Hmm, strange, I retried with a new instance too, now after adding the commands that you missed:
# add-apt-repository cloud-archive:newton # apt update;apt install strongswan neutron-vpn-agent # mkdir /tmp/test # ip netns add testns
I can reproduce with the modified command
# ip netns exec testns neutron-vpn-netns-wrapper --mount_paths "/mnt:/tmp/test" --cmd "ipsec,status" 2017-02-08 09:20:15.731 17729 INFO neutron.common.config [-] Logging enabled! 2017-02-08 09:20:15.732 17729 INFO neutron.common.config [-] /usr/bin/neutron-vpn-netns-wrapper version 9.0.0 Command: ['mount', '--bind', '/tmp/test', '/mnt'] Exit code: 0 Stdout: Stderr: 2017-02-08 09:20:15.744 17729 INFO neutron_vpnaas.services.vpn.common.netns_wrapper [-] /tmp/test has been bind-mounted in /mnt Command: ['ipsec', 'status'] Exit code: 0 Stdout: Stderr: connecting to 'unix:///var/run/charon.ctl' failed: Permission denied failed to connect to stroke socket 'unix:///var/run/charon.ctl'
and in the systemd journal I get a matching message:
Feb 08 09:20:15 jr-ansi02 audit[17738]: AVC apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/stroke" name="run/charon.ctl" pid=17738 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
The unwrapped command is indeed doing fine in comparison:
# ipsec status Security Associations (0 up, 0 connecting): none
After adding the flags from your patch into the profile and restarting apparmor, the issue is resolved:
# ip netns exec testns neutron-vpn-netns-wrapper --mount_paths "/mnt:/tmp/test" --cmd "ipsec,status" 2017-02-08 09:24:47.555 17912 INFO neutron.common.config [-] Logging enabled! 2017-02-08 09:24:47.557 17912 INFO neutron.common.config [-] /usr/bin/neutron-vpn-netns-wrapper version 9.0.0 Command: ['mount', '--bind', '/tmp/test', '/mnt'] Exit code: 0 Stdout: Stderr: 2017-02-08 09:24:47.568 17912 INFO neutron_vpnaas.services.vpn.common.netns_wrapper [-] /tmp/test has been bind-mounted in /mnt Command: ['ipsec', 'status'] Exit code: 0 Stdout: Security Associations (0 up, 0 connecting): none
Hmm, strange, I retried with a new instance too, now after adding the commands that you missed:
# add-apt-repository cloud-archive: newton
# apt update;apt install strongswan neutron-vpn-agent
# mkdir /tmp/test
# ip netns add testns
I can reproduce with the modified command
# ip netns exec testns neutron- vpn-netns- wrapper --mount_paths "/mnt:/tmp/test" --cmd "ipsec,status" common. config [-] Logging enabled! common. config [-] /usr/bin/ neutron- vpn-netns- wrapper version 9.0.0 vpnaas. services. vpn.common. netns_wrapper [-] /tmp/test has been bind-mounted in /mnt //var/run/ charon. ctl' failed: Permission denied //var/run/ charon. ctl'
2017-02-08 09:20:15.731 17729 INFO neutron.
2017-02-08 09:20:15.732 17729 INFO neutron.
Command: ['mount', '--bind', '/tmp/test', '/mnt'] Exit code: 0 Stdout: Stderr: 2017-02-08 09:20:15.744 17729 INFO neutron_
Command: ['ipsec', 'status'] Exit code: 0 Stdout: Stderr: connecting to 'unix:/
failed to connect to stroke socket 'unix:/
and in the systemd journal I get a matching message:
Feb 08 09:20:15 jr-ansi02 audit[17738]: AVC apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile= "/usr/lib/ ipsec/stroke" name="run/ charon. ctl" pid=17738 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
The unwrapped command is indeed doing fine in comparison:
# ipsec status
Security Associations (0 up, 0 connecting):
none
After adding the flags from your patch into the profile and restarting apparmor, the issue is resolved:
# ip netns exec testns neutron- vpn-netns- wrapper --mount_paths "/mnt:/tmp/test" --cmd "ipsec,status" common. config [-] Logging enabled! common. config [-] /usr/bin/ neutron- vpn-netns- wrapper version 9.0.0 vpnaas. services. vpn.common. netns_wrapper [-] /tmp/test has been bind-mounted in /mnt
2017-02-08 09:24:47.555 17912 INFO neutron.
2017-02-08 09:24:47.557 17912 INFO neutron.
Command: ['mount', '--bind', '/tmp/test', '/mnt'] Exit code: 0 Stdout: Stderr: 2017-02-08 09:24:47.568 17912 INFO neutron_
Command: ['ipsec', 'status'] Exit code: 0 Stdout: Security Associations (0 up, 0 connecting):
none