Bug 1290907 - ipsec initnss/checknss custom directory not recognized
ipsec initnss/checknss custom directory not recognized
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libreswan (Show other bugs)
7.2
All Linux
medium Severity medium
: rc
: ---
Assigned To: Paul Wouters
Jaroslav Aster
Mirek Jahoda
:
: 1288257 (view as bug list)
Depends On:
Blocks: 1274548 1077162 1266519 1335896
  Show dependency treegraph
 
Reported: 2015-12-11 16:09 EST by Brent Eagles
Modified: 2016-11-03 17:22 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: support for custom location of nss database for the ipsec nss related commands Reason: some cloud frameworks do not use the default location of /etc/ipsec.d. Result: better support for cloud frameworks.
Story Points: ---
Clone Of:
: 1335896 (view as bug list)
Environment:
Last Closed: 2016-11-03 17:22:10 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Brent Eagles 2015-12-11 16:09:15 EST
Copied from u/s: https://github.com/libreswan/libreswan/issues/44

"I set up Openstack with VPNaaS.

During creation process of the VPN this command is executed:
ip netns exec qrouter-664940e8-6139-4c36-8fcc-ee9e06bd5212 ipsec checknss /var/lib/neutron/ipsec/664940e8-6139-4c36-8fcc-ee9e06bd5212/etc

The db files are always added to the directory /etc/ipsec.d
Looking at the bash script "ipsec" i saw that the variable IPSEC_NSSDIR_SQL is set only at the beginning of the script.
If a custom directory is specified, the variable IPSEC_NSSDIR_SQL is not changed.

Adding IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}" resolved the issue."

We are experiencing this issue in our neutron CI system. Our current version of libreswan is 3.15. 

The patch has been already been merged u/s in: 

https://github.com/libreswan/libreswan/commit/709e2a92d768afc6c78e5a243f0076ddec744c8a
Comment 6 Paul Wouters 2016-02-16 16:56:02 EST
Since we need a respin for 7.1.x for FIPS, we should pull this in.
Comment 14 Brent Eagles 2016-06-06 16:21:58 EDT
*** Bug 1288257 has been marked as a duplicate of this bug. ***
Comment 18 errata-xmlrpc 2016-11-03 17:22:10 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2603.html

Note You need to log in before you can comment on or make changes to this bug.