rancher / image-build-flannel

Apache License 2.0

Strongswan install silently fails #7

Open AbrohamLincoln opened 3 years ago

AbrohamLincoln commented 3 years ago

The Strongswan package is not installed. This prevents the use of the IPSEC flannel backend.

% docker run --rm -it docker.io/rancher/hardened-flannel:v0.13.0-rancher1-build20210223 /bin/bash
bash-4.2# yum list installed strongswan
ubi-7                                                                                                                                                                                                                | 3.8 kB  00:00:00
ubi-7-rhah                                                                                                                                                                                                           | 3.7 kB  00:00:00
ubi-7-server-extras-rpms                                                                                                                                                                                             | 3.7 kB  00:00:00
ubi-7-server-optional-rpms                                                                                                                                                                                           | 3.8 kB  00:00:00
ubi-server-rhscl-7-rpms                                                                                                                                                                                              | 3.8 kB  00:00:00
(1/15): ubi-7/x86_64/updateinfo                                                                                                                                                                                      |   92 B  00:00:00
(2/15): ubi-7/x86_64/primary_db                                                                                                                                                                                      | 798 kB  00:00:00
(3/15): ubi-7-rhah/x86_64/updateinfo                                                                                                                                                                                 |   92 B  00:00:00
(4/15): ubi-7/x86_64/group                                                                                                                                                                                           |  124 B  00:00:00
(5/15): ubi-7-rhah/x86_64/primary_db                                                                                                                                                                                 | 2.5 kB  00:00:00
(6/15): ubi-7-rhah/x86_64/group                                                                                                                                                                                      |  124 B  00:00:00
(7/15): ubi-7-server-extras-rpms/x86_64/updateinfo                                                                                                                                                                   |   92 B  00:00:00
(8/15): ubi-7-server-extras-rpms/x86_64/primary_db                                                                                                                                                                   | 6.8 kB  00:00:00
(9/15): ubi-7-server-extras-rpms/x86_64/group                                                                                                                                                                        |  124 B  00:00:02
(10/15): ubi-7-server-optional-rpms/x86_64/updateinfo                                                                                                                                                                |   92 B  00:00:02
(11/15): ubi-7-server-optional-rpms/x86_64/primary_db                                                                                                                                                                |  14 kB  00:00:00
(12/15): ubi-7-server-optional-rpms/x86_64/group                                                                                                                                                                     |  124 B  00:00:02
(13/15): ubi-server-rhscl-7-rpms/x86_64/updateinfo                                                                                                                                                                   |   92 B  00:00:00
(14/15): ubi-server-rhscl-7-rpms/x86_64/primary_db                                                                                                                                                                   | 383 kB  00:00:00
(15/15): ubi-server-rhscl-7-rpms/x86_64/group                                                                                                                                                                        |  124 B  00:00:00
Error: No matching Packages to list

If I build the image, the build succeeds but strongswan is not installed:

#6 [stage-2 1/3] RUN microdnf update -y          &&     microdnf install -y yum     &&     yum install -y ca-certificates     strongswan net-tools which  &&     rm -rf /var/cache/yum
#6 sha256:44bb389a1c4749e5a7aaffb27ad2a66ff591f634866a91c6c181973773b86574
#6 19.07 --------------------------------------------------------------------------------
#6 19.07 Total                                              7.0 MB/s |  24 MB  00:03
#6 19.07 Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
#6 19.08 Importing GPG key 0xFD431D51:
#6 19.08  Userid     : "Red Hat, Inc. (release key 2) <security@redhat.com>"
#6 19.08  Fingerprint: 567e 347a d004 4ade 55ba 8a5f 199e 2f91 fd43 1d51
#6 19.08  Package    : redhat-release-server-7.9-6.el7_9.x86_64 (installed)
#6 19.08  From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
#6 19.08 Importing GPG key 0x2FA658E0:
#6 19.08  Userid     : "Red Hat, Inc. (auxiliary key) <security@redhat.com>"
#6 19.08  Fingerprint: 43a6 e49c 4a38 f4be 9abf 2a53 4568 9c88 2fa6 58e0
#6 19.08  Package    : redhat-release-server-7.9-6.el7_9.x86_64 (installed)
#6 19.08  From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
#6 19.12 Running transaction check
#6 19.15 Running transaction test
#6 19.19 Transaction test succeeded
#6 19.19 Running transaction
#6 19.26   Installing : gzip-1.5-10.el7.x86_64                                      1/33
#6 19.41   Installing : cracklib-2.9.0-11.el7.x86_64                                2/33
#6 20.17   Installing : cracklib-dicts-2.9.0-11.el7.x86_64                          3/33
#6 20.39   Installing : pam-1.1.8-23.el7.x86_64                                     4/33
#6 20.63   Installing : libpwquality-1.2.3-5.el7.x86_64                             5/33
#6 20.87   Installing : xz-5.2.2-1.el7.x86_64                                       6/33
#6 20.97   Installing : libuser-0.60-9.el7.x86_64                                   7/33
#6 21.19   Installing : ustr-1.0.4-16.el7.x86_64                                    8/33
#6 21.40   Installing : libsemanage-2.5-14.el7.x86_64                               9/33
#6 21.89   Installing : 2:shadow-utils-4.6-5.el7.x86_64                            10/33
#6 22.09   Installing : libutempter-1.1.6-4.el7.x86_64                             11/33
#6 22.42   Installing : 1:hardlink-1.0-19.el7.x86_64                               12/33
#6 22.59   Installing : 2:tar-1.26-35.el7.x86_64                                   13/33
#6 22.81   Installing : kmod-libs-20-28.el7.x86_64                                 14/33
#6 24.22   Installing : binutils-2.27-44.base.el7.x86_64                           15/33
#6 24.49   Installing : qrencode-libs-3.4.1-3.el7.x86_64                           16/33
#6 24.80   Installing : acl-2.2.51-15.el7.x86_64                                   17/33
#6 25.23   Installing : util-linux-2.23.2-65.el7_9.1.x86_64                        18/33
#6 25.52   Installing : procps-ng-3.3.10-28.el7.x86_64                             19/33
#6 25.71   Installing : kpartx-0.4.9-134.el7_9.x86_64                              20/33
#6 25.75   Installing : 7:device-mapper-1.02.170-6.el7_9.4.x86_64                  21/33
#6 26.07   Installing : dracut-033-572.el7.x86_64                                  22/33
#6 26.12   Installing : kmod-20-28.el7.x86_64                                      23/33
#6 26.17   Installing : 7:device-mapper-libs-1.02.170-6.el7_9.4.x86_64             24/33
#6 26.47   Installing : cryptsetup-libs-2.0.3-6.el7.x86_64                         25/33
#6 26.74   Installing : elfutils-libs-0.176-5.el7.x86_64                           26/33
#6 27.07   Installing : systemd-libs-219-78.el7_9.3.x86_64                         27/33
#6 27.30   Installing : 1:dbus-libs-1.10.24-15.el7.x86_64                          28/33
#6 28.42   Installing : systemd-219-78.el7_9.3.x86_64                              29/33
#6 28.84 Failed to get D-Bus connection: Operation not permitted
#6 28.85   Installing : elfutils-default-yama-scope-0.176-5.el7.noarch             30/33
#6 29.20   Installing : 1:dbus-1.10.24-15.el7.x86_64                               31/33
#6 29.25   Installing : net-tools-2.0-0.25.20131004git.el7.x86_64                  32/33
#6 29.40   Installing : which-2.20-7.el7.x86_64                                    33/33
#6 29.72   Verifying  : acl-2.2.51-15.el7.x86_64                                    1/33
#6 29.73   Verifying  : gzip-1.5-10.el7.x86_64                                      2/33
#6 29.73   Verifying  : 2:shadow-utils-4.6-5.el7.x86_64                             3/33
#6 29.74   Verifying  : kpartx-0.4.9-134.el7_9.x86_64                               4/33
#6 29.75   Verifying  : pam-1.1.8-23.el7.x86_64                                     5/33
#6 29.75   Verifying  : elfutils-default-yama-scope-0.176-5.el7.noarch              6/33
#6 29.76   Verifying  : dracut-033-572.el7.x86_64                                   7/33
#6 29.77   Verifying  : 1:dbus-libs-1.10.24-15.el7.x86_64                           8/33
#6 29.78   Verifying  : cryptsetup-libs-2.0.3-6.el7.x86_64                          9/33
#6 29.78   Verifying  : systemd-libs-219-78.el7_9.3.x86_64                         10/33
#6 29.79   Verifying  : which-2.20-7.el7.x86_64                                    11/33
#6 29.79   Verifying  : qrencode-libs-3.4.1-3.el7.x86_64                           12/33
#6 29.80   Verifying  : net-tools-2.0-0.25.20131004git.el7.x86_64                  13/33
#6 29.81   Verifying  : systemd-219-78.el7_9.3.x86_64                              14/33
#6 29.81   Verifying  : util-linux-2.23.2-65.el7_9.1.x86_64                        15/33
#6 29.82   Verifying  : kmod-20-28.el7.x86_64                                      16/33
#6 29.83   Verifying  : 7:device-mapper-1.02.170-6.el7_9.4.x86_64                  17/33
#6 29.83   Verifying  : 1:dbus-1.10.24-15.el7.x86_64                               18/33
#6 29.84   Verifying  : binutils-2.27-44.base.el7.x86_64                           19/33
#6 29.84   Verifying  : xz-5.2.2-1.el7.x86_64                                      20/33
#6 29.85   Verifying  : libsemanage-2.5-14.el7.x86_64                              21/33
#6 29.86   Verifying  : kmod-libs-20-28.el7.x86_64                                 22/33
#6 29.86   Verifying  : 2:tar-1.26-35.el7.x86_64                                   23/33
#6 29.87   Verifying  : procps-ng-3.3.10-28.el7.x86_64                             24/33
#6 29.88   Verifying  : 7:device-mapper-libs-1.02.170-6.el7_9.4.x86_64             25/33
#6 29.88   Verifying  : cracklib-dicts-2.9.0-11.el7.x86_64                         26/33
#6 29.89   Verifying  : libuser-0.60-9.el7.x86_64                                  27/33
#6 29.89   Verifying  : 1:hardlink-1.0-19.el7.x86_64                               28/33
#6 29.90   Verifying  : cracklib-2.9.0-11.el7.x86_64                               29/33
#6 29.91   Verifying  : libpwquality-1.2.3-5.el7.x86_64                            30/33
#6 29.91   Verifying  : ustr-1.0.4-16.el7.x86_64                                   31/33
#6 29.92   Verifying  : libutempter-1.1.6-4.el7.x86_64                             32/33
#6 29.92   Verifying  : elfutils-libs-0.176-5.el7.x86_64                           33/33
#6 29.96
#6 29.96 Installed:
#6 29.96   net-tools.x86_64 0:2.0-0.25.20131004git.el7     which.x86_64 0:2.20-7.el7
#6 29.96
#6 29.96 Dependency Installed:
#6 29.96   acl.x86_64 0:2.2.51-15.el7
#6 29.96   binutils.x86_64 0:2.27-44.base.el7
#6 29.96   cracklib.x86_64 0:2.9.0-11.el7
#6 29.96   cracklib-dicts.x86_64 0:2.9.0-11.el7
#6 29.96   cryptsetup-libs.x86_64 0:2.0.3-6.el7
#6 29.96   dbus.x86_64 1:1.10.24-15.el7
#6 29.96   dbus-libs.x86_64 1:1.10.24-15.el7
#6 29.96   device-mapper.x86_64 7:1.02.170-6.el7_9.4
#6 29.96   device-mapper-libs.x86_64 7:1.02.170-6.el7_9.4
#6 29.96   dracut.x86_64 0:033-572.el7
#6 29.96   elfutils-default-yama-scope.noarch 0:0.176-5.el7
#6 29.96   elfutils-libs.x86_64 0:0.176-5.el7
#6 29.96   gzip.x86_64 0:1.5-10.el7
#6 29.96   hardlink.x86_64 1:1.0-19.el7
#6 29.96   kmod.x86_64 0:20-28.el7
#6 29.96   kmod-libs.x86_64 0:20-28.el7
#6 29.96   kpartx.x86_64 0:0.4.9-134.el7_9
#6 29.96   libpwquality.x86_64 0:1.2.3-5.el7
#6 29.96   libsemanage.x86_64 0:2.5-14.el7
#6 29.96   libuser.x86_64 0:0.60-9.el7
#6 29.96   libutempter.x86_64 0:1.1.6-4.el7
#6 29.96   pam.x86_64 0:1.1.8-23.el7
#6 29.96   procps-ng.x86_64 0:3.3.10-28.el7
#6 29.96   qrencode-libs.x86_64 0:3.4.1-3.el7
#6 29.96   shadow-utils.x86_64 2:4.6-5.el7
#6 29.96   systemd.x86_64 0:219-78.el7_9.3
#6 29.96   systemd-libs.x86_64 0:219-78.el7_9.3
#6 29.96   tar.x86_64 2:1.26-35.el7
#6 29.96   ustr.x86_64 0:1.0.4-16.el7
#6 29.96   util-linux.x86_64 0:2.23.2-65.el7_9.1
#6 29.96   xz.x86_64 0:5.2.2-1.el7
#6 29.96
#6 29.96 Complete!
#6 DONE 30.1s

It appears as though two things need to happen for the strongswan package to be installed:

  1. Install/enable the EPEL repo.
  2. Install the trousers package (which requires a RHEL subscription to install from RH repos)

https://github.com/rancher/image-build-flannel/blob/f3f20870d28b32f11bad3438cd3432f0f2aee370/Dockerfile#L37
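The build log above ends in "Complete!" although strongswan was never installed. As an added example (not code from the image-build-flannel repo), here is a POSIX shell check that scans such a log for packages that were requested on the yum install line but are not accounted for; the log excerpt is constructed, and its "No package ... available." and "already installed" lines are yum messages that the truncated output in the issue does not show.

```shell
#!/bin/sh
# Constructed yum log excerpt modelled on the build output in the issue.
# The first two lines are assumed yum messages (not visible in the issue's
# truncated log): ca-certificates was already present, strongswan unknown.
YUM_LOG='Package ca-certificates-2020.2.41-70.0.el7_8.noarch already installed and latest version
No package strongswan available.
Resolving Dependencies
--> Running transaction check
Installed:
  net-tools.x86_64 0:2.0-0.25.20131004git.el7     which.x86_64 0:2.20-7.el7

Dependency Installed:
  acl.x86_64 0:2.2.51-15.el7
  dbus.x86_64 1:1.10.24-15.el7

Complete!'

# Emit one "name status" line per package the log mentions, where status is
# installed (listed under Installed:/Dependency Installed:), present
# (already installed) or missing (yum could not find the name).
yum_log_status() {
    printf '%s\n' "$1" | awk '
        /^Package .* already installed/ {
            n = $2
            sub(/^[0-9]+:/, "", n)          # drop epoch
            sub(/-[^-]*-[^-]*$/, "", n)     # drop -version-release.arch
            print n, "present"; next
        }
        /^No package .* available/ { print $3, "missing"; next }
        /^Installed:/ || /^Dependency Installed:/ { inblock = 1; next }
        /^[ \t]*$/ { inblock = 0 }
        inblock {
            # columns alternate name.arch / version: keep the odd fields
            for (i = 1; i <= NF; i += 2) {
                n = $i; sub(/\.[^.]*$/, "", n); print n, "installed"
            }
        }'
}

# Print each requested package that the log does not account for as
# installed or present. Returns 1 when any is missing, so a CI step
# (or a RUN line ending in "|| exit 1") fails instead of passing silently.
missing_packages() {
    log=$1; shift
    status=$(yum_log_status "$log")
    rc=0
    for pkg in "$@"; do
        found=$(printf '%s\n' "$status" |
            awk -v p="$pkg" '$1 == p && $2 != "missing" { print "ok"; exit }')
        if [ "$found" != "ok" ]; then
            echo "$pkg"
            rc=1
        fi
    done
    return $rc
}

# Same package list as the Dockerfile's yum install line in the issue.
if missing=$(missing_packages "$YUM_LOG" ca-certificates strongswan net-tools which); then
    echo "all requested packages accounted for"
else
    echo "requested but not installed: $missing"
fi
```

In the Dockerfile itself the same idea applies at install time: `yum install -y --setopt=skip_missing_names_on_install=False ...` makes yum exit non-zero for an unknown package name, and an `rpm -q strongswan` step after the install fails the layer if the package is absent.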

mddamato commented 3 years ago

#8 might solve

dweomer commented 3 years ago

@mddamato should we consider using strongswan from k3s-root? see https://github.com/k3s-io/k3s-root/tree/v0.9.1/package/strongswan

dgiebert commented 2 years ago

@dweomer I think using the binary from k3os-root is the better approach, I can create a PR in the next days.

Is there a way to get the executables in a similar manner to this line?

dweomer commented 2 years ago

> @dweomer I think using the binary from k3os-root is the better approach, I can create a PR in the next days.
>
> Is there a way to get the executables in a similar manner to this line?

$ curl -fsSL https://github.com/k3s-io/k3s-root/releases/download/v0.10.1/k3s-root-amd64.tar | tar tv | grep swan
-rwxr-xr-x root/root    934304 2021-11-15 09:10 ./bin/swanctl
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/strongswan.d/
-rw-r--r-- root/root      2105 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon-logging.conf
-rw-r--r-- root/root        65 2021-11-15 09:10 ./etc/strongswan/strongswan.d/pki.conf
-rw-r--r-- root/root       151 2021-11-15 09:10 ./etc/strongswan/strongswan.d/swanctl.conf
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/
-rw-r--r-- root/root       270 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/drbg.conf
-rw-r--r-- root/root       383 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-tls.conf
-rw-r--r-- root/root       131 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/sha1.conf
-rw-r--r-- root/root       147 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-simaka-pseudonym.conf
-rw-r--r-- root/root       346 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-tnc.conf
-rw-r--r-- root/root       131 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/sha2.conf
-rw-r--r-- root/root       879 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-ttls.conf
-rw-r--r-- root/root       139 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-mschapv2.conf
-rw-r--r-- root/root       297 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/updown.conf
-rw-r--r-- root/root      3093 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-radius.conf
-rw-r--r-- root/root       133 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/pkcs12.conf
-rw-r--r-- root/root       131 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/mgf1.conf
-rw-r--r-- root/root       131 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/x509.conf
-rw-r--r-- root/root       130 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/pem.conf
-rw-r--r-- root/root       131 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/hmac.conf
-rw-r--r-- root/root       133 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/pubkey.conf
-rw-r--r-- root/root       144 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-simaka-reauth.conf
-rw-r--r-- root/root       130 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/aes.conf
-rw-r--r-- root/root       269 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-dynamic.conf
-rw-r--r-- root/root       139 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-identity.conf
-rw-r--r-- root/root       130 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/rc2.conf
-rw-r--r-- root/root       132 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/pkcs7.conf
-rw-r--r-- root/root       986 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/stroke.conf
-rw-r--r-- root/root       136 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/tnc-tnccs.conf
-rw-r--r-- root/root       615 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/tnccs-20.conf
-rw-r--r-- root/root       138 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/constraints.conf
-rw-r--r-- root/root       340 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/resolve.conf
-rw-r--r-- root/root       131 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/xcbc.conf
-rw-r--r-- root/root       130 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/md5.conf
-rw-r--r-- root/root       140 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/tnccs-dynamic.conf
-rw-r--r-- root/root       491 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/socket-default.conf
-rw-r--r-- root/root       135 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/counters.conf
-rw-r--r-- root/root       425 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/random.conf
-rw-r--r-- root/root       140 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/xauth-generic.conf
-rw-r--r-- root/root       131 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/cmac.conf
-rw-r--r-- root/root       132 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/pkcs8.conf
-rw-r--r-- root/root      2449 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/kernel-netlink.conf
-rw-r--r-- root/root       132 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/nonce.conf
-rw-r--r-- root/root       133 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/af-alg.conf
-rw-r--r-- root/root       183 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-simaka-sql.conf
-rw-r--r-- root/root       133 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/dnskey.conf
-rw-r--r-- root/root       132 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/pkcs1.conf
-rw-r--r-- root/root       134 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-md5.conf
-rw-r--r-- root/root       283 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/revocation.conf
-rw-r--r-- root/root       164 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-aka.conf
-rw-r--r-- root/root       362 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/attr.conf
-rw-r--r-- root/root       133 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/sshkey.conf
-rw-r--r-- root/root       777 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-peap.conf
-rw-r--r-- root/root       130 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/des.conf
-rw-r--r-- root/root       130 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/pgp.conf
-rw-r--r-- root/root       164 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-sim.conf
-rw-r--r-- root/root       215 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-gtc.conf
-rw-r--r-- root/root       137 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/curve25519.conf
-rw-r--r-- root/root       130 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/gmp.conf
-rw-r--r-- root/root       221 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/vici.conf
-rw-r--r-- root/root       231 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/tnccs-11.conf
-rw-r--r-- root/root       139 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-sim-file.conf
-rw-r--r-- root/root       262 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/eap-aka-3gpp2.conf
-rw-r--r-- root/root       135 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon/fips-prf.conf
-rw-r--r-- root/root       173 2021-11-15 09:10 ./etc/strongswan/strongswan.d/starter.conf
-rw-r--r-- root/root     11396 2021-11-15 09:10 ./etc/strongswan/strongswan.d/charon.conf
-rw-r--r-- root/root       113 2021-11-15 09:10 ./etc/strongswan/strongswan.d/tnc.conf
-rw-r--r-- root/root       281 2021-11-15 09:10 ./etc/strongswan/strongswan.conf
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/pubkey/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/x509crl/
drwxr-x--- root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/private/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/x509ocsp/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/conf.d/
drwxr-x--- root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/pkcs8/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/x509ca/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/x509aa/
-rw-r----- root/root     16058 2021-11-15 09:10 ./etc/strongswan/swanctl/swanctl.conf
drwxr-x--- root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/ecdsa/
drwxr-x--- root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/rsa/
drwxr-x--- root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/pkcs12/
drwxr-x--- root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/bliss/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/x509ac/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/swanctl/x509/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/ipsec.d/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/ipsec.d/crls/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/ipsec.d/reqs/
drwxr-x--- root/root         0 2021-11-15 09:10 ./etc/strongswan/ipsec.d/private/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/ipsec.d/cacerts/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/ipsec.d/certs/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/ipsec.d/acerts/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/ipsec.d/ocspcerts/
drwxr-xr-x root/root         0 2021-11-15 09:10 ./etc/strongswan/ipsec.d/aacerts/
-rw------- root/root        48 2021-11-15 09:10 ./etc/strongswan/ipsec.secrets
-rw-r--r-- root/root       608 2021-11-15 09:10 ./etc/strongswan/ipsec.conf

dgiebert commented 2 years ago

Thank you for the pointer to the files @dweomer

The k3s version, especially the needed charon daemon, seems out of the box not compatible with flannel:

00[LIB] no files found matching '/var/lib/rancher/k3s/agent/strongswan/strongswan.conf'
00[LIB] abort initialization due to invalid configuration

I also tested the PR #8 which in the end did not find the needed binary (charon)

I assume changing the image to alpine is not an option, as this snippet e.g. works and establishes a connection?

FROM alpine:3.15
RUN  apk add --no-cache ca-certificates strongswan net-tools
COPY --from=builder /opt/xtables/bin/ /usr/sbin/
COPY --from=builder /usr/local/bin/ /opt/bin/

manuelbuil commented 2 years ago

Sorry, I missed this issue! Are you running k3s or rke2?

dgiebert commented 2 years ago

Currently running an rke2 cluster, but for the sake of simplicity in terms of flannel switched to wireguard, so probably not going to pursue this any further.