Commit Graph

28 Commits

Author SHA1 Message Date
Bodo Petermann 256464aea6 VPNaaS support for OVN
Adds VPNaaS support for OVN.
Add a new stand-alone VPN agent to support OVN+VPN. Add OVN-specific
service and device drivers that support this new VPN agent. This will
have no impact on the existing VPN solution for ML2/OVS; the existing
L3 agent and its VPN extension will still work.

Add a new VPN agent scheduler that will schedule VPN services to VPN
agents on a per-router basis.

Add two new database tables: vpn_ext_gws (to store extra port IDs)
and routervpnagentbindings (to store VPN agent ID per router).

For more details see the spec (neutron-specs/specs/xena/vpnaas-ovn.rst).

This work is based on work of MingShuan Xian (xianms@cn.ibm.com),
see https://bugs.launchpad.net/networking-ovn/+bug/1586253

Depends-On: https://review.opendev.org/c/openstack/neutron/+/847005
Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/847007

Closes-Bug: #1905391
Change-Id: I632f86762d63edbfe225727db11ea21bbb1ffc25
2023-11-16 21:08:50 +01:00
Akihiro Motoki b0c4a6aefb Convert policy.json into policy-in-code
This commit defines the default policies in code. VPNaaS has
no policy.json so far, so all policy definitions are newly created.

Partially Implements: blueprint neutron-policy-in-code

Change-Id: Ic0bf99b69a792197399e38ace6d23ea18874892a
2019-01-07 16:38:16 +00:00
Hunt Xu b6c8ea8a3c Make libreswan driver work with recent versions
LibreSwan 3.19 introduces a new commandline argument '--nssdir' for
pluto which defaults to '/etc/ipsec.d'. As older versions don't
understand such an option, we cannot just add it to the commandline.

The commandline arguments of LibreSwan are not stable enough to rely on.
For example, in 3.19, 'ipsec initnss' has the new argument '--nssdir',
and in 3.20, 'ipsec pluto' also gets this new argument '--nssdir', then
in 3.22, the argument '--ctlbase' is phased out.

In this commit, instead of trying new options and then falling back to
old ones for older versions, the bind-mount method used in the StrongSwan
driver is adopted. With /etc and /var/run bind mounted, all the commandline
arguments related to configuration file places can be removed. This
ensures that changes of such arguments between different versions won't
matter, as the default places are always used.

This commit also replaces 'auth=' by 'phase2=' in the configuration
template as the former is for a long time an alias of the latter and
removed in LibreSwan 3.19.

The virtual-private argument of 'ipsec pluto' has been put into the
configuration file to avoid commas(,) in the commandline so that the
netns_wrapper can work well.

A new tempest job for running LibreSwan as the device driver on CentOS 7
is also added to avoid regression.

This commit has been simply tested on CentOS 7.4 with the following
versions of LibreSwan provided by the CentOS repo:

  - libreswan-3.12-5.el7.x86_64.rpm
  - libreswan-3.12-10.1.el7_1.x86_64.rpm
  - libreswan-3.15-5.el7_1.x86_64.rpm
  - libreswan-3.15-8.el7.x86_64.rpm
  - libreswan-3.20-3.el7.x86_64.rpm
  - libreswan-3.20-5.el7_4.x86_64.rpm

and different versions of LibreSwan provided by libreswan.org [1]:

[1] https://download.libreswan.org/binaries/rhel/7/x86_64/

Change-Id: Iacb6f13187b49cf771f0c24662d6af9217c211b8
Closes-Bug: #1711456
2018-06-22 15:29:48 +08:00
Brian Haley 8d5433fe8f Change back to using vpn_agent.ini
After https://review.openstack.org/#/c/555167/ merged
downstream packaging jobs broke due to the filename
change to l3_agent.ini.  Change it back to vpn_agent.ini
since it could cause an upgrade issue.

Also, since l3_agent.ini is already used in the neutron
tree, having a file with the same name could cause some
confusion, so it's better to use something unique.

Change-Id: I39cf2c0d1c54e7c292dcdf71831c1a3cbc67284a
2018-04-04 11:03:29 -04:00
Akihiro Motoki 38d53da188 Improve docs to follow the standard structure
neutron-vpnaas documentation needed to be updated to the document
structure recommended by the docs team.
This commit adds several sections and reorganizes the existing docs.

Change-Id: Iae2704f3d0653e00c18cf1fccdbcb8b926a5b15c
2018-04-02 02:19:04 +00:00
Jeffrey Zhang 65a3e5dfbe Drop the root requirement for LibreSwanDriver
Change-Id: I880ef5dad6723de06da5dd8a424f7158d65b5a35
Closes-Bug: #1644517
2018-01-23 14:59:39 +08:00
gengchc2 3540ab71e8 Fix a typo in vpnaas.filters, filters.template, etc.
TrivialFix

Change-Id: I1f6a5719b3f44914e9922c01b5a585f06bbae168
2016-10-17 16:54:01 +08:00
Thomas Bechtold beff6e945c Copy/remove the strongswan.d config as root
The strongswan.d config dir (usually /etc/strongswan.d) is usually owned
by root but the neutron-vpn-agent may run as non-root so the files need
to be copied as root to not get a "permission denied" error.

Change-Id: I40785f8c89b304efdf0f95469ec5a2d57b0cad60
Closes-Bug: #1586986
2016-05-31 07:05:46 +02:00
Martin Hickey 3e63e570fa Remove Neutron VPNaaS static example configuration files
Oslo config generator was introduced in patch [1] to
automatically generate the sample Neutron VPNaaS configuration
files.

This patch removes the static example configuration files from
the repository as they are now redundant.

[1] https://review.openstack.org/#/c/253399/

Change-Id: Ibf5ed0f1e80d01dd2332a3638974479bca350ecf
Partially-Implements: blueprint autogen-neutron-conf-file
Partial-bug: #1199963
Depends-On: Icef8f7e8f0e8e78bfffa7a5af3f9f2300376b115
2015-12-13 08:48:00 +00:00
Martin Hickey 5c8941eeed Automatically generate neutron VPNaaS configuration files
This adds a new tox environment, genconfig, which generates sample
neutron VPNaaS configuration file using oslo-config-generator.

Updates to some configuration option help messages to reflect useful
details that were missing in the code but were present in config files.

DocImpact: Update the docs that VPNaaS no longer includes static example
configuration files. Instead, use tools/generate_config_file_samples.sh
to generate them and the files generated now end with .sample extension.

Partially-Implements: blueprint autogen-neutron-conf-file

Change-Id: I4a6094b8218dfd320d05bfb1e3bc121e8930c551
Partial-bug: #1199963
2015-12-11 11:03:33 +00:00
Elena Ezhova ff49617ff7 Fix options for pluto per-peer logging
--perpeerlogbase option has no effect without --perpeerlog. [1]
Moreover there is no need to create 'logs' dir as there is a 'log'
dir that can be reused.

Also fixed indentation issue for enable_detailed_logging option
declaration.

[1] http://linux.die.net/man/8/ipsec_pluto

DocImpact
Related-Bug: #1308730
Change-Id: Ie5ef72c2abd83b9b1114d90a6c7294cc34174018
2015-11-16 16:12:02 +03:00
Elena Ezhova a71f30b232 Cleanup .ctl/.pid files for both OpenSwan and LibreSwan
Change I5c215d70c348524979b740f882029f74e400e6d7 introduced cleanup
of pluto ctl/pid files on starting and restarting of pluto daemon
for LibreSwan driver. But the problem with managing these files is
also common for the OpenSwan driver: pluto daemon fails to start if
a pid file it tries to create already exists (see bug report for
details).

This change moves the cleanup functionality to the OpenSwanProcess so
that it will be used by both OpenSwan and LibreSwan drivers.
Also fixed a typo in _cleanup_control_files where it was attempted to
remove the pluto.ctl.ctl file instead of pluto.ctl.

Changed the name of 'libreswan' configuration section to 'pluto'.

DocImpact

Change-Id: I717e8fcc1add35b7099c977235e4eff5da9e093b
Closes-Bug: #1506794
2015-10-16 14:35:35 +03:00
Brent Eagles d04e5527d9 Make chown rootwrap filter ipsec.secrets file specific
The LibreSwan ipsec driver needs to be able to change the ownership of
generated ipsec.secrets files to root. This modifies the existing
rootwrap filter to allow chown operations only to be performed on files
named ipsec.secrets that have the expected UID.

Change-Id: I1305f9e78eb5fe718f3065e6a9e690293f1fca1d
Related-bug: #1493492
2015-09-16 15:02:18 -02:30
Brent Eagles fed1a9b927 Set owner to root for ipsec.secrets for LibreSwan
LibreSwan runs as root and needs access to ipsec.secrets. Currently,
ipsec.secrets is not owned by root and has 0600 permissions. This patch
adds a rootwrap filter for the chown operation and sets the
ipsec.secrets ownership to root.

Change-Id: I414b5d9285d7a3ba9d3132bce9d7d5e3af43c37f
Closes-Bug: #1493492
2015-09-11 12:20:15 -02:30
Jenkins 2baf733818 Merge "Manage cleanup of .ctl/.pid files for LibreSwan" 2015-09-08 13:10:10 +00:00
Brent Eagles 00b633d284 Manage cleanup of .ctl/.pid files for LibreSwan
LibreSwan checks for the presence of pid/ctl files when starting up and
will error out if they already exist. However, LibreSwan's usage of the
capabilities library removes the access required to cleanup .ctl and
.pid files on shutdown if any of the directories in the path are missing
explicit permissions for root. This is not considered a bug by the
LibreSwan maintainers, so the LibreSwan driver must work around it by
checking if it is okay to remove the files and removing them on
startup. It must also wait for shutdown to complete before restarting
the daemon on LibreSwanProcess.restart().

Introduces a new configuration option for retrying the check for process shutdown.

DocImpact


Change-Id: I5c215d70c348524979b740f882029f74e400e6d7
Closes-Bug: #1331502
2015-09-03 13:43:56 +00:00
changzhi b003d9a424 Allow enabling detailed logging for OpenSwan
Add a log for the IPsec pluto process. This log will be useful
to developers for debugging IPsec site connections and IPsec
connectivity.

This applies to OpenSwan and LibreSwan; StrongSwan already
has logging that logs to syslog.

DocImpact
Closes-Bug: #1484410
Change-Id: Id150416a179ae4ddeed5bd13d6c50793e6183f55
2015-08-28 10:52:57 +08:00
Doug Wiegley 242dd8507d Revert "Remove default service provider from conf file"
Now that https://review.openstack.org/#/c/213750/ has merged,
which addresses the root issue, this symptom fixer, which has
quite a few side effects, can be reverted until it's addressed
sanely.

This reverts commit f9d5c05057.

Change-Id: Ie013b452457b460de798c5d5d06133784d2f321f
2015-08-18 01:59:04 +00:00
Doug Wiegley f9d5c05057 Remove default service provider from conf file
Partial-bug: #1483266
Depends-On: Ia979fa2fdf25f3c1dbe9e7160d6dde2df51c305e
Change-Id: If04871e4461ad5838a6fd7a3993d4eda1566d145
2015-08-13 17:24:03 +00:00
venkata anil 72e1f670fd Libreswan driver support in VPNaaS
VPNaaS is not working on Fedora/CentOS devstack.
Fedora/CentOS uses LibreSwan (a fork of the OpenSwan IPsec VPN) for ipsec.

LibreSwan needs the nssdb to be initialised before the
'ipsec pluto' command, otherwise the pluto daemon will fail to run.

Change-Id: I54558208b2aaa82bda09c0db96042d236eceba69
Closes-bug: #1444017
2015-05-03 10:27:18 +00:00
Wei Hu f8a62b09b6 Provide Fedora support for StrongSwan
The initial release of the StrongSwan VPNaaS driver only supports Ubuntu.
This patch provides the Fedora support. The differences in StrongSwan
usage between Fedora and Ubuntu are:
- Uses 'strongswan' CLI command instead of 'ipsec'
- Configuration files location is different
- Strongswan.d directory in template directory does not include
  'charon' directory

Change-Id: I27d8518d1d8110453d4674a0c6fb3cb6072a32f0
Closes-bug: 1444776
Closes-bug: 1441788
2015-04-27 16:28:38 +08:00
Zhang Hua 6d55e377ea IPsec strongSwan driver implementation
This patch implements a strongSwan driver for VPNaaS. The initial effort
only supports strongSwan >= 5.x and implements an equivalent PSK
net-to-net VPN service as the openSwan driver did, based on the recommended
configuration.

Implements blueprint ipsec-strongswan-driver

DocImpact
a, StrongSwan and openSwan cannot be installed at the same time.
   Thus, both cannot be enabled for use. In the future when
   flavors/STF support is available, this will still constrain
   the flavors which can be used together.
b, Adding StrongswanDriver in the file /etc/neutron/vpn_agent.ini
   vpn_device_driver=neutron.services.vpn.device_drivers \
       .strongswan_ipsec.StrongSwanDriver
c, Apparmor can interfere with both creation of tunnels and
   established tunnels, because it controls access to operating
   system resources. Thus we can use below commands to remove
   apparmor definitions from the kernel.
     sudo apparmor_parser -R usr.lib.ipsec.charon
     sudo apparmor_parser -R usr.lib.ipsec.stroke
   However, what we are seeing is that even though we disable the
   profile for charon and stroke, apparmor is re-enabling them
   (at unknown times). As a result, we can directly disable them
   by the following commands:
     sudo ln -s /etc/apparmor.d/usr.lib.ipsec.charon \
         /etc/apparmor.d/disable/
     sudo ln -s /etc/apparmor.d/usr.lib.ipsec.stroke \
         /etc/apparmor.d/disable/
     sudo service apparmor restart
   In a word, you need to take care of your apparmor configurations.
d, Supports Ubuntu only. A separate commit will address Fedora.
e, Other steps are the same with the existing openSwan driver.

This patch is based on patchset67 of nachi's initial vpnaas
implementation, many thanks to nachi.

Change-Id: Ia3eb10a9103bdceb2a29f2372b410b946f3a89cc
2015-03-14 08:20:31 +08:00
Sridhar Ramaswamy e7a4b8f8ac Implementation of Brocade Vyatta VPNaaS Plugin
Introducing a new service driver and device driver for the Vyatta vRouter,
with portions of the vRouter parsing code hosted in the stackforge/networking-brocade
repo.

Change-Id: I6028283c86849196170ada8b5ebeb1efe4e38ea4
Implements: blueprint brocade-vyatta-vpnaas-plugin
2015-02-18 16:26:38 -08:00
Doug Wiegley df9dd76988 Move config and extensions to service repo
- Some shared exceptions will be left in Neutron, until further l3 refactoring

Depends on neutron change I16b5e5b2bb70717166da14faa975fa2ab9129049

Change-Id: I081b7482776b7294fcafcae6c8610ddd5271cc5e
Partially-Implements: blueprint services-split
2015-02-02 22:00:42 -06:00
Zhang Hua 0cf7671b0a vpn namespace wrapper
strongSwan doesn't support namespaces natively, so this wrapper
uses "mount --bind" to simulate the ns like this:

sudo neutron-rootwrap /etc/neutron/rootwrap.conf ip netns \
exec <namespace-id> neutron-netns-wrapper --mount_paths \
=/etc:/var/lib/neutron/vpnaas/<xxxx-id>/etc, \
/var/run:/var/lib/neutron/vpnaas/<xxxx-id>/var/run \
--cmd=ipsec,status

Both sudoers and rootwrap.conf will not exist in the
directory /etc after the bind-mount, thus we can't use
utils.execute(cmd, conf.root_helper) in
neutron/agent/linux/utils.py. So we implement a function
execute(cmd) in this wrapper as an alternative. Then we can
use root_helper to invoke this wrapper to make sure all
commands are still running as root, as the code below shows.
Finally, the wrapper also needs to check whether cmd matches
CommandFilter, for the same reason.

ip_wrapper = ip_lib.IPWrapper(root_helper, namespace)
ip_wrapper.netns.execute(
    [NS_WRAPPER,
     '--mount_paths=/etc:%s/etc,/var/run:%s/var/run' % (
         self.config_dir, self.config_dir),
     '--cmd=%s' % ','.join(cmd)],
    check_exit_code=check_exit_code)

We are using a check of the net namespace (since Linux 3.0),
instead of the mount namespace (since Linux 3.8), as older
kernels do not support mount namespaces. In addition,
mount --bind has been available since Linux 2.4, so we
don't need to worry about Kilo's minimum kernel requirement.

This patch is based on patchset67 of nachi's initial
vpnaas implementation, many thanks to nachi.

This wrapper is submitted as a separate review from [1].

[1] https://review.openstack.org/#/c/144391/

Partially-implements: blueprint ipsec-strongswan-driver

Change-Id: Icc80b9102acb87170f2d1cda06c848fa71bb1634
2015-01-23 09:55:53 +08:00
Ihar Hrachyshka 35843adeea Moved vpnaas.filters from main neutron repo
This file belongs to vpnaas service and hence should be maintained in
neutron-vpnaas repository.

Change-Id: Ide7dafafa3e43b3f27ec3d2dfdb3591ae7328f21
2015-01-05 12:18:45 +01:00
Paul Michali db8de13623 VPNaaS Service Driver for Cisco CSR
This has the service driver part of the vendor specific VPNaaS plugin.
This version DOES NOT rely on the Service Type Framework code, which is
presently under review (client 53602, server 41827) and on hold due to
discussion over flavors. As a result, this changeset has modifications
so that the service driver is not hard-coded in the VPN plugin.

The device driver will be under a separate review and has the REST
client that talks to the Cisco CSR (running out-of-band).

Note: See review 74156 for more details on device driver portion of
      this blueprint.

Change-Id: I39b1475c992b594256f5a28be0caa1ee9398050e
Partially-implements: blueprint vpnaas-cisco-driver
2014-03-05 15:08:39 -05:00
Nachi Ueno 704d67a064 Reference driver implementation (IPsec) for VPNaaS
Implements blueprint ipsec-vpn-reference

This patch implements reference driver implementation for VPNaaS.
The driver uses openswan to manage vpn connections.

Future work: Support ikepolicy and ipsec update
Support service type framework
Intelligent updating of resources

This commit adds jinja2 to requirements.txt for
generating the config file.

Change-Id: I8c5ed800a71ca014dc7bdbb6a57c4f8d18fa82e0
2013-09-04 00:32:39 -07:00