
yahoo-eng-team team mailing list archive

[Bug 1456722] [NEW] StrongSwan and dynamic peer: Resolv of host failed


Public bug reported:

When adding an IPSEC Site to Site connection with peer fqdn, resolving
the peer fqdn fails for strongswan. As neutron relies on ip net
namespaces, the resolv.conf from the neutron node is not used by
StrongSwan.

Usually applications that work in ip netns try to use the resolv.conf in
the net namespace's etc dir and try /etc/ when they cannot find the
specified file, but it seems strongswan does not follow this procedure.

I added resolv.conf to the template directory of strongswan and changed
strongswan_ipsec.py:

- added to strongswan_opts array:

    # New option: the template rendered into each namespace's resolv.conf
    cfg.StrOpt(
        'resolv_conf_template',
        default=os.path.join(
            TEMPLATE_PATH,
            'template/strongswan/resolv.conf.template'),
        help=_('Template file for resolv configuration.')),

- added to ensure_configs method:

        # Render resolv.conf into the net namespace's etc dir next to the
        # other StrongSwan config files
        self.ensure_config_file(
            'resolv.conf',
            cfg.CONF.strongswan.resolv_conf_template,
            self.vpnservice)

Sorry - I don't know yet how to commit fixes and I am not even sure if
that's the correct way :-) But resolv.conf is added to every net ns /etc
dir and name resolution is working now within strongswan.

I attached the updated strongswan_ipsec.py.

** Affects: neutron
     Importance: Undecided
         Status: New

** Patch added: "Updated strongswan_ipsec.py"
   https://bugs.launchpad.net/bugs/1456722/+attachment/4400378/+files/strongswan_ipsec.py
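An added example, not the reporter's patch or Neutron's code, that models the situation in the report: the per-namespace file is /etc/netns/<name>/resolv.conf, which `ip netns exec` bind-mounts over /etc/resolv.conf, and an application that does not fall back to the host's /etc/resolv.conf sees no resolver until that file exists. A temporary directory stands in for /etc, the template text is constructed (the real resolv.conf.template is not shown on the page), and the namespace name and resolver address are constructed too.

```python
import os
import tempfile

# Constructed stand-in for resolv.conf.template (the real template is not shown)
RESOLV_CONF_TEMPLATE = "nameserver {nameserver}\nsearch {search}\n"

def netns_resolv_conf_path(etc_root, netns):
    """File that `ip netns exec <netns>` bind-mounts over /etc/resolv.conf;
    etc_root stands in for /etc so the example can run in a temp directory."""
    return os.path.join(etc_root, "netns", netns, "resolv.conf")

def write_netns_resolv_conf(etc_root, netns, nameserver, search="localdomain"):
    """What the reporter's ensure_config_file call achieves. The resolver named
    here is the one StrongSwan trusts to locate the peer, so use the node's own."""
    path = netns_resolv_conf_path(etc_root, netns)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(RESOLV_CONF_TEMPLATE.format(nameserver=nameserver, search=search))
    return path

def resolv_conf_seen_by(etc_root, netns, falls_back_to_host):
    """Lookup order the report describes: the namespace copy wins; the host's
    /etc/resolv.conf counts only for applications that fall back to it.
    None means the process has no resolver at all (StrongSwan's situation)."""
    ns_path = netns_resolv_conf_path(etc_root, netns)
    if os.path.isfile(ns_path):
        return ns_path
    host_path = os.path.join(etc_root, "resolv.conf")
    if falls_back_to_host and os.path.isfile(host_path):
        return host_path
    return None

def nameservers_in(path):
    """Nameserver addresses listed in a resolv.conf file ([] when no file)."""
    if path is None:
        return []
    with open(path) as fh:
        fields = [line.split() for line in fh]
    return [f[1] for f in fields if len(f) > 1 and f[0] == "nameserver"]

def demo():
    """Before/after for a constructed namespace and a constructed host resolver."""
    etc_root = tempfile.mkdtemp(prefix="netns-resolv-")
    with open(os.path.join(etc_root, "resolv.conf"), "w") as fh:
        fh.write("nameserver 10.0.0.53\n")  # constructed host resolv.conf
    before = nameservers_in(resolv_conf_seen_by(etc_root, "qrouter-demo", False))
    write_netns_resolv_conf(etc_root, "qrouter-demo", "10.0.0.53")
    after = nameservers_in(resolv_conf_seen_by(etc_root, "qrouter-demo", False))
    return before, after
```

`demo()` returns an empty list before the namespace file is written and the configured resolver afterwards, which is the failure and the fix the report describes.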
