** Description changed:
[Impact]
* when using the ha plugin an apparmor Deny is triggered
* Fix by allowing charon to access CLUSTERIP
[Test Case]
* get a VM to test this as it might mess up your networking
- * install strongswan (which pulls in libcharon-extra-plugins)
+ * install strongswan and libcharon-extra-plugins
+ $ sudo apt install strongswan libcharon-extra-plugins
* Edit /etc/strongswan.d/charon/ha.conf to something like:
    ha {
        load = yes
        local = 192.168.122.248
        monitor = yes
        remote = 192.168.122.94
        resync = yes
        segment_count = 2
    }
With your IP and a peer IP (both KVM guests for me)
* $ sudo iptables -I INPUT -i ens3 -d 10.10.10.10 -j CLUSTERIP --new \
      --hashmode sourceip --clustermac 01:00:5E:00:00:20 --total-nodes 2 --local-node 1
Please make sure your network device matches the one above; the IPs can be kept
as-is unless you have a collision.
* With that set up restart the service
$ sudo systemctl restart strongswan
* Without the fix this will break the ha plugin early due to the
mentioned apparmor DENY.
Note: this does not provide a full ha setup, since this simple setup is
enough to trigger and verify the issue.
[Regression Potential]
* This is only opening up one more (actually uncommon, other than in HA
setups) path to charon; I'd not expect existing functionality to
regress due to that.
[Other Info]
* n/a
----
When using the HA plugin, charon-systemd tries to read
'@{PROC}/@{pid}/net/ipt_CLUSTERIP/' and to write files into
'@{PROC}/@{pid}/net/ipt_CLUSTERIP/'.
So the two rules below may be appended to charon-systemd.apparmor.conf:
# Cluster IP
@{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
@{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
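As an added example (not part of the bug report or of the strongswan packaging), this Python snippet parses AppArmor DENIED audit records, keeps only those for the charon-systemd profile, and derives from them the PID-independent @{PROC}/@{pid} rules quoted above, so the same approach can confirm that a denial is really the CLUSTERIP one before touching the profile. The log lines and the profile path /usr/sbin/charon-systemd are constructed assumptions, not values taken from the report.

```python
import re

# key="quoted value" or key=bare pairs in an AppArmor audit record
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
_PERM_ORDER = "rwalkm"   # file permissions in the order AppArmor rules list them

CHARON = "/usr/sbin/charon-systemd"   # assumed profile name, not quoted in the bug report
_REC = ('audit: type=1400 audit(%s): apparmor="DENIED" operation="open" profile="%s" '
        'name="%s" pid=2048 comm="%s" requested_mask="%s" denied_mask="%s" fsuid=0 ouid=0')
SAMPLE_LOG = [  # constructed records modelled on kernel audit output
    _REC % ("1527091234.567:101", CHARON, "/proc/2048/net/ipt_CLUSTERIP/", "charon-systemd", "r", "r"),
    _REC % ("1527091234.890:102", CHARON, "/proc/2048/net/ipt_CLUSTERIP/10.10.10.10", "charon-systemd", "r", "r"),
    _REC % ("1527091235.001:103", CHARON, "/proc/2048/net/ipt_CLUSTERIP/10.10.10.10", "charon-systemd", "w", "w"),
    # a denial from another profile, which must not leak into charon's rules
    _REC % ("1527091240.000:104", "/usr/bin/other", "/etc/other.conf", "other", "r", "r"),
]

def parse_apparmor_line(line):
    """Return the record's fields as a dict, or None unless it is a DENIED record."""
    fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
              for m in _KV.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def abstract_proc_path(path):
    """Turn /proc/<pid>/... into @{PROC}/@{pid}/... so the rule does not depend on the PID."""
    return re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", path)

def normalize_mask(mask):
    """Keep only permissions a file rule accepts, in canonical order; 'w' already implies 'a'."""
    perms = set(mask) & set(_PERM_ORDER)
    if "w" in perms:
        perms.discard("a")
    return "".join(p for p in _PERM_ORDER if p in perms)

def suggest_rules(lines, profile):
    """Merge the denials seen for `profile` into the minimal file rules that would
    allow them: a directory keeps its own path, files inside it share one glob."""
    rules = {}
    for line in lines:
        f = parse_apparmor_line(line)
        if not f or f.get("profile") != profile or "name" not in f:
            continue
        path = abstract_proc_path(f["name"])
        key = path if path.endswith("/") else path.rsplit("/", 1)[0] + "/*"
        rules[key] = normalize_mask(rules.get(key, "") + f.get("denied_mask", ""))
    return ["%s %s," % (k, v) for k, v in rules.items()]

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG, CHARON)))
```

On a real host the input would be the apparmor="DENIED" lines from `journalctl -k` or /var/log/audit/audit.log instead of SAMPLE_LOG.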
https://bugs.launchpad.net/bugs/1773956
Title:
[apparmor] missing entry for CLUSTERIP (used by strongswan HA plugin)