From 7e9922858fc36cb890b59232d72cf6e7bcb5957c Mon Sep 17 00:00:00 2001
From: Stephen Ma
Date: Fri, 29 Mar 2019 09:31:03 -0700
Subject: [PATCH] Execute neutron-vpn-netns-wrapper with rootwrap_config argument
When neutron uses neutron-rootwrap as the root_helper, add the --rootwrap_config parameter to neutron-vpn-netns-wrapper execution to support environments where rootwrap.conf is not in the default location.
Closes-Bug: #1822199
Change-Id: I0a345d1b1815560dc4dd35fa5c9a34055fc9fb08
---
 neutron_vpnaas/services/vpn/device_drivers/ipsec.py | 7 +++++++
 .../services/vpn/device_drivers/libreswan_ipsec.py | 3 +++
 .../services/vpn/device_drivers/strongswan_ipsec.py | 3 +++
 3 files changed, 13 insertions(+)
diff --git a/neutron_vpnaas/services/vpn/device_drivers/ipsec.py b/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
index d597ed4de..5014a78dd 100644
--- a/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
@@ -279,6 +279,13 @@ class BaseSwanProcess(object):
 {'vpnservice': vpnservice, 'state_path': self.conf.state_path})
+ def _get_rootwrap_config(self):
+ if 'neutron-rootwrap' in cfg.CONF.AGENT.root_helper:
+ rh_tokens = cfg.CONF.AGENT.root_helper.split(' ')
+ if len(rh_tokens) == 3 and os.path.exists(rh_tokens[2]):
+ return rh_tokens[2]
+ return None
+
 @abc.abstractmethod
 def get_status(self): pass
diff --git a/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py b/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
index 76d943a6b..530f505b5 100644
--- a/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
@@ -29,6 +29,7 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
 """ # pylint: disable=useless-super-delegation
 def __init__(self, conf, process_id, vpnservice, namespace):
+ self._rootwrap_cfg = self._get_rootwrap_config()
 super(LibreSwanProcess, self).__init__(conf, process_id, vpnservice, namespace)
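Review bot: `_get_rootwrap_config` in ipsec.py returns None without logging anything when `root_helper` does not split into exactly three tokens or the third token is not an existing path, so the wrapper then runs against its default rootwrap.conf and the operator gets no hint that the configured filter file was ignored. `split(' ')` also produces empty tokens for doubled spaces, which makes a valid helper string with stray whitespace fail the `len(rh_tokens) == 3` check. Because the rootwrap config decides which commands may run as root, consider `rh_tokens = cfg.CONF.AGENT.root_helper.split()` and a warning-level log on the fallback path. A docstring stating the expected form (apparently `sudo neutron-rootwrap <config>`, inferred from the three-token check) and the None return would also help.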
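Review bot: The `# pylint: disable=useless-super-delegation` comment above `LibreSwanProcess.__init__` is stale, because the constructor now assigns `self._rootwrap_cfg` before delegating, and it can be dropped. The same assignment is repeated in `StrongSwanProcess.__init__` in strongswan_ipsec.py. If the attribute has to exist before the base constructor runs, a short comment such as `# must be set before super().__init__()` would stop a later cleanup from moving it; otherwise assigning it once in the base class would remove the duplication. The base constructor is not visible in this diff, so which case applies needs confirming.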
@@ -47,6 +48,8 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
 return ip_wrapper.netns.execute( [NS_WRAPPER, '--mount_paths=%s' % mount_paths_str,
+ ('--rootwrap_config=%s' % self._rootwrap_cfg
+ if self._rootwrap_cfg else ''),
 '--cmd=%s,%s' % (self.binary, ','.join(cmd))], check_exit_code=check_exit_code, extra_ok_codes=extra_ok_codes)
diff --git a/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py b/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
index 17ef226b9..45cdf6b89 100644
--- a/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
@@ -82,6 +82,7 @@ class StrongSwanProcess(ipsec.BaseSwanProcess):
 self.DIALECT_MAP['v2'] = 'ikev2'
 self.DIALECT_MAP['sha256'] = 'sha256'
 self._strongswan_piddir = self._get_strongswan_piddir()
+ self._rootwrap_cfg = self._get_rootwrap_config()
 LOG.debug("strongswan piddir is '%s'", (self._strongswan_piddir))
 super(StrongSwanProcess, self).__init__(conf, process_id, vpnservice, namespace)
@@ -115,6 +116,8 @@ class StrongSwanProcess(ipsec.BaseSwanProcess):
 [NS_WRAPPER, '--mount_paths=/etc:%s/etc,%s:%s/var/run' % ( self.config_dir, self._strongswan_piddir, self.config_dir),
+ ('--rootwrap_config=%s' % self._rootwrap_cfg
+ if self._rootwrap_cfg else ''),
 '--cmd=%s' % ','.join(cmd)],
 check_exit_code=check_exit_code, extra_ok_codes=extra_ok_codes)
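Review bot: When `self._rootwrap_cfg` is None, the conditional expression in the libreswan_ipsec.py hunk puts an empty string `''` into the argument list, so the wrapper is invoked with an extra empty argv element between `--mount_paths` and `--cmd`. Whether the wrapper's option parser and the rootwrap command filter accept that element is not visible in this diff. Building the list conditionally avoids depending on it: collect the arguments in a local list and add the option only when set, `if self._rootwrap_cfg:` followed by `args.append('--rootwrap_config=%s' % self._rootwrap_cfg)`, before appending `--cmd`. The same expression appears in the second strongswan_ipsec.py hunk; both enclosing methods start outside their hunks.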