b6c8ea8a3c
LibreSwan 3.19 introduces a new commandline argument '--nssdir' for pluto which defaults to '/etc/ipsec.d'. As older versions don't understand such an option, we cannot just add it to the commandline.

The commandline arguments of LibreSwan are not stable enough to rely on. For example, in 3.19, 'ipsec initnss' has the new argument '--nssdir', and in 3.20, 'ipsec pluto' also gets this new argument '--nssdir', then in 3.22, the argument '--ctlbase' is phased out.

In this commit, instead of trying new options and then fallback to old ones for older versions, the bind-mount method used in StrongSwan driver is adopted. With /etc and /var/run bind mounted, all the commandline arguments related to configuration file places can be removed. This ensures that changes of such arguments between different versions won't bother as the default places are always used.

This commit also replaces 'auth=' by 'phase2=' in the configuration template as the former is for a long time an alias of the latter and removed in LibreSwan 3.19.

The virtual-private argument of 'ipsec pluto' has been put into the configuration file to avoid commas(,) in the commandline so that the netns_wrapper can work well.

A new tempest job for running LibreSwan as the device driver on CentOS 7 is also added to avoid regression.

This commit has been simply tested on CentOS 7.4 with the following versions of LibreSwan provided by the CentOS repo:

- libreswan-3.12-5.el7.x86_64.rpm
- libreswan-3.12-10.1.el7_1.x86_64.rpm
- libreswan-3.15-5.el7_1.x86_64.rpm
- libreswan-3.15-8.el7.x86_64.rpm
- libreswan-3.20-3.el7.x86_64.rpm
- libreswan-3.20-5.el7_4.x86_64.rpm

and different versions of LibreSwan provided by libreswan.org[1]:

[1] https://download.libreswan.org/binaries/rhel/7/x86_64/

Change-Id: Iacb6f13187b49cf771f0c24662d6af9217c211b8
Closes-Bug: #1711456
vpnaas.filters