| Message ID | 20240313215449.902091-1-mkp@redhat.com |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | [ovs-dev] ovs-monitor-ipsec: LibreSwan autodetect paths. | expand |
| Context | Check | Description |
|---|---|---|
| ovsrobot/apply-robot | success | apply and check: success |
| ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
| ovsrobot/intel-ovs-compilation | success | test: success |
On 3/13/24 22:54, Mike Pattrick wrote: > In v4.0, LibreSwan changed a default paths that had been hardcoded in > ovs-monitor-ipsec, breaking some uses of this script. This patch adds > support for both old and newer versions by auto detecting the location > of these paths from LibreSwan shell script environment variables. > > Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1975039 > Reported-by: Qijun Ding <qding@redhat.com> > Fixes: d6afbc00d5b3 ("ipsec: Allow custom file locations.") > Signed-off-by: Mike Pattrick <mkp@redhat.com> > --- > ipsec/ovs-monitor-ipsec.in | 31 +++++++++++++++++++++++++++---- > 1 file changed, 27 insertions(+), 4 deletions(-) > Hi, Mike. Thanks for working on this! Though using the knowledge that /usr/sbin/ipsec is a shell script and that it defines particular variables inside seems like a hack. Maybe we can just check the version instead? We know that default nss path changed in 4.0. Best regards, Ilya Maximets.
On Tue, Mar 19, 2024 at 5:35 PM Ilya Maximets <i.maximets@ovn.org> wrote: > > On 3/13/24 22:54, Mike Pattrick wrote: > > In v4.0, LibreSwan changed a default paths that had been hardcoded in > > ovs-monitor-ipsec, breaking some uses of this script. This patch adds > > support for both old and newer versions by auto detecting the location > > of these paths from LibreSwan shell script environment variables. > > > > Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1975039 > > Reported-by: Qijun Ding <qding@redhat.com> > > Fixes: d6afbc00d5b3 ("ipsec: Allow custom file locations.") > > Signed-off-by: Mike Pattrick <mkp@redhat.com> > > --- > > ipsec/ovs-monitor-ipsec.in | 31 +++++++++++++++++++++++++++---- > > 1 file changed, 27 insertions(+), 4 deletions(-) > > > > Hi, Mike. Thanks for working on this! > > Though using the knowledge that /usr/sbin/ipsec is a shell script > and that it defines particular variables inside seems like a hack. > > Maybe we can just check the version instead? We know that default > nss path changed in 4.0. My motivation for this method was because these paths could be changed easier than reimplementing the ipsec script, by the maintainers or downstream distributions. But there's nothing stopping us from addressing any future changes as they happen, I'll resend with just a fix for 4.0. -M > > Best regards, Ilya Maximets. >
diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in index 7945162f9..6c28f30f4 100755 --- a/ipsec/ovs-monitor-ipsec.in +++ b/ipsec/ovs-monitor-ipsec.in @@ -456,15 +456,38 @@ conn prevent_unencrypted_vxlan CERT_PREFIX = "ovs_cert_" CERTKEY_PREFIX = "ovs_certkey_" + def collect_environment(self): + """Extract important paths from ipsec file.""" + env = { + "IPSEC_CONF": "/etc/ipsec.conf", + "IPSEC_NSSDIR": "/etc/ipsec.d", + "IPSEC_RUNDIR": "/run/pluto" + } + try: + with open(self.IPSEC) as fh: + e_list = re.findall("^([A-Z_]+)=.*:-(.*)}", + fh.read(), + re.MULTILINE) + except: + return env + + for k, v in e_list: + env[k] = v + + return env + def __init__(self, libreswan_root_prefix, args): - ipsec_conf = args.ipsec_conf if args.ipsec_conf else "/etc/ipsec.conf" - ipsec_d = args.ipsec_d if args.ipsec_d else "/etc/ipsec.d" + self.IPSEC = libreswan_root_prefix + "/usr/sbin/ipsec" + + env = self.collect_environment() + + ipsec_conf = args.ipsec_conf if args.ipsec_conf else env["IPSEC_CONF"] + ipsec_d = args.ipsec_d if args.ipsec_d else env["IPSEC_NSSDIR"] ipsec_secrets = (args.ipsec_secrets if args.ipsec_secrets else "/etc/ipsec.secrets") ipsec_ctl = (args.ipsec_ctl if args.ipsec_ctl - else "/run/pluto/pluto.ctl") + else os.path.join(env["IPSEC_RUNDIR"], "pluto.ctl")) - self.IPSEC = libreswan_root_prefix + "/usr/sbin/ipsec" self.IPSEC_CONF = libreswan_root_prefix + ipsec_conf self.IPSEC_SECRETS = libreswan_root_prefix + ipsec_secrets self.IPSEC_D = "sql:" + libreswan_root_prefix + ipsec_d
In v4.0, LibreSwan changed a default paths that had been hardcoded in ovs-monitor-ipsec, breaking some uses of this script. This patch adds support for both old and newer versions by auto detecting the location of these paths from LibreSwan shell script environment variables. Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1975039 Reported-by: Qijun Ding <qding@redhat.com> Fixes: d6afbc00d5b3 ("ipsec: Allow custom file locations.") Signed-off-by: Mike Pattrick <mkp@redhat.com> --- ipsec/ovs-monitor-ipsec.in | 31 +++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-)