Merge pull request #1386 from jcaamano/charon-execpath

ipsec: use well known paths of charon daemon

backend/ipsec/handle_charon.go

@@ -47,8 +47,13 @@ func NewCharonIKEDaemon(ctx context.Context, wg *sync.WaitGroup, espProposal str
 	addr := strings.Split("unix:///var/run/charon.vici", "://")
 	charon.viciUri = Uri{addr[0], addr[1]}
 
-	cmd, err := charon.runBundled("/usr/lib/strongswan/charon")
+	execPath, err := findExecPath()
+	if err != nil {
+		log.Errorf("Charon daemon not found: %v", err)
+		return nil, err
+	}
 
+	cmd, err := charon.run(execPath)
 	if err != nil {
 		log.Errorf("Error starting charon daemon: %v", err)
 		return nil, err
@@ -92,13 +97,9 @@ func (charon *CharonIKEDaemon) getClient(wait bool) (client *goStrongswanVici.Cl
 	}
 }
 
-func (charon *CharonIKEDaemon) runBundled(execPath string) (cmd *exec.Cmd, err error) {
-	path, err := exec.LookPath(execPath)
-	if err != nil {
-		return nil, err
-	}
+func (charon *CharonIKEDaemon) run(execPath string) (cmd *exec.Cmd, err error) {
 	cmd = &exec.Cmd{
-		Path: path,
+		Path: execPath,
 		SysProcAttr: &syscall.SysProcAttr{
 			Pdeathsig: syscall.SIGTERM,
 		},
@@ -233,3 +234,25 @@ func formatConnectionName(localLease, remoteLease *subnet.Lease) string {
 func formatChildSAConfName(localLease, remoteLease *subnet.Lease) string {
 	return fmt.Sprintf("%s-%s", localLease.Subnet, remoteLease.Subnet)
 }
+
+func findExecPath() (string, error) {
+	// try well known charon paths
+	paths := []string{
+		"charon",                         // PATH
+		"/usr/lib/strongswan/charon",     // alpine, arch, flannel container
+		"/usr/lib/ipsec/charon",          // debian/ubuntu
+		"/usr/libexec/strongswan/charon", // centos/rhel
+		"/usr/libexec/ipsec/charon",      // opensuse/sles
+	}
+	for _, path := range paths {
+		path, err := exec.LookPath(path)
+		if err != nil {
+			log.Warningf("No valid charon executable found at path %s: %v", path, err)
+			continue
+		}
+		return path, nil
+	}
+
+	err := fmt.Errorf("No valid charon executable found at paths %v", paths)
+	return "", err
+}

backend/ipsec/ipsec.go

@@ -32,9 +32,9 @@ import (
 	Flannel's approach to IPSec uses Strongswan to handle the key exchange (using IKEv2) and the kernel to handle the
 	actual encryption.
 
-	Strongswan's "charon" is bundled in the flannel container. Flannel runs it as a child process when the ipsec backend
-	is selected and communicates with it using the "VICI" interface. Strongswan ships a utility "swanctl" which also
-	uses the VICI interface. This utility is bundled in the flannel container and can help with debugging.
+	Flannel runs Strongswan's "charon" as a child process when the ipsec backend is selected and communicates with it
+	using the "VICI" interface. Strongswan ships a utility "swanctl" which also uses the VICI interface. This utility
+	is bundled in the flannel container and can help with debugging.
 
 	The file "handle_charon.go" contains the logic for working with the charon. It supports creating a "CharonIKEDaemon"
 	which supports loading the PSK into the charon and adding and removing connections.