Bug 1262446
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | libreswan is unable to open ipsec.secrets file | | |
| Product | Red Hat OpenStack | Reporter | Brent Eagles <beagles> |
| Component | openstack-neutron-vpnaas | Assignee | Brent Eagles <beagles> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Eran Kuris <ekuris> |
| Severity | high | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.0 (Kilo) | CC | amuller, apevec, beagles, ihrachys, lhh, lpeer, mlopes, nyechiel, oblaut, ohochman, pwouters, tfreger |
| Target Milestone | z5 | Keywords | OtherQA, TestOnly, Triaged, ZStream |
| Target Release | 7.0 (Kilo) | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | openstack-neutron-vpnaas-2015.1.1-2.el7ost | Doc Type | Bug Fix |
| Doc Text | Previously, VPNaaS configured filesystem permissions on a connection's ipsec.secrets file to be accessible by the owner only (0600). The service generates this file at runtime, and typically it has the service user as the owner (for example, neutron). LibreSwan's strict access control requires that the ipsec.secrets be owned by 'root'. As a result of this configuration, connections would fail to start due to access errors on the ipsec.secrets file. This update addresses this issue, with VPNaaS now changing the owner of the ipsec.secrets file to root before starting. Consequently, connections are now expected to start normally. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2017-01-19 13:31:30 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1268444 | | |
| Bug Blocks | 1077162 | | |
Description
Brent Eagles
2015-09-11 17:13:03 UTC
Adding a bare chown rootwrap filter is a little onerous, so added a followup patch to use RegExpFilter and rules to make it ipsec.secrets specific. There currently isn't adequate test coverage to verify this in our functional/system level tests, so manual verification is necessary for now. I did this by configuring a devstack environment, running this script: https://github.com/beagles/oddsnends/blob/master/openstack/vpnaas/test_vpn.sh, and checking the logs for errors. Equivalent commands can also be used in an OSP environment, but a public network and related subnet will need to be created prior to running these commands (in this script the network is "public").

One important caveat is that the /etc/neutron/vpn_agent.ini file needs to have the vpn_device_driver set as follows:

vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver

It should be that already in our packaging; if not, that's a bug. It should also be the only vpn_device_driver line specified. The relevant error string will indicate that an ipsec.secrets file cannot be opened.

blocked by Bug 1268444

Can you please fill in the 'Fixed-in-version' field and set to MODIFIED? It looks like the package might not have been built with this fix.

Hi Assaf, the fixes for this issue were actually pulled in the 2015.1.2 rebase and are currently part of the packages. There is probably some confusion with another related bug that wasn't found until the 2015.1.2 package was built: https://bugzilla.redhat.com/show_bug.cgi?id=1268444. This bug interferes with proper system testing running vpnaas as a service. Good catch by the QE team really. Basically we have a series of bugs with fixes, but QE can't verify until all of them are fixed. Unfortunately the last one is not on us (https://bugzilla.redhat.com/show_bug.cgi?id=1290907).
We might be able to verify everything with simple tests, but I don't think it will even pass our CI without the LibreSwan fix (which is how we found it in the first place).

According to our records, this should be resolved by openstack-neutron-vpnaas-2015.1.2-1.el7ost. This build is available now.

Forgot to clear needinfo in c10
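The description above mentions replacing a bare chown rootwrap filter with a RegExpFilter restricted to ipsec.secrets. What follows is an added example, not code from neutron-vpnaas or oslo.rootwrap: a small model of rootwrap's filter matching that shows what the over-broad rule and the scoped rule each permit. The rule strings, the /var/lib/neutron/ipsec path layout and the router-id placeholder are assumptions made for the example.

```python
import re

# Added illustration, not code from neutron-vpnaas or oslo.rootwrap: a minimal
# model of rootwrap filter matching, showing why a bare "chown" filter is
# over-broad and how a RegExpFilter narrows it to ipsec.secrets only. The rule
# strings and the /var/lib/neutron/ipsec path are constructed assumptions.

class CommandFilter:
    """Permits any argument list for the named executable (the 'bare' filter)."""
    def __init__(self, exec_name, run_as):
        self.exec_name = exec_name
        self.run_as = run_as
    def match(self, userargs):
        return bool(userargs) and userargs[0] == self.exec_name

class RegExpFilter(CommandFilter):
    """Argument count must equal the rule's and each argument must fully match
    its pattern (oslo.rootwrap checks that re.match spans the whole argument)."""
    def __init__(self, exec_name, run_as, *arg_patterns):
        super().__init__(exec_name, run_as)
        self.arg_patterns = [re.compile(p) for p in arg_patterns]
    def match(self, userargs):
        if not super().match(userargs):
            return False
        args = userargs[1:]
        if len(args) != len(self.arg_patterns):
            return False
        return all(p.fullmatch(a) for p, a in zip(self.arg_patterns, args))

def is_allowed(filters, cmdline):
    """True if any filter in the list would let rootwrap run cmdline as root."""
    return any(f.match(cmdline) for f in filters)

# Constructed rule sets: the over-broad filter and the ipsec.secrets-specific one.
BARE_CHOWN = [CommandFilter("chown", "root")]
SCOPED_CHOWN = [RegExpFilter("chown", "root", "root",
                             r"/var/lib/neutron/ipsec/[^/]+/etc/ipsec\.secrets")]
SECRETS = "/var/lib/neutron/ipsec/ROUTER_ID_PLACEHOLDER/etc/ipsec.secrets"

def compare(cmdline):
    """Return (bare_allows, scoped_allows) for one candidate command line."""
    return is_allowed(BARE_CHOWN, cmdline), is_allowed(SCOPED_CHOWN, cmdline)

if __name__ == "__main__":
    for cmd in (["chown", "root", SECRETS], ["chown", "root", "/etc/neutron/neutron.conf"],
                ["chown", "neutron", SECRETS], ["chown", "-R", "root", "/var/lib/neutron/ipsec"]):
        print(" ".join(cmd), "->", compare(cmd))
```

Only the chown of a per-router ipsec.secrets to root passes the scoped rule; a different target path, a different owner, or an extra flag such as -R is rejected because the argument count or a pattern no longer matches.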