0cf7671b0a
strongSwan doesn't support namespaces natively, this wrapper will use "mount --bind" to simulate the ns like this:

    sudo neutron-rootwrap /etc/neutron/rootwrap.conf ip netns \
        exec <namespace-id> neutron-netns-wrapper --mount_paths \
        =/etc:/var/lib/neutron/vpnaas/<xxxx-id>/etc, \
        /var/run:/var/lib/neutron/vpnaas/<xxxx-id>/var/run \
        --cmd=ipsec,status

Both sudoers and rootwrap.conf will not exist in the directory /etc after bind-mount, thus we can't use utils.execute(cmd, conf.root_helper) in neutron/agent/linux/utils.py. So implement a function execute(cmd) in this wrapper as an alternative. Then we can use root_helper to invoke this wrapper to make sure all commands are still running as root, as the code below shows. Finally, also need to check in wrapper if cmd matches CommandFilter based on the same reason.

    ip_wrapper = ip_lib.IPWrapper(root_helper, namespace)
    ip_wrapper.netns.execute(
        [NS_WRAPPER, '--mount_paths=/etc:%s/etc,/var/run:%s/var/run' % (
            self.config_dir, self.config_dir),
         '--cmd=%s' % ','.join(cmd)],
        check_exit_code=check_exit_code)

We are using check of net namespace (since Linux 3.0), instead of mount namespace (since Linux 3.8), as older kernels do not support mount namespace. In addition, mount --bind has been available since Linux 2.4. So we don't need to worry about Kilo's minimum kernel requirement.

This patch is based on patchset 67 of nachi's initial vpnaas implementation, many thanks to nachi. Submit this wrapper as a separate review from [1].

[1] https://review.openstack.org/#/c/144391/

Partially-implements: blueprint ipsec-strongswan-driver
Change-Id: Icc80b9102acb87170f2d1cda06c848fa71bb1634
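The commit message above explains the two things the wrapper has to do once it is running as root inside the namespace: bind-mount the per-tunnel copies of /etc and /var/run, and, because rootwrap.conf is no longer visible after that, apply a CommandFilter-style check of its own before executing anything. The following is an added illustration of that design and is not neutron's netns wrapper (whose code is not on this page); the argument format (--mount_paths=<target>:<source>,... and --cmd=<prog>,<arg>,...) is taken from the message, while the COMMAND_FILTERS allow-list, the function names, and the injectable execute callback are assumptions made here so the validation logic can be exercised without root.

```python
"""Stand-in for a namespace wrapper that bind-mounts per-tunnel config dirs
and enforces its own command allow-list before executing as root.

Added illustration only (not neutron's own wrapper).  Everything privileged
(mount --bind, the final command) goes through an injectable ``execute``
callback so the parsing and filter logic can be tested unprivileged.
"""
import os
import subprocess
import sys

# Constructed allow-list in the spirit of rootwrap's CommandFilter:
# program name -> the only absolute path it may resolve to.  Assumption: with
# rootwrap.conf hidden by the bind mount, this table is the wrapper's policy.
COMMAND_FILTERS = {
    "ipsec": "/usr/sbin/ipsec",
    "strongswan": "/usr/sbin/strongswan",
}


def parse_mount_paths(value):
    """Turn '/etc:/x/etc,/var/run:/x/var/run' into [(target, source), ...].

    Both sides of each pair must be absolute, so a relative source cannot
    point outside the per-tunnel config directory.
    """
    pairs = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        target, sep, source = item.partition(":")
        if not sep or not target.startswith("/") or not source.startswith("/"):
            raise ValueError("bad mount pair: %r" % item)
        pairs.append((os.path.normpath(target), os.path.normpath(source)))
    return pairs


def parse_cmd(value):
    """Turn 'ipsec,status' into ['ipsec', 'status']."""
    cmd = [part for part in value.split(",") if part]
    if not cmd:
        raise ValueError("empty command")
    return cmd


def filter_command(cmd, filters=COMMAND_FILTERS):
    """Return cmd with its program replaced by the allow-listed absolute path.

    Like a rootwrap CommandFilter: the first argument must name a known
    program, and the caller never gets to choose the binary's location.
    Anything else raises PermissionError.
    """
    exe = cmd[0]
    allowed_path = filters.get(os.path.basename(exe))
    if allowed_path is None or exe not in (os.path.basename(exe), allowed_path):
        raise PermissionError("command not allowed by filter: %r" % exe)
    return [allowed_path] + list(cmd[1:])


def bind_mounts(pairs, execute=subprocess.check_call):
    """Shadow each target with its per-tunnel copy via 'mount --bind'.

    Requires root when run with the default executor.
    """
    for target, source in pairs:
        execute(["mount", "--bind", source, target])


def run_wrapper(argv, execute=subprocess.check_call):
    """Parse --mount_paths/--cmd, validate, bind-mount, then run the command."""
    mount_value = cmd_value = None
    for arg in argv:
        if arg.startswith("--mount_paths="):
            mount_value = arg[len("--mount_paths="):]
        elif arg.startswith("--cmd="):
            cmd_value = arg[len("--cmd="):]
    if mount_value is None or cmd_value is None:
        raise SystemExit("usage: --mount_paths=<t>:<s>,... --cmd=<prog>,<arg>,...")
    # Validate the command *before* touching the mount table, so a rejected
    # command leaves the namespace exactly as it was.
    cmd = filter_command(parse_cmd(cmd_value))
    pairs = parse_mount_paths(mount_value)
    bind_mounts(pairs, execute=execute)
    return execute(cmd)


if __name__ == "__main__":
    sys.exit(run_wrapper(sys.argv[1:]))
```

Ordering matters here: the filter check runs before any mount call, and the program name is mapped to a fixed absolute path rather than trusted from the caller, which is the same property neutron-rootwrap provides for commands it can still see its configuration for.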