[openstack-dev] VPNaaS
Paul Michali
pcm at cisco.com
Tue May 28 12:05:40 UTC 2013
On May 27, 2013, at 10:28 AM, Eleouet Francois wrote:
> 2013/5/22 Nachi Ueno <nachi at ntti3.com>
>>
>> Hi Francois, Paul
>>
>> Thank you for your investigation
>>
>> Using chroot may be one option; however, it sounds a little bit tricky.
>
> Thanks to excellent pointers provided by Christophe Gouault on strongswan
> ML, it turns out that "ip netns exec" does not only change the network
> namespace of the child process, but also the mount namespace.
>
> The latter is ephemeral and only lives in the child process tree. To
> change strongswan's /etc and /run directories, it just has to be launched
> by a tiny wrapper that bind-mounts /var/run and /etc to a specific dir.
>
> Assuming the following script is called nswrap:
>
> #!/bin/sh
> PREFIX=/var/lib/quantum/ipsec
>
> for file in $PREFIX/$1/{run,etc}; do
> [ -d $dir ] || exit
I think you want to test $file, right?
Does sound like we want to use Strongswan, if at all possible. This sounds like it'll do that, huh?
PCM
> done
>
> mount --bind $PREFIX/$1/run /var/run/
> mount --bind $PREFIX/$1/etc /etc
>
> shift
> eval "$@"
>
> You can launch several strongswan instances in netns using:
> ip netns exec netns_name nswrap netns_name ipsec start
>
>> so let's check whether openswan has enough functionality for a first implementation.
>> (Maybe we can also have a strongswan driver in the future.)
>
> In this context, shouldn't strongswan be reconsidered for first
> implementation?
>
> Francois.
>
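A POSIX-sh version of the nswrap idea above, added here as an example (it is not Francois's script or Quantum's code): it tests the variable it actually loops over, refuses to mount anything unless both per-instance directories exist, and execs the command rather than re-parsing it through eval. The prefix path, the NSWRAP_PREFIX override and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread. Per-instance layout assumed:
#   $PREFIX/<netns_name>/run  and  $PREFIX/<netns_name>/etc
# Invoke as: ip netns exec <netns_name> nswrap <netns_name> ipsec start
PREFIX="${NSWRAP_PREFIX:-/var/lib/quantum/ipsec}"

# nswrap_check_dirs NAME: return 0 only if both per-instance dirs exist.
# Checks the loop variable itself (the original tested an unset $dir,
# so "[ -d '' ]" failed and the script silently exited).
nswrap_check_dirs() {
    for dir in "$PREFIX/$1/run" "$PREFIX/$1/etc"; do
        [ -d "$dir" ] || { echo "nswrap: missing directory $dir" >&2; return 1; }
    done
    return 0
}

# nswrap_run NAME CMD...: bind-mount the per-instance dirs over /var/run and
# /etc in the current mount namespace, then replace this shell with CMD.
# "exec "$@"" passes the arguments through untouched; "eval" would re-parse
# them as shell syntax.
nswrap_run() {
    name=$1; shift
    nswrap_check_dirs "$name" || return 1
    mount --bind "$PREFIX/$name/run" /var/run || return 1
    mount --bind "$PREFIX/$name/etc" /etc || return 1
    exec "$@"
}

# Act as a wrapper only when given a name and a command, so the file can
# also be sourced to reuse the functions.
if [ $# -ge 2 ]; then
    nswrap_run "$@"
fi
```

Because ip netns exec gives the child its own mount namespace, these bind mounts are visible only to that strongswan instance and vanish with it; the host's /etc and /var/run are untouched.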