We only fixed this "by source" as Josh found in comment #1, but I really wanted to see what is going on. So I worked a bit on a repro (which I'd need for an SRU anyway), which is:
0. on a virtual Guest or so
1. Install strongswan (which pulls in libcharon-extra-plugins).
Then edit /etc/strongswan.d/charon/ha.conf to something like:
ha {
load = yes
local = 192.168.122.248
monitor = yes
remote = 192.168.122.94
resync = yes
segment_count = 2
}
With your IP and a peer IP (both KVM guests for me)
sudo iptables -I INPUT -i ens3 -d 10.10.10.10 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:00:20 --total-nodes 2 --local-node 1
As initially reported the deny is on a subtree to the PID now:
AVC apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/11063/net/ipt_CLUSTERIP/" pid=11063 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[LIB] opening directory '/proc/net/ipt_CLUSTERIP' failed: Permission denied
So some weird path remapping takes place and we need the PID path as well (as suggested).
Tested and working - While fixing that I'll spawn also a bug to re-sync both charon profiles (two ways to start it).
Setting this bug to open again.
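An added helper script (not part of this bug report or of the strongswan package) that turns the AVC line quoted above into the AppArmor rule the comment calls for, generalising the /proc/<pid>/ prefix to the standard @{PROC}/@{pid}/ variables, and reports which such rules a profile is still missing. The audit line is the one from the comment; the profile fragment is a constructed stand-in, not the real Ubuntu charon profile.

```shell
#!/bin/sh
# The denial quoted in the bug comment (the only sample input; constructed log file below).
SAMPLE_AVC='AVC apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/11063/net/ipt_CLUSTERIP/" pid=11063 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Constructed stand-in for a charon profile that only allows the non-PID /proc path.
sample_profile() {
  printf '%s\n' '/usr/lib/ipsec/charon {' '  @{PROC}/net/ipt_CLUSTERIP/ r,' '}'
}

# avc_to_rule LINE: print the AppArmor file rule that would satisfy one DENIED line.
# /proc/<pid>/... becomes @{PROC}/@{pid}/... so the rule does not depend on the PID.
avc_to_rule() {
  name=$(printf '%s\n' "$1" | sed -n 's/.* name="\([^"]*\)".*/\1/p')
  mask=$(printf '%s\n' "$1" | sed -n 's/.* denied_mask="\([^"]*\)".*/\1/p')
  [ -n "$name" ] && [ -n "$mask" ] || return 1
  path=$(printf '%s\n' "$name" | sed -e 's#^/proc/[0-9][0-9]*/#@{PROC}/@{pid}/#' \
                                     -e 's#^/proc/#@{PROC}/#')
  printf '%s %s,\n' "$path" "$mask"
}

# profile_has_rule PROFILE_FILE RULE: exact (fixed-string) match of the rule line.
profile_has_rule() {
  grep -qF -- "$2" "$1"
}

# missing_rules LOG_FILE PROFILE_FILE PROFILE_NAME: rules implied by DENIED lines for
# PROFILE_NAME that PROFILE_FILE does not yet contain, one per line, deduplicated.
missing_rules() {
  grep -F "profile=\"$3\"" "$1" | grep -F 'apparmor="DENIED"' | while IFS= read -r l; do
    rule=$(avc_to_rule "$l") || continue
    profile_has_rule "$2" "$rule" || printf '%s\n' "$rule"
  done | sort -u
}

# Stand-alone demo: prints "@{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,"
avc_to_rule "$SAMPLE_AVC"
```

Point missing_rules at /var/log/audit/audit.log (or the kernel log) and the installed profile to list the rules a denial run still needs.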