[strongSwan] Multiple charon daemons mininet namespaces

Piyush Agarwal agarwalpiyush at gmail.com
Thu Apr 27 01:04:06 CEST 2017


Hi Noel,
Many thanks for the pointer. Your second suggestion might not work though:
in addition to changing daemon name, ipsec_starter also looks for an actual
daemon with that name which it won't find unless it is indeed "charon"
always.

My two namespaces here are "gateway" and "relay".

a at strongswan3:~/strongswan$ sudo ip netns exec gateway
/usr/lib/ipsec/starter --daemon charon_gateway
Starting strongSwan 5.1.2 IPsec [starter]...
Disabling charon_gatewaystart option, '/usr/lib/ipsec/charon_gateway' not
found

I then tried to symlink such that /usr/lib/ipsec/charon_gateway and
/usr/lib/ipsec/charon_relay are available (and pointing to
/usr/lib/ipsec/charon). But that leads to more mess with the daemon getting
continuously restarted.

a at strongswan3:~/strongswan$ ps aux | grep ipsec
root      6114  0.1  0.0  15160  1456 ?        Ss   22:58   0:00
/usr/lib/ipsec/starter --daemon charon_relay
root      6253  0.0  0.0 552128  7228 ?        Ssl  22:59   0:00
/usr/lib/ipsec/charon_relay --use-syslog

a at strongswan3:~/strongswan$ ps aux | grep ipsec
root      6114  0.1  0.0  15160  1456 ?        Ss   22:58   0:00
/usr/lib/ipsec/starter --daemon charon_relay
root      6535  0.0  0.0 552128  5044 ?        Ssl  23:03   0:00
/usr/lib/ipsec/charon_relay --use-syslog

Sigh.


On Wed, Apr 26, 2017 at 3:27 PM, Noel Kuntze <
noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> I just took a look at it and it seems you can change the file's name by
> setting the --daemon[1]
> parameter of ipsec starter.
>
> [1] https://github.com/strongswan/strongswan/blob/master/src/starter/starter.c#L291
>
> On 27.04.2017 00:25, Noel Kuntze wrote:
> > Hello Piyush,
> >
> > The path to the PID file is hard coded during build time.
> > Take a look at the source code of starter[1] and track the
> > variable assignments down.
> >
> > [1] https://github.com/strongswan/strongswan/tree/master/src/starter
> >
> > Kind regards,
> > Noel
> >
> > On 27.04.2017 00:14, Piyush Agarwal wrote:
> >> Hi Noel,
> >> Thanks for your reply but I am not sure I completely understood your
> answer.
> >>
> >> While waiting for a reply to my question, I tried this though:
> >>
> >> 1) Downloaded strongswan-starter deb file. Unpacked it.
> >> 2) Changed IPSEC_PIDDIR in usr/sbin/ipsec file to point to
> /etc/ipsec.d/run (rather than /var/run)
> >> 3) Re-built the deb file
> >> 4) Installed this new deb file on my ubuntu 14.04 host
> >> 5) Now ipsec binary does report piddir to be the changed location:
> >>
> >> a at strongswan3:~$ sudo ip netns exec blue ipsec --piddir
> >> /etc/ipsec.d/run
> >>
> >> But charon seems to still think the piddir is /var/run and hence
> wouldn't start the second instance.
> >>
> >> a at strongswan3:~$ sudo ip netns exec red ipsec start
> >> Starting strongSwan 5.1.2 IPsec [starter]...
> >> charon is already running (/var/run/charon.pid exists) -- skipping
> daemon start
> >> starter is already running (/var/run/starter.charon.pid exists) -- no
> fork done
> >>
> >> So obviously charon is getting its piddir from somewhere else. I am
> looking for source code to modify such that charon's piddir is not
> hardcoded to /var/run (as it currently seems to be). I'd like to make it
> modifiable via either a command line, conf file or some other similar way.
> Perhaps I may be okay to even hardcode it in my private .deb file to be
> /etc/ipsec.d/run rather than /var/run.
> >>
> >> Is there any pointer to achieving this? Requiring install from source
> code and modifying ./configure options to change piddir is just a no-go for
> me unfortunately.
> >>
> >> Thank you.
> >> Piyush
> >>
> >> On Wed, Apr 26, 2017 at 11:23 AM, Noel Kuntze
> <noel.kuntze at thermi.consulting> wrote:
> >>
> >>     You can't do that when you start charon using "ipsec" (which
> implicitly calls "ipsec starter").
> >>     You can do it with charon-systemd, though (but then you need to
> start it using systemd and you get a similar problem).
> >>
> >>     On 26.04.2017 20:11, Piyush Agarwal wrote:
> >>     > Hi,
> >>     > I need to run multiple ipsec charon daemons in multiple mininet
> namespaces (perhaps some semantics change from ip namespaces).
> >>     >
> >>     > Sure enough, on following steps from
> https://wiki.strongswan.org/projects/strongswan/wiki/Netns (including
> piddir change), I could get multiple charon daemons running with *ip
> network namespaces*.
> >>     >
> >>     > I am not trying to achieve two things:
> >>     > 1) Run multiple charon daemons with mininet namespaces
> >>     > 2) Be able to do so without requiring piddir configuration option
> change.
> >>     >
> >>     > Regarding (1): I am not sure if mininet namespaces provide for
> bind mounting anything in /etc/netns/<namespace name>/ to /etc/ for the
> process running in that network namespace -- if it doesn't, I will bind
> mount manually before starting charon/ipsec. So this should be okay.
> >>     >
> >>     > But, I am trying to find how I can do away with the piddir
> configuration change and make it work directly from the deb file install.
> Is there no way to achieve this? No environment variable that can be set?
> >>     >
> >>     > Appreciate any comments/directions/pointers.
> >>     >
> >>     > Thank you.
> >>     > Piyush
> >>     >
> >>     >
> >>     > --
> >>     > Piyush Agarwal
> >>     > Life can only be understood backwards; but it must be lived
> forwards.
> >>     >
> >>     >
> >>     > _______________________________________________
> >>     > Users mailing list
> >>     > Users at lists.strongswan.org
> >>     > https://lists.strongswan.org/mailman/listinfo/users
> >>
> >>     --
> >>     Noel Kuntze
> >>     IT security consultant
> >>
> >>     GPG Key ID: 0x0739AD6C
> >>     Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Piyush Agarwal
> >> Life can only be understood backwards; but it must be lived forwards.
> >>
> >>
> >
> >
> >
> >
>
>


-- 
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
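An added wrapper script, not code from this thread or from the strongSwan project, showing how the per-namespace pid-file clash discussed above can be sidestepped on a stock install: `ip netns exec` already gives its child a private mount namespace (and bind-mounts /etc/netns/<ns>/* over /etc), so a per-namespace directory bind-mounted over /var/run inside it keeps each instance's charon.pid separate without rebuilding with a different piddir. It assumes the Ubuntu paths shown in the thread (/usr/lib/ipsec/starter, pid files under /var/run) and starter's --nofork option; the pid_state check and the mount step are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or strongSwan): one charon per network
# namespace on a stock install, without rebuilding with a new piddir.
# Assumes /usr/lib/ipsec/starter and /var/run as in the thread, and relies on
# `ip netns exec` giving the child a private mount namespace (it does; it also
# bind-mounts /etc/netns/<ns>/* over /etc, so per-namespace ipsec.conf and
# ipsec.secrets live there). Starting anything needs root and an existing ns.
set -eu

RUN_BASE="${RUN_BASE:-/var/run/strongswan-ns}"

# Per-namespace run directory, bind-mounted over /var/run inside the namespace
# so every instance writes its own /var/run/charon.pid there.
ns_run_dir() { printf '%s/%s\n' "$RUN_BASE" "$1"; }

# Classify a run directory before launching: "free" (no charon.pid),
# "stale" (pid file left by a dead process) or "running" (that pid is alive).
# Launching only into a free/stale dir avoids both the "charon is already
# running ... skipping daemon start" refusal and the restart loop seen above.
pid_state() {
    f="$1/charon.pid"
    [ -f "$f" ] || { echo free; return 0; }
    pid=$(tr -cd '0-9' < "$f")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then echo running; else echo stale; fi
}

# Shell snippet run inside the namespace: mount the private run dir over
# /var/run (visible only in this mount namespace), then exec starter in the
# foreground so this wrapper keeps a handle on the instance.
ns_start_cmd() {
    printf 'mount --bind %s /var/run && exec /usr/lib/ipsec/starter --nofork' "$(ns_run_dir "$1")"
}

start_charon_in_ns() {
    d=$(ns_run_dir "$1")
    mkdir -p "$d"
    case $(pid_state "$d") in
        running) echo "charon already running for namespace $1" >&2; return 1 ;;
        stale)   rm -f "$d/charon.pid" "$d/starter.charon.pid" ;;
    esac
    ip netns exec "$1" sh -c "$(ns_start_cmd "$1")" &
}

# Usage (as root, namespaces already created): sh this.sh gateway relay
for ns in "$@"; do start_charon_in_ns "$ns"; done
[ "$#" -eq 0 ] || wait
```

Because the bind mount lives in the child's mount namespace, /var/run on the host and in every other namespace is untouched, which is why no piddir rebuild or /etc/ipsec.d/run relocation is needed.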