Libreswan driver support in VPNaaS
VPNaaS is not working on Fedora/CentOS devstack. Fedora/CentOS uses Libreswan (a fork of the Openswan IPsec VPN) for IPsec. Libreswan needs its nssdb to be initialised before the 'ipsec pluto' command is run; otherwise the pluto daemon will fail to run. Change-Id: I54558208b2aaa82bda09c0db96042d236eceba69 Closes-bug: #1444017
parent
84740c1528
commit
72e1f670fd
@ -13,6 +13,7 @@
|
||||
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.vyatta_ipsec.VyattaIPSecDriver
|
||||
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
|
||||
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.fedora_strongswan_ipsec.FedoraStrongSwanDriver
|
||||
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver
|
||||
# vpn_device_driver=another_driver
|
||||
|
||||
[ipsec]
|
||||
|
@ -0,0 +1,50 @@
|
||||
# Copyright (c) 2015 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
from neutron_vpnaas.services.vpn.device_drivers import ipsec
|
||||
|
||||
|
||||
class LibreSwanProcess(ipsec.OpenSwanProcess):
|
||||
"""Libreswan Process manager class.
|
||||
|
||||
Libreswan needs nssdb initialised before running pluto daemon.
|
||||
"""
|
||||
def __init__(self, conf, process_id, vpnservice, namespace):
|
||||
super(LibreSwanProcess, self).__init__(conf, process_id,
|
||||
vpnservice, namespace)
|
||||
|
||||
def ensure_configs(self):
|
||||
"""Generate config files which are needed for Libreswan.
|
||||
|
||||
Initialise the nssdb, otherwise pluto daemon will fail to run.
|
||||
"""
|
||||
super(LibreSwanProcess, self).ensure_configs()
|
||||
# Load the ipsec kernel module if not loaded
|
||||
self._execute([self.binary, '_stackmanager', 'start'])
|
||||
# checknss creates nssdb only if it is missing
|
||||
# It is added in Libreswan version v3.10
|
||||
# For prior versions use initnss
|
||||
try:
|
||||
self._execute([self.binary, 'checknss', self.etc_dir])
|
||||
except RuntimeError:
|
||||
self._execute([self.binary, 'initnss', self.etc_dir])
|
||||
|
||||
|
||||
class LibreSwanDriver(ipsec.IPsecDriver):
|
||||
def create_process(self, process_id, vpnservice, namespace):
|
||||
return LibreSwanProcess(
|
||||
self.conf,
|
||||
process_id,
|
||||
vpnservice,
|
||||
namespace)
|
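Review bot: The `except RuntimeError:` in `ensure_configs` treats every `checknss` failure as "sub-command not available" and falls straight through to `initnss`, so a `checknss` that exists but fails for another reason (for example an unreadable or damaged nssdb under `etc_dir`) is retried with `initnss` and the original error is discarded. Because the NSS database is where Libreswan keeps its cryptographic material, that failure should be recorded before the fallback: bind the exception with `except RuntimeError as err:` and log `err`, which needs a module-level logger this file does not define yet. What `_execute` raises is decided in `ipsec.OpenSwanProcess`, outside this page, so it is worth confirming whether RuntimeError is the only signal available to tell the two cases apart. Separately, `LibreSwanProcess.__init__` only forwards its arguments to the parent and could be dropped, and `LibreSwanDriver` has no docstring; something like `"""IPsec device driver that manages tunnels through LibreSwanProcess."""` would do.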
@ -27,6 +27,7 @@ from oslo_config import cfg
|
||||
from neutron_vpnaas.extensions import vpnaas
|
||||
from neutron_vpnaas.services.vpn.device_drivers import fedora_strongswan_ipsec
|
||||
from neutron_vpnaas.services.vpn.device_drivers import ipsec as openswan_ipsec
|
||||
from neutron_vpnaas.services.vpn.device_drivers import libreswan_ipsec
|
||||
from neutron_vpnaas.services.vpn.device_drivers import strongswan_ipsec
|
||||
from neutron_vpnaas.tests import base
|
||||
|
||||
@ -637,6 +638,36 @@ class TestOpenSwanProcess(base.BaseTestCase):
|
||||
self.process.connection_status)
|
||||
|
||||
|
||||
class TestLibreSwanProcess(base.BaseTestCase):
|
||||
def setUp(self):
|
||||
super(TestLibreSwanProcess, self).setUp()
|
||||
self.ipsec_process = libreswan_ipsec.LibreSwanProcess(mock.ANY,
|
||||
'foo-process-id',
|
||||
FAKE_VPN_SERVICE,
|
||||
mock.ANY)
|
||||
|
||||
def test_ensure_configs(self):
|
||||
openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
|
||||
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
|
||||
self.ipsec_process.ensure_configs()
|
||||
expected = [mock.call(['ipsec', '_stackmanager', 'start']),
|
||||
mock.call(['ipsec', 'checknss',
|
||||
self.ipsec_process.etc_dir])]
|
||||
fake_execute.assert_has_calls(expected)
|
||||
self.assertEqual(fake_execute.call_count, 2)
|
||||
|
||||
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
|
||||
fake_execute.side_effect = [None, RuntimeError, None]
|
||||
self.ipsec_process.ensure_configs()
|
||||
expected = [mock.call(['ipsec', '_stackmanager', 'start']),
|
||||
mock.call(['ipsec', 'checknss',
|
||||
self.ipsec_process.etc_dir]),
|
||||
mock.call(['ipsec', 'initnss',
|
||||
self.ipsec_process.etc_dir])]
|
||||
fake_execute.assert_has_calls(expected)
|
||||
self.assertEqual(fake_execute.call_count, 3)
|
||||
|
||||
|
||||
class IPsecStrongswanDeviceDriverLegacy(IPSecDeviceLegacy):
|
||||
|
||||
def setUp(self, driver=strongswan_ipsec.StrongSwanDriver,
|
||||
|
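Review bot: In `test_ensure_configs` the line `openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()` overwrites the class attribute and never restores it, so every test that runs afterwards in the same process sees a mocked `OpenSwanProcess.ensure_configs`, which can hide real failures there. Scope the replacement to the test by wrapping its body in `with mock.patch.object(openswan_ipsec.OpenSwanProcess, 'ensure_configs'):`, which undoes the patch on exit. Passing `mock.ANY` as `conf` and `namespace` in `setUp` also works only by accident of what the constructor touches; a `mock.Mock()` states the intent more clearly. The two scenarios (checknss succeeds, checknss raises) would read better as separate test methods, so that a failure names the case that broke.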