From e8d4cc09aa1c29cf146d6e83fa64cc1caa3dc1e7 Mon Sep 17 00:00:00 2001
From: Daniel Ding
Date: Sat, 8 Jun 2024 12:02:19 +0800
Subject: [PATCH] fix: conn is not active after restart ipsec.
---
 dist/rootfs/var/openlan/script/install.sh | 43 +++++++------
 dist/rootfs/var/openlan/script/ipsec.sh | 7 +++
 docker/centos/Dockerfile | 4 +-
 pkg/switch/network.go | 74 ++++++++++++-----------
 pkg/switch/switch.go | 2 +-
 5 files changed, 72 insertions(+), 58 deletions(-)
diff --git a/dist/rootfs/var/openlan/script/install.sh b/dist/rootfs/var/openlan/script/install.sh
index 79a5657..e442ce1 100755
--- a/dist/rootfs/var/openlan/script/install.sh
+++ b/dist/rootfs/var/openlan/script/install.sh
@@ -12,9 +12,9 @@ fi
 archive=$(grep -a -n "__ARCHIVE_BELOW__:$" $installer | cut -f1 -d:)
 OS="linux"
-if type yum > /dev/null; then
+if type yum 2> /dev/null; then
 OS="centos"
-elif type apt > /dev/null; then
+elif type apt 2> /dev/null; then
 OS="ubuntu"
 fi
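Review bot: `if type yum 2> /dev/null; then` now silences only stderr, so on a host where yum exists `type` prints `yum is /usr/bin/yum` to stdout during the install, where the previous `> /dev/null` hid it; the same applies to the apt line. To keep both streams quiet use `if type yum > /dev/null 2>&1; then` and `elif type apt > /dev/null 2>&1; then`. The surrounding OS-detection block continues outside the hunk.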
@@ -40,37 +40,42 @@ function requires() {
 function install() {
 echo "Installing files ..."
 local source=$(find $tmp -maxdepth 1 -name 'openlan-*')
- cd $source && {
- /usr/bin/env \cp -rf ./{etc,usr,var} /
- chmod +x /var/openlan/script/*.sh
- /usr/bin/env find ./ -type f > /usr/share/openlan.db
- }
+ pushd $source
+ /usr/bin/env \cp -rf ./{etc,usr,var} /
+ chmod +x /var/openlan/script/*.sh
+ /usr/bin/env find ./ -type f > /usr/share/openlan.db
+ popd
 }
 function post() {
- echo "Initlizing ..."
+ echo "Initializing ..."
 if [ x"$DOCKER" == x"no" ] || [ x"$DOCKER" == x"" ]; then
 sysctl -p /etc/sysctl.d/90-openlan.conf
 fi
- [ -e "/etc/openlan/switch/switch.json" ] || {
- cp -rf /etc/openlan/switch/switch.json.example /etc/openlan/switch/switch.json
- }
- [ -e "/var/openlan/openvpn/dh.pem" ] || {
- openssl dhparam -out /var/openlan/openvpn/dh.pem 2048
- }
- [ -e "/var/openlan/openvpn/ta.key" ] || {
- openvpn --genkey --secret /var/openlan/openvpn/ta.key
- }
 if [ "$OS"x == "centos"x ]; then
+ ## Prepare openvpn.
+ [ -e "/var/openlan/openvpn/dh.pem" ] || {
+ openssl dhparam -out /var/openlan/openvpn/dh.pem 1024
+ }
+ [ -e "/var/openlan/openvpn/ta.key" ] || {
+ openvpn --genkey --secret /var/openlan/openvpn/ta.key
+ }
+ ## Install CA.
 cp -rf /var/openlan/cert/ca.crt /etc/pki/ca-trust/source/anchors/OpenLAN_CA.crt
 update-ca-trust
 elif [ "$OS"x == "ubuntu"x ]; then
+ ## Prepare openvpn.
+ [ -e "/var/openlan/openvpn/dh.pem" ] || {
+ openssl dhparam -out /var/openlan/openvpn/dh.pem 2048
+ }
+ [ -e "/var/openlan/openvpn/ta.key" ] || {
+ openvpn --genkey > /var/openlan/openvpn/ta.key
+ }
+ ## Install CA.
 cp -rf /var/openlan/cert/ca.crt /usr/local/share/ca-certificates/OpenLAN_CA.crt
 update-ca-certificates
 fi
- ## Initialize NSS database
- certutil -N -d sql:/var/lib/ipsec/nss --empty-password
 }
 function finish() {
diff --git a/dist/rootfs/var/openlan/script/ipsec.sh b/dist/rootfs/var/openlan/script/ipsec.sh
index 4e5e52f..010f2c9 100644
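Review bot: `openssl dhparam -out /var/openlan/openvpn/dh.pem 1024` in the centos branch generates a 1024-bit DH group while the ubuntu branch (and the removed common block) keep 2048; 1024-bit finite-field DH is below the 2048-bit floor that current crypto policies enforce, so OpenVPN on a recent CentOS may refuse the file and on an older one it weakens the key exchange. Both branches should read `openssl dhparam -out /var/openlan/openvpn/dh.pem 2048`, and since the dh.pem and ta.key blocks then differ only in the genkey syntax, the dh.pem step can move back above the `if` as it was before. On ubuntu, `openvpn --genkey > /var/openlan/openvpn/ta.key` creates the static key with the shell's default umask, so a `chmod 600 /var/openlan/openvpn/ta.key` after the redirect keeps it owner-only. The `switch.json.example` copy is dropped with no replacement visible in this patch; worth confirming that it moved elsewhere rather than being lost.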
--- a/dist/rootfs/var/openlan/script/ipsec.sh
+++ b/dist/rootfs/var/openlan/script/ipsec.sh
@@ -2,8 +2,15 @@ set -ex
+## Clear xfrm
 /sbin/ip xfrm policy flush
 /sbin/ip xfrm state flush
+## Checking ipsec
 /usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig
+
+/usr/libexec/ipsec/_stackmanager start
+/usr/sbin/ipsec --checknss
+
+## Start pluto
 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
\ No newline at end of file
diff --git a/docker/centos/Dockerfile b/docker/centos/Dockerfile
index 33d6611..12ebbac 100755
--- a/docker/centos/Dockerfile
+++ b/docker/centos/Dockerfile
@@ -4,9 +4,7 @@ ARG linux_bin
 WORKDIR /root
-RUN yum update -y && \
- yum install -y epel-release centos-release-openstack-train && \
- yum install -y rdma-core libibverbs
+RUN yum update -y && yum install -y epel-release
 ADD ${linux_bin} /tmp
 RUN DOCKER=yes /tmp/${linux_bin}
diff --git a/pkg/switch/network.go b/pkg/switch/network.go
index 207e5dc..0ed5a39 100755
--- a/pkg/switch/network.go
+++ b/pkg/switch/network.go
@@ -322,7 +322,6 @@ func (w *WorkerImpl) loadRoute(rt co.PrefixRoute) {
 w.out.Info("WorkerImpl.loadRoute: %v success", rt_c.String())
 return nil
 })
-
 }
 func (w *WorkerImpl) loadRoutes() {
@@ -1014,16 +1013,13 @@ func (w *WorkerImpl) findRoute(rt co.PrefixRoute) (co.PrefixRoute, int) {
 }
 func (w *WorkerImpl) AddRoute(route *schema.PrefixRoute, switcher api.Switcher) error {
-
 rt := w.correctRoute(route)
-
 if _, index := w.findRoute(rt); index != -1 {
 w.out.Warn("WorkerImpl.AddRoute: route exist")
 return nil
 }
 w.cfg.Routes = append(w.cfg.Routes, rt)
-
 w.out.Info("WorkerImpl.AddRoute: %v", rt)
 w.addIpSet(rt)
@@ -1039,9 +1035,7 @@ func (w *WorkerImpl) AddRoute(route *schema.PrefixRoute, switcher api.Switcher)
 }
 func (w *WorkerImpl) DelRoute(route *schema.PrefixRoute, switcher api.Switcher) error {
-
 correctRt := w.correctRoute(route)
-
 delRt, index := w.findRoute(correctRt)
 if index == -1 {
 w.out.Warn("WorkerImpl.DelRoute: route not found")
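Review bot: `/usr/sbin/ipsec --checknss` takes over the NSS database initialisation that this same patch removes from install.sh (`certutil -N -d sql:/var/lib/ipsec/nss --empty-password`), but the script does not say so, and the next reader of either file will not see the link. A comment above it such as `## Initialise /var/lib/ipsec/nss if it is missing (previously done once by install.sh)` keeps the two files in sync; `## Checking ipsec` reads better as `## Check the ipsec config`. Since the script runs under `set -ex`, each new command aborts startup on failure, which is the right default for `_stackmanager start` and the NSS check.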
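Review bot: `RUN yum update -y && yum install -y epel-release` still pulls whatever package versions are current on the build day, so two builds of the same tag can differ in the IPsec and OpenVPN binaries they ship. Pinning the base image by digest or dropping the unconditional `yum update -y` makes the image reproducible, and appending `&& yum clean all` keeps the package cache out of the layer now that the line is being rewritten anyway.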
@@ -1049,7 +1043,6 @@ func (w *WorkerImpl) DelRoute(route *schema.PrefixRoute, switcher api.Switcher)
 }
 w.cfg.Routes = append(w.cfg.Routes[:index], w.cfg.Routes[index+1:]...)
-
 w.delIpSet(delRt)
 if inet, err := libol.ParseNet(delRt.Prefix); err == nil {
 w.delVPNSet(inet.String())
@@ -1091,7 +1084,7 @@ const (
 vxlanConn = `
 conn vxlan{{ .Segment }}-in
 keyingtries=%forever
- auto=route
+ auto=start
 ike=aes_gcm256-sha2_256
 esp=aes_gcm256
 ikev2=insist
@@ -1104,7 +1097,7 @@ conn vxlan{{ .Segment }}-in
 conn vxlan{{ .Segment }}-out
 keyingtries=%forever
- auto=route
+ auto=start
 ike=aes_gcm256-sha2_256
 esp=aes_gcm256
 ikev2=insist
@@ -1118,7 +1111,7 @@ conn vxlan{{ .Segment }}-out
 greConn = `
 conn gre{{ .Segment }}
 keyingtries=%forever
- auto=route
+ auto=start
 ike=aes_gcm256-sha2_256
 esp=aes_gcm256
 ikev2=insist
@@ -1134,6 +1127,35 @@ conn gre{{ .Segment }}
 `
 )
+func (w *WorkerImpl) saveSec(name, tmpl string, data interface{}) error {
+ file := fmt.Sprintf("/etc/ipsec.d/%s", name)
+ out, err := libol.CreateFile(file)
+ if err != nil || out == nil {
+ return err
+ }
+ defer out.Close()
+ if obj, err := template.New("main").Parse(tmpl); err != nil {
+ return err
+ } else {
+ if err := obj.Execute(out, data); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+func (w *WorkerImpl) startSecConn(name string) {
+ promise := libol.NewPromise()
+ promise.Go(func() error {
+ if out, err := libol.Exec("ipsec", "auto", "--start", "--asynchronous", name); err != nil {
+ w.out.Warn("WorkerImpl.startSecConn: %v %s", out, err)
+ return err
+ }
+ w.out.Info("WorkerImpl.startSecConn: %v success", name)
+ return nil
+ })
+}
+
 func (w *WorkerImpl) addSecConn(port *LinuxPort) error {
 connTmpl := ""
 secTmpl := ""
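Review bot: The `auto=route` to `auto=start` switch in vxlanConn (and the identical lines in the vxlan-out and greConn templates below) is the fix the subject line refers to, but nothing in the templates records why, so the next reader will assume on-demand `route` was the intended mode and may put it back. A `#` comment line above each `auto=start`, e.g. `# auto=start: initiate when the conn is loaded rather than on the first matching packet, so it comes back after an ipsec restart`, preserves the reasoning inside the generated ipsec.d config itself. addSecConn still calls `ipsec auto --start` for the same conns; if that explicit initiate is now redundant with `auto=start` it deserves a comment, and if it is still needed the reason belongs next to it. The `const (` block that holds these templates starts before the hunk.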
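Review bot: `saveSec` returns nil when `libol.CreateFile` hands back a nil handle without an error (`if err != nil || out == nil { return err }`), so addSecConn then runs `--rereadsecrets` or starts the conn against a file that was never written; the nil-handle case needs its own error. The deferred `out.Close()` also discards the close error, and for the `.secrets` variant the file holds the secrets pluto reads on `--rereadsecrets`, so a short write should fail the call instead of being logged as success. Neither new method has a doc comment; `// saveSec renders tmpl with data into /etc/ipsec.d/<name>.` and `// startSecConn asks pluto to start conn name asynchronously, retrying through NewPromise.` would do, with the retry wording adjusted to whatever NewPromise actually does since it is outside this hunk. The mode the secrets file is created with depends on libol.CreateFile, also outside the hunk — worth confirming it is 0600, which is what libreswan expects for secrets. The goroutine in startSecConn has no tie to the worker's lifetime, so a conn removed while its promise is still pending could be started again; a cancel path or at least a comment noting the race would help.
```go
// saveSec renders tmpl with data into /etc/ipsec.d/<name>.
// Close errors are returned: for the .secrets variant the file holds what
// pluto reads on --rereadsecrets, so a short write must not look like success.
func (w *WorkerImpl) saveSec(name, tmpl string, data interface{}) error {
	file := fmt.Sprintf("/etc/ipsec.d/%s", name)
	out, err := libol.CreateFile(file)
	if err != nil {
		return err
	}
	if out == nil {
		return fmt.Errorf("create %s: no file handle returned", file)
	}
	obj, err := template.New("main").Parse(tmpl)
	if err != nil {
		out.Close()
		return err
	}
	if err := obj.Execute(out, data); err != nil {
		out.Close()
		return err
	}
	return out.Close()
}
// … unchanged: startSecConn …
```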
@@ -1149,40 +1171,22 @@ func (w *WorkerImpl) addSecConn(port *LinuxPort) error {
 }
 if secTmpl != "" {
- file := fmt.Sprintf("/etc/ipsec.d/%s.secrets", name)
- out, err := libol.CreateFile(file)
- if err != nil || out == nil {
+ if err := w.saveSec(name+".secrets", secTmpl, data); err != nil {
+ w.out.Error("WorkerImpl.addSecConn %s", err)
 return err
 }
- defer out.Close()
- if tmpl, err := template.New("main").Parse(secTmpl); err != nil {
- return err
- } else {
- if err := tmpl.Execute(out, data); err != nil {
- return err
- }
- }
 libol.Exec("ipsec", "auto", "--rereadsecrets")
 }
 if connTmpl != "" {
- file := fmt.Sprintf("/etc/ipsec.d/%s.conf", name)
- out, err := libol.CreateFile(file)
- if err != nil || out == nil {
+ if err := w.saveSec(name+".conf", connTmpl, data); err != nil {
+ w.out.Error("WorkerImpl.addSecConn %s", err)
 return err
 }
- defer out.Close()
- if tmpl, err := template.New("main").Parse(connTmpl); err != nil {
- return err
- } else {
- if err := tmpl.Execute(out, data); err != nil {
- return err
- }
- }
 if data.Protocol == "vxlan" {
- libol.Exec("ipsec", "auto", "--start", "--asynchronous", name+"-in")
- libol.Exec("ipsec", "auto", "--start", "--asynchronous", name+"-out")
+ w.startSecConn(name + "-in")
+ w.startSecConn(name + "-out")
 } else if data.Protocol == "gre" {
- libol.Exec("ipsec", "auto", "--start", "--asynchronous", name)
+ w.startSecConn(name)
 }
 }
diff --git a/pkg/switch/switch.go b/pkg/switch/switch.go
index 2a72f50..3162829 100755
--- a/pkg/switch/switch.go
+++ b/pkg/switch/switch.go
@@ -211,7 +211,7 @@ func (v *Switch) GetPort(listen string) string {
 func (v *Switch) openPorts() {
 port := v.GetPort(v.cfg.Listen)
 UdpPorts := []string{"500", "4500", "8472", "4789", port}
- TcpPorts := []string{"10000", port}
+ TcpPorts := []string{port}
 if v.cfg.Http != nil {
 TcpPorts = append(TcpPorts, v.GetPort(v.cfg.Http.Listen))
 }
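Review bot: Both new error paths log with `w.out.Error("WorkerImpl.addSecConn %s", err)` and then `return err`, so one failure is reported twice once the caller handles the returned error; pick one layer, e.g. drop the log line and `return fmt.Errorf("addSecConn %s: %w", name, err)` so the caller sees which conn failed, and use `%v` rather than `%s` for error values. When the `.conf` write fails after the `.secrets` write succeeded, the secrets file stays in /etc/ipsec.d and pluto has already been told to reread it, so removing it on that path keeps on-disk state consistent with what was loaded. The unchecked `libol.Exec("ipsec", "auto", "--rereadsecrets")` is a context line here but is now the only call in this function whose result is ignored. addSecConn's body starts before the hunk.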
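Review bot: Dropping `"10000"` from `TcpPorts` means openPorts no longer opens that TCP port on the host, which the subject line (ipsec conn restart) does not mention; if nothing listens on 10000 any more this is a welcome reduction of exposed surface, otherwise it is a silent regression. A comment on the `TcpPorts` line stating what each entry is for, or a sentence in the commit message, would let a reviewer tell which. openPorts continues past the hunk.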