Virtual private network services for OpenStack Neutron.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 

143 lines
5.5 KiB

# Copyright (c) 2015 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import os
import os.path
from neutron.agent.linux import ip_lib
from neutron_vpnaas.services.vpn.device_drivers import ipsec
class LibreSwanProcess(ipsec.OpenSwanProcess):
"""Libreswan Process manager class.
Libreswan needs nssdb initialised before running pluto daemon.
"""
# pylint: disable=useless-super-delegation
def __init__(self, conf, process_id, vpnservice, namespace):
self._rootwrap_cfg = self._get_rootwrap_config()
super(LibreSwanProcess, self).__init__(conf, process_id,
vpnservice, namespace)
def _ipsec_execute(self, cmd, check_exit_code=True, extra_ok_codes=None):
"""Execute ipsec command on namespace.
This execute is wrapped by namespace wrapper.
The namespace wrapper will bind /etc and /var/run
"""
ip_wrapper = ip_lib.IPWrapper(namespace=self.namespace)
mount_paths = {'/etc': '%s/etc' % self.config_dir,
'/var/run': '%s/var/run' % self.config_dir}
mount_paths_str = ','.join(
"%s:%s" % (source, target)
for source, target in mount_paths.items())
ns_wrapper = self.get_ns_wrapper()
return ip_wrapper.netns.execute(
[ns_wrapper,
'--mount_paths=%s' % mount_paths_str,
('--rootwrap_config=%s' % self._rootwrap_cfg
if self._rootwrap_cfg else ''),
'--cmd=%s,%s' % (self.binary, ','.join(cmd))],
check_exit_code=check_exit_code,
extra_ok_codes=extra_ok_codes)
def _ensure_needed_files(self):
# addconn reads from /etc/hosts and /etc/resolv.conf. As /etc would be
# bind-mounted, create these two empty files in the target directory.
with open('%s/etc/hosts' % self.config_dir, 'a'):
pass
with open('%s/etc/resolv.conf' % self.config_dir, 'a'):
pass
def ensure_configs(self):
"""Generate config files which are needed for Libreswan.
Initialise the nssdb, otherwise pluto daemon will fail to run.
"""
# Since we set ipsec.secrets to be owned by root, the standard
# mechanisms for setting up the config files will get a permission
# problem when attempting to overwrite the file, so we need to
# remove it first.
secrets_file = self._get_config_filename('ipsec.secrets')
if os.path.exists(secrets_file):
self._execute(['rm', '-f', secrets_file])
super(LibreSwanProcess, self).ensure_configs()
# LibreSwan uses the capabilities library to restrict access to
# ipsec.secrets to users that have explicit access. Since pluto is
# running as root and the file has 0600 perms, we must set the
# owner of the file to root.
self._execute(['chown', '--from=%s' % os.getuid(), 'root:root',
secrets_file])
# Libreswan needs to write logs to this directory.
self._execute(['chown', '--from=%s' % os.getuid(), 'root:root',
self.log_dir])
self._ensure_needed_files()
# Load the ipsec kernel module if not loaded
self._ipsec_execute(['_stackmanager', 'start'])
# checknss creates nssdb only if it is missing
# It is added in Libreswan version v3.10
# For prior versions use initnss
try:
self._ipsec_execute(['checknss'])
except RuntimeError:
self._ipsec_execute(['initnss'])
def get_status(self):
return self._ipsec_execute(['whack', '--status'],
extra_ok_codes=[1, 3])
def start_pluto(self):
cmd = ['pluto',
'--use-netkey',
'--uniqueids']
if self.conf.ipsec.enable_detailed_logging:
cmd += ['--perpeerlog', '--perpeerlogbase', self.log_dir]
self._ipsec_execute(cmd)
def add_ipsec_connection(self, nexthop, conn_id):
# Connections will be automatically added as auto=start/add for
# initiator=bi-directional/response-only specified in the config.
pass
def start_whack_listening(self):
# NOTE(huntxu): This is a workaround for with a weak (len<8) secret,
# "ipsec whack --listen" will exit with 3.
self._ipsec_execute(['whack', '--listen'], extra_ok_codes=[3])
def shutdown_whack(self):
self._ipsec_execute(['whack', '--shutdown'])
def initiate_connection(self, conn_name):
self._ipsec_execute(
['whack', '--name', conn_name, '--asynchronous', '--initiate'])
def terminate_connection(self, conn_name):
self._ipsec_execute(['whack', '--name', conn_name, '--terminate'])
class LibreSwanDriver(ipsec.IPsecDriver):
def create_process(self, process_id, vpnservice, namespace):
return LibreSwanProcess(
self.conf,
process_id,
vpnservice,
namespace)