** Description changed:
[Impact]
- * when using the ha plugin an apparmor Deny is triggered
+ * when using the ha plugin an apparmor Deny is triggered
- * Fix by allowing charon to access CLUSTERIP
+ * Fix by allowing charon to access CLUSTERIP
[Test Case]
- * get a VM to test this as it might mess up your networking
- * install strongswan (which pulls in libcharon-extra-plugins)
- * Edit /etc/strongswan.d/charon/ha.conf to something like:
- ha {
- load = yes
- local = 192.168.122.248
- monitor = yes
- remote = 192.168.122.94
- resync = yes
- segment_count = 2
- }
- With your IP and a peer IP (both KVM guests for me)
- * $ sudo iptables -I INPUT -i ens3 -d 10.10.10.10 -j CLUSTERIP --new
--hashmode sourceip --clustermac 01:00:5E:00:00:20 --total-nodes 2 --local-node
1
- Please make sure your network device matches above, the IPs can be kept
as-is unless you have a collision
- * With that set up restart the service
- $ sudo restart strongswan
- * Without the fix this will break the ha plugin early based on the
- mentioned apparmor DENY
+ * get a VM to test this as it might mess up your networking
+ * install strongswan (which pulls in libcharon-extra-plugins)
+ * Edit /etc/strongswan.d/charon/ha.conf to something like:
+ ha {
+ load = yes
+ local = 192.168.122.248
+ monitor = yes
+ remote = 192.168.122.94
+ resync = yes
+ segment_count = 2
+ }
+ With your IP and a peer IP (both KVM guests for me)
+ * $ sudo iptables -I INPUT -i ens3 -d 10.10.10.10 -j CLUSTERIP --new
--hashmode sourceip --clustermac 01:00:5E:00:00:20 --total-nodes 2 --local-node
1
+ Please make sure your network device matches above, the IPs can be kept
as-is unless you have a collision
+ * With that set up restart the service
+ $ sudo systemctl restart strongswan
+ * Without the fix this will break the ha plugin early based on the
+ mentioned apparmor DENY
- Note: this does not provide a full ha setup, since this simple setup is
- enough to trigger and verify the issue.
+ Note: this does not provide a full ha setup, since this simple setup is
+ enough to trigger and verify the issue.
[Regression Potential]
- * This is only opening up one more (actually uncommon other than HA
- setups) path to charon, I'd not expect existing functionality to
- regress due to that.
+ * This is only opening up one more (actually uncommon other than HA
+ setups) path to charon, I'd not expect existing functionality to
+ regress due to that.
[Other Info]
-
- * n/a
+
+ * n/a
----
-
- When using the HA plugin, charon-systemd try to read
'@{PROC}/@{pid}/net/ipt_CLUSTERIP/' and to write in files into
'@{PROC}/@{pid}/net/ipt_CLUSTERIP/'
+ When using the HA plugin, charon-systemd try to read
+ '@{PROC}/@{pid}/net/ipt_CLUSTERIP/' and to write in files into
+ '@{PROC}/@{pid}/net/ipt_CLUSTERIP/'
So the 2 rules may be appended to charon-systemd.apparmor.conf:
# Cluster IP
@{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
@{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
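As an added example (not from the bug report or the strongswan package), a simplified model of AppArmor path-rule matching run over the two CLUSTERIP accesses the report describes: it shows which accesses a profile without the proposed rules leaves DENIED and that appending the two rules covers both. The profile fragments, the pid and the per-address node file name are constructed, and the matcher only approximates AppArmor's variable expansion and globbing.

```python
import re
# Constructed sample: the CLUSTERIP paths charon opens per this bug and the
# modes it needs (r on the directory, rw on the node files); pid is made up.
NEEDED = [
    ("/proc/4242/net/ipt_CLUSTERIP/", "r"),
    ("/proc/4242/net/ipt_CLUSTERIP/10.10.10.10", "rw"),
]

# Constructed stand-in for the shipped profile, plus the two proposed rules.
BASE_PROFILE = "  @{PROC}/@{pid}/net/pfkey r,\n"
CLUSTERIP_RULES = (
    "  # Cluster IP\n"
    "  @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,\n"
    "  @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,\n"
)

VARS = {"@{PROC}": "/proc", "@{pid}": "[0-9]+"}  # variables as regex fragments

def rule_to_regex(path_rule):
    """@{VAR} expansion and single-segment '*' only; no '**' or alternation."""
    out, i = "", 0
    while i < len(path_rule):
        var = re.match(r"@\{\w+\}", path_rule[i:])
        if var:
            out += VARS[var.group(0)]
            i += var.end()
        else:
            out += "[^/]*" if path_rule[i] == "*" else re.escape(path_rule[i])
            i += 1
    return re.compile("^" + out + "$")

def parse_profile(text):
    """Return (regex, modes) for every 'path modes,' rule, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or not line.endswith(","):
            continue
        parts = line[:-1].split()
        if len(parts) == 2 and parts[0].startswith(("/", "@{")):
            rules.append((rule_to_regex(parts[0]), set(parts[1])))
    return rules

def denied_accesses(profile_text, accesses=NEEDED):
    """Accesses no rule grants in full: what AppArmor would log as DENIED."""
    rules = parse_profile(profile_text)
    return [(path, modes) for path, modes in accesses
            if not any(rx.match(path) and set(modes) <= granted
                       for rx, granted in rules)]
```

`denied_accesses(BASE_PROFILE)` returns both accesses, while `denied_accesses(BASE_PROFILE + CLUSTERIP_RULES)` returns an empty list; adding only the directory rule still leaves the node-file write denied.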
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1773956
Title:
[apparmor] missing entry for CLUSTERIP (used by strongswan HA plugin)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1773956/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs