coreos / fedora-coreos-tracker

Issue tracker for Fedora CoreOS
https://fedoraproject.org/coreos/

New Package Request: libreswan #995

Open djohnston89 opened 3 years ago

djohnston89 commented 3 years ago

Please try to answer the following questions about the package you are requesting:

  1. What, if any, are the additional dependencies on the package? (i.e. does it pull in Python, Perl, etc) unsure

  2. What is the size of the package and its dependencies? unsure

  3. What problem are you trying to solve with this package? Or what functionality does the package provide? This will help connect FCOS nodes to IPsec VPNs for encrypted external connectivity.

  4. Can the software provided by the package be run from a container? Explain why or why not. This is being explored currently.

  5. Can the tool(s) provided by the package be helpful in debugging container runtime issues? unsure

  6. Can the tool(s) provided by the package be helpful in debugging networking issues? unsure

  7. Is it possible to layer the package onto the base OS as a day 2 operation? Explain why or why not. unsure. This is being explored currently also.

  8. In the case of packages providing services and binaries, can the packaging be adjusted to just deliver binaries? unsure

  9. Can the tool(s) provided by the package be used to do things we’d rather users not be able to do in FCOS? (e.g. can it be abused as a Turing complete interpreter?) unsure

  10. Does the software provided by the package have a history of CVEs? unsure

lucab commented 3 years ago

Thanks for the report. Please do note that host networking on FCOS nodes is fully managed by NetworkManager. As such, if you are looking for a host-level VPN tunneling where the FCOS node is a client of a remote hub, you are probably asking for the NetworkManager-libreswan package. Instead, if you are looking for a concentrator service or for tunneling some specific application/container traffic, you'd want a containerized libreswan.

I went ahead and tried to layer NetworkManager-libreswan on current FCOS stable. This is the set of all packages that it brings in:

Added:
  NetworkManager-libreswan-1.2.14-1.fc34.1.x86_64
  crypto-policies-scripts-20210213-1.git5c710c0.fc34.noarch
  gdbm-libs-1:1.19-2.fc34.x86_64
  grubby-8.40-51.fc34.x86_64
  ldns-1.7.1-4.fc34.x86_64
  libreswan-4.5-1.fc34.x86_64
  libxcrypt-compat-4.4.25-1.fc34.x86_64
  nspr-4.32.0-2.fc34.x86_64
  nss-3.71.0-1.fc34.x86_64
  nss-softokn-3.71.0-1.fc34.x86_64
  nss-softokn-freebl-3.71.0-1.fc34.x86_64
  nss-sysinit-3.71.0-1.fc34.x86_64
  nss-tools-3.71.0-1.fc34.x86_64
  nss-util-3.71.0-1.fc34.x86_64
  python-pip-wheel-21.0.1-3.fc34.noarch
  python-setuptools-wheel-53.0.0-2.fc34.noarch
  python-unversioned-command-3.9.7-1.fc34.noarch
  python3-3.9.7-1.fc34.x86_64
  python3-libs-3.9.7-1.fc34.x86_64
  python3-pip-21.0.1-3.fc34.noarch
  python3-setuptools-53.0.0-2.fc34.noarch
  unbound-libs-1.13.2-1.fc34.x86_64
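
An added check, not from the thread or the project, that a practitioner could run over a dependency list like the one above: it reduces each `rpm-ostree` "Added:" line to a bare package name and flags interpreter runtimes (the list above pulls in python3 and python3-libs), which is what questions 1 and 9 of the template ask about. The sample input is a constructed subset of that list, and the dry-run output layout is an assumption.

```shell
# Added example (not from the issue thread): audit the "Added:" list that
# `rpm-ostree install --dry-run` prints for a layered package, answering
# template questions 1 and 9 (does it pull in an interpreter runtime?).

# Constructed sample: a subset of the packages lucab reported for
# NetworkManager-libreswan on FCOS stable.
SAMPLE_ADDED='NetworkManager-libreswan-1.2.14-1.fc34.1.x86_64
crypto-policies-scripts-20210213-1.git5c710c0.fc34.noarch
gdbm-libs-1:1.19-2.fc34.x86_64
libreswan-4.5-1.fc34.x86_64
nss-3.71.0-1.fc34.x86_64
python-unversioned-command-3.9.7-1.fc34.noarch
python3-3.9.7-1.fc34.x86_64
python3-libs-3.9.7-1.fc34.x86_64
python3-pip-21.0.1-3.fc34.noarch
unbound-libs-1.13.2-1.fc34.x86_64'

# Reduce a name-[epoch:]version-release.arch line to the bare package name.
# Assumes the version starts at the first '-' followed by a digit (rpm NEVRA layout).
pkg_name() {
    printf '%s\n' "$1" | sed -E 's/-[0-9][^-]*-[^-]*$//'
}

# Read added-package lines on stdin, print the names that are interpreter
# runtimes, and return 1 if any were found so a CI step can fail on it.
interpreter_deps() {
    found=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$(pkg_name "$line")" in
            python3|python3-libs|perl|perl-interpreter|ruby|ruby-libs|nodejs|lua)
                pkg_name "$line"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Number of packages the layering would add (scope for questions 1 and 2).
count_added() {
    grep -c .
}

# Stand-alone run: reports that the sample pulls in an interpreter runtime.
printf '%s\n' "$SAMPLE_ADDED" | interpreter_deps \
    || echo "interpreter runtime pulled in by layering"
```

Pipe the lines under "Added:" from a real dry run into `interpreter_deps` to gate a layering change in CI.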

travier commented 3 years ago

From memory, it should be possible to run libreswan/strongswan from a privileged container.

djohnston89 commented 3 years ago

We're exploring running libreswan in a container, but we wanted to explore the package request route in parallel.