
Merge pull request #1386 from jcaamano/charon-execpath

ipsec: use well known paths of charon daemon
Rajat Chopra 4 年之前
父節點
當前提交
1c0d9b3ffe
共有 2 個文件被更改,包括 33 次插入10 次删除
  1. 30 7
      backend/ipsec/handle_charon.go
  2. 3 3
      backend/ipsec/ipsec.go

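--- a/backend/ipsec/handle_charon.go
+++ b/backend/ipsec/handle_charon.go
@@ -47,8 +47,13 @@ func NewCharonIKEDaemon(ctx context.Context, wg *sync.WaitGroup, espProposal str
 	addr := strings.Split("unix:///var/run/charon.vici", "://")
 	charon.viciUri = Uri{addr[0], addr[1]}
 
-	cmd, err := charon.runBundled("/usr/lib/strongswan/charon")
+	execPath, err := findExecPath()
+	if err != nil {
+		log.Errorf("Charon daemon not found: %v", err)
+		return nil, err
+	}
 
+	cmd, err := charon.run(execPath)
 	if err != nil {
 		log.Errorf("Error starting charon daemon: %v", err)
 		return nil, err
@@ -92,13 +97,9 @@ func (charon *CharonIKEDaemon) getClient(wait bool) (client *goStrongswanVici.Cl
 	}
 }
 
-func (charon *CharonIKEDaemon) runBundled(execPath string) (cmd *exec.Cmd, err error) {
-	path, err := exec.LookPath(execPath)
-	if err != nil {
-		return nil, err
-	}
+func (charon *CharonIKEDaemon) run(execPath string) (cmd *exec.Cmd, err error) {
 	cmd = &exec.Cmd{
-		Path: path,
+		Path: execPath,
 		SysProcAttr: &syscall.SysProcAttr{
 			Pdeathsig: syscall.SIGTERM,
 		},
@@ -233,3 +234,25 @@ func formatConnectionName(localLease, remoteLease *subnet.Lease) string {
 func formatChildSAConfName(localLease, remoteLease *subnet.Lease) string {
 	return fmt.Sprintf("%s-%s", localLease.Subnet, remoteLease.Subnet)
 }
+
+func findExecPath() (string, error) {
+	// try well known charon paths
+	paths := []string{
+		"charon",                         // PATH
+		"/usr/lib/strongswan/charon",     // alpine, arch, flannel container
+		"/usr/lib/ipsec/charon",          // debian/ubuntu
+		"/usr/libexec/strongswan/charon", // centos/rhel
+		"/usr/libexec/ipsec/charon",      // opensuse/sles
+	}
+	for _, path := range paths {
+		path, err := exec.LookPath(path)
+		if err != nil {
+			log.Warningf("No valid charon executable found at path %s: %v", path, err)
+			continue
+		}
+		return path, nil
+	}
+
+	err := fmt.Errorf("No valid charon executable found at paths %v", paths)
+	return "", err
+}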

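--- a/backend/ipsec/ipsec.go
+++ b/backend/ipsec/ipsec.go
@@ -32,9 +32,9 @@ import (
 	Flannel's approach to IPSec uses Strongswan to handle the key exchange (using IKEv2) and the kernel to handle the
 	actual encryption.
 
-	Strongswan's "charon" is bundled in the flannel container. Flannel runs it as a child process when the ipsec backend
-	is selected and communicates with it using the "VICI" interface. Strongswan ships a utility "swanctl" which also
-	uses the VICI interface. This utility is bundled in the flannel container and can help with debugging.
+	Flannel runs Strongswan's "charon" as a child process when the ipsec backend is selected and communicates with it
+	using the "VICI" interface. Strongswan ships a utility "swanctl" which also uses the VICI interface. This utility
+	is bundled in the flannel container and can help with debugging.
 
 	The file "handle_charon.go" contains the logic for working with the charon. It supports creating a "CharonIKEDaemon"
 	which supports loading the PSK into the charon and adding and removing connections.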