Monday, 25 January 2016

Re: Strongswan merge for Xenial



On Sun, Jan 24, 2016 at 9:38 PM, Simon Deziel <[email protected]> wrote:
Hi Ryan,

Hi Simon,

Thanks for taking a look at this merge.  I really appreciate the help sorting through this merge.
 

On 2016-01-22 11:54 AM, Ryan Harper wrote:
> Hello,
>
> I've been working on merging[1] strongswan from Debian into Ubuntu for
> Xenial.  We've not completed a merge with Debian for some time (Feb 19,
> 2014 was the last time).  Ubuntu has been using version 5.1.2 since then
> but Debian and upstream have moved on.  Ubuntu has collected a large delta
> between Debian and with this merge I'm attempting to reduce the delta to
> ease merging in the future.  In particular, the major change would be to
> no longer create a package per-plugin and instead use the more general
> standard/extra plugin packages as in Debian.  Each plugin has an
> individual conf file which controls settings including whether to load or
> not.  Currently the default template conf files default to loading plugins
> if present;  it's not clear to me if this is a sensible default or if we
> should left them off by default.  Note that Strongswan doesn't currently
> have something akin to apache's a2enmod and a2dismod meaning users will
> need to edit conf as needed.  During this merge, I've also been using a
> git-based merge workflow and the git repo tracking it is available here[3].
>
> Since the delta is large, I want to make sure that we document the changes
> and provide opportunity for users of Strongswan in Ubuntu to provide
> feedback and comments on this merge.  I've updated the package and placed
> it in a PPA[2].

Awesome work!

> The remaining work items are:
>   - Adding in transitional virtual Packages for upgrade from 5.1.2-0ubuntu8
>   - Testing package upgrade

I upgraded one system so far and it went well.

OK.  Do you have any of the plugins installed?
 

>   - Attempting exercise various modes of Strongswan, including the TPM
>   enablement
>   - Continue dropping additional delta no longer needed
>   - Bug fixes (documenting which bugs this merge will resolve)

If you bring in the few changes from [5], almost every bug in LP against
Strongswan should be addressed.

Thanks, I'll go take a look at those changes.
 

> I also plan to discuss many of the Ubuntu changes with Debian maintainers
> to see if we can get some of the changes picked up there as well.

I quickly skimmed Debian bugs and some of them could be closed by
adopting some of the Ubuntu delta:

debian #803787: ntru/bliss support (only ntru is enabled in Ubuntu)
debian #739641: kernel-libipsec support

Great, I'll look at those too.
 

> Below are some of the various changes between 5.1.2-0ubuntu8 and 5.3.5-1
> (Debian) release.
>
>     - In Debian 5.3.5, there are 9 Packages defined in debian/control,
> and in
>     Ubuntu 5.1.2-0ubuntu8 we have 70, mostly due to a binary per plugin
>     in Ubuntu.
>
>     - Ubuntu also enables TNC Client and Server which requires enabling
>     and packaging different binaries and plugins.
>     https://wiki.strongswan.org/projects/1/wiki/TNCC
>
>     - Ubuntu has AppArmor profiles for some binaries
>
>     - Ubuntu updated start/stop scripts to use service instead of
>     invoke-rc.d (may be moot w.r.t systemd for Ubuntu) Debian builds
>     pt-tls-client but without TNC (Debian includes it in
>     libcharon-extra-plugins)
>
>     - Ubuntu enables many additional options/features, including TPM support
>     (with-tss=trousers, libtspi-dev) and smartcard access (libpcsclite-dev)
>
>     - Ubuntu enables (but Debian does not)
>         unbound
>         dnscert
>         ipseckey
>         coupling
>         imv-swid
>         imc-swid
>         tnc-ifmap
>         mysql
>         tnc-pdp
>         load-tester
>         whitelist
>         radattr
>         ntru
>         soup
>         sqlite
>         md4
>         eap-*


The acert plugin seems to be missing in your refreshed package. It was
previously enabled in Ubuntu and the provided functionality seems useful
[6].

OK. Will fix.
 


>     - Debian enables (but Ubuntu does not)
>         ha (needs special kernel as per jpds)
>
>     - Builddeps in Debian (but not Ubuntu)
>         clearsilver-dev
>         libfcgi-dev
>
>     - Other Removals from Debian
>         *logcheck* files (not relevant to StrongSwan per jpds)

The logcheck files are really dated (see debian #787156) and I've
accumulated a few rules on my own. Even at the default log level charon
is very verbose so I think it makes sense to have the package shipping
logcheck rules. I'd be happy to provided those.

Yes please.
 

>     - Ubuntu builds with nostrip for integrity checking (TPM)
>
>     - Ubuntu sets TESTS_REDUCED_KEYLENGTHS to generate smallest length key
>     for tests.
>
>
> Some additional changes which have raised some questions to which I don't
> know the answer; any input is helpful here.
>
>     - Ubuntu drops install of debconf managed
>     /var/lib/strongswan/ipsec.conf.inc
>
>     - Ubuntu force-building dhcp/farp instead of keeping under Linux-only

Debian #640928 says it's to support kFreeBSD. Those plugins require
CAP_NET_BIND_SERVICE and/or CAP_NET_RAW so maybe that's the explanation?

OK, I'll explore.  AFAICT, there's nothing wrong with leaving it how Debian has it; that is
Ubuntu Linux still builds those packages as they are and dropping this delta reduces merge burden.
 

>     - Debian still calls dh_installinit with ipsec vs
>     strongswan
>
>     - dropped Debian's enabling IKEv1 and v2 by default?

Upstream's default when no specific version is configured is to use
IKEv2 when initiating and accept both when responding.

Interesting.  Does that seem reasonable?  I imagine that enabling v1 and v2 means
wider compatibility between client/server?  Is this still worth enabling vs keeping things
more secure (I'm asserting v2 is likely more robust than v1, hence a version 2).
 

>     - Ubuntu systemd file differs from Debian and Upstream.
>
>     - Ubuntu disable ha (claim in changelog says requires special kernel)
>
>     - Ubuntu disables fastcgi (libfcgi)
>
>     - Ubuntu disables clearsilver (as per MIR[4] noted discussion with
> upstream)
>
>
> Upstream changes in Strongswan since 5.1.2 that have an impact on the Ubuntu
> changes we're carrying.
>
>     - libpts dropped in 5.2.1, affects tnc-base
>
>     - no updown_espmark, updown manpage

updown_espmark was apparently created to support kernels < 2.6.16.

The updown man page will probably not be missed because the shell script
is well documented on its own.

OK.  Seems like a reasonable drop due to changes upstream.
 

>     - no openac, replaced with pki --acert command.
>     https://wiki.strongswan.org/projects/strongswan/wiki/OpenAc

If the acert plugin functionality is restored I believe this would be a
non issue.

Right.
 

> 1. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951
> 2. ppa:raharper/merges
> 3. https://code.launchpad.net/~raharper/ubuntu/+source/strongswan/+git/strongswan
> 4. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1266066

Regards,
Simon


5:
https://github.com/simondeziel/ubuntu-strongswan/tree/new/debian_copy_in_old/debian
6: https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiAcert