[openstack-dev] VPNaaS

Paul Michali pcm at cisco.com
Tue May 28 12:05:40 UTC 2013


On May 27, 2013, at 10:28 AM, Eleouet Francois wrote:

> 2013/5/22 Nachi Ueno <nachi at ntti3.com>
>> 
>> Hi Francois, Paul
>> 
>> Thank you for your investigation
>> 
>> Using chroot may be one option; however, it sounds a little bit tricky.
> 
> Thanks to excellent pointers provided by Christophe Gouault on strongswan
> ML, it turns out that "ip netns exec" does not only change the network
> namespace of the child process, but also the mount namespace.
> 
> The latter is ephemeral and only lives in the child process tree. To
> change strongswan /etc and /run directories, it just has to be launched
> by a tiny wrapper that bind-mounts /var/run and /etc to a specific dir.
> 
> Assuming the following script is called nswrap:
> 
> #!/bin/sh
> PREFIX=/var/lib/quantum/ipsec
> 
> for file in $PREFIX/$1/{run,etc}; do
>    [ -d $dir ] || exit

I think you want to test $file, right?

Does sound like we want to use Strongswan, if at all possible. This sounds like it'll do that, huh?


PCM


> done
> 
> mount --bind $PREFIX/$1/run /var/run/
> mount --bind $PREFIX/$1/etc /etc
> 
> shift
> eval "$@"
> 
> You can launch several strongswan instances in netns using:
> ip netns exec netns_name nswrap netns_name ipsec start
> 
>> So let's check whether openswan has enough functionality for a first implementation.
>> (Maybe we can also have a strongswan driver in the future.)
> 
> In this context, shouldn't strongswan be reconsidered for first
> implementation?
> 
> Francois.
> 
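For reference, here is a hardened variant of the nswrap wrapper Francois sketched above. It is an added example, not the script from the thread and not Quantum/Neutron code. It keeps the same idea (each strongswan instance gets a private /var/run and /etc via bind mounts inside the mount namespace that "ip netns exec" already creates, so nothing outside the child process tree sees the change), but tests the right variable, fails loudly with a non-zero status instead of a silent "exit", avoids the "{run,etc}" brace expansion that plain /bin/sh does not support, rejects instance names that would escape the prefix, and passes the command through exec rather than eval. The NSWRAP_PREFIX and NSWRAP_DRY_RUN variables are my own additions; the dry-run mode prints the mount commands instead of running them so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example: hardened nswrap-style wrapper. Not the script from the
# mailing-list thread. Assumptions (constructed for this example):
#   - per-instance layout is $PREFIX/<netns_name>/run and $PREFIX/<netns_name>/etc
#   - NSWRAP_PREFIX overrides the default prefix (useful for testing)
#   - NSWRAP_DRY_RUN=1 prints the mount/exec commands instead of running them
PREFIX="${NSWRAP_PREFIX:-/var/lib/quantum/ipsec}"

# nswrap_check NAME: verify the instance name is a plain directory name and
# that both per-instance directories exist. Returns 1 with a message on
# stderr, rather than the original loop's bare "exit" (which returned 0 and
# hid the misconfiguration from the caller).
nswrap_check() {
    ns="$1"
    case "$ns" in
        ''|*/*|.|..)                 # empty, contains '/', or '.'/'..' would leave $PREFIX
            echo "nswrap: invalid instance name '$ns'" >&2
            return 1 ;;
    esac
    for sub in run etc; do           # explicit list: works in dash/ash, no brace expansion
        dir="$PREFIX/$ns/$sub"
        if [ ! -d "$dir" ]; then
            echo "nswrap: missing directory $dir" >&2
            return 1
        fi
    done
    return 0
}

# nswrap_run NAME CMD...: check the layout, bind-mount the private run/etc
# directories, then replace this shell with CMD. Because "ip netns exec"
# gives the child its own mount namespace, these mounts are invisible to
# the rest of the host and disappear with the process tree.
nswrap_run() {
    ns="$1"; shift
    nswrap_check "$ns" || return 1
    if [ "${NSWRAP_DRY_RUN:-0}" = 1 ]; then
        echo "mount --bind $PREFIX/$ns/run /var/run"
        echo "mount --bind $PREFIX/$ns/etc /etc"
        echo "exec $*"
        return 0
    fi
    mount --bind "$PREFIX/$ns/run" /var/run || return 1
    mount --bind "$PREFIX/$ns/etc" /etc || return 1
    exec "$@"    # exec, not eval: arguments are passed through verbatim, never re-parsed
}

# When installed as a script named "nswrap", behave like the original:
#   ip netns exec <netns_name> nswrap <netns_name> ipsec start
if [ "${0##*/}" = nswrap ]; then
    nswrap_run "$@"
fi
```

Usage is unchanged from the thread: `ip netns exec vpn1 nswrap vpn1 ipsec start`. The one operational difference worth noting is that a missing or malformed instance directory now surfaces as a non-zero exit from the wrapper, so whatever drives the instances can detect that strongswan was never started instead of assuming success.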