[openstack-dev] [Neutron] SSL VPN Implementation

Clint Byrum clint at fewbar.com
Thu May 1 17:31:04 UTC 2014


I think you'd do something like this (Note that I don't know off the top
of my head the barbican CLI or openvpn cli switches... just
pseudo-code):

oconf=$(mktemp -d /tmp/openvpnconfig.XXXXXX)
mount -t tmpfs -o size=1M tmpfs "$oconf"                  # RAM-backed: the config never touches disk
barbican get my-secret-openvpn-conf > "$oconf/foo.conf"   # retrieval command is illustrative
openvpn --config "$oconf/foo.conf" --daemon               # openvpn parses the config (and inline key) before daemonizing
umount "$oconf"
rmdir "$oconf"

Excerpts from Nachi Ueno's message of 2014-05-01 10:15:26 -0700:
> Hi Robert
> 
> Thank you for your suggestion.
> So your suggestion is to let the OpenVPN process download the key to memory
> directly from Barbican?
> 
> 2014-05-01 9:42 GMT-07:00 Clark, Robert Graham <robert.clark at hp.com>:
> > Excuse me interrupting but couldn't you treat the key as largely
> > ephemeral, pull it down from Barbican, start the OpenVPN process and
> > then purge the key?  It would of course still be resident in the memory
> > of the OpenVPN process but should otherwise be protected against
> > filesystem disk-residency issues.
> >
> >
> >> -----Original Message-----
> >> From: Nachi Ueno [mailto:nachi at ntti3.com]
> >> Sent: 01 May 2014 17:36
> >> To: OpenStack Development Mailing List (not for usage questions)
> >> Subject: Re: [openstack-dev] [Neutron] SSL VPN Implementation
> >>
> >> Hi Jarret
> >>
> >> IMO, Zang's point is the issue of saving the plain private key in the
> >> filesystem for OpenVPN.
> >> Isn't this the same even if we use Barbican?
> >>
> >> 2014-05-01 2:56 GMT-07:00 Jarret Raim <jarret.raim at rackspace.com>:
> >> > Zang mentioned that part of the issue is that the private key has to
> >> > be stored in the OpenVPN config file. If the config files are
> >> > generated and can be stored, then storing the whole config file in
> >> > Barbican protects the private key (and any other settings) without
> >> > having to try to deliver the key to the OpenVPN endpoint in some
> >> > non-standard way.
> >> >
> >> >
> >> > Jarret
> >> >
> >> > On 4/30/14, 6:08 PM, "Nachi Ueno" <nachi at ntti3.com> wrote:
> >> >
> >> >>> Jarret
> >> >>
> >> >>Thanks!
> >> >>Currently, the config will be generated on demand by the agent.
> >> >>What's the merit of storing the entire config in Barbican?
> >> >>
> >> >>> Kyle
> >> >>Thanks!
> >> >>
> >> >>2014-04-30 7:05 GMT-07:00 Kyle Mestery <mestery at noironetworks.com>:
> >> >>> On Tue, Apr 29, 2014 at 6:11 PM, Nachi Ueno <nachi at ntti3.com> wrote:
> >> >>>> Hi Clint
> >> >>>>
> >> >>>> Thank you for your suggestion. Your point is taken :)
> >> >>>>
> >> >>>>> Kyle
> >> >>>> This is also the same discussion for LBaaS. Can we discuss this in
> >> >>>> the advanced services meeting?
> >> >>>>
> >> >>> Yes! I think we should definitely discuss this in the advanced
> >> >>> services meeting today. I've added it to the agenda [1].
> >> >>>
> >> >>> Thanks,
> >> >>> Kyle
> >> >>>
> >> >>> [1] https://wiki.openstack.org/wiki/Meetings/AdvancedServices#Agenda_for_next_meeting
> >> >>>
> >> >>>>> Zang
> >> >>>> Could you join the discussion?
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> 2014-04-29 15:48 GMT-07:00 Clint Byrum <clint at fewbar.com>:
> >> >>>>> Excerpts from Nachi Ueno's message of 2014-04-29 10:58:53 -0700:
> >> >>>>>> Hi Kyle
> >> >>>>>>
> >> >>>>>> 2014-04-29 10:52 GMT-07:00 Kyle Mestery <mestery at noironetworks.com>:
> >> >>>>>> > On Tue, Apr 29, 2014 at 12:42 PM, Nachi Ueno <nachi at ntti3.com> wrote:
> >> >>>>>> >> Hi Zang
> >> >>>>>> >>
> >> >>>>>> >> Thank you for your contribution on this!
> >> >>>>>> >> The private key management is what I want to discuss at the summit.
> >> >>>>>> >>
> >> >>>>>> > Has the idea of using Barbican been discussed before? There are
> >> >>>>>> > many reasons why using Barbican for this may be better than
> >> >>>>>> > developing key management ourselves.
> >> >>>>>>
> >> >>>>>> No, however I'm +1 for using Barbican. Let's discuss this in the
> >> >>>>>> certificate management topic in the advanced services session.
> >> >>>>>>
> >> >>>>>
> >> >>>>> Just a suggestion: Don't defer that until the summit. Sounds like
> >> >>>>> you've already got some consensus, so you don't need the summit
> >> >>>>> just to rubber stamp it. I suggest discussing as much as you can
> >> >>>>> right now on the mailing list, and using the time at the summit to
> >> >>>>> resolve any complicated issues including any "a or b" things that
> >> >>>>> need crowd-sourced idea making. You can also use the summit time
> >> >>>>> to communicate your requirements to the Barbican developers.
> >> >>>>>
> >> >>>>> Point is: just because you'll have face time, doesn't mean you
> >> >>>>> should use it for what can be done via the mailing list.
> >> >>>>>
> >> >>>>> _______________________________________________
> >> >>>>> OpenStack-dev mailing list
> >> >>>>> OpenStack-dev at lists.openstack.org
> >> >>>>>
> >> >>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >> >>>>
> >
> 
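As an added example (not code from the thread, nor from Neutron or Barbican), the ephemeral-config pattern sketched in the reply above, written as a POSIX shell function with the checks a deployer would add: a RAM-backed directory with 0700/0600 permissions, cleanup on any failure, and a non-empty check before the daemon is started. The secret-fetching command is a hypothetical placeholder; in a real deployment the barbican CLI call is passed as FETCH and `openvpn --daemon --config` as START.

```shell
#!/bin/sh
# Added example: fetch an OpenVPN config (with inline private key) into RAM,
# hand it to the daemon, then remove it. The fetch command is a placeholder.
set -eu

# /dev/shm is tmpfs on most Linux systems, so the plaintext stays off disk
# without needing root to mount a fresh tmpfs. Fall back to TMPDIR with a
# warning so the caller notices that the config may reach disk.
ephemeral_dir() {
  base=/dev/shm
  if [ ! -d "$base" ] || [ ! -w "$base" ]; then
    base="${TMPDIR:-/tmp}"
    echo "warning: $base is not RAM-backed; config may reach disk" >&2
  fi
  d=$(mktemp -d "$base/openvpnconfig.XXXXXX")
  chmod 700 "$d"          # only the invoking user can list or enter it
  printf '%s\n' "$d"
}

# Remove the plaintext config and its directory; safe to call more than once.
discard() { rm -f "$conf"; rmdir "$dir" 2>/dev/null || true; }

# run_with_ephemeral_config FETCH START
#   FETCH writes the full config to stdout, e.g. a barbican CLI call (hypothetical).
#   START gets the config path as $1, e.g. "openvpn --daemon --config"; openvpn
#   parses its config before daemonizing, so the file can go as soon as START returns.
run_with_ephemeral_config() {
  fetch=$1
  start=$2
  dir=$(ephemeral_dir)
  conf="$dir/openvpn.conf"
  trap 'discard' EXIT INT TERM   # clean up even if fetch or start dies part-way
  old_umask=$(umask)
  umask 077                      # config file is created 0600
  $fetch > "$conf"
  umask "$old_umask"
  if [ ! -s "$conf" ]; then
    echo "error: fetched config is empty, not starting the daemon" >&2
    discard; trap - EXIT INT TERM
    return 1
  fi
  $start "$conf"
  discard
  trap - EXIT INT TERM
}
```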


