[strongSwan] Multiple charon daemons mininet namespaces

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Apr 27 00:25:12 CEST 2017


Hello Piyush,

The path to the PID file is hard coded during build time.
Take a look at the source code of starter[1] and track the
variable assignments down.

[1] https://github.com/strongswan/strongswan/tree/master/src/starter

Kind regards,
Noel

On 27.04.2017 00:14, Piyush Agarwal wrote:
> Hi Noel,
> Thanks for your reply but I am not sure I completely understood your answer.
>
> While waiting for a reply to my question, I tried this though:
>
> 1) Downloaded strongswan-starter deb file. Unpacked it.
> 2) Changed IPSEC_PIDDIR in usr/sbin/ipsec file to point to /etc/ipsec.d/run (rather than /var/run) 
> 3) Re-built the deb file
> 4) Installed this new deb file on my ubuntu 14.04 host
> 5) Now ipsec binary does report piddir to be the changed location:
>
> a at strongswan3:~$ sudo ip netns exec blue ipsec --piddir
> /etc/ipsec.d/run
>
> But charon seems to still think the piddir is /var/run and hence wouldn't start the second instance.
>
> a at strongswan3:~$ sudo ip netns exec red ipsec start
> Starting strongSwan 5.1.2 IPsec [starter]...
> charon is already running (/var/run/charon.pid exists) -- skipping daemon start
> starter is already running (/var/run/starter.charon.pid exists) -- no fork done
>
> So obviously charon is getting its piddir from somewhere else. I am looking for source code to modify such that charon's piddir is not hardcoded to /var/run (as it currently seems to be). I'd like to make it modifiable via either a command line, conf file or some other similar way. Perhaps I may be okay to even hardcode it in my private .deb file to be /etc/ipsec.d/run rather than /var/run.
>
> Is there any pointer to achieving this? Requiring install from source code and modifying ./configure options to change piddir is just a no-go for me unfortunately.
>
> Thank you.
> Piyush
>
> On Wed, Apr 26, 2017 at 11:23 AM, Noel Kuntze <noel.kuntze at thermi.consulting <mailto:noel.kuntze at thermi.consulting>> wrote:
>
>     You can't do that when you start charon using "ipsec" (which implicitely calls "ipsec starter".
>     You can do it with charon-systemd, though (but then you need to start it using systemd and you get a similiar problem).
>
>     On 26.04.2017 20 <tel:26.04.2017%2020>:11, Piyush Agarwal wrote:
>     > Hi,
>     > I need to run multiple ipsec charon daemons in multiple mininet namespaces (perhaps some semantics change from ip namespaces).
>     >
>     > Sure enough, on following steps from https://wiki.strongswan.org/projects/strongswan/wiki/Netns <https://wiki.strongswan.org/projects/strongswan/wiki/Netns> (including piddir change), I could get multiple charon daemons running with*ip network namespaces*.
>     >
>     > I am not trying to achieve two things:
>     > 1) Run multiple charon daemons with mininet namespaces
>     > 2) Be able to do so without requiring piddir configuration option change.
>     >
>     > Regarding (1): I am not sure if mininet namespaces provide for bind mounting anything /etc/netns/<namespace name>/ to /etc/ for the process running in that network namespace -- if it doesn't, I will bind mount manually before starting charon/ipsec. So this should be okay.
>     >
>     > But, I am trying to find how I can do away the piddir configuration change and make it work directly from the deb file install. Is there no way to achieve this? No environment variable that can be set?
>     >
>     > Appreciate any comments/directions/pointers.
>     >
>     > Thank you.
>     > Piyush
>     >
>     >
>     > --
>     > Piyush Agarwal
>     > Life can only be understood backwards; but it must be lived forwards.
>     >
>     >
>     > _______________________________________________
>     > Users mailing list
>     > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
>     > https://lists.strongswan.org/mailman/listinfo/users <https://lists.strongswan.org/mailman/listinfo/users>
>
>     --
>     Noel Kuntze
>     IT security consultant
>
>     GPG Key ID: 0x0739AD6C
>     Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
>
>
>
>
>
> -- 
> Piyush Agarwal
> Life can only be understood backwards; but it must be lived forwards.
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170427/0c3efe36/attachment.sig>


More information about the Users mailing list