
Merge pull request #1386 from jcaamano/charon-execpath

ipsec: use well known paths of charon daemon
Rajat Chopra vor 4 Jahren
1c0d9b3ffe
2 geänderte Dateien mit 33 neuen und 10 gelöschten Zeilen
  1. 30 7
      backend/ipsec/handle_charon.go
  2. 3 3
      backend/ipsec/ipsec.go

+ 30 - 7
backend/ipsec/handle_charon.go

@@ -47,8 +47,13 @@ func NewCharonIKEDaemon(ctx context.Context, wg *sync.WaitGroup, espProposal str
 	addr := strings.Split("unix:///var/run/charon.vici", "://")
 	charon.viciUri = Uri{addr[0], addr[1]}
 
-	cmd, err := charon.runBundled("/usr/lib/strongswan/charon")
+	execPath, err := findExecPath()
+	if err != nil {
+		log.Errorf("Charon daemon not found: %v", err)
+		return nil, err
+	}
 
+	cmd, err := charon.run(execPath)
 	if err != nil {
 		log.Errorf("Error starting charon daemon: %v", err)
 		return nil, err
@@ -92,13 +97,9 @@ func (charon *CharonIKEDaemon) getClient(wait bool) (client *goStrongswanVici.Cl
 	}
 }
 
-func (charon *CharonIKEDaemon) runBundled(execPath string) (cmd *exec.Cmd, err error) {
-	path, err := exec.LookPath(execPath)
-	if err != nil {
-		return nil, err
-	}
+func (charon *CharonIKEDaemon) run(execPath string) (cmd *exec.Cmd, err error) {
 	cmd = &exec.Cmd{
-		Path: path,
+		Path: execPath,
 		SysProcAttr: &syscall.SysProcAttr{
 			Pdeathsig: syscall.SIGTERM,
 		},
@@ -233,3 +234,25 @@ func formatConnectionName(localLease, remoteLease *subnet.Lease) string {
 func formatChildSAConfName(localLease, remoteLease *subnet.Lease) string {
 	return fmt.Sprintf("%s-%s", localLease.Subnet, remoteLease.Subnet)
 }
+
+func findExecPath() (string, error) {
+	// try well known charon paths
+	paths := []string{
+		"charon",                         // PATH
+		"/usr/lib/strongswan/charon",     // alpine, arch, flannel container
+		"/usr/lib/ipsec/charon",          // debian/ubuntu
+		"/usr/libexec/strongswan/charon", // centos/rhel
+		"/usr/libexec/ipsec/charon",      // opensuse/sles
+	}
+	for _, path := range paths {
+		path, err := exec.LookPath(path)
+		if err != nil {
+			log.Warningf("No valid charon executable found at path %s: %v", path, err)
+			continue
+		}
+		return path, nil
+	}
+
+	err := fmt.Errorf("No valid charon executable found at paths %v", paths)
+	return "", err
+}
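Review bot: findExecPath consults the bare name `"charon"` first, so a PATH lookup takes precedence over every well-known absolute location; whatever directory happens to appear earliest in the daemon's PATH (including a relative or empty entry, which exec.LookPath resolved against the working directory in Go versions predating exec.ErrDot) decides which binary runs as the IKE daemon, and any entry placed ahead of the bundled binary shadows it. Moving `"charon"` to the end of `paths` so the fixed locations are tried first, or dropping the PATH entry altogether, keeps the resolution predictable, and logging the chosen path at Info level (`log.Infof("Using charon executable at %s", path)`) makes the decision visible in the daemon's startup output. Separately, `path, err := exec.LookPath(path)` in the loop shadows the range variable, so on failure the warning prints an empty string for the path; use `resolved, err := exec.LookPath(path)` and `return resolved, nil` instead. The per-miss Warningf will fire for every absent location on an ordinary startup, which is routine rather than a problem, so Debugf would be the better level.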

+ 3 - 3
backend/ipsec/ipsec.go

@@ -32,9 +32,9 @@ import (
 	Flannel's approach to IPSec uses Strongswan to handle the key exchange (using IKEv2) and the kernel to handle the
 	actual encryption.
 
-	Strongswan's "charon" is bundled in the flannel container. Flannel runs it as a child process when the ipsec backend
-	is selected and communicates with it using the "VICI" interface. Strongswan ships a utility "swanctl" which also
-	uses the VICI interface. This utility is bundled in the flannel container and can help with debugging.
+	Flannel runs Strongswan's "charon" as a child process when the ipsec backend is selected and communicates with it
+	using the "VICI" interface. Strongswan ships a utility "swanctl" which also uses the VICI interface. This utility
+	is bundled in the flannel container and can help with debugging.
 
 	The file "handle_charon.go" contains the logic for working with the charon. It supports creating a "CharonIKEDaemon"
 	which supports loading the PSK into the charon and adding and removing connections.