Libreswan driver support in VPNaaS

VPNaaS is not working on Fedora/CentOS devstack.
Fedora/CentOS uses Libreswan (a fork of the Openswan IPsec VPN) for IPsec.

Libreswan needs the nssdb to be initialised before the
'ipsec pluto' command is run; otherwise the pluto daemon will fail to start.

Change-Id: I54558208b2aaa82bda09c0db96042d236eceba69
Closes-bug: #1444017
venkata anil 2015-05-03 10:27:12 +00:00
parent 84740c1528
commit 72e1f670fd
3 changed files with 82 additions and 0 deletions


@ -13,6 +13,7 @@
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.vyatta_ipsec.VyattaIPSecDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.fedora_strongswan_ipsec.FedoraStrongSwanDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver
# vpn_device_driver=another_driver
[ipsec]


@ -0,0 +1,50 @@
# Copyright (c) 2015 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from neutron_vpnaas.services.vpn.device_drivers import ipsec
class LibreSwanProcess(ipsec.OpenSwanProcess):
"""Libreswan Process manager class.
Libreswan needs nssdb initialised before running pluto daemon.
"""
def __init__(self, conf, process_id, vpnservice, namespace):
super(LibreSwanProcess, self).__init__(conf, process_id,
vpnservice, namespace)
def ensure_configs(self):
"""Generate config files which are needed for Libreswan.
Initialise the nssdb, otherwise pluto daemon will fail to run.
"""
super(LibreSwanProcess, self).ensure_configs()
# Load the ipsec kernel module if not loaded
self._execute([self.binary, '_stackmanager', 'start'])
# checknss creates nssdb only if it is missing
# It is added in Libreswan version v3.10
# For prior versions use initnss
try:
self._execute([self.binary, 'checknss', self.etc_dir])
except RuntimeError:
self._execute([self.binary, 'initnss', self.etc_dir])
class LibreSwanDriver(ipsec.IPsecDriver):
def create_process(self, process_id, vpnservice, namespace):
return LibreSwanProcess(
self.conf,
process_id,
vpnservice,
namespace)
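Review bot: The `except RuntimeError` around the `checknss` call in `ensure_configs` treats every failure as "this Libreswan predates v3.10", so a genuine `checknss` error on a newer install (for example an unreadable or damaged nssdb under `etc_dir`, presumably surfaced by `_execute` as `RuntimeError`) is discarded without trace and `initnss` is run against the same directory. At minimum the reason for the fallback should be recorded, e.g. `except RuntimeError as err:` followed by a warning log of `err` before the `initnss` call; the module has no logger yet, so one would have to be added. Separately, the pass-through `__init__` adds nothing over the inherited constructor and can be dropped, and `LibreSwanDriver` would benefit from a one-line docstring such as `"""IPsec device driver that manages Libreswan processes."""`.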


@ -27,6 +27,7 @@ from oslo_config import cfg
from neutron_vpnaas.extensions import vpnaas
from neutron_vpnaas.services.vpn.device_drivers import fedora_strongswan_ipsec
from neutron_vpnaas.services.vpn.device_drivers import ipsec as openswan_ipsec
from neutron_vpnaas.services.vpn.device_drivers import libreswan_ipsec
from neutron_vpnaas.services.vpn.device_drivers import strongswan_ipsec
from neutron_vpnaas.tests import base
@ -637,6 +638,36 @@ class TestOpenSwanProcess(base.BaseTestCase):
self.process.connection_status)
class TestLibreSwanProcess(base.BaseTestCase):
def setUp(self):
super(TestLibreSwanProcess, self).setUp()
self.ipsec_process = libreswan_ipsec.LibreSwanProcess(mock.ANY,
'foo-process-id',
FAKE_VPN_SERVICE,
mock.ANY)
def test_ensure_configs(self):
openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
self.ipsec_process.ensure_configs()
expected = [mock.call(['ipsec', '_stackmanager', 'start']),
mock.call(['ipsec', 'checknss',
self.ipsec_process.etc_dir])]
fake_execute.assert_has_calls(expected)
self.assertEqual(fake_execute.call_count, 2)
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
fake_execute.side_effect = [None, RuntimeError, None]
self.ipsec_process.ensure_configs()
expected = [mock.call(['ipsec', '_stackmanager', 'start']),
mock.call(['ipsec', 'checknss',
self.ipsec_process.etc_dir]),
mock.call(['ipsec', 'initnss',
self.ipsec_process.etc_dir])]
fake_execute.assert_has_calls(expected)
self.assertEqual(fake_execute.call_count, 3)
class IPsecStrongswanDeviceDriverLegacy(IPSecDeviceLegacy):
def setUp(self, driver=strongswan_ipsec.StrongSwanDriver,
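Review bot: `test_ensure_configs` assigns `openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()` directly on the class and never restores it, so the real method stays replaced for every test that runs later in the same process. The patch should be scoped instead, e.g. `mock.patch.object(openswan_ipsec.OpenSwanProcess, 'ensure_configs').start()` in `setUp` together with `self.addCleanup(mock.patch.stopall)`. The test also exercises only the case where `checknss` raises; a case where `initnss` itself raises would pin how that failure propagates to the caller. The trailing `IPsecStrongswanDeviceDriverLegacy.setUp` context line continues outside the hunk.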