** Description changed:

- When using the HA plugin, charon-systemd try to read
- '@{PROC}/@{pid}/net/ipt_CLUSTERIP/' and to write in files into
- '@{PROC}/@{pid}/net/ipt_CLUSTERIP/'
+ [Impact]
+ 
+  * when using the ha plugin an apparmor Deny is triggered
+ 
+  * Fix by allowing charon to access CLUSTERIP
+ 
+ [Test Case]
+ 
+  *  get a VM to test this as it might mess up your networking
+  * install strongswan (which pulls in libcharon-extra-plugins)
+  * Edit /etc/strongswan.d/charon/ha.conf to something like:
+          ha {
+              load = yes
+              local = 192.168.122.248
+              monitor = yes
+              remote = 192.168.122.94
+              resync = yes
+              segment_count = 2
+          }
+    With your IP and a peer IP (both KVM guests for me)
+  * $ sudo iptables -I INPUT -i ens3 -d 10.10.10.10 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:00:20 --total-nodes 2 --local-node 1
+    Please make sure your network device matches above, the IPs can be kept as-is unless you have a collision
+  * With that set up restart the service
+    $ sudo restart strongswan
+  * Without the fix this will break the ha plugin early based on the 
+    mentioned apparmor DENY
+ 
+  Note: this does not provide a full ha setup, since this simple setup is 
+        enough to trigger and verify the issue.
+ 
+ [Regression Potential]
+ 
+  * This is only opening up one more (actually uncommon other than HA 
+    setups) path to charon, I'd not expect existing functionality to 
+    regress due to that.
+ 
+ [Other Info]
+  
+  * n/a
+ 
+ ----
+ 
+ 
+ When using the HA plugin, charon-systemd tries to read '@{PROC}/@{pid}/net/ipt_CLUSTERIP/' and to write to files in '@{PROC}/@{pid}/net/ipt_CLUSTERIP/'
  
  So these two rules may be appended to charon-systemd.apparmor.conf
  
  # Cluster IP
  @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
  @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1773956

Title:
  [apparmor] missing entry for CLUSTERIP (used by strongswan HA plugin)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1773956/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

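As a way to check the fix from the test case in the bug description on a real host, here is an added shell example; it is not code from the bug report, from Ubuntu or from strongswan. It checks whether a charon AppArmor profile carries the two CLUSTERIP rules quoted in the report and counts the kernel audit lines that the missing rules produce, ignoring unrelated denials. The profile fragments and audit lines embedded below are constructed samples; the profile name /usr/lib/ipsec/charon, the pid and comm values in them are assumptions, and the path of the installed profile varies by release.

```shell
#!/bin/sh
# Added example for LP#1773956; not code from the bug report or from strongswan.
# Two checks a practitioner would run before and after appending the CLUSTERIP rules:
#   1. does the AppArmor profile contain both rules?
#   2. how many apparmor="DENIED" audit lines concern /proc/<pid>/net/ipt_CLUSTERIP?
# Everything under "constructed samples" is made up for the demo (profile name,
# pid/comm values, timestamps); the audit line layout itself is the kernel's format.

# profile_has_clusterip_rules FILE
#   Succeeds only if FILE contains both rules from the bug report:
#     @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
#     @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
profile_has_clusterip_rules() {
    grep -Eq '^[[:space:]]*@\{PROC\}/@\{pid\}/net/ipt_CLUSTERIP/[[:space:]]+r,' "$1" &&
    grep -Eq '^[[:space:]]*@\{PROC\}/@\{pid\}/net/ipt_CLUSTERIP/\*[[:space:]]+rw,' "$1"
}

# count_clusterip_denials FILE
#   Prints the number of DENIED lines whose object is under /proc/<pid>/net/ipt_CLUSTERIP.
#   Prints 0 (and still succeeds) when there are none, so it is safe under set -e.
count_clusterip_denials() {
    grep -c 'apparmor="DENIED".*name="/proc/[0-9]*/net/ipt_CLUSTERIP' "$1" || true
}

# --- constructed samples (stand in for the installed profile and for journalctl -k) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Profile fragment before the fix: a couple of unrelated rules, no CLUSTERIP entries.
cat > "$SAMPLE_DIR/profile_before" <<'EOF'
  /etc/ipsec.conf r,
  @{PROC}/@{pid}/net/dev r,
EOF

# Same fragment with the two rules from the bug report appended.
cat > "$SAMPLE_DIR/profile_after" <<'EOF'
  /etc/ipsec.conf r,
  @{PROC}/@{pid}/net/dev r,

  # Cluster IP
  @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
  @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
EOF

# Kernel audit lines: two CLUSTERIP denials from charon (read of the directory, write
# to the per-address file) plus one unrelated denial that must not be counted.
cat > "$SAMPLE_DIR/audit.log" <<'EOF'
type=1400 audit(1527500001.001:101): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/4242/net/ipt_CLUSTERIP/" pid=4242 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1527500001.002:102): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/4242/net/ipt_CLUSTERIP/10.10.10.10" pid=4242 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=1400 audit(1527500001.003:103): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/ppd/x.ppd" pid=777 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF

# --- demo: report what each check finds for the two profile variants and the log ---
for p in profile_before profile_after; do
    if profile_has_clusterip_rules "$SAMPLE_DIR/$p"; then
        echo "$p: CLUSTERIP rules present"
    else
        echo "$p: CLUSTERIP rules MISSING (HA plugin will hit apparmor DENIED)"
    fi
done
echo "CLUSTERIP denials in sample log: $(count_clusterip_denials "$SAMPLE_DIR/audit.log")"
```

On a real host, point profile_has_clusterip_rules at the installed charon profile under /etc/apparmor.d and count_clusterip_denials at a capture of `journalctl -k` or `dmesg`. After appending the rules, reload the profile with `apparmor_parser -r <profile>` and rerun the test case from the description; lines logged after the reload should no longer contain ipt_CLUSTERIP denials.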