Bug 1262446 - libreswan is unable to open ipsec.secrets file
libreswan is unable to open ipsec.secrets file
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron-vpnaas (Show other bugs)
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: z5
Target Release: 7.0 (Kilo)
Assigned To: Brent Eagles
QA Contact: Eran Kuris
Keywords: OtherQA, TestOnly, Triaged, ZStream
Depends On: 1268444
Blocks: 1077162
Reported: 2015-09-11 13:13 EDT by Brent Eagles
Modified: 2017-01-19 08:31 EST

See Also:
Fixed In Version: openstack-neutron-vpnaas-2015.1.1-2.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, VPNaaS configured filesystem permissions on a connection's ipsec.secrets file to be accessible by the owner only (0600). The service generates this file at runtime, and typically it has the service user as the owner (for example, neutron). LibreSwan's strict access control requires that the ipsec.secrets file be owned by 'root'. As a result of this configuration, connections would fail to start due to access errors on the ipsec.secrets file. This update addresses this issue, with VPNaaS now changing the owner of the ipsec.secrets file to root before starting. Consequently, connections are now expected to start normally.
Story Points: ---
Clone Of:
Last Closed: 2017-01-19 08:31:30 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1493492 None None None Never
OpenStack gerrit 222192 None None None Never
OpenStack gerrit 224133 None None None Never

Description Brent Eagles 2015-09-11 13:13:03 EDT
Recent changes to the general neutron-vpnaas driver to improve compliance with security best practices, namely chmod 0600 to ipsec.secrets, have resulted in permission denied errors in LibreSwan when establishing connections. 

NOTE: At the time of this reporting this change has NOT made it into the Red Hat packaging. The upstream gerrit review for this change can be found here:


This BZ is reported for tracking/informational purposes to ensure that the proposed u/s patch (https://review.openstack.org/#/c/222192/) is backported if the patch to set the permissions is pulled in through a rebase without the LibreSwan fix.
Comment 3 Brent Eagles 2015-09-21 16:58:24 EDT
Adding a bare chown rootwrap filter is a little onerous so added a followup patch to use RegExpFilter and rules to make it ipsec.secrets specific.
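As an added illustration of why the bare filter is onerous (this is not code from this bug, from neutron-vpnaas or from oslo.rootwrap), the stand-in below mimics the matching semantics of rootwrap's CommandFilter and RegExpFilter and contrasts a bare chown rule with one scoped to the ipsec.secrets file. The state directory path and the regex used for the scoped rule are assumptions for the example.

```python
import re

# Assumed location of the per-router ipsec state; the real path is whatever
# the vpn agent is configured with.
IPSEC_DIR = "/var/lib/neutron/ipsec"


class CommandFilter:
    """Bare filter: permits the executable with ANY argument list."""

    def __init__(self, exec_path, run_as):
        self.exec_path = exec_path
        self.run_as = run_as

    def match(self, userargs):
        return bool(userargs) and userargs[0] == self.exec_path


class RegExpFilter(CommandFilter):
    """Scoped filter: permits the executable only when the argument count
    matches and every argument fully matches its regex."""

    def __init__(self, exec_path, run_as, *arg_regexes):
        super().__init__(exec_path, run_as)
        self.arg_regexes = arg_regexes

    def match(self, userargs):
        if not super().match(userargs):
            return False
        args = userargs[1:]
        if len(args) != len(self.arg_regexes):
            return False
        return all(re.fullmatch(rx, a) for rx, a in zip(self.arg_regexes, args))


# A bare rule lets the agent chown anything as root; the scoped rule only
# allows "chown root <ipsec dir>/<router id>/etc/ipsec.secrets".
BARE = CommandFilter("chown", "root")
SCOPED = RegExpFilter(
    "chown", "root", r"root",
    re.escape(IPSEC_DIR) + r"/[0-9a-f-]+/etc/ipsec\.secrets",
)


def allowed(cmd_filter, cmd):
    """Return True if the rootwrap-style filter would permit this command."""
    return cmd_filter.match(cmd)
```

The intended fix-up of a secrets file is accepted by both filters, while a chown of an unrelated path or a recursive chown is only stopped by the scoped rule.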
Comment 5 Brent Eagles 2015-09-23 14:54:30 EDT
There currently isn't adequate test coverage to verify this in our functional/system level tests, so manual verification is necessary for now. I did this by configuring a devstack environment and running this script:


Equivalent commands can also be used in an OSP environment but a public network and related subnet will need to be created prior to running these commands (in this script the network is "public").

And checking the logs for errors. One important caveat is that the /etc/neutron/vpn_agent.ini file needs to have the vpn_device_driver set as follows:


Which it should be already in our packaging - if not, bug. It should also be the only vpn_device_driver line specified.

The relevant error string will indicate that an ipsec.secrets file cannot be opened.
Comment 7 Eran Kuris 2015-12-09 04:32:33 EST
blocked by Bug 1268444
Comment 9 Assaf Muller 2016-06-03 22:07:40 EDT
Can you please fill in the 'Fixed-in-version' field and set to MODIFIED? It looks like the package might not have been built with this fix.
Comment 10 Brent Eagles 2016-06-06 09:48:44 EDT
Hi Assaf, the fixes for this issue were actually pulled in the 2015.1.2 rebase and are currently part of the packages. There is probably some confusion with another related bug that wasn't found until the 2015.1.2 package was built - https://bugzilla.redhat.com/show_bug.cgi?id=1268444. This bug interferes with proper system testing running vpnaas as a service. Good catch by the QE team really.

Basically we have a series of bugs with fixes but QE can't verify until all of them are fixed. Unfortunately the last one is not on us (https://bugzilla.redhat.com/show_bug.cgi?id=1290907). We might be able to verify everything with simple tests, but I don't think it will even pass our CI without the LibreSwan fix (which is how we found it in the first place).
Comment 11 Lon Hohberger 2016-06-23 14:20:32 EDT
According to our records, this should be resolved by openstack-neutron-vpnaas-2015.1.2-1.el7ost.  This build is available now.
Comment 13 Brent Eagles 2016-07-28 13:08:11 EDT
Forgot to clear needinfo in c10