handle_charon.go 6.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258
  1. // Copyright 2017 flannel authors
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. // +build !windows
  15. package ipsec
  16. import (
  17. "fmt"
  18. "net"
  19. "os"
  20. "os/exec"
  21. "strings"
  22. "sync"
  23. "syscall"
  24. "time"
  25. "github.com/bronze1man/goStrongswanVici"
  26. "github.com/flannel-io/flannel/subnet"
  27. "golang.org/x/net/context"
  28. log "k8s.io/klog"
  29. )
  30. type Uri struct {
  31. network, address string
  32. }
  33. type CharonIKEDaemon struct {
  34. viciUri Uri
  35. espProposal string
  36. ctx context.Context
  37. }
  38. func NewCharonIKEDaemon(ctx context.Context, wg *sync.WaitGroup, espProposal string) (*CharonIKEDaemon, error) {
  39. charon := &CharonIKEDaemon{ctx: ctx, espProposal: espProposal}
  40. addr := strings.Split("unix:///var/run/charon.vici", "://")
  41. charon.viciUri = Uri{addr[0], addr[1]}
  42. execPath, err := findExecPath()
  43. if err != nil {
  44. log.Errorf("Charon daemon not found: %v", err)
  45. return nil, err
  46. }
  47. cmd, err := charon.run(execPath)
  48. if err != nil {
  49. log.Errorf("Error starting charon daemon: %v", err)
  50. return nil, err
  51. } else {
  52. log.Info("Charon daemon started")
  53. }
  54. wg.Add(1)
  55. go func() {
  56. select {
  57. case <-ctx.Done():
  58. cmd.Process.Signal(syscall.SIGTERM)
  59. cmd.Wait()
  60. log.Infof("Stopped charon daemon")
  61. wg.Done()
  62. }
  63. }()
  64. return charon, nil
  65. }
  66. func (charon *CharonIKEDaemon) getClient(wait bool) (client *goStrongswanVici.ClientConn, err error) {
  67. for {
  68. socket_conn, err := net.Dial(charon.viciUri.network, charon.viciUri.address)
  69. if err == nil {
  70. return goStrongswanVici.NewClientConn(socket_conn), nil
  71. } else {
  72. if wait {
  73. select {
  74. case <-charon.ctx.Done():
  75. log.Error("Cancel waiting for charon")
  76. return nil, err
  77. default:
  78. log.Errorf("ClientConnection failed: %v", err)
  79. }
  80. log.Info("Retrying in a second ...")
  81. time.Sleep(time.Second)
  82. } else {
  83. return nil, err
  84. }
  85. }
  86. }
  87. }
  88. func (charon *CharonIKEDaemon) run(execPath string) (cmd *exec.Cmd, err error) {
  89. cmd = &exec.Cmd{
  90. Path: execPath,
  91. SysProcAttr: &syscall.SysProcAttr{
  92. Pdeathsig: syscall.SIGTERM,
  93. },
  94. Stdout: os.Stdout,
  95. Stderr: os.Stderr,
  96. }
  97. err = cmd.Start()
  98. return
  99. }
  100. func (charon *CharonIKEDaemon) LoadSharedKey(remotePublicIP, password string) error {
  101. var err error
  102. var client *goStrongswanVici.ClientConn
  103. client, err = charon.getClient(true)
  104. if err != nil {
  105. log.Errorf("Failed to acquire Vici client: %v", err)
  106. return err
  107. }
  108. defer client.Close()
  109. sharedKey := &goStrongswanVici.Key{
  110. Typ: "IKE",
  111. Data: password,
  112. Owners: []string{remotePublicIP},
  113. }
  114. for {
  115. err = client.LoadShared(sharedKey)
  116. if err != nil {
  117. log.Errorf("Failed to load my key. Retrying. %v", err)
  118. time.Sleep(time.Second)
  119. } else {
  120. break
  121. }
  122. }
  123. log.Infof("Loaded shared key for: %v", remotePublicIP)
  124. return nil
  125. }
  126. func (charon *CharonIKEDaemon) LoadConnection(localLease, remoteLease *subnet.Lease,
  127. reqID, encap string) error {
  128. var err error
  129. var client *goStrongswanVici.ClientConn
  130. client, err = charon.getClient(true)
  131. if err != nil {
  132. log.Errorf("Failed to acquire Vici client: %s", err)
  133. return err
  134. }
  135. defer client.Close()
  136. childConfMap := make(map[string]goStrongswanVici.ChildSAConf)
  137. childSAConf := goStrongswanVici.ChildSAConf{
  138. Local_ts: []string{localLease.Subnet.String()},
  139. Remote_ts: []string{remoteLease.Subnet.String()},
  140. ESPProposals: []string{charon.espProposal},
  141. StartAction: "start",
  142. CloseAction: "trap",
  143. Mode: "tunnel",
  144. ReqID: reqID,
  145. // RekeyTime: rekeyTime,
  146. InstallPolicy: "no",
  147. }
  148. childSAConfName := formatChildSAConfName(localLease, remoteLease)
  149. childConfMap[childSAConfName] = childSAConf
  150. localAuthConf := goStrongswanVici.AuthConf{
  151. AuthMethod: "psk",
  152. }
  153. remoteAuthConf := goStrongswanVici.AuthConf{
  154. AuthMethod: "psk",
  155. }
  156. ikeConf := goStrongswanVici.IKEConf{
  157. LocalAddrs: []string{localLease.Attrs.PublicIP.String()},
  158. RemoteAddrs: []string{remoteLease.Attrs.PublicIP.String()},
  159. Proposals: []string{"aes256-sha256-modp4096"},
  160. Version: "2",
  161. KeyingTries: "0", //continues to retry
  162. LocalAuth: localAuthConf,
  163. RemoteAuth: remoteAuthConf,
  164. Children: childConfMap,
  165. Encap: encap,
  166. }
  167. ikeConfMap := make(map[string]goStrongswanVici.IKEConf)
  168. connectionName := formatConnectionName(localLease, remoteLease)
  169. ikeConfMap[connectionName] = ikeConf
  170. err = client.LoadConn(&ikeConfMap)
  171. if err != nil {
  172. return err
  173. }
  174. log.Infof("Loaded connection: %v", connectionName)
  175. return nil
  176. }
  177. func (charon *CharonIKEDaemon) UnloadCharonConnection(localLease,
  178. remoteLease *subnet.Lease) error {
  179. client, err := charon.getClient(false)
  180. if err != nil {
  181. log.Errorf("Failed to acquire Vici client: %s", err)
  182. return err
  183. }
  184. defer client.Close()
  185. connectionName := formatConnectionName(localLease, remoteLease)
  186. unloadConnRequest := &goStrongswanVici.UnloadConnRequest{
  187. Name: connectionName,
  188. }
  189. err = client.UnloadConn(unloadConnRequest)
  190. if err != nil {
  191. return err
  192. }
  193. log.Infof("Unloaded connection: %v", connectionName)
  194. return nil
  195. }
  196. func formatConnectionName(localLease, remoteLease *subnet.Lease) string {
  197. return fmt.Sprintf("%s-%s-%s-%s", localLease.Attrs.PublicIP,
  198. localLease.Subnet, remoteLease.Subnet, remoteLease.Attrs.PublicIP)
  199. }
  200. func formatChildSAConfName(localLease, remoteLease *subnet.Lease) string {
  201. return fmt.Sprintf("%s-%s", localLease.Subnet, remoteLease.Subnet)
  202. }
  203. func findExecPath() (string, error) {
  204. // try well known charon paths
  205. paths := []string{
  206. "charon", // PATH
  207. "/usr/lib/strongswan/charon", // alpine, arch, flannel container
  208. "/usr/lib/ipsec/charon", // debian/ubuntu
  209. "/usr/libexec/strongswan/charon", // centos/rhel
  210. "/usr/libexec/ipsec/charon", // opensuse/sles
  211. }
  212. for _, path := range paths {
  213. path, err := exec.LookPath(path)
  214. if err != nil {
  215. log.Warningf("No valid charon executable found at path %s: %v", path, err)
  216. continue
  217. }
  218. return path, nil
  219. }
  220. err := fmt.Errorf("No valid charon executable found at paths %v", paths)
  221. return "", err
  222. }