[openstack-dev] VPNaaS

Eleouet Francois f.eleouet at gmail.com
Mon May 27 14:28:48 UTC 2013


2013/5/22 Nachi Ueno <nachi at ntti3.com>
>
> Hi Francois, Paul
>
> Thank you for your investigation
>
> Using chroot may be one option, however it sounds a little bit tricky.

Thanks to excellent pointers provided by Christophe Gouault on strongswan
ML, it turns out that "ip netns exec" does not only change the network
namespace of the child process, but also the mount namespace.

The latter is ephemeral and only lives in the child process tree. To
change strongswan /etc and /run directories, it just has to be launched
by a tiny wrapper that bind-mounts /var/run and /etc to a specific dir.

Assuming the following script is called nswrap:

#!/bin/sh
# Bind-mount a per-namespace run/ and etc/ tree over /var/run and /etc,
# then run the given command. Meant to be invoked under "ip netns exec",
# so the bind mounts live only in that process's mount namespace.
PREFIX=/var/lib/quantum/ipsec

# Refuse to proceed unless both directories exist for this namespace.
for dir in "$PREFIX/$1/run" "$PREFIX/$1/etc"; do
    [ -d "$dir" ] || exit 1
done

mount --bind "$PREFIX/$1/run" /var/run/
mount --bind "$PREFIX/$1/etc" /etc

shift
eval "$@"

You can launch several strongswan instances in netns using:
ip netns exec netns_name nswrap netns_name ipsec start

> so let's check whether openswan has enough functionality for the first implementation.
> ( maybe we can also have a strongswan driver in the future)

In this context, shouldn't strongswan be reconsidered for first
implementation?

Francois.
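The wrapper idea above, written out as a hardened variant. This is an added example, not the script from the post and not part of strongswan or Quantum. It assumes the same per-namespace layout ($PREFIX/<ns>/etc and $PREFIX/<ns>/run prepared in advance) and is meant to run under "ip netns exec <ns>", which already gives the child its own mount namespace. Two things differ from the posted script: the namespace name is validated before it is used to build a path, since the wrapper runs as root and the name comes from the caller, and the command is started with exec "$@" rather than eval "$@", so the arguments are never re-parsed as shell code. The function names (nswrap_valid_name, nswrap_dir, nswrap_check_layout, nswrap_run) and the NSWRAP_PREFIX override are this example's own.

```shell
#!/bin/sh
# nswrap (hardened variant): bind a per-namespace etc/ and run/ tree over
# /etc and /var/run, then exec the requested command. Added example, not
# the script from the original post. Assumed layout: $PREFIX/<ns>/etc and
# $PREFIX/<ns>/run exist before this is called under "ip netns exec <ns>".

PREFIX="${NSWRAP_PREFIX:-/var/lib/quantum/ipsec}"

# Accept only simple namespace names: letters, digits, dot, underscore and
# dash, no leading dash, no '/' and no '..', so "$PREFIX/$1" cannot point
# outside the prefix. Returns 0 if the name is acceptable, 1 otherwise.
nswrap_valid_name() {
    case "$1" in
        "" | -* | *..* | */*) return 1 ;;
        *[!A-Za-z0-9._-]*)     return 1 ;;
        *)                     return 0 ;;
    esac
}

# Directory holding the per-namespace etc/ and run/ trees.
nswrap_dir() {
    printf '%s/%s\n' "$PREFIX" "$1"
}

# Verify both overlay directories exist before touching any mount.
nswrap_check_layout() {
    for sub in etc run; do
        [ -d "$(nswrap_dir "$1")/$sub" ] || return 1
    done
    return 0
}

# Validate, bind-mount, then replace this shell with the command.
# exec "$@" runs argv exactly as given; unlike eval "$@" it does not
# re-parse the arguments, so a ';' or '$(...)' inside them is inert.
nswrap_run() {
    ns="$1"
    shift
    nswrap_valid_name "$ns" || {
        echo "nswrap: invalid namespace name" >&2; return 2; }
    nswrap_check_layout "$ns" || {
        echo "nswrap: missing etc/ or run/ under $(nswrap_dir "$ns")" >&2; return 2; }
    [ "$#" -gt 0 ] || {
        echo "usage: nswrap <netns> <command> [args...]" >&2; return 2; }
    mount --bind "$(nswrap_dir "$ns")/run" /var/run || return 1
    mount --bind "$(nswrap_dir "$ns")/etc" /etc || return 1
    exec "$@"
}

# Only act when invoked with arguments, e.g.:
#   ip netns exec qrouter-1 ./nswrap qrouter-1 ipsec start
if [ "$#" -gt 0 ]; then
    nswrap_run "$@"
fi
```

The mount and exec steps still need root and a namespace to run in; the validation and layout checks can be exercised on their own, which is where most of the hardening value sits.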



More information about the OpenStack-dev mailing list