[Swan] [libreswan] libreswan on GCE(Google Compute Engine) CentOS 6.3 instance (#3)

Paul Wouters paul at nohats.ca
Wed Feb 27 20:08:16 EET 2013


On Wed, 27 Feb 2013, T.J. Yang wrote:

> GCE CentOS has a hardened kernel that limits /proc directory access; the log shows the following:
> 
> [root at ks3c63 ~]# ipsec version;ipsec setup stop
> Linux Libreswan 3.0 (netkey) on 2.6.39-gcg-201210301000
> Redirecting to: service ipsec stop
> Missing control file /var/run/pluto/pluto.ctl - is pluto still running?
> Opening /proc/modules: No such file or directory
> Opening /proc/modules: No such file or directory
> [root at ks3c63 ~]# 
> 
> Is there a way for libreswan to work with this limitation?

We are basically trying to unload kernel modules. Would "lsmod" be better?

Can we access /sys/ ?

> Another GCE instance running openswan has no attempt to access /proc/modules.
> 
> [root at ks4c64 ~]# ipsec version;ipsec setup stop
> Linux Openswan U2.6.32/K2.6.39-gcg-201210301000 (netkey)
> See `ipsec --copyright' for copyright information.
> ipsec_setup: Stopping Openswan IPsec...
> ipsec_setup: stop ordered, but IPsec appears to be already stopped!
> ipsec_setup: doing cleanup anyway...
> [root at ks4c64 ~]#

I'm not sure why you are seeing a difference. My guess is the actual
problem happens during: ipsec _stackmanager stop

We cannot use the config file to determine the stack, because the admin
might have changed the protostack= in /etc/ipsec.conf and that's the
reason for restarting. So we always try to unload either stack. Since
they cannot both be loaded at once, if we find netkey, we don't have to
look for klips and vice versa. But if you run "stop" on a stopped
system, we end up needing to check for both. We do that now by looking
at /proc/net/pfkey and /proc/net/pf_key.

Paul
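The stack check Paul describes (look for the pfkey entries first, and only fall back to module listings when those are absent) as an added example script; this is not libreswan's own _stackmanager code. The /sys/module directory names and the root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not libreswan's _stackmanager: detect which IPsec stack is
# loaded without opening /proc/modules, which the hardened GCE kernel in this
# thread does not expose. Order of checks: the pfkey files Paul mentions, then
# /sys/module (assumption: NETKEY shows up as the "af_key" module, KLIPS as
# the "ipsec" module). "lsmod" would not help here, since it reads
# /proc/modules itself.
# $1 is an optional root prefix so the logic can be run against a constructed
# directory tree instead of the live system.
detect_ipsec_stack() {
    root="${1:-}"
    if [ -e "$root/proc/net/pfkey" ]; then
        echo netkey      # af_key socket registered: NETKEY stack is loaded
    elif [ -e "$root/proc/net/pf_key" ]; then
        echo klips       # KLIPS registers its own pf_key entry
    elif [ -d "$root/sys/module/af_key" ]; then
        echo netkey      # /proc/net hidden, but sysfs still lists the module
    elif [ -d "$root/sys/module/ipsec" ]; then
        echo klips
    else
        echo none        # nothing loaded: "stop" can skip module unloading
    fi
}

# Constructed fake root (not a real GCE instance) to show the sysfs fallback.
fake="$(mktemp -d)"
mkdir -p "$fake/sys/module/af_key"
detect_ipsec_stack "$fake"      # prints "netkey" via the /sys/module fallback
rm -rf "$fake"
```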

