Bug 1262446 – libreswan is unable to open ipsec.secrets file

This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes

Bug 1262446 - libreswan is unable to open ipsec.secrets file

Summary:	libreswan is unable to open ipsec.secrets file

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-neutron-vpnaas (Show other bugs)
Sub Component:
Version:	7.0 (Kilo)
Hardware:	Unspecified Unspecified

Priority	unspecified Severity high
Target Milestone:	z5
Target Release:	7.0 (Kilo)
Assigned To:	Brent Eagles
QA Contact:	Eran Kuris
Docs Contact:

URL:
Whiteboard:
Keywords:	OtherQA, TestOnly, Triaged, ZStream

Depends On:	1268444
Blocks:	1077162
	Show dependency tree / graph

Reported:	2015-09-11 13:13 EDT by Brent Eagles
Modified:	2017-01-19 08:31 EST (History)
CC List:	13 users (show)

See Also:
Fixed In Version:	openstack-neutron-vpnaas-2015.1.1-2.el7ost
Doc Type:	Bug Fix
Doc Text:	Previously, VPNaaS configured filesystem permissions on a connection's ipsec.secrets file to be accessible by the owner only (0600). The service generates this file at runtime, and typically it has the service user as the owner (for example, neutron). LibreSwan's strict access control requires that the ipsec.secrets be owned by 'root'. As a result of this configuration, connections would fail to start due to access errors on the ipsec.secrets file. This update addresses this issue, with VPNaaS now changing the owner of the ipsec.secrets file to root before starting. Consequently, connections are now expected to start normally.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-01-19 08:31:30 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Launchpad	1493492	None	None	None	Never
OpenStack gerrit	222192	None	None	None	Never
OpenStack gerrit	224133	None	None	None	Never

Groups: None (edit)

Description Brent Eagles 2015-09-11 13:13:03 EDT

Recent changes to the general neutron-vpnaas driver to improve compliance with security best practices, namely chmod 0600 to ipsec.secrets, have resulted in permission denied errors in LibreSwan when establishing connections. 

NOTE: At the time of this reporting this change has NOT made it into the RedHat packaging. The upstream gerrit review for this change can be found here:

https://review.openstack.org/#/c/216812/

This BZ is reported for tracking/informational purposes to ensure that the proposed u/s patch (https://review.openstack.org/#/c/222192/) is backported if the patch to set the permissions is pulled in through a rebase without the LibreSwan fix.

Comment 3 Brent Eagles 2015-09-21 16:58:24 EDT

Adding a bare chown rootwrap filter is a little onerous so added a followup patchto use RegExpFilter and rules to make it ipsec.secrets specific.

Comment 5 Brent Eagles 2015-09-23 14:54:30 EDT

There currently isn't adequate test coverage to verify this in our functional/system level tests, so manual verification is necessary for now. I did this by configuring a devstack environment and running this script:

https://github.com/beagles/oddsnends/blob/master/openstack/vpnaas/test_vpn.sh

Equivalent commands can also be used in an OSP environment but a public network and related subnet will need to be created prior to running these commands (in this script the network is "public").

And checking the logs for errors. One important caveat is that the /etc/neutron/vpn_agent.ini file needs to have the vpn_device_driver set as follows:

vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver

Which it should be already in our packaging - if not, bug. It should also be the only vpn_device_driver line specified.

The relevant error string will indicate that an ipsec.secrets file cannot be opened.

Comment 7 Eran Kuris 2015-12-09 04:32:33 EST

blocked by Bug 1268444

Comment 9 Assaf Muller 2016-06-03 22:07:40 EDT

Can you please fill in the 'Fixed-in-version' field and set to MODIFIED? It looks like the package might not have been built with this fix.

Comment 10 Brent Eagles 2016-06-06 09:48:44 EDT

Hi Assaf, the fixes for this issue were actually pulled in the 2015.1.2 rebase and are currently part of the packages. There is probably some confusion with another related bug that wasn't found until the 2015.1.2 package was built - https://bugzilla.redhat.com/show_bug.cgi?id=1268444. This bug interferes with proper system testing running vpnaas a service. Good catch by the QE team really.

Basically we have a series of bugs with fixes but QE can't verify until all of them are fixed. Unfortunately the last one is not on us (https://bugzilla.redhat.com/show_bug.cgi?id=1290907). We might be able to verify everything with simple tests, but I don't think it will even pass our CI without the LibreSwan fix (which is how we found it in the first place).

Comment 11 Lon Hohberger 2016-06-23 14:20:32 EDT

According to our records, this should be resolved by openstack-neutron-vpnaas-2015.1.2-1.el7ost.  This build is available now.

Comment 13 Brent Eagles 2016-07-28 13:08:11 EDT

Forgot to clear needinfo in c10

Note You need to log in before you can comment on or make changes to this bug.