0cf7671b0a
strongSwan doesn't support namespace natively, this wrapper will use "mount --bind" to simulate the ns like this:

    sudo neutron-rootwrap /etc/neutron/rootwrap.conf ip netns \
        exec <namespace-id> neutron-netns-wrapper \
        --mount_paths=/etc:/var/lib/neutron/vpnaas/<xxxx-id>/etc,/var/run:/var/lib/neutron/vpnaas/<xxxx-id>/var/run \
        --cmd=ipsec,status

Both sudoers and rootwrap.conf will not exist in the directory /etc after bind-mount, thus we can't use utils.execute(cmd, conf.root_helper) in neutron/agent/linux/utils.py. So implement a function execte(cmd) in this wrapper as an alternative. Then we can use root_helper to invoke this wrapper to make sure all commands are still running as root, as the code below shows. Finally, we also need to check in the wrapper if cmd matches CommandFilter, for the same reason.

    ip_wrapper = ip_lib.IPWrapper(root_helper, namespace)
    ip_wrapper.netns.execute(
        [NS_WRAPPER,
         '--mount_paths=/etc:%s/etc,/var/run:%s/var/run' % (
             self.config_dir, self.config_dir),
         '--cmd=%s' % ','.join(cmd)],
        check_exit_code=check_exit_code)

We are using check of net namespace (since Linux 3.0), instead of mount namespace (since Linux 3.8), as older kernels do not support mount namespace. In addition, mount --bind has been available since Linux 2.4, so we don't need to worry about Kilo's minimum kernel requirement.

This patch is based on patchset67 of nachi's initial vpnaas implementation, many thanks to nachi.

Submit this wrapper as a separate review from [1].

[1] https://review.openstack.org/#/c/144391/

Partially-implements: blueprint ipsec-strongswan-driver
Change-Id: Icc80b9102acb87170f2d1cda06c848fa71bb1634

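
An added example, not code from the neutron-vpnaas repository: a sketch of the argument handling the commit message describes, where a wrapper that runs as root must parse `--mount_paths` and authorize `--cmd` itself because the rootwrap configuration is hidden once `/etc` is bind-mounted. The allowlist dictionary, the `/usr/sbin/ipsec` path, the function names and the `ROUTER-ID` directory are assumptions; the example only builds the list of commands and executes nothing.

```python
import posixpath

# Hypothetical allowlist standing in for rootwrap CommandFilter entries.
# The executable path is an assumption for this example.
ALLOWED_EXECUTABLES = {"ipsec": "/usr/sbin/ipsec"}


def parse_mount_paths(value):
    """Parse 'target:source,target:source' into {target: source}."""
    mounts = {}
    for pair in value.split(","):
        target, sep, source = pair.strip().partition(":")
        if not sep or not target or not source:
            raise ValueError("malformed mount pair: %r" % pair)
        for path in (target, source):
            # Absolute, already-normalized paths only: no '..', no './'.
            if not posixpath.isabs(path) or posixpath.normpath(path) != path:
                raise ValueError("unsafe path: %r" % path)
        if target in mounts:
            raise ValueError("duplicate mount target: %r" % target)
        mounts[target] = source
    return mounts


def check_command(cmd_value):
    """Split the comma-joined --cmd value and authorize argv[0]."""
    argv = cmd_value.split(",")
    exe = ALLOWED_EXECUTABLES.get(argv[0])
    if exe is None:
        raise PermissionError("command not allowed: %r" % argv[0])
    # Run the pinned absolute path, not whatever PATH resolves to.
    return [exe] + argv[1:]


def build_plan(mount_paths, cmd):
    """Return the argv lists a wrapper would run, in order (nothing is executed)."""
    argv = check_command(cmd)  # authorize before touching any mount
    mounts = parse_mount_paths(mount_paths)
    plan = [["mount", "--bind", src, dst] for dst, src in sorted(mounts.items())]
    plan.append(argv)
    return plan


if __name__ == "__main__":
    base = "/var/lib/neutron/vpnaas/ROUTER-ID"  # constructed sample directory
    for step in build_plan("/etc:%s/etc,/var/run:%s/var/run" % (base, base),
                           "ipsec,status"):
        print(step)
```
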
||
---|---|---|
doc/source | ||
etc | ||
neutron_vpnaas | ||
tools | ||
.coveragerc | ||
.gitignore | ||
.gitreview | ||
.mailmap | ||
.pylintrc | ||
.testr.conf | ||
CONTRIBUTING.rst | ||
HACKING.rst | ||
LICENSE | ||
MANIFEST.in | ||
README.rst | ||
TESTING.rst | ||
babel.cfg | ||
requirements.txt | ||
setup.cfg | ||
setup.py | ||
test-requirements.txt | ||
tox.ini |
README.rst
Welcome!
This package contains the code for the Neutron VPN as a Service (VPNaaS) service. This includes third-party drivers. This package requires Neutron to run.
External Resources:
The homepage for Neutron is: http://launchpad.net/neutron. Use this site for asking for help, and filing bugs. We use a single Launchpad page for all Neutron projects.
Code is available on git.openstack.org at: <http://git.openstack.org/cgit/openstack/neutron-vpnaas>.
Please refer to Neutron documentation for more information: Neutron README.rst