From patchwork Wed Mar 31 08:05:06 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Gray X-Patchwork-Id: 1460392 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=TpVOCbtR; dkim-atps=neutral Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4F9Jlc11lNz9sWK for ; Wed, 31 Mar 2021 19:05:31 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 83B5584813; Wed, 31 Mar 2021 08:05:28 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cifi9SWcxzvc; Wed, 31 Mar 2021 08:05:27 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp1.osuosl.org (Postfix) with ESMTP id F200784830; Wed, 31 Mar 2021 08:05:25 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id EEB61C0015; Wed, 31 Mar 2021 08:05:24 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 03665C000B for ; Wed, 31 Mar 2021 08:05:23 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id DB44684810 for ; Wed, 31 Mar 2021 08:05:21 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5dokPpEi_aof for ; Wed, 31 Mar 2021 08:05:20 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [63.128.21.124]) by smtp1.osuosl.org (Postfix) with ESMTPS id 9A89184806 for ; Wed, 31 Mar 2021 08:05:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1617177919; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=AI9kjbnWlrUDmKHFrY43hmQERO93l27NDsz9scgqPkU=; b=TpVOCbtRspbN0qqbbjQRcFU0ZVKFuZMKGz7Jkagh73MVApq2q4g8n0ZgNFP3lGFSc9TkDF u9PnRHquxI99it+K7bbw9nehK1DwagYau5Vmkw3wIGIRQphnRB/QOhMSgbZFJgaMx+PP0C 6whDukznm/O6aV/usIewnD2iDO/5T7Q= Received: from mail-qt1-f199.google.com (mail-qt1-f199.google.com [209.85.160.199]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-602-MnloX8EnOWC2GH4YA4weRw-1; Wed, 31 Mar 2021 04:05:14 -0400 X-MC-Unique: MnloX8EnOWC2GH4YA4weRw-1 Received: by mail-qt1-f199.google.com with SMTP id v3so708452qtw.8 for ; Wed, 31 Mar 2021 01:05:14 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=AI9kjbnWlrUDmKHFrY43hmQERO93l27NDsz9scgqPkU=; b=C8Az0PdaZ/D9sDarvXZtmbxqjHcG5baaFJO3o9j8R5Q4kWlLOf4yol20uoqgkrCogo 5NWFyX+V05BkGVqhV7U028NcLKZq3jG2tYQxImKXHFVDQ6QgpBL15IgBOyW0bD/YPuDY pVD2fSQoQgZZkZa2WYqgYE+Gld4TPiBLlTOKIvsDe6SizMv/RPaaeqqx21LKHXVq52lN MAHxrpgOkyFlRX0dS7lIcvDOrxmH+NWij+eqiYTptTD9DpZsoWmNtBxzwSK3Po8KyHhG gG6EjZBdYtkysisWQWnFMZzLZQBX5sLjO5/uexI39v3WOCAtUWgGbqVU8M/aRE4YyPPQ Mj4g== X-Gm-Message-State: AOAM5305qHQ4oWGkCGUz4r9RRQ1KcHIEtMVQQUj1GE51Hix1wZVkX7xM O0lKZPWTV93xzuDuHMPSdlJrguITblNuaYtSbol+EVE0hQs/Kbx1vkDQDZD0buz8w90xfda1oCY t+jeZe4BmUhJcSIkkau3qFTMyuuJIeUZ4YpYu4eNIBxsHZ1n6GsZtLdZ35h8Q9hjeb4X5 X-Received: by 2002:a05:620a:102f:: with SMTP id a15mr2031030qkk.87.1617177913476; Wed, 31 Mar 2021 01:05:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzx0j0h9pD6ENHRR+9pXzfWk6mrcF+C3APeXrhtwjuAX78DDmC6Imh6jPyoj3xzlx6SfqwuDQ== X-Received: by 2002:a05:620a:102f:: with SMTP id a15mr2031011qkk.87.1617177913203; Wed, 31 Mar 2021 01:05:13 -0700 (PDT) Received: from wsfd-netdev91.ntdv.lab.eng.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id b10sm939665qkg.50.2021.03.31.01.05.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 31 Mar 2021 01:05:12 -0700 (PDT) From: Mark Gray To: dev@openvswitch.org Date: Wed, 31 Mar 2021 04:05:06 -0400 Message-Id: <20210331080509.532086-3-mark.d.gray@redhat.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210331080509.532086-1-mark.d.gray@redhat.com> References: <20210331080509.532086-1-mark.d.gray@redhat.com> MIME-Version: 1.0 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mark.d.gray@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH v2 2/5] ipsec: Allow custom file locations X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" "ovs_monitor_ipsec" assumes certain file locations for a number of Libreswan objects. This patch allows these locations to be configurable at startup in the Libreswan case. This additional flexibility enables system testing for OVS IPsec. Signed-off-by: Mark Gray Acked-by: Eelco Chaudron Acked-by: Aaron Conole Acked-by: Flavio Leitner --- v2: removed unneeded '+' operator, moved libreswan arg parsing ipsec/ovs-monitor-ipsec.in | 103 ++++++++++++++++++++++++++++--------- 1 file changed, 80 insertions(+), 23 deletions(-) diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in index 64111768b33a..802f57641cdc 100755 --- a/ipsec/ovs-monitor-ipsec.in +++ b/ipsec/ovs-monitor-ipsec.in @@ -439,12 +439,26 @@ conn prevent_unencrypted_vxlan CERT_PREFIX = "ovs_cert_" CERTKEY_PREFIX = "ovs_certkey_" - def __init__(self, libreswan_root_prefix): + def __init__(self, libreswan_root_prefix, args): + ipsec_conf = args.ipsec_conf if args.ipsec_conf else "/etc/ipsec.conf" + ipsec_d = args.ipsec_d if args.ipsec_d else "/etc/ipsec.d" + ipsec_secrets = (args.ipsec_secrets if args.ipsec_secrets + else "/etc/ipsec.secrets") + ipsec_ctl = (args.ipsec_ctl if args.ipsec_ctl + else "/run/pluto/pluto.ctl") + self.IPSEC = libreswan_root_prefix + "/usr/sbin/ipsec" - self.IPSEC_CONF = libreswan_root_prefix + "/etc/ipsec.conf" - self.IPSEC_SECRETS = libreswan_root_prefix + "/etc/ipsec.secrets" + self.IPSEC_CONF = libreswan_root_prefix + ipsec_conf + self.IPSEC_SECRETS = libreswan_root_prefix + ipsec_secrets + self.IPSEC_D = "sql:" + libreswan_root_prefix + ipsec_d + self.IPSEC_CTL = libreswan_root_prefix + ipsec_ctl self.conf_file = None self.secrets_file = None + vlog.dbg("Using: " + self.IPSEC) + vlog.dbg("Configuration file: " + self.IPSEC_CONF) + vlog.dbg("Secrets file: " + self.IPSEC_SECRETS) + vlog.dbg("ipsec.d: " + self.IPSEC_D) + vlog.dbg("Pluto socket: " + self.IPSEC_CTL) def restart_ike_daemon(self): """This function restarts LibreSwan.""" @@ -539,7 +553,8 @@ conn prevent_unencrypted_vxlan def refresh(self, monitor): vlog.info("Refreshing LibreSwan configuration") - subprocess.call([self.IPSEC, "auto", "--rereadsecrets"]) + subprocess.call([self.IPSEC, "auto", "--ctlsocket", self.IPSEC_CTL, + "--config", self.IPSEC_CONF, "--rereadsecrets"]) tunnels = set(monitor.tunnels.keys()) # Delete old connections @@ -566,7 +581,9 @@ conn prevent_unencrypted_vxlan if not tunnel or tunnel.version != ver: vlog.info("%s is outdated %u" % (conn, ver)) - subprocess.call([self.IPSEC, "auto", "--delete", conn]) + subprocess.call([self.IPSEC, "auto", "--ctlsocket", + self.IPSEC_CTL, "--config", + self.IPSEC_CONF, "--delete", conn]) elif ifname in tunnels: tunnels.remove(ifname) @@ -586,22 +603,46 @@ conn prevent_unencrypted_vxlan # Update shunt policy if changed if monitor.conf_in_use["skb_mark"] != monitor.conf["skb_mark"]: if monitor.conf["skb_mark"]: - subprocess.call([self.IPSEC, "auto", "--add", + subprocess.call([self.IPSEC, "auto", + "--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--add", "--asynchronous", "prevent_unencrypted_gre"]) - subprocess.call([self.IPSEC, "auto", "--add", + subprocess.call([self.IPSEC, "auto", + "--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--add", "--asynchronous", "prevent_unencrypted_geneve"]) - subprocess.call([self.IPSEC, "auto", "--add", + subprocess.call([self.IPSEC, "auto", + "--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--add", "--asynchronous", "prevent_unencrypted_stt"]) - subprocess.call([self.IPSEC, "auto", "--add", + subprocess.call([self.IPSEC, "auto", + "--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--add", "--asynchronous", "prevent_unencrypted_vxlan"]) else: - subprocess.call([self.IPSEC, "auto", "--delete", + subprocess.call([self.IPSEC, "auto", + "--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--delete", "--asynchronous", "prevent_unencrypted_gre"]) - subprocess.call([self.IPSEC, "auto", "--delete", + subprocess.call([self.IPSEC, "auto", + "--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--delete", "--asynchronous", "prevent_unencrypted_geneve"]) - subprocess.call([self.IPSEC, "auto", "--delete", + subprocess.call([self.IPSEC, "auto", + "--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--delete", "--asynchronous", "prevent_unencrypted_stt"]) - subprocess.call([self.IPSEC, "auto", "--delete", + subprocess.call([self.IPSEC, "auto", + "--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--delete", "--asynchronous", "prevent_unencrypted_vxlan"]) monitor.conf_in_use["skb_mark"] = monitor.conf["skb_mark"] @@ -613,7 +654,8 @@ conn prevent_unencrypted_vxlan sample line from the parsed outpus as . """ conns = {} - proc = subprocess.Popen([self.IPSEC, 'status'], stdout=subprocess.PIPE) + proc = subprocess.Popen([self.IPSEC, 'status', '--ctlsocket', + self.IPSEC_CTL], stdout=subprocess.PIPE) while True: line = proc.stdout.readline().strip().decode() @@ -644,7 +686,10 @@ conn prevent_unencrypted_vxlan # the "ipsec auto --start" command is lost. Just retry to make sure # the command is received by LibreSwan. while True: - proc = subprocess.Popen([self.IPSEC, "auto", "--start", + proc = subprocess.Popen([self.IPSEC, "auto", + "--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--start", "--asynchronous", conn], stdout=subprocess.PIPE, stderr=subprocess.PIPE) @@ -658,7 +703,7 @@ conn prevent_unencrypted_vxlan """Remove all OVS IPsec related state from the NSS database""" try: proc = subprocess.Popen(['certutil', '-L', '-d', - 'sql:/etc/ipsec.d/'], + self.IPSEC_D], stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True) @@ -682,7 +727,7 @@ conn prevent_unencrypted_vxlan normal certificate.""" try: proc = subprocess.Popen(['certutil', '-A', '-a', '-i', cert, - '-d', 'sql:/etc/ipsec.d/', '-n', + '-d', self.IPSEC_D, '-n', name, '-t', cert_type], stdout=subprocess.PIPE, stderr=subprocess.PIPE) @@ -695,7 +740,7 @@ conn prevent_unencrypted_vxlan def _nss_delete_cert(self, name): try: proc = subprocess.Popen(['certutil', '-D', '-d', - 'sql:/etc/ipsec.d/', '-n', name], + self.IPSEC_D, '-n', name], stdout=subprocess.PIPE, stderr=subprocess.PIPE) proc.wait() @@ -723,7 +768,7 @@ conn prevent_unencrypted_vxlan # Load p12 file to the database proc = subprocess.Popen(['pk12util', '-i', path, '-d', - 'sql:/etc/ipsec.d/', '-W', ''], + self.IPSEC_D, '-W', ''], stdout=subprocess.PIPE, stderr=subprocess.PIPE) proc.wait() @@ -738,7 +783,7 @@ conn prevent_unencrypted_vxlan try: # Delete certificate and private key proc = subprocess.Popen(['certutil', '-F', '-d', - 'sql:/etc/ipsec.d/', '-n', name], + self.IPSEC_D, '-n', name], stdout=subprocess.PIPE, stderr=subprocess.PIPE) proc.wait() @@ -925,7 +970,7 @@ class IPsecTunnel(object): class IPsecMonitor(object): """This class monitors and configures IPsec tunnels""" - def __init__(self, root_prefix, ike_daemon, restart): + def __init__(self, root_prefix, ike_daemon, restart, args): self.IPSEC = root_prefix + "/usr/sbin/ipsec" self.tunnels = {} @@ -945,7 +990,7 @@ class IPsecMonitor(object): if ike_daemon == "strongswan": self.ike_helper = StrongSwanHelper(root_prefix) elif ike_daemon == "libreswan": - self.ike_helper = LibreSwanHelper(root_prefix) + self.ike_helper = LibreSwanHelper(root_prefix, args) else: vlog.err("The IKE daemon should be strongswan or libreswan.") sys.exit(1) @@ -1190,6 +1235,18 @@ def main(): " (either libreswan or strongswan).") parser.add_argument("--no-restart-ike-daemon", action='store_true', help="Don't restart the IKE daemon on startup.") + parser.add_argument("--ipsec-conf", metavar="IPSEC-CONF", + help="Use DIR/IPSEC-CONF as location for " + " ipsec.conf (libreswan only).") + parser.add_argument("--ipsec-d", metavar="IPSEC-D", + help="Use DIR/IPSEC-D as location for " + " ipsec.d (libreswan only).") + parser.add_argument("--ipsec-secrets", metavar="IPSEC-SECRETS", + help="Use DIR/IPSEC-SECRETS as location for " + " ipsec.secrets (libreswan only).") + parser.add_argument("--ipsec-ctl", metavar="IPSEC-CTL", + help="Use DIR/IPSEC-CTL as location for " + " pluto ctl socket (libreswan only).") ovs.vlog.add_args(parser) ovs.daemon.add_args(parser) @@ -1203,7 +1260,7 @@ def main(): root_prefix = args.root_prefix if args.root_prefix else "" xfrm = XFRM(root_prefix) monitor = IPsecMonitor(root_prefix, args.ike_daemon, - not args.no_restart_ike_daemon) + not args.no_restart_ike_daemon, args) remote = args.database schema_helper = ovs.db.idl.SchemaHelper()