From 95bbbb8bed92a60a320ff255c8b8656145f3c540 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Thu, 24 Jun 2021 19:40:36 +0200
Subject: ipsec: T3643: move swanctl.conf to /run

This is the completion of commit 50a742b5 ("IPSec: T3643: Fix path for swanctl.conf file") that moves the generated swanctl file from non-volatile to a volatile (tmpfs backed) storage like we do for all out configuration files.

Thus it is ensured after a reboot or service deprecation there are no accidential leftovers from previous configurations stored on the system.
---
 smoketest/scripts/cli/test_vpn_ipsec.py                | 4 ++--
 src/conf_mode/vpn_ipsec.py                             | 2 +-
 src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook | 2 +-
 src/etc/systemd/system/ipsec.service.d/override.conf   | 7 +++++++
 src/op_mode/vpn_ipsec.py                               | 4 ++--
 5 files changed, 13 insertions(+), 6 deletions(-)
 create mode 100644 src/etc/systemd/system/ipsec.service.d/override.conf

diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index b27ed3ca5..b7e9d8dcf 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -28,7 +28,7 @@ nhrp_path = ['protocols', 'nhrp']
 base_path = ['vpn', 'ipsec']
 
 dhcp_waiting_file = '/tmp/ipsec_dhcp_waiting'
-swanctl_file = '/etc/swanctl/swanctl.conf'
+swanctl_file = '/run/swanctl/swanctl.conf'
 
 class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
     def tearDown(self):
@@ -250,7 +250,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
             'secret = secret'
         ]
 
-        tmp_swanctl_conf = read_file('/etc/swanctl/swanctl.conf')
+        tmp_swanctl_conf = read_file(swanctl_file)
 
         for line in swanctl_lines:
             self.assertIn(line, tmp_swanctl_conf)
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 433c51e7e..535e633ed 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
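Review bot: The second hunk asserts that `secret = secret` is rendered into swanctl_file but never checks who can read that file; now that it is generated under /run on every commit instead of being shipped by the strongswan package, its mode is whatever the renderer happens to produce. Consider adding `self.assertEqual(os.stat(swanctl_file).st_mode & 0o777, 0o600)` (or whatever mode the conf-mode script is meant to set) next to the existing assertIn loop, so a world-readable PSK file fails the smoketest rather than going unnoticed. The test method enclosing this hunk starts outside the hunk, and whether `os` is already imported in this file cannot be seen here.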
@@ -386,7 +386,7 @@ def generate(ipsec):
     render("/etc/ipsec.conf", "ipsec/ipsec.conf.tmpl", data)
     render("/etc/ipsec.secrets", "ipsec/ipsec.secrets.tmpl", data)
     render("/etc/strongswan.d/interfaces_use.conf", "ipsec/interfaces_use.conf.tmpl", data)
-    render("/etc/swanctl/swanctl.conf", "ipsec/swanctl.conf.tmpl", data)
+    render("/run/swanctl/swanctl.conf", "ipsec/swanctl.conf.tmpl", data)
 
 def resync_l2tp(ipsec):
     if ipsec and not ipsec['l2tp_exists']:
diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
index a7a9a2ce6..7b3a18afa 100755
--- a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
+++ b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
@@ -38,7 +38,7 @@ import re
 from vyos.util import call
 from vyos.util import cmd
 
-SWANCTL_CONF="/etc/swanctl/swanctl.conf"
+SWANCTL_CONF="/run/swanctl/swanctl.conf"
 
 def getlines(file):
     with open(file, 'r') as f:
diff --git a/src/etc/systemd/system/ipsec.service.d/override.conf b/src/etc/systemd/system/ipsec.service.d/override.conf
new file mode 100644
index 000000000..e8c0872b5
--- /dev/null
+++ b/src/etc/systemd/system/ipsec.service.d/override.conf
@@ -0,0 +1,7 @@
+[Unit]
+ConditionPathExists=/run/swanctl/swanctl.conf
+After=
+After=vyos-router.service
+
+[Service]
+Environment="SWANCTL_DIR=/run/swanctl"
diff --git a/src/op_mode/vpn_ipsec.py b/src/op_mode/vpn_ipsec.py
index dd5a85ed3..68eb5e473 100755
--- a/src/op_mode/vpn_ipsec.py
+++ b/src/op_mode/vpn_ipsec.py
@@ -33,7 +33,7 @@ X509_CONFIG_PATH = '/etc/ipsec.d/key-pair.template'
 X509_PATH = '/config/auth/'
 IPSEC_CONF = '/etc/ipsec.conf'
 
-SWANCTL_CONF = '/etc/swanctl/swanctl.conf'
+SWANCTL_CONF = '/run/swanctl/swanctl.conf'
 
 def migrate_to_vyatta_key(path):
     with open(path, 'r') as f:
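Review bot: The render() call in generate() now writes swanctl.conf — which the smoketest shows carries pre-shared keys (`secret = secret`) — to a freshly created tmpfs path without passing any file mode, so the file gets whatever permissions render() applies by default, presumably umask-derived and therefore world-readable. The packaged /etc/swanctl/swanctl.conf is normally root-only, and since /run/swanctl does not survive a reboot nothing else will tighten it; create both directory and file restrictive, e.g. `os.chmod('/run/swanctl', 0o700)` and `os.chmod('/run/swanctl/swanctl.conf', 0o600)` right after the render, or pass the equivalent permission argument if render() accepts one. Whether render() creates the missing /run/swanctl directory on a fresh boot is not visible here and should be confirmed, otherwise the first commit after reboot fails. generate() starts before this hunk.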
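Review bot: SWANCTL_CONF now names a volatile path, so after a reboot the file does not exist until the conf-mode script has rendered it, yet getlines() still opens it unconditionally (`with open(file, 'r') as f:`); a DHCP lease event that fires before vyos-router has finished, or on a router with no IPsec configured at all, would now raise FileNotFoundError in the exit hook where it previously found the persisted /etc copy. Have the hook bail out early with `if not os.path.exists(SWANCTL_CONF): sys.exit(0)` (or catch `FileNotFoundError` around the open) so it degrades to a no-op instead of tracing. getlines() continues outside the hunk, and whether its callers already check for the file, or whether `os`/`sys` are imported, cannot be seen here.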
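Review bot: `Environment="SWANCTL_DIR=/run/swanctl"` only reaches processes spawned by ipsec.service (charon/starter); it does nothing for the swanctl client when it is run from the conf-mode or op-mode scripts or the dhclient hook to load the new configuration, so unless those invocations also export SWANCTL_DIR or pass `--file /run/swanctl/swanctl.conf`, swanctl keeps reading /etc/swanctl — exactly the stale location this commit retires. The empty `After=` line resets every ordering dependency the stock unit declares, not just the one being replaced, so confirm that ordering solely after vyos-router.service is sufficient or re-list whatever the upstream unit had (presumably a network target). ConditionPathExists makes the unit skip silently with exit 0 when no VPN is configured, which is acceptable for a tmpfs-generated file but deserves a comment in the drop-in, e.g. `# swanctl.conf is rendered to tmpfs by the conf-mode script; skip the daemon when nothing was generated`.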
@@ -90,7 +90,7 @@ def generate_x509_pair(name):
         return
 
     result = os.system(f'openssl req -new -nodes -keyout {X509_PATH}{name}.key -out {X509_PATH}{name}.csr -config {X509_CONFIG_PATH}')
-    
+
     if result != 0:
         print(f'Could not generate x509 key-pair: {result}')
         return
-- 
cgit v1.2.3