[strongSwan] Multiple charon daemons mininet namespaces
Piyush Agarwal
agarwalpiyush at gmail.com
Thu Apr 27 21:27:24 CEST 2017
Would appreciate some help on this. Given the need to disable strongswan
tests, I doubt there is a better place to go ask this.
Thanks in advance once again.
Piyush
On Wed, Apr 26, 2017 at 5:27 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
wrote:
> Yes I did. Did not help, got same issue.
>
> I guess I'll go the way of modifying configure and generating a private
> .deb file (that sets piddir to be /etc/ipsec.d/run).
>
> However, when I download deb-src and _WITHOUT_ any change of mine, just
> rebuild it, I seem to have a test failure:
>
> Running suite 'settings':
> Running case 'get/set_str (basic behavior)': +++++
> Running case 'get/set_bool': ++
> Running case 'get/set_int': ++
> Running case 'get/set_double': ++
> Running case 'get/set_time': ++
> Running case 'section enumerator': +
> Running case 'key/value enumerator': +
> Running case 'include/load_files[_section]': ++-
> Failure in 'test_load_files_section':
> !settings->load_files_section(settings, include1".no", TRUE, "")
> (suites/test_settings.c:650, i = 0)
>
>
> I even tried disabling running tests by using the following command:
> sudo DEB_BUILD_OPTIONS=nocheck debuild -us -uc -b
>
> Does anyone know either (i) How to disable tests or (ii) What the test
> failure is without any code change whatsoever?
>
> Thank you.
> Piyush
>
>
>
> On Wed, Apr 26, 2017 at 5:18 PM, Noel Kuntze <
> noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
>> Hello Piyush,
>>
>> Did you try copying the files, instead of symlinking?
>>
>> On 27.04.2017 01:04, Piyush Agarwal wrote:
>> > Hi Noel,
>> > Many thanks for the pointer. Your second suggestion might not work
>> though: in addition to changing daemon name, ipsec_starter also looks for
>> an actual daemon with that name which it won't find unless it is indeed
>> "charon" always.
>> >
>> > My two namespaces here are "gateway" and "relay".
>> >
>> > a at strongswan3:~/strongswan$ sudo ip netns exec gateway
>> /usr/lib/ipsec/starter --daemon charon_gateway
>> > Starting strongSwan 5.1.2 IPsec [starter]...
>> > Disabling charon_gatewaystart option, '/usr/lib/ipsec/charon_gateway'
>> not found
>> >
>> > I then tried to symlink such that /usr/lib/ipsec/charon_gateway and
>> /usr/lib/ipsec/charon_relay are available (and pointing to
>> /usr/lib/ipsec/charon). But that leads to more mess with the daemon getting
>> continuously restarted.
>> >
>> > a at strongswan3:~/strongswan$ ps aux | grep ipsec
>> > root 6114 0.1 0.0 15160 1456 ? Ss 22:58 0:00
>> /usr/lib/ipsec/starter --daemon charon_relay
>> > root 6253 0.0 0.0 552128 7228 ? Ssl 22:59 0:00
>> /usr/lib/ipsec/charon_relay --use-syslog
>> >
>> > a at strongswan3:~/strongswan$ ps aux | grep ipsec
>> > root 6114 0.1 0.0 15160 1456 ? Ss 22:58 0:00
>> /usr/lib/ipsec/starter --daemon charon_relay
>> > root 6535 0.0 0.0 552128 5044 ? Ssl 23:03 0:00
>> /usr/lib/ipsec/charon_relay --use-syslog
>> >
>> > Sigh.
>> >
>> >
>> > On Wed, Apr 26, 2017 at 3:27 PM, Noel Kuntze
>> <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>> >
>> > I just took a look at it and it seems you can change the file's
>> name by setting the --daemon[1]
>> > parameter of ipsec starter.
>> >
>> > [1] https://github.com/strongswan/strongswan/blob/master/src/starter/starter.c#L291
>> >
>> > On 27.04.2017 00:25, Noel Kuntze wrote:
>> > > Hello Piyush,
>> > >
>> > > The path to the PID file is hard coded during build time.
>> > > Take a look at the source code of starter[1] and track the
>> > > variable assignments down.
>> > >
>> > > [1] https://github.com/strongswan/strongswan/tree/master/src/starter
>> > >
>> > > Kind regards,
>> > > Noel
>> > >
>> > > On 27.04.2017 00:14, Piyush Agarwal wrote:
>> > >> Hi Noel,
>> > >> Thanks for your reply but I am not sure I completely understood
>> your answer.
>> > >>
>> > >> While waiting for a reply to my question, I tried this though:
>> > >>
>> > >> 1) Downloaded strongswan-starter deb file. Unpacked it.
>> > >> 2) Changed IPSEC_PIDDIR in usr/sbin/ipsec file to point to
>> /etc/ipsec.d/run (rather than /var/run)
>> > >> 3) Re-built the deb file
>> > >> 4) Installed this new deb file on my ubuntu 14.04 host
>> > >> 5) Now ipsec binary does report piddir to be the changed
>> location:
>> > >>
>> > >> a at strongswan3:~$ sudo ip netns exec blue ipsec --piddir
>> > >> /etc/ipsec.d/run
>> > >>
>> > >> But charon seems to still think the piddir is /var/run and hence
>> wouldn't start the second instance.
>> > >>
>> > >> a at strongswan3:~$ sudo ip netns exec red ipsec start
>> > >> Starting strongSwan 5.1.2 IPsec [starter]...
>> > >> charon is already running (/var/run/charon.pid exists) --
>> skipping daemon start
>> > >> starter is already running (/var/run/starter.charon.pid exists)
>> -- no fork done
>> > >>
>> > >> So obviously charon is getting its piddir from somewhere else. I
>> am looking for source code to modify such that charon's piddir is not
>> hardcoded to /var/run (as it currently seems to be). I'd like to make it
>> modifiable via either a command line, conf file or some other similar way.
>> Perhaps I may be okay to even hardcode it in my private .deb file to be
>> /etc/ipsec.d/run rather than /var/run.
>> > >>
>> > >> Is there any pointer to achieving this? Requiring install from
>> source code and modifying ./configure options to change piddir is just a
>> no-go for me unfortunately.
>> > >>
>> > >> Thank you.
>> > >> Piyush
>> > >>
>> > >> On Wed, Apr 26, 2017 at 11:23 AM, Noel Kuntze
>> <noel.kuntze at thermi.consulting> wrote:
>> > >>
>> > >> You can't do that when you start charon using "ipsec" (which
>> implicitly calls "ipsec starter").
>> > >> You can do it with charon-systemd, though (but then you need
>> to start it using systemd and you get a similar problem).
>> > >>
>> > >> On 26.04.2017 20:11, Piyush Agarwal wrote:
>> > >> > Hi,
>> > >> > I need to run multiple ipsec charon daemons in multiple
>> mininet namespaces (perhaps some semantics change from ip namespaces).
>> > >> >
>> > >> > Sure enough, on following steps from
>> https://wiki.strongswan.org/projects/strongswan/wiki/Netns (including
>> piddir change), I could get multiple charon daemons running with *ip network
>> namespaces*.
>> > >> >
>> > >> > I am not trying to achieve two things:
>> > >> > 1) Run multiple charon daemons with mininet namespaces
>> > >> > 2) Be able to do so without requiring piddir configuration
>> option change.
>> > >> >
>> > >> > Regarding (1): I am not sure if mininet namespaces provide
>> for bind mounting anything /etc/netns/<namespace name>/ to /etc/ for the
>> process running in that network namespace -- if it doesn't, I will bind
>> mount manually before starting charon/ipsec. So this should be okay.
>> > >> >
>> > >> > But, I am trying to find how I can do away the piddir
>> configuration change and make it work directly from the deb file install.
>> Is there no way to achieve this? No environment variable that can be set?
>> > >> >
>> > >> > Appreciate any comments/directions/pointers.
>> > >> >
>> > >> > Thank you.
>> > >> > Piyush
>> > >> >
>> > >> >
>> > >> > --
>> > >> > Piyush Agarwal
>> > >> > Life can only be understood backwards; but it must be
>> lived forwards.
>> > >> >
>> > >> >
>> > >> > _______________________________________________
>> > >> > Users mailing list
>> > >> > Users at lists.strongswan.org
>> > >> > https://lists.strongswan.org/mailman/listinfo/users
>> > >>
>> > >> --
>> > >> Noel Kuntze
>> > >> IT security consultant
>> > >>
>> > >> GPG Key ID: 0x0739AD6C
>> > >> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >> --
>> > >> Piyush Agarwal
>> > >> Life can only be understood backwards; but it must be lived
>> forwards.
>> > >>
>> > >>
>> > >
>> > >
>> > >
>> > >
>> >
>> >
>> >
>> >
>> > --
>> > Piyush Agarwal
>> > Life can only be understood backwards; but it must be lived forwards.
>>
>>
>>
>
>
> --
> Piyush Agarwal
> Life can only be understood backwards; but it must be lived forwards.
>
--
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
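The collision the thread keeps hitting is that charon and starter write charon.pid and starter.charon.pid under the build-time piddir /var/run, which every namespace shares. The script below is an added example, not code from the thread or from the strongSwan project: it gives each network namespace its own run directory (assumed base /etc/ipsec.d/run, the path Piyush chose) and bind-mounts it over /var/run inside the private mount namespace that `ip netns exec` creates, assuming root, iproute2's `ip netns`, and that the packaged charon writes its PID files only under /var/run.

```shell
#!/bin/sh
# Added example (not from the thread or strongSwan): per-namespace /var/run so
# the unmodified Debian package's charon/starter keep namespace-private PID files.
# Assumes root, iproute2 `ip netns`, and charon's built-in piddir being /var/run.

RUN_BASE=${RUN_BASE:-/etc/ipsec.d/run}   # assumed base for per-namespace run dirs

# Path of the private run directory for namespace $1, e.g. /etc/ipsec.d/run/gateway
ns_run_dir() {
    printf '%s/%s\n' "$RUN_BASE" "$1"
}

# Classify the charon.pid in run dir $1: "none" (no file), "running" (the recorded
# PID is alive) or "stale" (file left behind by a daemon that is gone).
charon_pid_state() {
    pidfile="$1/charon.pid"
    [ -f "$pidfile" ] || { echo none; return 0; }
    pid=$(tr -dc '0-9' < "$pidfile")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo running
    else
        echo stale
    fi
}

# Start starter+charon inside network namespace $1 with a private /var/run.
start_charon_in_ns() {
    ns=$1
    dir=$(ns_run_dir "$ns")
    mkdir -p "$dir"
    case $(charon_pid_state "$dir") in
        running) echo "charon already running in namespace $ns" >&2; return 1 ;;
        stale)   rm -f "$dir/charon.pid" "$dir/starter.charon.pid" ;;
    esac
    # ip netns exec already bind-mounts /etc/netns/$ns/* over /etc (ipsec.conf,
    # ipsec.secrets); the extra bind mount hides the host-wide /var/run, so the
    # "charon is already running (/var/run/charon.pid exists)" check sees only
    # this namespace's files.
    ip netns exec "$ns" sh -c "mount --bind '$dir' /var/run && exec ipsec start"
}

# Usage (as root): start_charon_in_ns gateway; start_charon_in_ns relay
```

Because the bind mount exists only inside that mount namespace, `ipsec stop` and `ipsec statusall` for a given instance must be run through the same `ip netns exec ... mount --bind ...` wrapper, otherwise they look at the host's empty /var/run.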