ipsec: Allow custom file locations.

"ovs_monitor_ipsec" assumes certain file locations for a number of Libreswan objects. This patch allows these locations to be configurable at startup in the Libreswan case. This additional flexibility enables system testing for OVS IPsec. Signed-off-by: Mark Gray <mark.d.gray@redhat.com> Acked-by: Flavio Leitner <fbl@sysclose.org> Acked-by: Aaron Conole <aconole@redhat.com> Acked-by: Eelco Chaudron <echaudro@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-09-01 06:45:17 +00:00 · 2021-04-01 09:58:26 -04:00
parent 4ce8bb159e
commit d6afbc00d5
1 changed files with 80 additions and 23 deletions
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -445,12 +445,26 @@ conn prevent_unencrypted_vxlan
    CERT_PREFIX = "ovs_cert_"
    CERTKEY_PREFIX = "ovs_certkey_"

-    def __init__(self, libreswan_root_prefix):
+    def __init__(self, libreswan_root_prefix, args):
+        ipsec_conf = args.ipsec_conf if args.ipsec_conf else "/etc/ipsec.conf"
+        ipsec_d = args.ipsec_d if args.ipsec_d else "/etc/ipsec.d"
+        ipsec_secrets = (args.ipsec_secrets if args.ipsec_secrets
+                        else "/etc/ipsec.secrets")
+        ipsec_ctl = (args.ipsec_ctl if args.ipsec_ctl
+                        else "/run/pluto/pluto.ctl")
+
        self.IPSEC = libreswan_root_prefix + "/usr/sbin/ipsec"
-        self.IPSEC_CONF = libreswan_root_prefix + "/etc/ipsec.conf"
-        self.IPSEC_SECRETS = libreswan_root_prefix + "/etc/ipsec.secrets"
+        self.IPSEC_CONF = libreswan_root_prefix + ipsec_conf
+        self.IPSEC_SECRETS = libreswan_root_prefix + ipsec_secrets
+        self.IPSEC_D = "sql:" + libreswan_root_prefix + ipsec_d
+        self.IPSEC_CTL = libreswan_root_prefix + ipsec_ctl
        self.conf_file = None
        self.secrets_file = None
+        vlog.dbg("Using: " + self.IPSEC)
+        vlog.dbg("Configuration file: " + self.IPSEC_CONF)
+        vlog.dbg("Secrets file: " + self.IPSEC_SECRETS)
+        vlog.dbg("ipsec.d: " + self.IPSEC_D)
+        vlog.dbg("Pluto socket: " + self.IPSEC_CTL)

    def restart_ike_daemon(self):
        """This function restarts LibreSwan."""
@@ -548,7 +562,8 @@ conn prevent_unencrypted_vxlan

    def refresh(self, monitor):
        vlog.info("Refreshing LibreSwan configuration")
-        subprocess.call([self.IPSEC, "auto", "--rereadsecrets"])
+        subprocess.call([self.IPSEC, "auto", "--ctlsocket", self.IPSEC_CTL,
+                        "--config", self.IPSEC_CONF, "--rereadsecrets"])
        tunnels = set(monitor.tunnels.keys())

        # Delete old connections
@@ -575,7 +590,9 @@ conn prevent_unencrypted_vxlan

                if not tunnel or tunnel.version != ver:
                    vlog.info("%s is outdated %u" % (conn, ver))
-                    subprocess.call([self.IPSEC, "auto", "--delete", conn])
+                    subprocess.call([self.IPSEC, "auto", "--ctlsocket",
+                                    self.IPSEC_CTL, "--config",
+                                    self.IPSEC_CONF, "--delete", conn])
                elif ifname in tunnels:
                    tunnels.remove(ifname)

@@ -595,22 +612,46 @@ conn prevent_unencrypted_vxlan
        # Update shunt policy if changed
        if monitor.conf_in_use["skb_mark"] != monitor.conf["skb_mark"]:
            if monitor.conf["skb_mark"]:
-                subprocess.call([self.IPSEC, "auto", "--add",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--add",
                            "--asynchronous", "prevent_unencrypted_gre"])
-                subprocess.call([self.IPSEC, "auto", "--add",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--add",
                            "--asynchronous", "prevent_unencrypted_geneve"])
-                subprocess.call([self.IPSEC, "auto", "--add",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--add",
                            "--asynchronous", "prevent_unencrypted_stt"])
-                subprocess.call([self.IPSEC, "auto", "--add",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--add",
                            "--asynchronous", "prevent_unencrypted_vxlan"])
            else:
-                subprocess.call([self.IPSEC, "auto", "--delete",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--delete",
                            "--asynchronous", "prevent_unencrypted_gre"])
-                subprocess.call([self.IPSEC, "auto", "--delete",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--delete",
                            "--asynchronous", "prevent_unencrypted_geneve"])
-                subprocess.call([self.IPSEC, "auto", "--delete",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--delete",
                            "--asynchronous", "prevent_unencrypted_stt"])
-                subprocess.call([self.IPSEC, "auto", "--delete",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--delete",
                            "--asynchronous", "prevent_unencrypted_vxlan"])
            monitor.conf_in_use["skb_mark"] = monitor.conf["skb_mark"]

@@ -622,7 +663,8 @@ conn prevent_unencrypted_vxlan
        sample line from the parsed outpus as <value>. """

        conns = {}
-        proc = subprocess.Popen([self.IPSEC, 'status'], stdout=subprocess.PIPE)
+        proc = subprocess.Popen([self.IPSEC, 'status', '--ctlsocket',
+                                self.IPSEC_CTL], stdout=subprocess.PIPE)

        while True:
            line = proc.stdout.readline().strip().decode()
@@ -653,7 +695,10 @@ conn prevent_unencrypted_vxlan
        # the "ipsec auto --start" command is lost. Just retry to make sure
        # the command is received by LibreSwan.
        while True:
-            proc = subprocess.Popen([self.IPSEC, "auto", "--start",
+            proc = subprocess.Popen([self.IPSEC, "auto",
+                                    "--config", self.IPSEC_CONF,
+                                    "--ctlsocket", self.IPSEC_CTL,
+                                    "--start",
                                    "--asynchronous", conn],
                                    stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE)
@@ -667,7 +712,7 @@ conn prevent_unencrypted_vxlan
        """Remove all OVS IPsec related state from the NSS database"""
        try:
            proc = subprocess.Popen(['certutil', '-L', '-d',
-                                    'sql:/etc/ipsec.d/'],
+                                    self.IPSEC_D],
                                    stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE,
                                    universal_newlines=True)
@@ -691,7 +736,7 @@ conn prevent_unencrypted_vxlan
        normal certificate."""
        try:
            proc = subprocess.Popen(['certutil', '-A', '-a', '-i', cert,
-                                    '-d', 'sql:/etc/ipsec.d/', '-n',
+                                    '-d', self.IPSEC_D, '-n',
                                    name, '-t', cert_type],
                                    stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE)
@@ -704,7 +749,7 @@ conn prevent_unencrypted_vxlan
    def _nss_delete_cert(self, name):
        try:
            proc = subprocess.Popen(['certutil', '-D', '-d',
-                                    'sql:/etc/ipsec.d/', '-n', name],
+                                    self.IPSEC_D, '-n', name],
                                    stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE)
            proc.wait()
@@ -732,7 +777,7 @@ conn prevent_unencrypted_vxlan

            # Load p12 file to the database
            proc = subprocess.Popen(['pk12util', '-i', path, '-d',
-                                    'sql:/etc/ipsec.d/', '-W', ''],
+                                    self.IPSEC_D, '-W', ''],
                                    stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE)
            proc.wait()
@@ -747,7 +792,7 @@ conn prevent_unencrypted_vxlan
        try:
            # Delete certificate and private key
            proc = subprocess.Popen(['certutil', '-F', '-d',
-                                    'sql:/etc/ipsec.d/', '-n', name],
+                                    self.IPSEC_D, '-n', name],
                                    stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE)
            proc.wait()
@@ -949,7 +994,7 @@ class IPsecTunnel(object):
 class IPsecMonitor(object):
    """This class monitors and configures IPsec tunnels"""

-    def __init__(self, root_prefix, ike_daemon, restart):
+    def __init__(self, root_prefix, ike_daemon, restart, args):
        self.IPSEC = root_prefix + "/usr/sbin/ipsec"
        self.tunnels = {}

@@ -969,7 +1014,7 @@ class IPsecMonitor(object):
        if ike_daemon == "strongswan":
            self.ike_helper = StrongSwanHelper(root_prefix)
        elif ike_daemon == "libreswan":
-            self.ike_helper = LibreSwanHelper(root_prefix)
+            self.ike_helper = LibreSwanHelper(root_prefix, args)
        else:
            vlog.err("The IKE daemon should be strongswan or libreswan.")
            sys.exit(1)
@@ -1227,6 +1272,18 @@ def main():
                        " (either libreswan or strongswan).")
    parser.add_argument("--no-restart-ike-daemon", action='store_true',
                        help="Don't restart the IKE daemon on startup.")
+    parser.add_argument("--ipsec-conf", metavar="IPSEC-CONF",
+                        help="Use DIR/IPSEC-CONF as location for "
+                        " ipsec.conf (libreswan only).")
+    parser.add_argument("--ipsec-d", metavar="IPSEC-D",
+                        help="Use DIR/IPSEC-D as location for "
+                        " ipsec.d (libreswan only).")
+    parser.add_argument("--ipsec-secrets", metavar="IPSEC-SECRETS",
+                        help="Use DIR/IPSEC-SECRETS as location for "
+                        " ipsec.secrets (libreswan only).")
+    parser.add_argument("--ipsec-ctl", metavar="IPSEC-CTL",
+                        help="Use DIR/IPSEC-CTL as location for "
+                        " pluto ctl socket (libreswan only).")

    ovs.vlog.add_args(parser)
    ovs.daemon.add_args(parser)
@@ -1240,7 +1297,7 @@ def main():
    root_prefix = args.root_prefix if args.root_prefix else ""
    xfrm = XFRM(root_prefix)
    monitor = IPsecMonitor(root_prefix, args.ike_daemon,
-                           not args.no_restart_ike_daemon)
+                           not args.no_restart_ike_daemon, args)

    remote = args.database
    schema_helper = ovs.db.idl.SchemaHelper()