefix):
+ def __init__(self, libreswan_root_prefix, args):
+ ipsec_conf = args.ipsec_conf if args.ipsec_conf else "/etc/ipsec.conf"
+ ipsec_d = args.ipsec_d if args.ipsec_d else "/etc/ipsec.d"
+ ipsec_secrets = (args.ipsec_secrets if args.ipsec_secrets
+ else "/etc/ipsec.secrets")
+ ipsec_ctl = (args.ipsec_ctl if args.ipsec_ctl
+ else "/run/pluto/pluto.ctl")
+
self.IPSEC = libreswan_root_prefix + "/usr/sbin/ipsec"
- self.IPSEC_CONF = libreswan_root_prefix + "/etc/ipsec.conf"
- self.IPSEC_SECRETS = libreswan_root_prefix + "/etc/ipsec.secrets"
+ self.IPSEC_CONF = libreswan_root_prefix + ipsec_conf
+ self.IPSEC_SECRETS = libreswan_root_prefix + ipsec_secrets
+ self.IPSEC_D = "sql:" + libreswan_root_prefix + ipsec_d
+ self.IPSEC_CTL = libreswan_root_prefix + ipsec_ctl
self.conf_file = None
self.secrets_file = None
+ vlog.dbg("Using: " + self.IPSEC)
+ vlog.dbg("Configuration file: " + self.IPSEC_CONF)
+ vlog.dbg("Secrets file: " + self.IPSEC_SECRETS)
+ vlog.dbg("ipsec.d: " + self.IPSEC_D)
+ vlog.dbg("Pluto socket: " + self.IPSEC_CTL)
def restart_ike_daemon(self):
"""This function restarts LibreSwan."""
@@ -548,7 +562,8 @@ conn prevent_unencrypted_vxlan
def refresh(self, monitor):
vlog.info("Refreshing LibreSwan configuration")
- subprocess.call([self.IPSEC, "auto", "--rereadsecrets"])
+ subprocess.call([self.IPSEC, "auto", "--ctlsocket", self.IPSEC_CTL,
+ "--config", self.IPSEC_CONF, "--rereadsecrets"])
tunnels = set(monitor.tunnels.keys())
# Delete old connections
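Review bot: The `--config`/`--ctlsocket` prefix is now spelled out by hand in every `ipsec auto` invocation, and in this hunk it is even in the opposite order (`--ctlsocket` before `--config`) from the hunks at @@ -575, @@ -595 and @@ -653; a single helper building the argv would remove the duplication and make a later option change a one-line edit. Something like `def _ipsec_auto(self, *extra): return [self.IPSEC, "auto", "--config", self.IPSEC_CONF, "--ctlsocket", self.IPSEC_CTL] + list(extra)` used as `subprocess.call(self._ipsec_auto("--rereadsecrets"))` keeps each call on one line. The return value of `subprocess.call` is still discarded, so a failed reread caused by a wrong `--ipsec-ctl` or `--ipsec-conf` value is invisible to the monitor; logging a non-zero status with `vlog.warn` would make the misconfiguration this patch makes possible diagnosable. `refresh` continues past the end of this hunk.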
@@ -575,7 +590,9 @@ conn prevent_unencrypted_vxlan
if not tunnel or tunnel.version != ver:
vlog.info("%s is outdated %u" % (conn, ver))
- subprocess.call([self.IPSEC, "auto", "--delete", conn])
+ subprocess.call([self.IPSEC, "auto", "--ctlsocket",
+ self.IPSEC_CTL, "--config",
+ self.IPSEC_CONF, "--delete", conn])
elif ifname in tunnels:
tunnels.remove(ifname)
@@ -595,22 +612,46 @@ conn prevent_unencrypted_vxlan
# Update shunt policy if changed
if monitor.conf_in_use["skb_mark"] != monitor.conf["skb_mark"]:
if monitor.conf["skb_mark"]:
- subprocess.call([self.IPSEC, "auto", "--add",
+ subprocess.call([self.IPSEC, "auto",
+ "--config", self.IPSEC_CONF,
+ "--ctlsocket", self.IPSEC_CTL,
+ "--add",
"--asynchronous", "prevent_unencrypted_gre"])
- subprocess.call([self.IPSEC, "auto", "--add",
+ subprocess.call([self.IPSEC, "auto",
+ "--config", self.IPSEC_CONF,
+ "--ctlsocket", self.IPSEC_CTL,
+ "--add",
"--asynchronous", "prevent_unencrypted_geneve"])
- subprocess.call([self.IPSEC, "auto", "--add",
+ subprocess.call([self.IPSEC, "auto",
+ "--config", self.IPSEC_CONF,
+ "--ctlsocket", self.IPSEC_CTL,
+ "--add",
"--asynchronous", "prevent_unencrypted_stt"])
- subprocess.call([self.IPSEC, "auto", "--add",
+ subprocess.call([self.IPSEC, "auto",
+ "--config", self.IPSEC_CONF,
+ "--ctlsocket", self.IPSEC_CTL,
+ "--add",
"--asynchronous", "prevent_unencrypted_vxlan"])
else:
- subprocess.call([self.IPSEC, "auto", "--delete",
+ subprocess.call([self.IPSEC, "auto",
+ "--config", self.IPSEC_CONF,
+ "--ctlsocket", self.IPSEC_CTL,
+ "--delete",
"--asynchronous", "prevent_unencrypted_gre"])
- subprocess.call([self.IPSEC, "auto", "--delete",
+ subprocess.call([self.IPSEC, "auto",
+ "--config", self.IPSEC_CONF,
+ "--ctlsocket", self.IPSEC_CTL,
+ "--delete",
"--asynchronous", "prevent_unencrypted_geneve"])
- subprocess.call([self.IPSEC, "auto", "--delete",
+ subprocess.call([self.IPSEC, "auto",
+ "--config", self.IPSEC_CONF,
+ "--ctlsocket", self.IPSEC_CTL,
+ "--delete",
"--asynchronous", "prevent_unencrypted_stt"])
- subprocess.call([self.IPSEC, "auto", "--delete",
+ subprocess.call([self.IPSEC, "auto",
+ "--config", self.IPSEC_CONF,
+ "--ctlsocket", self.IPSEC_CTL,
+ "--delete",
"--asynchronous", "prevent_unencrypted_vxlan"])
monitor.conf_in_use["skb_mark"] = monitor.conf["skb_mark"]
@@ -622,7 +663,8 @@ conn prevent_unencrypted_vxlan
sample line from the parsed outpus as <value>. """
conns = {}
- proc = subprocess.Popen([self.IPSEC, 'status'], stdout=subprocess.PIPE)
+ proc = subprocess.Popen([self.IPSEC, 'status', '--ctlsocket',
+ self.IPSEC_CTL], stdout=subprocess.PIPE)
while True:
line = proc.stdout.readline().strip().decode()
@@ -653,7 +695,10 @@ conn prevent_unencrypted_vxlan
# the "ipsec auto --start" command is lost. Just retry to make sure
# the command is received by LibreSwan.
while True:
- proc = subprocess.Popen([self.IPSEC, "auto", "--start",
+ proc = subprocess.Popen([self.IPSEC, "auto",
+ "--config", self.IPSEC_CONF,
+ "--ctlsocket", self.IPSEC_CTL,
+ "--start",
"--asynchronous", conn],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
@@ -667,7 +712,7 @@ conn prevent_unencrypted_vxlan
"""Remove all OVS IPsec related state from the NSS database"""
try:
proc = subprocess.Popen(['certutil', '-L', '-d',
- 'sql:/etc/ipsec.d/'],
+ self.IPSEC_D],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
universal_newlines=True)
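Review bot: `self.IPSEC_D` replaces the literal `'sql:/etc/ipsec.d/'` here and in the certutil/pk12util hunks at @@ -691, @@ -704, @@ -732 and @@ -747, but the new default is built in `__init__` as `"sql:" + prefix + "/etc/ipsec.d"` without the trailing slash, and the attribute name no longer tells a reader that the value is an NSS database spec rather than a directory. Presumably NSS accepts both spellings, but that is worth confirming against the certutil versions OVS supports. A comment at the assignment, e.g. `# NSS database spec for certutil/pk12util -d, not a plain directory`, or renaming the attribute to `NSS_DB`, would stop someone later passing it to `os.path` functions. The enclosing function's `def` line is above this hunk.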
@@ -691,7 +736,7 @@ conn prevent_unencrypted_vxlan
normal certificate."""
try:
proc = subprocess.Popen(['certutil', '-A', '-a', '-i', cert,
- '-d', 'sql:/etc/ipsec.d/', '-n',
+ '-d', self.IPSEC_D, '-n',
name, '-t', cert_type],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
@@ -704,7 +749,7 @@ conn prevent_unencrypted_vxlan
def _nss_delete_cert(self, name):
try:
proc = subprocess.Popen(['certutil', '-D', '-d',
- 'sql:/etc/ipsec.d/', '-n', name],
+ self.IPSEC_D, '-n', name],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
proc.wait()
@@ -732,7 +777,7 @@ conn prevent_unencrypted_vxlan
# Load p12 file to the database
proc = subprocess.Popen(['pk12util', '-i', path, '-d',
- 'sql:/etc/ipsec.d/', '-W', ''],
+ self.IPSEC_D, '-W', ''],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
proc.wait()
@@ -747,7 +792,7 @@ conn prevent_unencrypted_vxlan
try:
# Delete certificate and private key
proc = subprocess.Popen(['certutil', '-F', '-d',
- 'sql:/etc/ipsec.d/', '-n', name],
+ self.IPSEC_D, '-n', name],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
proc.wait()
@@ -949,7 +994,7 @@ class IPsecTunnel(object):
class IPsecMonitor(object):
"""This class monitors and configures IPsec tunnels"""
- def __init__(self, root_prefix, ike_daemon, restart):
+ def __init__(self, root_prefix, ike_daemon, restart, args):
self.IPSEC = root_prefix + "/usr/sbin/ipsec"
self.tunnels = {}
@@ -969,7 +1014,7 @@ class IPsecMonitor(object):
if ike_daemon == "strongswan":
self.ike_helper = StrongSwanHelper(root_prefix)
elif ike_daemon == "libreswan":
- self.ike_helper = LibreSwanHelper(root_prefix)
+ self.ike_helper = LibreSwanHelper(root_prefix, args)
else:
vlog.err("The IKE daemon should be strongswan or libreswan.")
sys.exit(1)
@@ -1227,6 +1272,18 @@ def main():
" (either libreswan or strongswan).")
parser.add_argument("--no-restart-ike-daemon", action='store_true',
help="Don't restart the IKE daemon on startup.")
+ parser.add_argument("--ipsec-conf", metavar="IPSEC-CONF",
+ help="Use DIR/IPSEC-CONF as location for "
+ " ipsec.conf (libreswan only).")
+ parser.add_argument("--ipsec-d", metavar="IPSEC-D",
+ help="Use DIR/IPSEC-D as location for "
+ " ipsec.d (libreswan only).")
+ parser.add_argument("--ipsec-secrets", metavar="IPSEC-SECRETS",
+ help="Use DIR/IPSEC-SECRETS as location for "
+ " ipsec.secrets (libreswan only).")
+ parser.add_argument("--ipsec-ctl", metavar="IPSEC-CTL",
+ help="Use DIR/IPSEC-CTL as location for "
+ " pluto ctl socket (libreswan only).")
ovs.vlog.add_args(parser)
ovs.daemon.add_args(parser)
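Review bot: Each of the four new help strings concatenates `"... as location for "` with a second literal that also begins with a space (`" ipsec.conf (libreswan only)."`), so `--help` prints a double space in every one of them; drop the leading space from the second fragment, e.g. `help="Use DIR/IPSEC-CONF as location for "` `"ipsec.conf (libreswan only).")`. The text also promises a `DIR/` separator that `LibreSwanHelper.__init__` does not insert (it concatenates the prefix and the value verbatim), so either word it as "absolute path appended to DIR" or say the value must begin with `/`. Supplying `default="/etc/ipsec.conf"` and the other three defaults here would additionally let the helper drop its `x if x else` fallbacks. `main()` continues on both sides of this hunk.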
@@ -1240,7 +1297,7 @@ def main():
root_prefix = args.root_prefix if args.root_prefix else ""
xfrm = XFRM(root_prefix)
monitor = IPsecMonitor(root_prefix, args.ike_daemon,
- not args.no_restart_ike_daemon)
+ not args.no_restart_ike_daemon, args)
remote = args.database
schema_helper = ovs.db.idl.SchemaHelper()