<div dir="ltr">Wow,<div><br></div><div style>Thank you very much again for pointing this out; I hadn't noticed before that the ip netns exec command also runs the process in a mount namespace (thanks to unshare(CLONE_NEWNS)).</div>
<div style><br></div><div style>As suggested, wrapping ipsec commands with this kind of script seems to work fine:</div><div style><br></div><pre>#!/bin/sh
# nswrap: bind the per-namespace run/ and etc/ directories over /var/run and
# /etc, then run the given command. Meant to be invoked through "ip netns exec",
# which already places the process in a private mount namespace
# (unshare(CLONE_NEWNS)), so the bind mounts stay local to that process.
# Usage: nswrap NETNS_NAME COMMAND [ARGS...]

PREFIX=/var/lib/ipsecns

# brace expansion is not POSIX sh, so list both directories explicitly,
# and test the loop variable itself (the first version tested an unset $dir)
for file in "$PREFIX/$1/run" "$PREFIX/$1/etc"; do
    [ -d "$file" ] || exit 1
done

mount --bind "$PREFIX/$1/run" /var/run
# note: this hides everything else in /etc for the wrapped process
mount --bind "$PREFIX/$1/etc" /etc

shift
# exec rather than eval: the arguments are not re-parsed as shell code
exec "$@"
</pre><div style><br></div><div style>Assuming the above script is named nswrap, you just have to use "ip netns exec netns_name nswrap netns_name ipsec start" to fire up strongswan.</div>
<div style><br></div><div style>It seems to work fine for basic use cases, but as you mentioned, /var/run will only contain the charon, pluto and starter pid and ctl files; I don't know if some plugins require additional information.</div>
<div style><br></div><div style>Regards,<br></div><div style>Francois.</div><div style><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/5/24 Christophe Gouault <span dir="ltr"><<a href="mailto:christophe.gouault@6wind.com" target="_blank">christophe.gouault@6wind.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
On 05/24/2013 11:46 AM, Eleouet Francois wrote:<br>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>Thank you very much, great tip!</div>
</div>
</blockquote></div>
You're welcome.<div class="im"><br>
<blockquote type="cite">
<div dir="ltr">
<div>The only issue in the openstack context is that it usually has
to work with distro packages... Anyway, providing a strongswan
driver alongside your ./configure suggestion could
definitely be a solution.</div>
</div>
</blockquote></div>
OK I see.<br>
<br>
I did not test it, but you could maybe write a small launcher
application that does a similar directory remapping as "ip netns
exec". Just take your inspiration from the iproute2 function
ip/ipnetns.c:netns_exec(), and remap the directory
/etc/netns/<netnsname>/run to /var/run. (Warning, I don't know
if some libraries used by charon read information from /var/run.)<br>
<br>
Best Regards,<br>
Christophe.<div><div class="h5"><br>
<blockquote type="cite">
<div dir="ltr">
<div>Regards,</div>
<div>Francois.</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2013/5/24 Christophe Gouault <span dir="ltr"><<a href="mailto:christophe.gouault@6wind.com" target="_blank">christophe.gouault@6wind.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <tt>Hi François,</tt><tt><br>
</tt><tt><br>
</tt><tt>If you use netns created by "ip netns add
<netnsname>" and start charon with "ip netns exec
<netnsname> ipsec start", then there is a solution
(that we successfully used here to perform IKE tests
with a single machine):</tt><tt><br>
</tt><tt><br>
</tt><tt>"ip netns exec netns1" lets you start the
application in netns netns1, but also, if the
/etc/netns/netns1 directory exists, its files and
sub-directories will be remapped into /etc for the
application (provided a file or directory with the same
name already exists in /etc).</tt><tt><br>
</tt><tt><br>
</tt><tt>So, you just have to store your configuration
files in this directory and the pid and socket files in
a sub-directory. To do that, you must choose a different
piddir when compiling strongswan:</tt><tt><br>
</tt><tt><br>
</tt><tt>Example for netns1 and netns2:</tt><tt><br>
</tt><tt><br>
</tt><tt>create netns and directories</tt><tt><br>
</tt><tt>----------------------------<br>
</tt><tt>ip netns add netns1</tt><tt><br>
</tt><tt>ip netns add netns2</tt><tt><br>
</tt><tt>mkdir -p /etc/run<br>
mkdir -p /etc/netns/netns1/run<br>
mkdir -p /etc/netns/netns2/run</tt><tt><br>
</tt><tt><br>
</tt><tt>generate strongswan</tt><tt><br>
</tt><tt>-------------------<br>
</tt><tt>./configure --sysconfdir=/etc --with-piddir=/etc/run</tt><tt><br>
</tt><tt>make</tt><tt><br>
</tt><tt>make install</tt><tt><br>
</tt><tt><br>
configure and run strongswan instances<br>
--------------------------------------<br>
</tt><tt>Then, you can store the configuration files for each
charon instance in the /etc/netns/<netnsname>
directory, and start each instance of charon with:</tt><tt><br>
</tt><tt>ip netns exec <netnsname> ipsec start</tt><tt><br>
</tt><tt><br>
</tt><tt>The pid and unix socket files will be stored in
/etc/netns/<netnsname>/run directory instead of
the default /var/run.</tt><tt><br>
</tt><tt><br>
</tt><tt>(From the application point of view, the
configuration files are in /etc, pid and socket files
are in /etc/run directories, but they are actually
stored in /etc/netns/<netnsname> and
/etc/netns/<netnsname>/run directories)</tt><tt><br>
</tt><tt><br>
</tt><tt>Enjoy</tt><tt><br>
</tt><tt><br>
</tt><tt>Best Regards,</tt><tt><br>
</tt><tt>Christophe</tt>
<div>
<div><br>
<tt><br>
</tt>
<div><tt>On 05/22/2013 10:16 PM, Eleouet Francois
wrote:</tt><tt><br>
</tt></div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr"><tt>Hi,</tt>
<div><tt><br>
</tt></div>
<div><tt>I'm actually investigating how to run
multiple IPsec daemons within several network
namespaces.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>In the openstack project (an open source
cloud computing platform), we intend to extend
virtual networks to the outside world using
IPsec. The current implementation leverages netns to
provide routing (with support for overlapping
IPs) between different
projects/customers/virtual networks.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>As a consequence, we have to start
multiple IPsec daemons (one within each
namespace), so that they bind sockets and
set up IPsec SA & SPD in the right netns.
I managed to set up this kind of configuration
using pluto, as the config, pid and control socket
file locations can be specified as command line
options
(using --ctlbase --ipsecdir --secretsfile --config...)</tt></div>
<div><tt><br>
</tt></div>
<div><tt>Anyway, these variables seem to be hard
coded in charon (at ./configure time). As
IKEv2 support is really required, I was
wondering if I missed something. Is there any
way to change these parameters on a
per-process basis? Or maybe do you plan to
make charon netns aware?</tt></div>
<div><tt><br>
</tt></div>
<div><tt>Thanks in advance,</tt></div>
<div><tt>Francois Eleouet.</tt></div>
</div>
<tt><br>
</tt>
<fieldset></fieldset>
<tt><br>
</tt> </div>
</div>
<pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a></pre>
</blockquote>
<tt><br>
</tt> </div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
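The /etc/netns/&lt;name&gt; remapping rule discussed above (a per-namespace entry is only bound over /etc when a same-named entry already exists there, otherwise it is silently ignored), as an added Python example that is not from this thread, iproute2 or strongSwan: the helpers plan_remaps, unmapped_entries and mount_commands are hypothetical names, and the sample tree is constructed under a temporary directory standing in for /etc.

```python
import tempfile
from pathlib import Path


def plan_remaps(netns_name, etc_root="/etc"):
    """(source, target) bind mounts "ip netns exec <name>" applies in its private
    mount namespace: each entry of <etc_root>/netns/<name> is bound over
    <etc_root>/<entry>, but only when something with that name already exists;
    otherwise mount(2) fails with ENOENT and the entry is skipped."""
    ns_dir = Path(etc_root) / "netns" / netns_name
    if not ns_dir.is_dir():
        raise FileNotFoundError(f"no per-namespace config dir: {ns_dir}")
    remaps = []
    for entry in sorted(ns_dir.iterdir()):
        target = Path(etc_root) / entry.name
        if target.exists():
            remaps.append((str(entry), str(target)))
    return remaps


def unmapped_entries(netns_name, etc_root="/etc"):
    """Per-namespace files the application will NOT see because the host has no
    same-named entry to bind over. Check this before starting charon: a missing
    /etc/ipsec.secrets or /etc/ipsec.d on the host leaves the copy unused."""
    ns_dir = Path(etc_root) / "netns" / netns_name
    mapped = {Path(src).name for src, _ in plan_remaps(netns_name, etc_root)}
    return sorted(e.name for e in ns_dir.iterdir() if e.name not in mapped)


def mount_commands(remaps):
    """mount(8) invocations equivalent to the plan (to be run as root after
    unshare -m), the same form the nswrap script in the thread uses."""
    return [["mount", "--bind", src, dst] for src, dst in remaps]


def demo():
    """Constructed sample layout (not a real /etc): the host has ipsec.conf and
    run/, netns1 overrides both and adds an ipsec.secrets with no counterpart."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root)
        (etc / "ipsec.conf").write_text("# host-wide strongSwan config\n")
        (etc / "run").mkdir()
        ns = etc / "netns" / "netns1"
        (ns / "run").mkdir(parents=True)
        (ns / "ipsec.conf").write_text("# netns1-specific config\n")
        (ns / "ipsec.secrets").write_text("# netns1 secrets\n")
        remaps = plan_remaps("netns1", root)
        mapped = [(Path(s).name, Path(t).name) for s, t in remaps]
        return mapped, unmapped_entries("netns1", root), mount_commands(remaps)
```

Running demo() shows ipsec.conf and run/ being remapped while ipsec.secrets is reported as unmapped, which is exactly the case where a per-namespace file is silently ignored.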