[strongSwan] Multiple charon daemons mininet namespaces
Piyush Agarwal
agarwalpiyush at gmail.com
Thu Apr 27 02:27:39 CEST 2017
Yes I did. Did not help, got same issue.
I guess I'll go the way of modifying configure and generating a private
.deb file (that sets piddir to be /etc/ipsec.d/run).
However, when I download deb-src and _WITHOUT_ any change of mine, just
rebuild it, I seem to have a test failure:
Running suite 'settings':
Running case 'get/set_str (basic behavior)': +++++
Running case 'get/set_bool': ++
Running case 'get/set_int': ++
Running case 'get/set_double': ++
Running case 'get/set_time': ++
Running case 'section enumerator': +
Running case 'key/value enumerator': +
Running case 'include/load_files[_section]': ++-
Failure in 'test_load_files_section':
!settings->load_files_section(settings, include1".no", TRUE, "")
(suites/test_settings.c:650, i = 0)
I even tried disabling running tests by using the following command:
sudo DEB_BUILD_OPTIONS=nocheck debuild -us -uc -b
Does anyone know either (i) How to disable tests or (ii) What the test
failure is without any code change whatsoever?
Thank you.
Piyush
On Wed, Apr 26, 2017 at 5:18 PM, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> Hello Piyush,
>
> Did you try copying the files, instead of symlinking?
>
> On 27.04.2017 01:04, Piyush Agarwal wrote:
> > Hi Noel,
> > Many thanks for the pointer. Your second suggestion might not work
> > though: in addition to changing daemon name, ipsec_starter also looks for
> > an actual daemon with that name which it won't find unless it is indeed
> > "charon" always.
> >
> > My two namespaces here are "gateway" and "relay".
> >
> > a at strongswan3:~/strongswan$ sudo ip netns exec gateway /usr/lib/ipsec/starter --daemon charon_gateway
> > Starting strongSwan 5.1.2 IPsec [starter]...
> > Disabling charon_gatewaystart option, '/usr/lib/ipsec/charon_gateway' not found
> >
> > I then tried to symlink such that /usr/lib/ipsec/charon_gateway and
> > /usr/lib/ipsec/charon_relay are available (and pointing to
> > /usr/lib/ipsec/charon). But that leads to more mess with the daemon getting
> > continuously restarted.
> >
> > a at strongswan3:~/strongswan$ ps aux | grep ipsec
> > root 6114 0.1 0.0 15160 1456 ? Ss 22:58 0:00 /usr/lib/ipsec/starter --daemon charon_relay
> > root 6253 0.0 0.0 552128 7228 ? Ssl 22:59 0:00 /usr/lib/ipsec/charon_relay --use-syslog
> >
> > a at strongswan3:~/strongswan$ ps aux | grep ipsec
> > root 6114 0.1 0.0 15160 1456 ? Ss 22:58 0:00 /usr/lib/ipsec/starter --daemon charon_relay
> > root 6535 0.0 0.0 552128 5044 ? Ssl 23:03 0:00 /usr/lib/ipsec/charon_relay --use-syslog
> >
> > Sigh.
> >
> >
> > On Wed, Apr 26, 2017 at 3:27 PM, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> >
> > I just took a look at it and it seems you can change the file's name
> > by setting the --daemon[1] parameter of ipsec starter.
> >
> > [1] https://github.com/strongswan/strongswan/blob/master/src/starter/starter.c#L291
> >
> > On 27.04.2017 00:25, Noel Kuntze wrote:
> > > Hello Piyush,
> > >
> > > The path to the PID file is hard coded during build time.
> > > Take a look at the source code of starter[1] and track the
> > > variable assignments down.
> > >
> > > [1] https://github.com/strongswan/strongswan/tree/master/src/starter
> > >
> > > Kind regards,
> > > Noel
> > >
> > > On 27.04.2017 00:14, Piyush Agarwal wrote:
> > >> Hi Noel,
> > >> Thanks for your reply but I am not sure I completely understood
> > >> your answer.
> > >>
> > >> While waiting for a reply to my question, I tried this though:
> > >>
> > >> 1) Downloaded strongswan-starter deb file. Unpacked it.
> > >> 2) Changed IPSEC_PIDDIR in usr/sbin/ipsec file to point to
> > >> /etc/ipsec.d/run (rather than /var/run)
> > >> 3) Re-built the deb file
> > >> 4) Installed this new deb file on my ubuntu 14.04 host
> > >> 5) Now ipsec binary does report piddir to be the changed location:
> > >>
> > >> a at strongswan3:~$ sudo ip netns exec blue ipsec --piddir
> > >> /etc/ipsec.d/run
> > >>
> > >> But charon seems to still think the piddir is /var/run and hence
> > >> wouldn't start the second instance.
> > >>
> > >> a at strongswan3:~$ sudo ip netns exec red ipsec start
> > >> Starting strongSwan 5.1.2 IPsec [starter]...
> > >> charon is already running (/var/run/charon.pid exists) -- skipping daemon start
> > >> starter is already running (/var/run/starter.charon.pid exists) -- no fork done
> > >>
> > >> So obviously charon is getting its piddir from somewhere else. I
> > >> am looking for source code to modify such that charon's piddir is not
> > >> hardcoded to /var/run (as it currently seems to be). I'd like to make it
> > >> modifiable via either a command line, conf file or some other similar way.
> > >> Perhaps I may be okay to even hardcode it in my private .deb file to be
> > >> /etc/ipsec.d/run rather than /var/run.
> > >>
> > >> Is there any pointer to achieving this? Requiring install from
> > >> source code and modifying ./configure options to change piddir is just a
> > >> no-go for me unfortunately.
> > >>
> > >> Thank you.
> > >> Piyush
> > >>
> > >> On Wed, Apr 26, 2017 at 11:23 AM, Noel Kuntze <noel.kuntze at thermi.consulting> wrote:
> > >>
> > >> You can't do that when you start charon using "ipsec" (which
> > >> implicitly calls "ipsec starter").
> > >> You can do it with charon-systemd, though (but then you need
> > >> to start it using systemd and you get a similar problem).
> > >>
> > >> On 26.04.2017 20:11, Piyush Agarwal wrote:
> > >> > Hi,
> > >> > I need to run multiple ipsec charon daemons in multiple
> > >> > mininet namespaces (perhaps some semantics change from ip namespaces).
> > >> >
> > >> > Sure enough, on following steps from
> > >> > https://wiki.strongswan.org/projects/strongswan/wiki/Netns (including
> > >> > piddir change), I could get multiple charon daemons running with ip network
> > >> > namespaces.
> > >> >
> > >> > I am now trying to achieve two things:
> > >> > 1) Run multiple charon daemons with mininet namespaces
> > >> > 2) Be able to do so without requiring piddir configuration
> > >> > option change.
> > >> >
> > >> > Regarding (1): I am not sure if mininet namespaces provide
> > >> > for bind mounting anything in /etc/netns/<namespace name>/ to /etc/ for the
> > >> > process running in that network namespace -- if it doesn't, I will bind
> > >> > mount manually before starting charon/ipsec. So this should be okay.
> > >> >
> > >> > But, I am trying to find how I can do away with the piddir
> > >> > configuration change and make it work directly from the deb file install.
> > >> > Is there no way to achieve this? No environment variable that can be set?
> > >> >
> > >> > Appreciate any comments/directions/pointers.
> > >> >
> > >> > Thank you.
> > >> > Piyush
> > >> >
> > >> >
> > >> > --
> > >> > Piyush Agarwal
> > >> > Life can only be understood backwards; but it must be lived forwards.
> > >> >
> > >> >
> > >> > _______________________________________________
> > >> > Users mailing list
> > >> > Users at lists.strongswan.org
> > >> > https://lists.strongswan.org/mailman/listinfo/users
> > >>
> > >> --
> > >> Noel Kuntze
> > >> IT security consultant
> > >>
> > >> GPG Key ID: 0x0739AD6C
> > >> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
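The manual bind mount Piyush mentions for the mininet case, worked through as an added example (not code from this thread or from strongSwan): a POSIX sh wrapper that gives each charon instance a private mount namespace with its own /run, so the stock package's hard-coded /var/run/charon.pid and starter.charon.pid do not collide between namespaces and no piddir rebuild is needed. It assumes /var/run is a symlink to /run, that it runs as root from inside the target network namespace, and the /etc/netns/<ns>/ layout; the ns_* function names and the /etc/netns/<ns>/run directory are conventions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or strongSwan): one charon per network
# namespace from the stock Ubuntu 14.04 .deb, without rebuilding it or
# changing piddir. Each instance gets a private mount namespace in which an
# empty per-namespace directory is bind-mounted over /run, so the hard-coded
# /var/run/charon.pid and starter.charon.pid no longer collide.
# Assumptions: /var/run -> /run symlink, run as root, already inside the
# target network namespace (ip netns exec or a mininet host shell), and
# per-namespace config under /etc/netns/<ns>/.
set -eu

# Per-namespace runtime directory (a convention chosen here, not a default).
ns_rundir() { printf '/etc/netns/%s/run\n' "$1"; }

# Accept only names that are safe as a single path component.
ns_name_ok() {
    case "$1" in
        ''|*/*|*..*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the commands executed inside the private mount namespace. Calling
# this on its own is a dry run: nothing is mounted, the plan is only printed.
ns_mount_plan() {
    echo "mount --make-rslave /"                 # keep mounts from leaking out
    echo "mount --bind $(ns_rundir "$1") /run"   # private /var/run (-> /run)
    # mininet does not overlay /etc/netns/<ns>/ onto /etc the way
    # "ip netns exec" does, so bind the strongSwan config files explicitly.
    for f in ipsec.conf ipsec.secrets strongswan.conf; do
        if [ -f "/etc/netns/$1/$f" ]; then
            echo "mount --bind /etc/netns/$1/$f /etc/$f"
        fi
    done
}

# charon_ns_run <ns> [ipsec args...]: run an ipsec command (default
# "start --nofork") inside the namespace's private mount view. Control
# commands such as "statusall" must go through the same wrapper, because
# charon.ctl also lives under the relocated /var/run.
charon_ns_run() {
    ns=$1; shift
    ns_name_ok "$ns" || { echo "refusing namespace name: $ns" >&2; return 1; }
    [ "$#" -gt 0 ] || set -- start --nofork
    mkdir -p "$(ns_rundir "$ns")"
    unshare -m sh -ec "$(ns_mount_plan "$ns")
exec /usr/sbin/ipsec \"\$@\"" sh "$@"
}

if [ "$#" -gt 0 ]; then charon_ns_run "$@"; fi
```

Because the relocated /run hides the host's own /run contents inside that mount namespace, anything charon needs from there (for example a resolver socket) must be bind-mounted into the plan as well.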