Libreswan driver support in VPNaaS

VPNaas is not working on Fedora/centos devstack. Fedora/centos uses Libreswan(fork of the Openswan IPSEC VPN) for ipsec. Libreswan needs nssdb to be initialised before 'ipsec pluto' command, otherwise pluto daemon will fail to run Change-Id: I54558208b2aaa82bda09c0db96042d236eceba69 Closes-bug: #1444017
2015-05-03 10:27:12 +00:00 · 2015-05-03 10:27:12 +00:00 · 72e1f670fd
commit 72e1f670fd
parent 84740c1528
3 changed files with 82 additions and 0 deletions
--- a/etc/vpn_agent.ini
+++ b/etc/vpn_agent.ini
@ -13,6 +13,7 @@
 # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.vyatta_ipsec.VyattaIPSecDriver
 # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
 # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.fedora_strongswan_ipsec.FedoraStrongSwanDriver
+# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver
 # vpn_device_driver=another_driver

 [ipsec]
--- a/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
@ -0,0 +1,50 @@
+# Copyright (c) 2015 Red Hat, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+from neutron_vpnaas.services.vpn.device_drivers import ipsec
+
+
+class LibreSwanProcess(ipsec.OpenSwanProcess):
+    """Libreswan Process manager class.
+
+    Libreswan needs nssdb initialised before running pluto daemon.
+    """
+    def __init__(self, conf, process_id, vpnservice, namespace):
+        super(LibreSwanProcess, self).__init__(conf, process_id,
+                                              vpnservice, namespace)
+
+    def ensure_configs(self):
+        """Generate config files which are needed for Libreswan.
+
+        Initialise the nssdb, otherwise pluto daemon will fail to run.
+        """
+        super(LibreSwanProcess, self).ensure_configs()
+        # Load the ipsec kernel module if not loaded
+        self._execute([self.binary, '_stackmanager', 'start'])
+        # checknss creates nssdb only if it is missing
+        # It is added in Libreswan version v3.10
+        # For prior versions use initnss
+        try:
+            self._execute([self.binary, 'checknss', self.etc_dir])
+        except RuntimeError:
+            self._execute([self.binary, 'initnss', self.etc_dir])
+
+
+class LibreSwanDriver(ipsec.IPsecDriver):
+    def create_process(self, process_id, vpnservice, namespace):
+        return LibreSwanProcess(
+            self.conf,
+            process_id,
+            vpnservice,
+            namespace)
--- a/neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py
+++ b/neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py
@ -27,6 +27,7 @@ from oslo_config import cfg
 from neutron_vpnaas.extensions import vpnaas
 from neutron_vpnaas.services.vpn.device_drivers import fedora_strongswan_ipsec
 from neutron_vpnaas.services.vpn.device_drivers import ipsec as openswan_ipsec
+from neutron_vpnaas.services.vpn.device_drivers import libreswan_ipsec
 from neutron_vpnaas.services.vpn.device_drivers import strongswan_ipsec
 from neutron_vpnaas.tests import base

@ -637,6 +638,36 @@ class TestOpenSwanProcess(base.BaseTestCase):
                         self.process.connection_status)


+class TestLibreSwanProcess(base.BaseTestCase):
+    def setUp(self):
+        super(TestLibreSwanProcess, self).setUp()
+        self.ipsec_process = libreswan_ipsec.LibreSwanProcess(mock.ANY,
+                                                       'foo-process-id',
+                                                       FAKE_VPN_SERVICE,
+                                                       mock.ANY)
+
+    def test_ensure_configs(self):
+        openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
+        with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
+            self.ipsec_process.ensure_configs()
+            expected = [mock.call(['ipsec', '_stackmanager', 'start']),
+                        mock.call(['ipsec', 'checknss',
+                                   self.ipsec_process.etc_dir])]
+            fake_execute.assert_has_calls(expected)
+            self.assertEqual(fake_execute.call_count, 2)
+
+        with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
+            fake_execute.side_effect = [None, RuntimeError, None]
+            self.ipsec_process.ensure_configs()
+            expected = [mock.call(['ipsec', '_stackmanager', 'start']),
+                        mock.call(['ipsec', 'checknss',
+                                   self.ipsec_process.etc_dir]),
+                        mock.call(['ipsec', 'initnss',
+                                   self.ipsec_process.etc_dir])]
+            fake_execute.assert_has_calls(expected)
+            self.assertEqual(fake_execute.call_count, 3)
+
+
 class IPsecStrongswanDeviceDriverLegacy(IPSecDeviceLegacy):

    def setUp(self, driver=strongswan_ipsec.StrongSwanDriver,