strongSwan doesn't support namespace natively, this wrapper
will use "mount --bind" to simulate the ns like this:
sudo neutron-rootwrap /etc/neutron/rootwrap.conf ip netns \
exec <namespace-id> neutron-netns-wrapper --mount_paths \
=/etc:/var/lib/neutron/vpnaas/<xxxx-id>/etc, \
/var/run:/var/lib/neutron/vpnaas/<xxxx-id>/var/run \
--cmd=ipsec,status
Both sudoers and rootwrap.conf will not exist in the
directory /etc after bind-mount, thus we can't use
utils.execute(cmd, conf.root_helper) in
neutron/agent/linux/utils.py. so implement a function
execte(cmd) in this wrapper as an alternative. then we can
use root_helper to invoke this wrapper to make sure all
commands are still running as root as below code shows.
Finally, also need to check in wrapper if cmd matches
CommandFilter based on the same reason.
ip_wrapper = ip_lib.IPWrapper(root_helper, namespace)
ip_wrapper.netns.execute(
[NS_WRAPPER,
'--mount_paths=/etc:%s/etc,/var/run:%s/var/run' % (
self.config_dir, self.config_dir),
'--cmd=%s' % ','.join(cmd)],
check_exit_code=check_exit_code)
We are using check of net namespace (since linux 3.0),
instead of mount namespace (since Linux 3.8), as older
kernels do not support mount namespace. In addition,
mount --bind has been available since Linux 2.4. so we
don't need to worry kilo's minumum kernel requirement.
This patch is based on patchset67 of nachi's initial
vpnaas implementation, many thanks to nachi.
submit this wrapper as a separate review from [1].
[1] https://review.openstack.org/#/c/144391/
Partially-implements: blueprint ipsec-strongswan-driver
Change-Id: Icc80b9102acb87170f2d1cda06c848fa71bb1634
0cf7671b0a