Bug 1262446 - libreswan is unable to open ipsec.secrets file
Summary: libreswan is unable to open ipsec.secrets file
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron-vpnaas
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: z5
Target Release: 7.0 (Kilo)
Assignee: Brent Eagles
QA Contact: Eran Kuris
URL:
Whiteboard:
Depends On: 1268444
Blocks: 1077162
Reported: 2015-09-11 17:13 UTC by Brent Eagles
Modified: 2023-02-22 23:02 UTC (History)

Fixed In Version: openstack-neutron-vpnaas-2015.1.1-2.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, VPNaaS configured filesystem permissions on a connection's ipsec.secrets file to be accessible by the owner only (0600). The service generates this file at runtime, and typically it has the service user as the owner (for example, neutron). LibreSwan's strict access control requires that the ipsec.secrets be owned by 'root'. As a result of this configuration, connections would fail to start due to access errors on the ipsec.secrets file. This update addresses this issue, with VPNaaS now changing the owner of the ipsec.secrets file to root before starting. Consequently, connections are now expected to start normally.
Clone Of:
Environment:
Last Closed: 2017-01-19 13:31:30 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1493492 0 None None None Never
OpenStack gerrit 222192 0 None MERGED Set owner to root for ipsec.secrets for LibreSwan 2020-09-16 12:22:13 UTC
OpenStack gerrit 224133 0 None MERGED Make chown rootwrap filter ipsec.secrets file specific 2020-09-16 12:22:13 UTC

Description Brent Eagles 2015-09-11 17:13:03 UTC
Recent changes to the general neutron-vpnaas driver to improve compliance with security best practices, namely chmod 0600 to ipsec.secrets, have resulted in permission denied errors in LibreSwan when establishing connections. 

NOTE: At the time of this reporting this change has NOT made it into the RedHat packaging. The upstream gerrit review for this change can be found here:

https://review.openstack.org/#/c/216812/

This BZ is reported for tracking/informational purposes to ensure that the proposed u/s patch (https://review.openstack.org/#/c/222192/) is backported if the patch to set the permissions is pulled in through a rebase without the LibreSwan fix.

Comment 3 Brent Eagles 2015-09-21 20:58:24 UTC
Adding a bare chown rootwrap filter is a little onerous so added a followup patch to use RegExpFilter and rules to make it ipsec.secrets specific.

Comment 5 Brent Eagles 2015-09-23 18:54:30 UTC
There currently isn't adequate test coverage to verify this in our functional/system level tests, so manual verification is necessary for now. I did this by configuring a devstack environment and running this script:

https://github.com/beagles/oddsnends/blob/master/openstack/vpnaas/test_vpn.sh

Equivalent commands can also be used in an OSP environment but a public network and related subnet will need to be created prior to running these commands (in this script the network is "public").

And checking the logs for errors. One important caveat is that the /etc/neutron/vpn_agent.ini file needs to have the vpn_device_driver set as follows:

vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver

Which it should be already in our packaging - if not, bug. It should also be the only vpn_device_driver line specified.

The relevant error string will indicate that an ipsec.secrets file cannot be opened.
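The ownership and mode requirement behind this bug, as an added Python example that is not part of the bug report or of neutron-vpnaas: the check models what LibreSwan demands of ipsec.secrets (root owner, no group/other access), and the writer applies the fix described in the doc text (create at 0600, then chown to root). The uid 997 standing in for the neutron user and the PSK line are constructed.

```python
import os
import stat
import tempfile

# Constructed sample content in ipsec.secrets syntax (not from the bug report).
SAMPLE_SECRETS = '%any %any : PSK "constructed-example-psk"\n'


def check_secrets_attrs(uid, mode, required_uid=0):
    """Model of the ownership/permission check LibreSwan applies before it
    reads ipsec.secrets (assumed behaviour, not LibreSwan's own code): the file
    must be owned by required_uid (root) and must not grant group/other access."""
    if uid != required_uid:
        return False, "owner uid %d is not %d" % (uid, required_uid)
    perm = stat.S_IMODE(mode)
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        return False, "mode %04o grants group/other access" % perm
    return True, "ok"


def check_secrets_file(path, required_uid=0):
    """Run the model check against a real file on disk."""
    st = os.stat(path)
    return check_secrets_attrs(st.st_uid, st.st_mode, required_uid)


def write_secrets_file(path, contents):
    """Write ipsec.secrets the way the fix describes: 0600 from the start,
    then ownership handed to root. The chown only succeeds when the caller
    is root (the real driver runs that step through rootwrap)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(contents)
    os.chmod(path, 0o600)          # defeat any permissive umask
    if os.geteuid() == 0:
        os.chown(path, 0, 0)       # root:root, as LibreSwan requires
    return path


def demo(workdir=None):
    """Constructed scenario: a 0600 file owned by the service user fails the
    root-ownership requirement (the bug); the same file once root-owned passes
    (the fix). Returns (service_user_result, root_owned_result, on_disk_result)."""
    workdir = workdir or tempfile.mkdtemp()
    path = write_secrets_file(os.path.join(workdir, "ipsec.secrets"), SAMPLE_SECRETS)
    mode = os.stat(path).st_mode
    before = check_secrets_attrs(997, mode)   # constructed uid for 'neutron'
    after = check_secrets_attrs(0, mode)      # after chown to root
    on_disk = check_secrets_file(path, required_uid=os.geteuid())
    return before, after, on_disk
```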

Comment 7 Eran Kuris 2015-12-09 09:32:33 UTC
blocked by Bug 1268444

Comment 9 Assaf Muller 2016-06-04 02:07:40 UTC
Can you please fill in the 'Fixed-in-version' field and set to MODIFIED? It looks like the package might not have been built with this fix.

Comment 10 Brent Eagles 2016-06-06 13:48:44 UTC
Hi Assaf, the fixes for this issue were actually pulled in the 2015.1.2 rebase and are currently part of the packages. There is probably some confusion with another related bug that wasn't found until the 2015.1.2 package was built - https://bugzilla.redhat.com/show_bug.cgi?id=1268444. This bug interferes with proper system testing running vpnaas as a service. Good catch by the QE team really.

Basically we have a series of bugs with fixes but QE can't verify until all of them are fixed. Unfortunately the last one is not on us (https://bugzilla.redhat.com/show_bug.cgi?id=1290907). We might be able to verify everything with simple tests, but I don't think it will even pass our CI without the LibreSwan fix (which is how we found it in the first place).

Comment 11 Lon Hohberger 2016-06-23 18:20:32 UTC
According to our records, this should be resolved by openstack-neutron-vpnaas-2015.1.2-1.el7ost.  This build is available now.

Comment 13 Brent Eagles 2016-07-28 17:08:11 UTC
Forgot to clear needinfo in c10
