[strongSwan] Multiple charon daemons mininet namespaces
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Apr 27 02:18:34 CEST 2017
Hello Piyush,
Did you try copying the files, instead of symlinking?
On 27.04.2017 01:04, Piyush Agarwal wrote:
> Hi Noel,
> Many thanks for the pointer. Your second suggestion might not work though: in addition to changing the daemon name, ipsec_starter also looks for an actual daemon with that name which it won't find unless it is indeed "charon" always.
>
> My two namespaces here are "gateway" and "relay".
>
> a at strongswan3:~/strongswan$ sudo ip netns exec gateway /usr/lib/ipsec/starter --daemon charon_gateway
> Starting strongSwan 5.1.2 IPsec [starter]...
> Disabling charon_gatewaystart option, '/usr/lib/ipsec/charon_gateway' not found
>
> I then tried to symlink such that /usr/lib/ipsec/charon_gateway and /usr/lib/ipsec/charon_relay are available (and pointing to /usr/lib/ipsec/charon). But that leads to more mess with the daemon getting continuously restarted.
>
> a at strongswan3:~/strongswan$ ps aux | grep ipsec
> root 6114 0.1 0.0 15160 1456 ? Ss 22:58 0:00 /usr/lib/ipsec/starter --daemon charon_relay
> root 6253 0.0 0.0 552128 7228 ? Ssl 22:59 0:00 /usr/lib/ipsec/charon_relay --use-syslog
>
> a at strongswan3:~/strongswan$ ps aux | grep ipsec
> root 6114 0.1 0.0 15160 1456 ? Ss 22:58 0:00 /usr/lib/ipsec/starter --daemon charon_relay
> root 6535 0.0 0.0 552128 5044 ? Ssl 23:03 0:00 /usr/lib/ipsec/charon_relay --use-syslog
>
> Sigh.
>
>
> On Wed, Apr 26, 2017 at 3:27 PM, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
> I just took a look at it and it seems you can change the file's name by setting the --daemon[1]
> parameter of ipsec starter.
>
> [1] https://github.com/strongswan/strongswan/blob/master/src/starter/starter.c#L291
>
> On 27.04.2017 00:25, Noel Kuntze wrote:
> > Hello Piyush,
> >
> > The path to the PID file is hard coded during build time.
> > Take a look at the source code of starter[1] and track the
> > variable assignments down.
> >
> > [1] https://github.com/strongswan/strongswan/tree/master/src/starter
> >
> > Kind regards,
> > Noel
> >
> > On 27.04.2017 00:14, Piyush Agarwal wrote:
> >> Hi Noel,
> >> Thanks for your reply but I am not sure I completely understood your answer.
> >>
> >> While waiting for a reply to my question, I tried this though:
> >>
> >> 1) Downloaded strongswan-starter deb file. Unpacked it.
> >> 2) Changed IPSEC_PIDDIR in usr/sbin/ipsec file to point to /etc/ipsec.d/run (rather than /var/run)
> >> 3) Re-built the deb file
> >> 4) Installed this new deb file on my ubuntu 14.04 host
> >> 5) Now ipsec binary does report piddir to be the changed location:
> >>
> >> a at strongswan3:~$ sudo ip netns exec blue ipsec --piddir
> >> /etc/ipsec.d/run
> >>
> >> But charon seems to still think the piddir is /var/run and hence wouldn't start the second instance.
> >>
> >> a at strongswan3:~$ sudo ip netns exec red ipsec start
> >> Starting strongSwan 5.1.2 IPsec [starter]...
> >> charon is already running (/var/run/charon.pid exists) -- skipping daemon start
> >> starter is already running (/var/run/starter.charon.pid exists) -- no fork done
> >>
> >> So obviously charon is getting its piddir from somewhere else. I am looking for source code to modify such that charon's piddir is not hardcoded to /var/run (as it currently seems to be). I'd like to make it modifiable via either a command line, conf file or some other similar way. Perhaps I may be okay to even hardcode it in my private .deb file to be /etc/ipsec.d/run rather than /var/run.
> >>
> >> Is there any pointer to achieving this? Requiring install from source code and modifying ./configure options to change piddir is just a no-go for me unfortunately.
> >>
> >> Thank you.
> >> Piyush
> >>
> >> On Wed, Apr 26, 2017 at 11:23 AM, Noel Kuntze <noel.kuntze at thermi.consulting> wrote:
> >>
> >> You can't do that when you start charon using "ipsec" (which implicitly calls "ipsec starter").
> >> You can do it with charon-systemd, though (but then you need to start it using systemd and you get a similar problem).
> >>
> >> On 26.04.2017 20:11, Piyush Agarwal wrote:
> >> > Hi,
> >> > I need to run multiple ipsec charon daemons in multiple mininet namespaces (perhaps some semantics change from ip namespaces).
> >> >
> >> > Sure enough, on following steps from https://wiki.strongswan.org/projects/strongswan/wiki/Netns (including piddir change), I could get multiple charon daemons running with *ip network namespaces*.
> >> >
> >> > I am now trying to achieve two things:
> >> > 1) Run multiple charon daemons with mininet namespaces
> >> > 2) Be able to do so without requiring piddir configuration option change.
> >> >
> >> > Regarding (1): I am not sure if mininet namespaces provide for bind mounting anything in /etc/netns/<namespace name>/ to /etc/ for the process running in that network namespace -- if it doesn't, I will bind mount manually before starting charon/ipsec. So this should be okay.
> >> >
> >> > But, I am trying to find how I can do away with the piddir configuration change and make it work directly from the deb file install. Is there no way to achieve this? No environment variable that can be set?
> >> >
> >> > Appreciate any comments/directions/pointers.
> >> >
> >> > Thank you.
> >> > Piyush
> >> >
> >> >
> >> > --
> >> > Piyush Agarwal
> >> > Life can only be understood backwards; but it must be lived forwards.
> >> >
> >> >
> >> > _______________________________________________
> >> > Users mailing list
> >> > Users at lists.strongswan.org
> >> > https://lists.strongswan.org/mailman/listinfo/users
> >>
> >> --
> >> Noel Kuntze
> >> IT security consultant
> >>
> >> GPG Key ID: 0x0739AD6C
> >> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
> >>
> >
>
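The collision the thread keeps hitting is the compiled-in PID and socket path under /var/run. An added example (not from the thread or the strongSwan project) that keeps the stock package and instead gives each ip netns instance a private /var/run via a bind mount inside the mount namespace that "ip netns exec" already creates; RUN_BASE, the namespace names and the /etc/netns/<ns>/ config layout are assumptions, and it needs root.

```shell
#!/bin/sh
# Added example, not code from the thread or from the strongSwan project.
# Runs one charon per "ip netns" namespace without rebuilding the package:
# "ip netns exec" gives the child its own mount namespace, so a bind mount of a
# per-namespace directory over /var/run is private to that instance and the
# compiled-in paths (/var/run/charon.pid, starter.charon.pid, charon.ctl) no
# longer collide. RUN_BASE and the namespace names are assumed values.
set -e

RUN_BASE=${RUN_BASE:-/run/charon-ns}

# Private run directory for one namespace.
ns_run_dir() {
    printf '%s/%s\n' "$RUN_BASE" "$1"
}

# Command executed inside the namespace: shadow the shared /var/run with the
# private directory, then hand over to the unmodified "ipsec start".
ns_start_cmd() {
    printf 'mount --bind %s /var/run && exec ipsec start\n' "$(ns_run_dir "$1")"
}

# A PID file left by a crashed instance makes starter "skip daemon start"
# (the message seen in the thread); returns 0 if absent or live, 2 if stale.
stale_pid_check() {
    pid_file=$(ns_run_dir "$1")/charon.pid
    [ -f "$pid_file" ] || return 0
    kill -0 "$(cat "$pid_file")" 2>/dev/null && return 0
    echo "stale PID file: $pid_file" >&2
    return 2
}

# Start an instance; expects /etc/netns/<ns>/ipsec.conf etc. to be in place so
# that "ip netns exec" overlays them on /etc (needs root).
start_charon_in_ns() {
    ns=$1
    [ -e "/var/run/netns/$ns" ] || { echo "no such namespace: $ns" >&2; return 1; }
    mkdir -p "$(ns_run_dir "$ns")"
    stale_pid_check "$ns" || rm -f "$(ns_run_dir "$ns")/charon.pid"
    ip netns exec "$ns" sh -c "$(ns_start_cmd "$ns")"
}

# Run an ipsec subcommand (e.g. statusall) against an instance: the stroke
# socket lives in the private /var/run, so the same bind mount is required.
ipsec_in_ns() {
    ns=$1; shift
    ip netns exec "$ns" sh -c \
        "mount --bind $(ns_run_dir "$ns") /var/run && exec ipsec \"\$@\"" sh "$@"
}
```

Status queries go through ipsec_in_ns; a plain `ipsec statusall` from the host sees the shared /var/run and will not find that instance's socket. This targets named ip netns namespaces, not Mininet's unnamed ones.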