Adds VPNaaS support for OVN.
Add a new stand-alone VPN agent to support OVN+VPN. Add OVN-specific
service and device drivers that support this new VPN agent. This will
have no impact on the existing VPN solution for ML2/OVS; the existing
L3 agent and its VPN extension will still work.
Add a new VPN agent scheduler that will schedule VPN services to VPN
agents on a per-router basis.
Add two new database tables: vpn_ext_gws (to store extra port IDs)
and routervpnagentbindings (to store VPN agent ID per router).
For more details, see the spec (neutron-specs/specs/xena/vpnaas-ovn.rst).
This work is based on work of MingShuan Xian (xianms@cn.ibm.com),
see https://bugs.launchpad.net/networking-ovn/+bug/1586253
Depends-On: https://review.opendev.org/c/openstack/neutron/+/847005
Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/847007
Closes-Bug: #1905391
Change-Id: I632f86762d63edbfe225727db11ea21bbb1ffc25
This commit defines the default policies in code. VPNaaS has
no policy.json so far, so all policy definitions are newly created.
Partially Implements: blueprint neutron-policy-in-code
Change-Id: Ic0bf99b69a792197399e38ace6d23ea18874892a
LibreSwan 3.19 introduces a new commandline argument '--nssdir' for
pluto which defaults to '/etc/ipsec.d'. As older versions don't
understand such an option, we cannot just add it to the commandline.
The commandline arguments of LibreSwan are not stable enough to rely on.
For example, in 3.19, 'ipsec initnss' has the new argument '--nssdir',
and in 3.20, 'ipsec pluto' also gets this new argument '--nssdir', then
in 3.22, the argument '--ctlbase' is phased out.
In this commit, instead of trying new options and then falling back to old
ones for older versions, the bind-mount method used in the StrongSwan driver
is adopted. With /etc and /var/run bind mounted, all the commandline
arguments related to configuration file places can be removed. This
ensures that changes of such arguments between different versions won't
cause trouble, as the default places are always used.
This commit also replaces 'auth=' with 'phase2=' in the configuration
template, as the former has for a long time been an alias of the latter and
was removed in LibreSwan 3.19.
The virtual-private argument of 'ipsec pluto' has been put into the
configuration file to avoid commas (,) in the commandline so that the
netns_wrapper can work well.
A new tempest job for running LibreSwan as the device driver on CentOS 7
is also added to avoid regression.
This commit has been simply tested on CentOS 7.4 with the following
versions of LibreSwan provided by the CentOS repo:
- libreswan-3.12-5.el7.x86_64.rpm
- libreswan-3.12-10.1.el7_1.x86_64.rpm
- libreswan-3.15-5.el7_1.x86_64.rpm
- libreswan-3.15-8.el7.x86_64.rpm
- libreswan-3.20-3.el7.x86_64.rpm
- libreswan-3.20-5.el7_4.x86_64.rpm
and different versions of LibreSwan provided by libreswan.org[1]:
[1] https://download.libreswan.org/binaries/rhel/7/x86_64/
Change-Id: Iacb6f13187b49cf771f0c24662d6af9217c211b8
Closes-Bug: #1711456
After https://review.openstack.org/#/c/555167/ merged
downstream packaging jobs broke due to the filename
change to l3_agent.ini. Change it back to vpn_agent.ini
since it could cause an upgrade issue.
Also, since l3_agent.ini is already used in the neutron
tree, having a file with the same name could cause some
confusion, so it's better to use something unique.
Change-Id: I39cf2c0d1c54e7c292dcdf71831c1a3cbc67284a
neutron-vpnaas documentation needed to be updated to the document
structure recommended by the docs team.
This commit adds several sections and reorganizes the existing docs.
Change-Id: Iae2704f3d0653e00c18cf1fccdbcb8b926a5b15c
The strongswan.d config dir (usually /etc/strongswan.d) is usually owned
by root but the neutron-vpn-agent may run as non-root so the files need
to be copied as root to not get a "permission denied" error.
Change-Id: I40785f8c89b304efdf0f95469ec5a2d57b0cad60
Closes-Bug: #1586986
Oslo config generator was introduced in patch [1] to
automatically generate the sample Neutron VPNaaS configuration
files.
This patch removes the static example configuration files from
the repository as they are now redundant.
[1] https://review.openstack.org/#/c/253399/
Change-Id: Ibf5ed0f1e80d01dd2332a3638974479bca350ecf
Partially-Implements: blueprint autogen-neutron-conf-file
Partial-bug: #1199963
Depends-On: Icef8f7e8f0e8e78bfffa7a5af3f9f2300376b115
This adds a new tox environment, genconfig, which generates a sample
neutron VPNaaS configuration file using oslo-config-generator.
Updates to some configuration option help messages to reflect useful
details that were missing in the code but were present in config files.
DocImpact: Update the docs that VPNaaS no longer includes static example
configuration files. Instead, use tools/generate_config_file_samples.sh
to generate them and the files generated now end with .sample extension.
Partially-Implements: blueprint autogen-neutron-conf-file
Change-Id: I4a6094b8218dfd320d05bfb1e3bc121e8930c551
Partial-bug: #1199963
The --perpeerlogbase option has no effect without --perpeerlog. [1]
Moreover, there is no need to create a 'logs' dir as there is a 'log'
dir that can be reused.
Also fixed indentation issue for enable_detailed_logging option
declaration.
[1] http://linux.die.net/man/8/ipsec_pluto
DocImpact
Related-Bug: #1308730
Change-Id: Ie5ef72c2abd83b9b1114d90a6c7294cc34174018
Change I5c215d70c348524979b740f882029f74e400e6d7 introduced cleanup
of pluto ctl/pid files on starting and restarting of pluto daemon
for LibreSwan driver. But the problem with managing these files is
also common for the OpenSwan driver: pluto daemon fails to start if
a pid file it tries to create already exists (see bug report for
details).
This change moves the cleanup functionality to the OpenSwanProcess so
that it will be used by both OpenSwan and LibreSwan drivers.
Also fixed a typo in _cleanup_control_files where it attempted to
remove the pluto.ctl.ctl file instead of pluto.ctl.
Changed the name of 'libreswan' configuration section to 'pluto'.
DocImpact
Change-Id: I717e8fcc1add35b7099c977235e4eff5da9e093b
Closes-Bug: #1506794
The LibreSwan ipsec driver needs to be able to change the ownership of
generated ipsec.secrets files to root. This modifies the existing
rootwrap filter to allow chown operations only to be performed on files
named ipsec.secrets that have the expected UID.
Change-Id: I1305f9e78eb5fe718f3065e6a9e690293f1fca1d
Related-bug: #1493492
LibreSwan runs as root and needs access to ipsec.secrets. Currently,
ipsec.secrets is not owned by root and has 0600 permissions. This patch
adds a rootwrap filter for the chown operation and sets the
ipsec.secrets ownership to root.
Change-Id: I414b5d9285d7a3ba9d3132bce9d7d5e3af43c37f
Closes-Bug: #1493492
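The two commits above describe a rootwrap filter that lets the agent chown ipsec.secrets to root, but only for files with that exact name and the expected owner. The block below is an added example, not neutron-vpnaas's own filter and not oslo.rootwrap's API: the class name, constructor parameters and match() method are assumptions for the illustration, and demo() builds a constructed temp-directory scenario to show which chown invocations pass the check.

```python
import os
import tempfile

# Added example, not neutron-vpnaas's own rootwrap filter: a minimal
# rootwrap-style command filter that permits "chown <owner> <path>" only
# when <path> is a file named ipsec.secrets currently owned by the
# expected UID. Class name, parameters and match() are assumptions for
# this illustration, not oslo.rootwrap's real API.


class IpsecSecretsChownFilter:
    """Allow chown only on ipsec.secrets files owned by expected_uid."""

    def __init__(self, expected_uid, allowed_owner="root"):
        self.expected_uid = expected_uid
        self.allowed_owner = allowed_owner

    def match(self, userargs):
        # Accept exactly the form: chown <owner> <path>; no flags such as -R.
        if len(userargs) != 3 or userargs[0] != "chown":
            return False
        owner, path = userargs[1], userargs[2]
        if owner != self.allowed_owner:
            return False
        # Resolve symlinks so a link named ipsec.secrets cannot steer the
        # chown at some other file, then check the name of the real target.
        real = os.path.realpath(path)
        if os.path.basename(real) != "ipsec.secrets":
            return False
        try:
            st = os.stat(real)
        except FileNotFoundError:
            return False
        # Only a file still owned by the agent's UID may be handed to root.
        return st.st_uid == self.expected_uid


def demo():
    """Constructed scenario: a temp dir holding ipsec.secrets and ipsec.conf."""
    d = tempfile.mkdtemp()
    secrets = os.path.join(d, "ipsec.secrets")
    other = os.path.join(d, "ipsec.conf")
    for p in (secrets, other):
        with open(p, "w"):
            pass
    os.chmod(secrets, 0o600)
    mine = IpsecSecretsChownFilter(expected_uid=os.getuid())
    foreign = IpsecSecretsChownFilter(expected_uid=os.getuid() + 1)
    return {
        "secrets_ok": mine.match(["chown", "root", secrets]),
        "wrong_name": mine.match(["chown", "root", other]),
        "wrong_owner": mine.match(["chown", "nobody", secrets]),
        "wrong_uid": foreign.match(["chown", "root", secrets]),
        "extra_flag": mine.match(["chown", "-R", "root", secrets]),
        "missing": mine.match(["chown", "root", os.path.join(d, "x", "ipsec.secrets")]),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-12s %s" % (name, "allowed" if allowed else "rejected"))
```

The filter refuses anything but the exact three-argument form, so a recursive chown or a differently named file never reaches root; resolving the real path first means a symlink named ipsec.secrets cannot redirect the ownership change.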
LibreSwan checks for the presence of pid/ctl files when starting up and
will error out if they already exist. However, LibreSwan's usage of the
capabilities library removes the access required to cleanup .ctl and
.pid files on shutdown if any of the directories in the path are missing
explicit permissions for root. This is not considered a bug by the
LibreSwan maintainers, so the LibreSwan driver must work around it by
checking if it is okay to remove the files and removing them on
startup. It must also wait for shutdown to complete before restarting
the daemon on LibreSwanProcess.restart().
Introduces new configuration for retrying check for process shutdown.
DocImpact
Change-Id: I5c215d70c348524979b740f882029f74e400e6d7
Closes-Bug: #1331502
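The commit above explains why the LibreSwan driver has to remove stale pluto pid/ctl files itself and wait for a shutdown to finish before restarting the daemon. The block below is an added example, not the driver's own code: function names, the var/run layout under the config dir and the retry parameters are assumptions, and demo() constructs a temp directory with one pid file that names a live process and one that names a process which has already exited.

```python
import os
import subprocess
import tempfile
import time

# Added example, not neutron-vpnaas's LibreSwanProcess: check whether the
# pid recorded in pluto.pid still belongs to a running process, remove the
# stale pid/ctl files only when it does not, and poll for shutdown before
# a restart. Names and the var/run layout are assumptions for this demo.


def pid_is_running(pid):
    """True if a process with this pid exists; signal 0 probes without killing."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user
    return True


def read_pid(pid_file):
    """Return the integer pid stored in pid_file, or None if absent/unparsable."""
    try:
        with open(pid_file) as f:
            return int(f.read().strip() or 0)
    except (FileNotFoundError, ValueError):
        return None


def cleanup_control_files(config_dir, name="pluto"):
    """Remove <name>.pid/<name>.ctl if no live process owns them.

    Returns the list of removed paths; an empty list means a daemon is
    still alive and its files were left alone.
    """
    run_dir = os.path.join(config_dir, "var", "run")
    pid_file = os.path.join(run_dir, name + ".pid")
    ctl_file = os.path.join(run_dir, name + ".ctl")
    pid = read_pid(pid_file)
    if pid is not None and pid_is_running(pid):
        return []
    removed = []
    for path in (pid_file, ctl_file):
        try:
            os.remove(path)
            removed.append(path)
        except FileNotFoundError:
            pass
    return removed


def wait_for_shutdown(pid_file, retries=5, interval=0.1):
    """Poll until the pid named in pid_file is gone; True if it stopped in time."""
    for _ in range(retries):
        pid = read_pid(pid_file)
        if pid is None or not pid_is_running(pid):
            return True
        time.sleep(interval)
    return False


def demo():
    """Constructed scenario: live pid (kept) versus exited pid (cleaned up)."""
    config_dir = tempfile.mkdtemp()
    run_dir = os.path.join(config_dir, "var", "run")
    os.makedirs(run_dir)
    pid_file = os.path.join(run_dir, "pluto.pid")
    ctl_file = os.path.join(run_dir, "pluto.ctl")

    def write(pid):
        with open(pid_file, "w") as f:
            f.write("%d\n" % pid)
        open(ctl_file, "w").close()

    # Case 1: the pid file names this (live) process, so nothing is removed.
    write(os.getpid())
    live_removed = cleanup_control_files(config_dir)
    # Case 2: the pid file names a child that has already exited and been
    # reaped, so both files are stale and are removed.
    child = subprocess.Popen(["true"])
    child.wait()
    write(child.pid)
    stopped = wait_for_shutdown(pid_file)
    stale_removed = cleanup_control_files(config_dir)
    return {
        "live_removed": len(live_removed),
        "stopped": stopped,
        "stale_removed": len(stale_removed),
        "pid_file_exists": os.path.exists(pid_file),
    }


if __name__ == "__main__":
    print(demo())
```

Probing with signal 0 is what keeps the cleanup safe: a pid file is only treated as stale when the kernel confirms no such process exists, so a live pluto is never stripped of its control socket.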
Add a log for the IPSec pluto process. This log will be useful
to developers for debugging IPSec site connections and IPSec
connectivity.
This applies to OpenSwan and LibreSwan; StrongSwan
has logging that logs to syslog.
DocImpact
Closes-Bug: #1484410
Change-Id: Id150416a179ae4ddeed5bd13d6c50793e6183f55
Now that https://review.openstack.org/#/c/213750/ has merged,
which addresses the root issue, this symptom fixer, which has
quite a few side effects, can be reverted until it's addressed
sanely.
This reverts commit f9d5c05057.
Change-Id: Ie013b452457b460de798c5d5d06133784d2f321f
VPNaaS is not working on Fedora/CentOS devstack.
Fedora/CentOS uses Libreswan (a fork of the Openswan IPsec VPN) for ipsec.
Libreswan needs the nssdb to be initialised before the
'ipsec pluto' command, otherwise the pluto daemon will fail to run.
Change-Id: I54558208b2aaa82bda09c0db96042d236eceba69
Closes-bug: #1444017
The initial release of the StrongSwan VPNaaS driver only supports Ubuntu.
This patch will provide the Fedora support. The differences in the usage of
StrongSwan between Fedora and Ubuntu are:
- Uses the 'strongswan' CLI command instead of 'ipsec'
- Configuration file locations are different
- The strongswan.d directory in the template directory does not include
the 'charon' directory
Change-Id: I27d8518d1d8110453d4674a0c6fb3cb6072a32f0
Closes-bug: 1444776
Closes-bug: 1441788
This patch implements a strongSwan driver for VPNaaS. The initial effort
only supports strongSwan >= 5.x and implements an equivalent PSK
net-to-net VPN service as the openSwan driver did, based on the recommended
configuration.
Implements blueprint ipsec-strongswan-driver
DocImpact
a, StrongSwan and openSwan cannot be installed at the same time.
Thus, both cannot be enabled for use. In the future when
flavors/STF support is available, this will still constrain
the flavors which can be used together.
b, Adding StrongswanDriver in the file /etc/neutron/vpn_agent.ini
vpn_device_driver=neutron.services.vpn.device_drivers \
.strongswan_ipsec.StrongSwanDriver
c, Apparmor can interfere with both the creation of tunnels and
established tunnels, because it controls access to operating
system resources. Thus we can use the commands below to remove
the apparmor definitions from the kernel.
sudo apparmor_parser -R usr.lib.ipsec.charon
sudo apparmor_parser -R usr.lib.ipsec.stroke
However, what we are seeing is that even though we disable the
profiles for charon and stroke, apparmor is re-enabling them
(at unknown times). As a result, we can directly disable them
with the following commands:
sudo ln -s /etc/apparmor.d/usr.lib.ipsec.charon \
/etc/apparmor.d/disable/
sudo ln -s /etc/apparmor.d/usr.lib.ipsec.stroke \
/etc/apparmor.d/disable/
sudo service apparmor restart
In a word, you need to take care of your apparmor configurations.
d, Supports Ubuntu only. A separate commit will address Fedora.
e, Other steps are the same as with the existing openSwan driver.
This patch is based on patchset67 of nachi's initial vpnaas
implementation, many thanks to nachi.
Change-Id: Ia3eb10a9103bdceb2a29f2372b410b946f3a89cc
Introducing new service-driver and device-driver for Vyatta vRouter,
with portions of vRouter parsing code hosted in the stackforge/networking-brocade
repo.
Change-Id: I6028283c86849196170ada8b5ebeb1efe4e38ea4
Implements: blueprint brocade-vyatta-vpnaas-plugin
- Some shared exceptions will be left in Neutron, until further l3 refactoring
Depends on neutron change I16b5e5b2bb70717166da14faa975fa2ab9129049
Change-Id: I081b7482776b7294fcafcae6c8610ddd5271cc5e
Partially-Implements: blueprint services-split
strongSwan doesn't support namespaces natively; this wrapper
will use "mount --bind" to simulate the ns like this:
sudo neutron-rootwrap /etc/neutron/rootwrap.conf ip netns \
exec <namespace-id> neutron-netns-wrapper --mount_paths \
=/etc:/var/lib/neutron/vpnaas/<xxxx-id>/etc, \
/var/run:/var/lib/neutron/vpnaas/<xxxx-id>/var/run \
--cmd=ipsec,status
Both sudoers and rootwrap.conf will not exist in the
directory /etc after the bind-mount, thus we can't use
utils.execute(cmd, conf.root_helper) in
neutron/agent/linux/utils.py. So implement a function
execute(cmd) in this wrapper as an alternative. Then we can
use root_helper to invoke this wrapper to make sure all
commands are still running as root, as the code below shows.
Finally, we also need to check in the wrapper whether cmd matches a
CommandFilter, for the same reason.
ip_wrapper = ip_lib.IPWrapper(root_helper, namespace)
ip_wrapper.netns.execute(
    [NS_WRAPPER,
     '--mount_paths=/etc:%s/etc,/var/run:%s/var/run' % (
         self.config_dir, self.config_dir),
     '--cmd=%s' % ','.join(cmd)],
    check_exit_code=check_exit_code)
We are using a check of the net namespace (since Linux 3.0)
instead of the mount namespace (since Linux 3.8), as older
kernels do not support mount namespaces. In addition,
mount --bind has been available since Linux 2.4, so we
don't need to worry about Kilo's minimum kernel requirement.
This patch is based on patchset67 of nachi's initial
vpnaas implementation, many thanks to nachi.
Submit this wrapper as a separate review from [1].
[1] https://review.openstack.org/#/c/144391/
Partially-implements: blueprint ipsec-strongswan-driver
Change-Id: Icc80b9102acb87170f2d1cda06c848fa71bb1634
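The commit above describes a wrapper that is invoked inside the router's namespace with --mount_paths and --cmd arguments, bind-mounts a per-router directory over /etc and /var/run, checks the command against a CommandFilter and then runs it. The block below is an added example, not neutron's netns_wrapper: it parses arguments in that style, checks the wrapped executable against an assumed allow-list, and returns the ordered plan of mount --bind calls followed by the command. The allow-list contents, function names and the "r1" path in the demo are assumptions; run_plan() performs the mounts and therefore only works as root inside a namespace, so the planning part is what the demo exercises.

```python
import subprocess

# Added example, not neutron's netns_wrapper: parse "--mount_paths=A:B,C:D"
# and "--cmd=x,y", enforce an allow-list of executables (a stand-in for the
# CommandFilter check the commit message mentions), and build the commands
# a wrapper would run: "mount --bind <backing-dir> <mount-point>" per pair,
# then the wrapped command. ALLOWED_COMMANDS is an assumed allow-list.

ALLOWED_COMMANDS = {"ipsec", "strongswan"}


def parse_wrapper_args(argv):
    """Return (mount_pairs, cmd); each pair is (mount_point, backing_dir)."""
    mount_pairs, cmd = [], None
    for arg in argv:
        if arg.startswith("--mount_paths="):
            for pair in arg[len("--mount_paths="):].split(","):
                pair = pair.strip()  # the agent's argument may carry spaces
                if not pair:
                    continue
                mount_point, sep, backing = pair.partition(":")
                if not sep or not mount_point.startswith("/") or not backing.startswith("/"):
                    raise ValueError("bad mount pair: %r" % pair)
                mount_pairs.append((mount_point, backing))
        elif arg.startswith("--cmd="):
            cmd = [c for c in arg[len("--cmd="):].split(",") if c]
        else:
            raise ValueError("unknown argument: %r" % arg)
    if not cmd:
        raise ValueError("--cmd is required")
    return mount_pairs, cmd


def command_allowed(cmd, allowed=ALLOWED_COMMANDS):
    """Only the executable name is checked here, as a simple CommandFilter would."""
    return bool(cmd) and cmd[0] in allowed


def plan_commands(argv, allowed=ALLOWED_COMMANDS):
    """Validate argv and return the list of commands to execute, in order."""
    mount_pairs, cmd = parse_wrapper_args(argv)
    if not command_allowed(cmd, allowed):
        raise PermissionError("command not allowed: %s" % cmd[0])
    # "mount --bind <backing> <mount_point>" makes the per-router directory
    # appear at /etc or /var/run for processes in this mount namespace.
    plan = [["mount", "--bind", backing, mount_point] for mount_point, backing in mount_pairs]
    plan.append(cmd)
    return plan


def run_plan(plan):
    """Execute the plan; needs root and is meant to run under 'ip netns exec'."""
    for command in plan:
        subprocess.check_call(command)


def demo():
    """Constructed argv in the shape the agent passes to the wrapper."""
    base = "/var/lib/neutron/vpnaas/r1"  # assumed router config dir
    argv = [
        "--mount_paths=/etc:%s/etc, /var/run:%s/var/run" % (base, base),
        "--cmd=ipsec,status",
    ]
    return {
        "plan": plan_commands(argv),
        "shell_allowed": command_allowed(["sh", "-c", "id"]),
    }


if __name__ == "__main__":
    for command in demo()["plan"]:
        print(" ".join(command))
```

Because ip netns exec gives the child its own mount namespace, the bind mounts in the plan are visible only to the wrapped command and not to the host's /etc; the allow-list check is what keeps a root-invoked wrapper from becoming a generic "run anything as root" entry point.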
This has the service driver part of the vendor specific VPNaaS plugin.
This version DOES NOT rely on the Service Type Framework code, which is
presently under review (client 53602, server 41827) and on hold due to
discussion over flavors. As a result, this changeset has modifications
so that the service driver is not hard-coded in the VPN plugin.
The device driver will be under a separate review and has the REST
client that talks to the Cisco CSR (running out-of-band).
Note: See review 74156 for more details on device driver portion of
this blueprint.
Change-Id: I39b1475c992b594256f5a28be0caa1ee9398050e
Partially-implements: blueprint vpnaas-cisco-driver
Implements blueprint ipsec-vpn-reference
This patch implements the reference driver for VPNaaS.
The driver uses openswan to manage vpn connections.
Future work:
- Support ikepolicy and ipsec update
- Support service type framework
- Intelligent updating of resources
This commit adds jinja2 to requirements.txt for
generating the config file.
Change-Id: I8c5ed800a71ca014dc7bdbb6a57c4f8d18fa82e0