[VPNAAS] No start possible without rootwrap
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Confirmed | Undecided | Unassigned | |
Bug Description
Please bear with me this is my first bug report. :)
When agent.root_helper is not set, the strongswan ipsec device driver will fail to start as the vpn_netns_agent does not like being started with '' as one of the options before --cmd.
The result:
['sudo', 'ip', 'netns', 'exec', 'qvpn-be40f416-
The (easy) patch:
diff --git a/neutron_
index 708952a1f.
--- a/neutron_
+++ b/neutron_
@@ -111,15 +111,25 @@ class StrongSwanProce
"""
ip_wrapper = ip_lib.
ns_wrapper = self.get_
- return ip_wrapper.
- [ns_wrapper,
- '--mount_
- self.config_dir, self._strongswa
- ('--rootwrap_
- if self._rootwrap_cfg else ''),
- '--cmd=%s' % ','.join(cmd)],
- check_exit_
- extra_ok_
+
+ if self._rootwrap_cfg:
+ return ip_wrapper.
+ [ns_wrapper,
+ '--mount_
+ self.config_dir, self._strongswa
+ '--rootwrap_
+ '--cmd=%s' % ','.join(cmd)],
+ check_exit_
+ extra_ok_
+ else:
+ return ip_wrapper.
+ [ns_wrapper,
+ '--mount_
+ self.config_dir, self._strongswa
+ '--cmd=%s' % ','.join(cmd)],
+ check_exit_
+ extra_ok_
+
def copy_and_
# NOTE(toabctl): the agent may run as non-root user, so rm/copy as root
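Review bot: the two `return ip_wrapper.` calls under `if self._rootwrap_cfg:` / `else:` duplicate the whole invocation and differ only in the presence of the `'--rootwrap_` element; build the argument list once and append that element conditionally instead, then make a single call, so that the `check_exit_` and `extra_ok_` keyword arguments are not repeated in two branches. A shape like `args = [ns_wrapper, <mount option>]`, then `if self._rootwrap_cfg: args.append(<rootwrap option>)`, then `args.append('--cmd=%s' % ','.join(cmd))` still drops the `''` placeholder produced by the removed `if self._rootwrap_cfg else ''` expression, which is what made the wrapper refuse to start, while keeping one code path to maintain.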
Hello Justin:
Thanks for reporting this bug and welcome.
The solution you are providing could be valid as a quick fix for this specific problem. However, my suggestion is try to refactor first the "neutron-vpn-netns-wrapper" script. This is just, if I'm not wrong, a namespace wrapper. We have methods to execute commands inside namespaces and libraries to execute long term scripts that could run inside namespaces.
If I'm not wrong, the "ipsec" commands return immediately (ipsec start, ipsec reload, rereadsecrets, etc.). You can implement those commands using "privsep".
But please, take this as a recommendation, nothing else.
Regards.
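The bug description above turns on one detail: a conditional expression of the form `(option if flag else '')` placed inside an argv list does not make the option disappear, it leaves an empty string that the child process receives as a real (empty) positional argument. The following is an added, stand-alone example written for this page; it is not code from the bug report or from neutron-vpnaas. It uses a constructed argparse stand-in for the wrapper's option handling, and the option names `--mount_paths` and `--rootwrap_config`, the `ip netns exec` prefix and all other names are assumptions made for illustration, not the real wrapper's interface. It contrasts the argv built the way the original code did with one built by conditional append, and checks both against the stand-in parser.

```python
import argparse
from typing import List, Optional


class _StrictParser(argparse.ArgumentParser):
    """argparse subclass that raises instead of calling sys.exit() on error,
    so a rejected argv can be detected in-process."""

    def error(self, message: str) -> None:
        raise ValueError(message)


def wrapper_parser() -> argparse.ArgumentParser:
    # Constructed stand-in for the netns wrapper's CLI (assumption, not the
    # real neutron-vpn-netns-wrapper option set). It defines no positional
    # arguments, so any bare '' element in argv is rejected as unrecognized.
    parser = _StrictParser(prog="vpn-netns-wrapper")
    parser.add_argument("--mount_paths", required=True)
    parser.add_argument("--rootwrap_config")
    parser.add_argument("--cmd", required=True)
    return parser


def build_argv_buggy(ns_wrapper: str, mount_paths: str,
                     rootwrap_cfg: Optional[str], cmd: List[str]) -> List[str]:
    # Same pattern as the original code: when rootwrap_cfg is unset the
    # conditional expression evaluates to '' and that '' stays in argv.
    return [
        ns_wrapper,
        "--mount_paths=%s" % mount_paths,
        ("--rootwrap_config=%s" % rootwrap_cfg if rootwrap_cfg else ""),
        "--cmd=%s" % ",".join(cmd),
    ]


def build_argv_fixed(ns_wrapper: str, mount_paths: str,
                     rootwrap_cfg: Optional[str], cmd: List[str]) -> List[str]:
    # Conditional append: the option is either present or absent; there is
    # never an empty placeholder element.
    argv = [ns_wrapper, "--mount_paths=%s" % mount_paths]
    if rootwrap_cfg:
        argv.append("--rootwrap_config=%s" % rootwrap_cfg)
    argv.append("--cmd=%s" % ",".join(cmd))
    return argv


def netns_exec_argv(netns: str, argv: List[str], use_sudo: bool) -> List[str]:
    # Simplified stand-in for running a command inside a namespace, mirroring
    # the 'sudo ip netns exec <ns> ...' prefix shown in the bug output.
    prefix = ["sudo"] if use_sudo else []
    return prefix + ["ip", "netns", "exec", netns] + argv


def wrapper_accepts(argv: List[str]) -> bool:
    # Parse argv[1:] exactly as the wrapper script would see it in sys.argv.
    try:
        wrapper_parser().parse_args(argv[1:])
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs (not taken from a real deployment).
    cmd = ["ipsec", "start"]
    for builder in (build_argv_buggy, build_argv_fixed):
        for cfg in (None, "/etc/neutron/rootwrap.conf"):
            argv = builder("netns-wrapper", "/etc/strongswan:/var/run", cfg, cmd)
            full = netns_exec_argv("qvpn-example", argv, use_sudo=True)
            print(builder.__name__, cfg, wrapper_accepts(argv), full)
```

The only difference between the two builders is whether the rootwrap option is an optional list element or an optional value inside a mandatory element. The stand-in parser rejects the buggy argv when rootwrap is unset and accepts every other combination, which is the behaviour the bug report describes.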