Comment 11 for bug 1938571

Bodo Petermann (bpetermann) wrote :

My understanding is that pluto is called once per VPN service, each time in its own namespace. The wrapper will call something like "ip netns exec <namespace> neutron-vpn-netns-wrapper --mount_paths=/etc:/var/lib/neutron/xyz/ipsec/etc,/run:/var/lib/neutron/xyz/ipsec/var/run --cmd=ipsec,pluto,--use-xfrm,--uniqueids".

And neutron-vpn-netns-wrapper will call
(1) mount --bind /var/lib/neutron/xyz/ipsec/etc /etc
(2) mount --bind /var/lib/neutron/xyz/ipsec/var/run /run
(3) ipsec pluto --use-xfrm --uniqueids

This way the pluto process will not see the /etc or /run of the host anymore, but the bind-mounted directories instead. So each pluto will create its own pid file, not conflicting with the other plutos.
From outside the neutron-vpn-netns-wrapper you won't see the pid file in /run, but only in /var/lib/neutron/xyz/ipsec/var/run.

Other commands like ipsec whack will also be run in such a wrapper, so they bind-mount /etc and /run in the same way and therefore have access to the per-service ctl file or pid file.
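The mapping described in the comment above, as an added example that is not part of the bug thread or of neutron-vpnaas itself: a small Python model of the --mount_paths option (TARGET:SOURCE pairs), the mount and exec steps the wrapper performs, and a translation from the path pluto sees inside the wrapper to the path visible on the host. The per-service prefix /var/lib/neutron/xyz/ipsec and the pid file location /run/pluto/pluto.pid are assumptions used only as sample input.

```python
"""Added example, not neutron-vpnaas code: model the bind-mount view that
neutron-vpn-netns-wrapper gives pluto and translate paths between the
wrapped process's view and the host's view.
"""


def parse_mount_paths(spec):
    """Parse a --mount_paths value of the form 'TARGET:SOURCE,TARGET:SOURCE'.

    Each pair means: inside the wrapper, TARGET (e.g. /etc) is replaced by a
    bind mount of SOURCE (the per-service directory on the host).
    """
    mounts = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        target, sep, source = item.partition(":")
        if not sep or not target.startswith("/") or not source.startswith("/"):
            raise ValueError("bad mount spec: %r" % item)
        mounts.append((target.rstrip("/") or "/", source.rstrip("/") or "/"))
    return mounts


def outer_command(netns, mount_paths, cmd):
    """The command line run from outside the namespace (step 0 in the comment)."""
    return ["ip", "netns", "exec", netns, "neutron-vpn-netns-wrapper",
            "--mount_paths=" + mount_paths, "--cmd=" + ",".join(cmd)]


def wrapper_commands(mount_paths, cmd):
    """The commands the wrapper runs inside the namespace, in order:
    one 'mount --bind SOURCE TARGET' per pair, then the wrapped command."""
    cmds = [["mount", "--bind", src, tgt] for tgt, src in parse_mount_paths(mount_paths)]
    cmds.append(list(cmd))
    return cmds


def host_view(path, mount_paths):
    """Map a path as pluto sees it inside the wrapper to where the host sees it.

    Matching is done on whole path components (so /etc does not match
    /etcetera) and the longest matching target wins; a path outside every
    bind-mounted tree is left unchanged because the host and the wrapper
    see the same file there.
    """
    best = None
    for tgt, src in parse_mount_paths(mount_paths):
        if path == tgt or path.startswith(tgt.rstrip("/") + "/"):
            if best is None or len(tgt) > len(best[0]):
                best = (tgt, src)
    if best is None:
        return path
    tgt, src = best
    return src + path[len(tgt):]


if __name__ == "__main__":
    # Constructed sample input; the xyz prefix is a placeholder, not a real id.
    mp = "/etc:/var/lib/neutron/xyz/ipsec/etc,/run:/var/lib/neutron/xyz/ipsec/var/run"
    pluto = ["ipsec", "pluto", "--use-xfrm", "--uniqueids"]
    print(" ".join(outer_command("qrouter-xyz", mp, pluto)))
    for c in wrapper_commands(mp, pluto):
        print("  " + " ".join(c))
    # Assumed pid file location; inside the wrapper pluto writes here ...
    print(host_view("/run/pluto/pluto.pid", mp))  # ... and the host sees it here
```

Two services with different per-service prefixes give different host-side paths for the same in-wrapper pid file, which is exactly why the pid files no longer collide; running host_view with a second prefix shows that directly. Note that a plain startswith("/etc") check would be wrong here: it would also rewrite paths such as /etcetera, so the comparison is made on a path-component boundary.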