Libreswan driver support in VPNaaS

VPNaas is not working on Fedora/centos devstack. Fedora/centos uses Libreswan(fork of the Openswan IPSEC VPN) for ipsec. Libreswan needs nssdb to be initialised before 'ipsec pluto' command, otherwise pluto daemon will fail to run Change-Id: I54558208b2aaa82bda09c0db96042d236eceba69 Closes-bug: #1444017
2015-05-03 10:27:12 +00:00 · 2015-05-03 10:27:12 +00:00 · 72e1f670fd
commit 72e1f670fd
parent 84740c1528
3 changed files with 82 additions and 0 deletions
--- a/etc/vpn_agent.ini
+++ b/etc/vpn_agent.ini
@ -13,6 +13,7 @@
 # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.vyatta_ipsec.VyattaIPSecDriver
 # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
 # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.fedora_strongswan_ipsec.FedoraStrongSwanDriver
 # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver
 # vpn_device_driver=another_driver
 [ipsec]
--- a/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
@ -0,0 +1,50 @@
 # Copyright (c) 2015 Red Hat, Inc.
 # All Rights Reserved.
 #
 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
 #    not use this file except in compliance with the License. You may obtain
 #    a copy of the License at
 #
 #         http://www.apache.org/licenses/LICENSE-2.0
 #
 #    Unless required by applicable law or agreed to in writing, software
 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
 from neutron_vpnaas.services.vpn.device_drivers import ipsec
 class LibreSwanProcess(ipsec.OpenSwanProcess):
    """Libreswan Process manager class.
    Libreswan needs nssdb initialised before running pluto daemon.
    """
    def __init__(self, conf, process_id, vpnservice, namespace):
        super(LibreSwanProcess, self).__init__(conf, process_id,
                                              vpnservice, namespace)
    def ensure_configs(self):
        """Generate config files which are needed for Libreswan.
        Initialise the nssdb, otherwise pluto daemon will fail to run.
        """
        super(LibreSwanProcess, self).ensure_configs()
        # Load the ipsec kernel module if not loaded
        self._execute([self.binary, '_stackmanager', 'start'])
        # checknss creates nssdb only if it is missing
        # It is added in Libreswan version v3.10
        # For prior versions use initnss
        try:
            self._execute([self.binary, 'checknss', self.etc_dir])
        except RuntimeError:
            self._execute([self.binary, 'initnss', self.etc_dir])
 class LibreSwanDriver(ipsec.IPsecDriver):
    def create_process(self, process_id, vpnservice, namespace):
        return LibreSwanProcess(
            self.conf,
            process_id,
            vpnservice,
            namespace)
--- a/neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py
+++ b/neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py
@ -27,6 +27,7 @@ from oslo_config import cfg
 from neutron_vpnaas.extensions import vpnaas
 from neutron_vpnaas.services.vpn.device_drivers import fedora_strongswan_ipsec
 from neutron_vpnaas.services.vpn.device_drivers import ipsec as openswan_ipsec
 from neutron_vpnaas.services.vpn.device_drivers import libreswan_ipsec
 from neutron_vpnaas.services.vpn.device_drivers import strongswan_ipsec
 from neutron_vpnaas.tests import base
@ -637,6 +638,36 @@ class TestOpenSwanProcess(base.BaseTestCase):
                         self.process.connection_status)
 class TestLibreSwanProcess(base.BaseTestCase):
    def setUp(self):
        super(TestLibreSwanProcess, self).setUp()
        self.ipsec_process = libreswan_ipsec.LibreSwanProcess(mock.ANY,
                                                       'foo-process-id',
                                                       FAKE_VPN_SERVICE,
                                                       mock.ANY)
    def test_ensure_configs(self):
        openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
        with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
            self.ipsec_process.ensure_configs()
            expected = [mock.call(['ipsec', '_stackmanager', 'start']),
                        mock.call(['ipsec', 'checknss',
                                   self.ipsec_process.etc_dir])]
            fake_execute.assert_has_calls(expected)
            self.assertEqual(fake_execute.call_count, 2)
        with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
            fake_execute.side_effect = [None, RuntimeError, None]
            self.ipsec_process.ensure_configs()
            expected = [mock.call(['ipsec', '_stackmanager', 'start']),
                        mock.call(['ipsec', 'checknss',
                                   self.ipsec_process.etc_dir]),
                        mock.call(['ipsec', 'initnss',
                                   self.ipsec_process.etc_dir])]
            fake_execute.assert_has_calls(expected)
            self.assertEqual(fake_execute.call_count, 3)
 class IPsecStrongswanDeviceDriverLegacy(IPSecDeviceLegacy):
    def setUp(self, driver=strongswan_ipsec.StrongSwanDriver,