Recent changes to the general neutron-vpnaas driver to improve compliance with security best practices, namely chmod 0600 to ipsec.secrets, have resulted in permission denied errors in LibreSwan when establishing connections. NOTE: At the time of this reporting this change has NOT made it into the RedHat packaging. The upstream gerrit review for this change can be found here: https://review.openstack.org/#/c/216812/ This BZ is reported for tracking/informational purposes to ensure that the proposed u/s patch (https://review.openstack.org/#/c/222192/) is backported if the patch to set the permissions is pulled in through a rebase without the LibreSwan fix.
Adding a bare chown rootwrap filter is a little onerous so added a followup patch to use RegExpFilter and rules to make it ipsec.secrets specific.
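
The difference between a bare chown filter and a rule restricted to ipsec.secrets, as an added example that is not part of the original comment, the upstream patch, or oslo.rootwrap's code. The matching functions are a simplified model, and the rule, the root:root owner and the sample paths are constructed assumptions.

```python
import re

# Simplified model of argv filtering, written for illustration only.
# It is not oslo.rootwrap's implementation.

def bare_filter(allowed_cmd, argv):
    """Bare command filter: only the executable name is checked."""
    return bool(argv) and argv[0] == allowed_cmd

def regexp_filter(patterns, argv):
    """Each argv element must fully match the pattern at the same position."""
    if len(argv) != len(patterns):
        return False  # extra options such as -R are rejected outright
    return all(re.fullmatch(p, a) for p, a in zip(patterns, argv))

# Hypothetical rule: chown to root:root, only on a file named ipsec.secrets,
# given as an absolute path with no ".." segment. A regex cannot see
# symlinks, so the directory itself must not be writable by untrusted users.
IPSEC_SECRETS_RULE = [
    "chown",
    "root:root",
    r"(?!.*/\.\.(/|$))(/[\w.-]+)+/ipsec\.secrets",
]

def check(argv):
    """Return the decision each filter style makes for one command line."""
    return {
        "bare": bare_filter("chown", argv),
        "regexp": regexp_filter(IPSEC_SECRETS_RULE, argv),
    }

# Constructed sample command lines (not taken from any log).
SAMPLES = [
    ["chown", "root:root", "/var/lib/neutron/ipsec/3f2a/etc/ipsec.secrets"],
    ["chown", "root:root", "/etc/shadow"],
    ["chown", "-R", "root:root", "/var/lib/neutron/ipsec/3f2a/etc/ipsec.secrets"],
    ["chown", "root:root", "/var/lib/neutron/../../etc/ipsec.secrets"],
]

if __name__ == "__main__":
    for argv in SAMPLES:
        print(check(argv), " ".join(argv))
```
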
There currently isn't adequate test coverage to verify this in our functional/system level tests, so manual verification is necessary for now. I did this by configuring a devstack environment and running this script:
https://github.com/beagles/oddsnends/blob/master/openstack/vpnaas/test_vpn.sh
Equivalent commands can also be used in an OSP environment but a public network and related subnet will need to be created prior to running these commands (in this script the network is "public"). And checking the logs for errors. One important caveat is that the /etc/neutron/vpn_agent.ini file needs to have the vpn_device_driver set as follows:
vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver
Which it should be already in our packaging - if not, bug. It should also be the only vpn_device_driver line specified. The relevant error string will indicate that an ipsec.secrets file cannot be opened.
blocked by Bug 1268444
Can you please fill in the 'Fixed-in-version' field and set to MODIFIED? It looks like the package might not have been built with this fix.
Hi Assaf, the fixes for this issue were actually pulled in the 2015.1.2 rebase and are currently part of the packages. There is probably some confusion with another related bug that wasn't found until the 2015.1.2 package was built - https://bugzilla.redhat.com/show_bug.cgi?id=1268444. This bug interferes with proper system testing running vpnaas as a service. Good catch by the QE team really. Basically we have a series of bugs with fixes but QE can't verify until all of them are fixed. Unfortunately the last one is not on us (https://bugzilla.redhat.com/show_bug.cgi?id=1290907). We might be able to verify everything with simple tests, but I don't think it will even pass our CI without the LibreSwan fix (which is how we found it in the first place).
According to our records, this should be resolved by openstack-neutron-vpnaas-2015.1.2-1.el7ost. This build is available now.
Forgot to clear needinfo in c10