ipsec: use well known paths of charon daemon

Charon ike daemon path is hardcoded according to its install location in alpine distribution off which is based the flannel image used in standard kubernetes deployment. This commits hardcodes other well known paths of charon daemon in different distributions to improved support in manual execution scenarios or customized flannel images.
flannel-io · Dec 16, 2020 · e5a30da · e5a30da
1 parent 4b015d0
commit e5a30da
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 10 deletions.
diff --git a/backend/ipsec/handle_charon.go b/backend/ipsec/handle_charon.go
@@ -47,8 +47,13 @@ func NewCharonIKEDaemon(ctx context.Context, wg *sync.WaitGroup, espProposal str
 	addr := strings.Split("unix:///var/run/charon.vici", "://")
 	charon.viciUri = Uri{addr[0], addr[1]}
 
-	cmd, err := charon.runBundled("/usr/lib/strongswan/charon")
+	execPath, err := findExecPath()
+	if err != nil {
+		log.Errorf("Charon daemon not found: %v", err)
+		return nil, err
+	}
 
+	cmd, err := charon.run(execPath)
 	if err != nil {
 		log.Errorf("Error starting charon daemon: %v", err)
 		return nil, err
@@ -92,13 +97,9 @@ func (charon *CharonIKEDaemon) getClient(wait bool) (client *goStrongswanVici.Cl
 	}
 }
 
-func (charon *CharonIKEDaemon) runBundled(execPath string) (cmd *exec.Cmd, err error) {
-	path, err := exec.LookPath(execPath)
-	if err != nil {
-		return nil, err
-	}
+func (charon *CharonIKEDaemon) run(execPath string) (cmd *exec.Cmd, err error) {
 	cmd = &exec.Cmd{
-		Path: path,
+		Path: execPath,
 		SysProcAttr: &syscall.SysProcAttr{
 			Pdeathsig: syscall.SIGTERM,
 		},
@@ -233,3 +234,25 @@ func formatConnectionName(localLease, remoteLease *subnet.Lease) string {
 func formatChildSAConfName(localLease, remoteLease *subnet.Lease) string {
 	return fmt.Sprintf("%s-%s", localLease.Subnet, remoteLease.Subnet)
 }
+
+func findExecPath() (string, error) {
+	// try well known charon paths
+	paths := []string{
+		"charon",                         // PATH
+		"/usr/lib/strongswan/charon",     // alpine, arch, flannel container
+		"/usr/lib/ipsec/charon",          // debian/ubuntu
+		"/usr/libexec/strongswan/charon", // centos/rhel
+		"/usr/libexec/ipsec/charon",      // opensuse/sles
+	}
+	for _, path := range paths {
+		path, err := exec.LookPath(path)
+		if err != nil {
+			log.Warningf("No valid charon executable found at path %s: %v", path, err)
+			continue
+		}
+		return path, nil
+	}
+
+	err := fmt.Errorf("No valid charon executable found at paths %v", paths)
+	return "", err
+}
diff --git a/backend/ipsec/ipsec.go b/backend/ipsec/ipsec.go
@@ -32,9 +32,9 @@ import (
 	Flannel's approach to IPSec uses Strongswan to handle the key exchange (using IKEv2) and the kernel to handle the
 	actual encryption.
 
-	Strongswan's "charon" is bundled in the flannel container. Flannel runs it as a child process when the ipsec backend
-	is selected and communicates with it using the "VICI" interface. Strongswan ships a utility "swanctl" which also
-	uses the VICI interface. This utility is bundled in the flannel container and can help with debugging.
+	Flannel runs Strongswan's "charon" as a child process when the ipsec backend is selected and communicates with it
+	using the "VICI" interface. Strongswan ships a utility "swanctl" which also uses the VICI interface. This utility
+	is bundled in the flannel container and can help with debugging.
 
 	The file "handle_charon.go" contains the logic for working with the charon. It supports creating a "CharonIKEDaemon"
 	which supports loading the PSK into the charon and adding and removing connections.