GitList

Browse code

VPNaaS Support for StrongSwan driver.

The StrongSwan driver under development for kilo-3 will replace the
default reference OpenSwan driver.

In the interim though, we need to be able to run functional tests
for both drivers. This change is intending to do the additional
steps that are needed to set up for Strongswan, so that when a
functional test has IPSEC_PACKAGE=strongswan, everything will be
correct.

The intent here is to explicitly set the device driver class in
vpn_agent.ini, so that this will work for when OpenSwan is the
default (currently), when no drivers are specified, and will work
for when StrongSwan is made the default in the code.

For Ubuntu, AppArmor is disabled for charon and stroke.

Note: Both OpenSwan and StrongSwan cannot be installed on the
host at the same time.

Change-Id: Ib8467e24633230d6643d812068e4ed6ffb33f104
Partial-Bug: 1424757

Paul Michali authored on 2015/02/24 07:07:48
Showing 2 changed files

lib/neutron

History View file @ 6fd4720

@@ -931,7 +931,7 @@ function _configure_neutron_l3_agent {
                          Q_L3_ROUTER_PER_TENANT=$Q_USE_NAMESPACE
                          if is_service_enabled q-vpn; then
                     -        cp $NEUTRON_VPNAAS_DIR/etc/vpn_agent.ini $Q_VPN_CONF_FILE
                     +        neutron_vpn_configure_agent
                          fi
                          cp $NEUTRON_DIR/etc/l3_agent.ini $Q_L3_CONF_FILE

lib/neutron_plugins/services/vpn

History View file @ 6fd4720

@@ -12,6 +12,13 @@ IPSEC_PACKAGE=${IPSEC_PACKAGE:-"openswan"}
                      function neutron_vpn_install_agent_packages {
                          install_package $IPSEC_PACKAGE
                     +    if is_ubuntu && [[ "$IPSEC_PACKAGE" == "strongswan" ]]; then
                     +        sudo ln -sf /etc/apparmor.d/usr.lib.ipsec.charon /etc/apparmor.d/disable/
                     +        sudo ln -sf /etc/apparmor.d/usr.lib.ipsec.stroke /etc/apparmor.d/disable/
                     +        # NOTE: Due to https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1387220
                     +        # one must use 'sudo start apparmor ACTION=reload' for Ubuntu 14.10
                     +        restart_service apparmor
                     +    fi
+                     }
                      function neutron_vpn_configure_common {
@@ -19,6 +26,18 @@ function neutron_vpn_configure_common {
                          _neutron_deploy_rootwrap_filters $NEUTRON_VPNAAS_DIR
+                     }
                     +function neutron_vpn_configure_agent {
                     +    cp $NEUTRON_VPNAAS_DIR/etc/vpn_agent.ini $Q_VPN_CONF_FILE
                     +    if [[ "$IPSEC_PACKAGE" == "strongswan" ]]; then
                     +        iniset_multiline $Q_VPN_CONF_FILE vpnagent vpn_device_driver neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
                     +        if is_fedora; then
                     +            iniset $Q_VPN_CONF_FILE strongswan default_config_area /usr/share/strongswan/templates/config/strongswan.d
                     +        fi
                     +    else
                     +        iniset_multiline $Q_VPN_CONF_FILE vpnagent vpn_device_driver neutron_vpnaas.services.vpn.device_drivers.ipsec.OpenSwanDriver
                     +    fi
                     +}
+                    +
                      function neutron_vpn_stop {
                          local ipsec_data_dir=$DATA_DIR/neutron/ipsec
                          local pids