Message ID | 20220214083947.30774-1-mheib@redhat.com
---|---
State | Changes Requested
Series | [ovs-dev] ovs-monitor-ipsec: LibreSwan update nssdb default path
Context | Check | Description |
---|---|---|
ovsrobot/apply-robot | success | apply and check: success |
ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
On 2/14/22 09:39, Mohammad Heib wrote:
> Currently the ovs-monitor-ipsec script uses the old NSSDB path (/etc/ipsec.d)
> to store the connection keys and certificates and initiates these connections
> using the ipsec command, which in turn uses the NSSDB located in the new
> location (see: https://github.com/libreswan/libreswan/issues/391), and that
> causes connection issues.
>
> This patch changes the default NSSDB path in ovs-monitor-ipsec to match
> LibreSwan's NSSDB default path.
>
> Signed-off-by: Mohammad Heib <mheib@redhat.com>
> ---
>  ipsec/ovs-monitor-ipsec.in | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
> index a8b0705d9..78d390802 100755
> --- a/ipsec/ovs-monitor-ipsec.in
> +++ b/ipsec/ovs-monitor-ipsec.in
> @@ -447,7 +447,7 @@ conn prevent_unencrypted_vxlan
>
>      def __init__(self, libreswan_root_prefix, args):
>          ipsec_conf = args.ipsec_conf if args.ipsec_conf else "/etc/ipsec.conf"
> -        ipsec_d = args.ipsec_d if args.ipsec_d else "/etc/ipsec.d"
> +        ipsec_d = args.ipsec_d if args.ipsec_d else "/var/lib/ipsec/nss"
>          ipsec_secrets = (args.ipsec_secrets if args.ipsec_secrets
>                           else "/etc/ipsec.secrets")
>          ipsec_ctl = (args.ipsec_ctl if args.ipsec_ctl

Hi, Mohammad. Sorry it took so long to review.

Do you know in which version the change was made exactly? I'm looking at my RHEL 8.5 VM and it seems to have "/etc/ipsec.d" as the default location.

Since the location change also requires an SELinux policy change for the pluto service, maybe it's better to just add the 'nssdir' config to ipsec.conf? Will that solve the problem?

Best regards,
Ilya Maximets.
diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in index a8b0705d9..78d390802 100755 --- a/ipsec/ovs-monitor-ipsec.in +++ b/ipsec/ovs-monitor-ipsec.in @@ -447,7 +447,7 @@ conn prevent_unencrypted_vxlan def __init__(self, libreswan_root_prefix, args): ipsec_conf = args.ipsec_conf if args.ipsec_conf else "/etc/ipsec.conf" - ipsec_d = args.ipsec_d if args.ipsec_d else "/etc/ipsec.d" + ipsec_d = args.ipsec_d if args.ipsec_d else "/var/lib/ipsec/nss" ipsec_secrets = (args.ipsec_secrets if args.ipsec_secrets else "/etc/ipsec.secrets") ipsec_ctl = (args.ipsec_ctl if args.ipsec_ctl
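Review bot: The new default in the `ipsec_d` line is applied unconditionally, so on a host whose libreswan still keeps its database under /etc/ipsec.d (the RHEL 8.5 observation in the reply above) the monitor would import keys and certificates into /var/lib/ipsec/nss while pluto opens the other directory, which is the same mismatch this patch is fixing with the versions swapped. Suggest not replacing one hard-coded default with another: either keep /etc/ipsec.d as the fallback and emit an explicit `nssdir=` under `config setup` in the generated ipsec.conf so pluto and the monitor agree by construction, or derive the directory from the installed libreswan at startup. The commit message should also state the libreswan version in which the default moved, and if the option's help text or man page still gives /etc/ipsec.d as the `--ipsec-d` default it needs updating in the same patch.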
Currently the ovs-monitor-ipsec script uses the old NSSDB path (/etc/ipsec.d) to store the connection keys and certificates and initiates these connections using the ipsec command, which in turn uses the NSSDB located in the new location (see: https://github.com/libreswan/libreswan/issues/391), and that causes connection issues.

This patch changes the default NSSDB path in ovs-monitor-ipsec to match LibreSwan's NSSDB default path.

Signed-off-by: Mohammad Heib <mheib@redhat.com>
---
 ipsec/ovs-monitor-ipsec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
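The alternative Ilya raises, an explicit `nssdir=` in ipsec.conf, worked through as an added example that is not part of this patch or of ovs-monitor-ipsec. It resolves the NSS directory the way a monitor would need to (a command-line override first, then `nssdir=` from the `config setup` section, which libreswan itself reads, then a probe of the two default locations named in the thread for an existing database) and can write the chosen value back into `config setup` so pluto and the monitor take the path from the same line. The probe order, the cert9.db/cert8.db file names, the function names and the constructed sample config are assumptions; as Ilya notes, moving the database to a new directory still needs the matching SELinux policy for pluto, which no config key supplies.

```python
"""Added example, not ovs-monitor-ipsec code: derive the NSS database directory
from ipsec.conf instead of hard-coding either libreswan default, and pin nssdir=
there so pluto and the monitor read the same value (the fix Ilya proposes)."""
import os
import re
import tempfile

# Libreswan defaults named in the thread, newest first (probe order is an assumption).
CANDIDATE_NSSDIRS = ("/var/lib/ipsec/nss", "/etc/ipsec.d")
NSS_DB_FILES = ("cert9.db", "cert8.db")  # NSS sql backend and legacy dbm backend

# ipsec.conf layout: section headers start in column 0, keys are indented.
_SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
_KV_RE = re.compile(r"^\s+([A-Za-z_-]+)\s*=\s*(.*?)\s*$")

# Constructed sample with no nssdir= set, i.e. the situation described in the thread.
SAMPLE_IPSEC_CONF = """\
# constructed sample ipsec.conf
config setup
    protostack=netkey

conn ovs-vxlan
    left=10.0.0.1
    right=10.0.0.2
"""

def parse_ipsec_conf_setup(text):
    """Key/value pairs of the `config setup` section; '#' starts a comment."""
    setup, in_setup = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        header = _SECTION_RE.match(line)
        if header:
            in_setup = header.groups() == ("config", "setup")
            continue
        kv = _KV_RE.match(line)
        if in_setup and kv:
            setup[kv.group(1)] = kv.group(2)
    return setup

def has_nss_db(directory):
    return any(os.path.isfile(os.path.join(directory, f)) for f in NSS_DB_FILES)

def resolve_nssdir(explicit=None, ipsec_conf_text="", candidates=CANDIDATE_NSSDIRS):
    """Return (directory, reason); log the reason so a mismatch with pluto is visible."""
    if explicit:
        return explicit, "command-line override"
    nssdir = parse_ipsec_conf_setup(ipsec_conf_text).get("nssdir")
    if nssdir:
        return nssdir, "nssdir= in config setup"
    for directory in candidates:
        if has_nss_db(directory):
            return directory, "existing NSS database"
    return candidates[0], "no database found, assuming first default"

def pin_nssdir(ipsec_conf_text, nssdir):
    """Set nssdir= in `config setup`: replace an existing key, else append to the
    section, creating the section if the file has none."""
    out, in_setup, seen_setup, written = [], False, False, False
    entry = "    nssdir=" + nssdir

    def append_to_section():  # keep the key above the blank lines ending the section
        blanks = []
        while out and not out[-1].strip():
            blanks.append(out.pop())
        out.append(entry)
        out.extend(blanks)

    for raw in ipsec_conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        header = _SECTION_RE.match(line)
        if header:
            if in_setup and not written:
                append_to_section()
                written = True
            in_setup = header.groups() == ("config", "setup")
            seen_setup = seen_setup or in_setup
        elif in_setup:
            kv = _KV_RE.match(line)
            if kv and kv.group(1) == "nssdir":
                out.append(entry)
                written = True
                continue
        out.append(raw)
    if not seen_setup:
        out.extend(["", "config setup", entry])
    elif not written:
        append_to_section()
    return "\n".join(out) + "\n"

def demo_probe():
    """Throwaway directory holding an empty cert9.db: the probe must pick it over a
    candidate that does not exist. Returns (picked_the_tempdir, reason)."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "cert9.db"), "w").close()
        chosen, reason = resolve_nssdir(candidates=(tmp, "/nonexistent/ipsec.d"))
        return chosen == tmp, reason
```

Logging the returned reason at startup is the part worth copying: the failure mode in the thread is the monitor importing certificates into one database while pluto opens another, and a single line such as "nssdir=/var/lib/ipsec/nss (existing NSS database)" in the journal turns that silent mismatch into something an operator can see. `pin_nssdir(SAMPLE_IPSEC_CONF, CANDIDATE_NSSDIRS[0])` produces a `config setup` block carrying the key, which is what Ilya's `nssdir` suggestion amounts to.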