ipsec: Allow custom file locations.

"ovs_monitor_ipsec" assumes certain file locations for a number of Libreswan objects. This patch allows these locations to be configurable at startup in the Libreswan case. This additional flexibility enables system testing for OVS IPsec. Signed-off-by: Mark Gray <[email protected]> Acked-by: Flavio Leitner <[email protected]> Acked-by: Aaron Conole <[email protected]> Acked-by: Eelco Chaudron <[email protected]> Signed-off-by: Ilya Maximets <[email protected]>
timofei-durakov · Apr 1, 2021 · d6afbc0 · d6afbc0
1 parent 4ce8bb1
commit d6afbc0
Showing 1 changed file with 80 additions and 23 deletions.
diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
@@ -445,12 +445,26 @@ conn prevent_unencrypted_vxlan
     CERT_PREFIX = "ovs_cert_"
     CERTKEY_PREFIX = "ovs_certkey_"
 
-    def __init__(self, libreswan_root_prefix):
+    def __init__(self, libreswan_root_prefix, args):
+        ipsec_conf = args.ipsec_conf if args.ipsec_conf else "/etc/ipsec.conf"
+        ipsec_d = args.ipsec_d if args.ipsec_d else "/etc/ipsec.d"
+        ipsec_secrets = (args.ipsec_secrets if args.ipsec_secrets
+                        else "/etc/ipsec.secrets")
+        ipsec_ctl = (args.ipsec_ctl if args.ipsec_ctl
+                        else "/run/pluto/pluto.ctl")
+
         self.IPSEC = libreswan_root_prefix + "/usr/sbin/ipsec"
-        self.IPSEC_CONF = libreswan_root_prefix + "/etc/ipsec.conf"
-        self.IPSEC_SECRETS = libreswan_root_prefix + "/etc/ipsec.secrets"
+        self.IPSEC_CONF = libreswan_root_prefix + ipsec_conf
+        self.IPSEC_SECRETS = libreswan_root_prefix + ipsec_secrets
+        self.IPSEC_D = "sql:" + libreswan_root_prefix + ipsec_d
+        self.IPSEC_CTL = libreswan_root_prefix + ipsec_ctl
         self.conf_file = None
         self.secrets_file = None
+        vlog.dbg("Using: " + self.IPSEC)
+        vlog.dbg("Configuration file: " + self.IPSEC_CONF)
+        vlog.dbg("Secrets file: " + self.IPSEC_SECRETS)
+        vlog.dbg("ipsec.d: " + self.IPSEC_D)
+        vlog.dbg("Pluto socket: " + self.IPSEC_CTL)
 
     def restart_ike_daemon(self):
         """This function restarts LibreSwan."""
@@ -548,7 +562,8 @@ conn prevent_unencrypted_vxlan
 
     def refresh(self, monitor):
         vlog.info("Refreshing LibreSwan configuration")
-        subprocess.call([self.IPSEC, "auto", "--rereadsecrets"])
+        subprocess.call([self.IPSEC, "auto", "--ctlsocket", self.IPSEC_CTL,
+                        "--config", self.IPSEC_CONF, "--rereadsecrets"])
         tunnels = set(monitor.tunnels.keys())
 
         # Delete old connections
@@ -575,7 +590,9 @@ conn prevent_unencrypted_vxlan
 
                 if not tunnel or tunnel.version != ver:
                     vlog.info("%s is outdated %u" % (conn, ver))
-                    subprocess.call([self.IPSEC, "auto", "--delete", conn])
+                    subprocess.call([self.IPSEC, "auto", "--ctlsocket",
+                                    self.IPSEC_CTL, "--config",
+                                    self.IPSEC_CONF, "--delete", conn])
                 elif ifname in tunnels:
                     tunnels.remove(ifname)
 
@@ -595,22 +612,46 @@ conn prevent_unencrypted_vxlan
         # Update shunt policy if changed
         if monitor.conf_in_use["skb_mark"] != monitor.conf["skb_mark"]:
             if monitor.conf["skb_mark"]:
-                subprocess.call([self.IPSEC, "auto", "--add",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--add",
                             "--asynchronous", "prevent_unencrypted_gre"])
-                subprocess.call([self.IPSEC, "auto", "--add",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--add",
                             "--asynchronous", "prevent_unencrypted_geneve"])
-                subprocess.call([self.IPSEC, "auto", "--add",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--add",
                             "--asynchronous", "prevent_unencrypted_stt"])
-                subprocess.call([self.IPSEC, "auto", "--add",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--add",
                             "--asynchronous", "prevent_unencrypted_vxlan"])
             else:
-                subprocess.call([self.IPSEC, "auto", "--delete",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--delete",
                             "--asynchronous", "prevent_unencrypted_gre"])
-                subprocess.call([self.IPSEC, "auto", "--delete",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--delete",
                             "--asynchronous", "prevent_unencrypted_geneve"])
-                subprocess.call([self.IPSEC, "auto", "--delete",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--delete",
                             "--asynchronous", "prevent_unencrypted_stt"])
-                subprocess.call([self.IPSEC, "auto", "--delete",
+                subprocess.call([self.IPSEC, "auto",
+                            "--config", self.IPSEC_CONF,
+                            "--ctlsocket", self.IPSEC_CTL,
+                            "--delete",
                             "--asynchronous", "prevent_unencrypted_vxlan"])
             monitor.conf_in_use["skb_mark"] = monitor.conf["skb_mark"]
 
@@ -622,7 +663,8 @@ conn prevent_unencrypted_vxlan
         sample line from the parsed outpus as <value>. """
 
         conns = {}
-        proc = subprocess.Popen([self.IPSEC, 'status'], stdout=subprocess.PIPE)
+        proc = subprocess.Popen([self.IPSEC, 'status', '--ctlsocket',
+                                self.IPSEC_CTL], stdout=subprocess.PIPE)
 
         while True:
             line = proc.stdout.readline().strip().decode()
@@ -653,7 +695,10 @@ conn prevent_unencrypted_vxlan
         # the "ipsec auto --start" command is lost. Just retry to make sure
         # the command is received by LibreSwan.
         while True:
-            proc = subprocess.Popen([self.IPSEC, "auto", "--start",
+            proc = subprocess.Popen([self.IPSEC, "auto",
+                                    "--config", self.IPSEC_CONF,
+                                    "--ctlsocket", self.IPSEC_CTL,
+                                    "--start",
                                     "--asynchronous", conn],
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE)
@@ -667,7 +712,7 @@ conn prevent_unencrypted_vxlan
         """Remove all OVS IPsec related state from the NSS database"""
         try:
             proc = subprocess.Popen(['certutil', '-L', '-d',
-                                    'sql:/etc/ipsec.d/'],
+                                    self.IPSEC_D],
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE,
                                     universal_newlines=True)
@@ -691,7 +736,7 @@ conn prevent_unencrypted_vxlan
         normal certificate."""
         try:
             proc = subprocess.Popen(['certutil', '-A', '-a', '-i', cert,
-                                    '-d', 'sql:/etc/ipsec.d/', '-n',
+                                    '-d', self.IPSEC_D, '-n',
                                     name, '-t', cert_type],
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE)
@@ -704,7 +749,7 @@ conn prevent_unencrypted_vxlan
     def _nss_delete_cert(self, name):
         try:
             proc = subprocess.Popen(['certutil', '-D', '-d',
-                                    'sql:/etc/ipsec.d/', '-n', name],
+                                    self.IPSEC_D, '-n', name],
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE)
             proc.wait()
@@ -732,7 +777,7 @@ conn prevent_unencrypted_vxlan
 
             # Load p12 file to the database
             proc = subprocess.Popen(['pk12util', '-i', path, '-d',
-                                    'sql:/etc/ipsec.d/', '-W', ''],
+                                    self.IPSEC_D, '-W', ''],
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE)
             proc.wait()
@@ -747,7 +792,7 @@ conn prevent_unencrypted_vxlan
         try:
             # Delete certificate and private key
             proc = subprocess.Popen(['certutil', '-F', '-d',
-                                    'sql:/etc/ipsec.d/', '-n', name],
+                                    self.IPSEC_D, '-n', name],
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE)
             proc.wait()
@@ -949,7 +994,7 @@ class IPsecTunnel(object):
 class IPsecMonitor(object):
     """This class monitors and configures IPsec tunnels"""
 
-    def __init__(self, root_prefix, ike_daemon, restart):
+    def __init__(self, root_prefix, ike_daemon, restart, args):
         self.IPSEC = root_prefix + "/usr/sbin/ipsec"
         self.tunnels = {}
 
@@ -969,7 +1014,7 @@ class IPsecMonitor(object):
         if ike_daemon == "strongswan":
             self.ike_helper = StrongSwanHelper(root_prefix)
         elif ike_daemon == "libreswan":
-            self.ike_helper = LibreSwanHelper(root_prefix)
+            self.ike_helper = LibreSwanHelper(root_prefix, args)
         else:
             vlog.err("The IKE daemon should be strongswan or libreswan.")
             sys.exit(1)
@@ -1227,6 +1272,18 @@ def main():
                         " (either libreswan or strongswan).")
     parser.add_argument("--no-restart-ike-daemon", action='store_true',
                         help="Don't restart the IKE daemon on startup.")
+    parser.add_argument("--ipsec-conf", metavar="IPSEC-CONF",
+                        help="Use DIR/IPSEC-CONF as location for "
+                        " ipsec.conf (libreswan only).")
+    parser.add_argument("--ipsec-d", metavar="IPSEC-D",
+                        help="Use DIR/IPSEC-D as location for "
+                        " ipsec.d (libreswan only).")
+    parser.add_argument("--ipsec-secrets", metavar="IPSEC-SECRETS",
+                        help="Use DIR/IPSEC-SECRETS as location for "
+                        " ipsec.secrets (libreswan only).")
+    parser.add_argument("--ipsec-ctl", metavar="IPSEC-CTL",
+                        help="Use DIR/IPSEC-CTL as location for "
+                        " pluto ctl socket (libreswan only).")
 
     ovs.vlog.add_args(parser)
     ovs.daemon.add_args(parser)
@@ -1240,7 +1297,7 @@ def main():
     root_prefix = args.root_prefix if args.root_prefix else ""
     xfrm = XFRM(root_prefix)
     monitor = IPsecMonitor(root_prefix, args.ike_daemon,
-                           not args.no_restart_ike_daemon)
+                           not args.no_restart_ike_daemon, args)
 
     remote = args.database
     schema_helper = ovs.db.idl.SchemaHelper()