← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1253681] Re: Newly-created VPNaaS objects remain in PENDING_CREATE because neutron vpn agent is unauthorized to run openswan's ipsec command

 

Ohh, thanks for the pointer, now I see the
${neutron_git}/etc/neutron/rootwrap.d/vpnaas.filters and it solves this
issue, closing this bug.

** Changed in: neutron
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1253681

Title:
  Newly-created VPNaaS objects remain in PENDING_CREATE because neutron
  vpn agent is unauthorized to run openswan's ipsec command

Status in OpenStack Neutron (virtual network service):
  Invalid

Bug description:
  Version
  =======
  Havana on rhel

  Description
  ===========
  I've created ike and ipsec policies, vpn service and ipsec site connections with almost all params set as default, it seems like the neutron vpn agent fails to run the openswan's ipsec command, the vpn service and the ipsec site connections remain in PENDING_CREATE status:

  
  2013-11-21 17:15:15.526 6112 WARNING neutron.context [-] Arguments dropped when creating context: {'project_id': u'1532b0139c4f49298dee924500761e6d'}
  2013-11-21 17:15:16.635 6112 ERROR neutron.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router e8b2c574-0b11-4c96-bed4-731ae6cf0a90
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Traceback (most recent call last):
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 241, in enable
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec     self.start()
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 382, in start
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec     '--virtual_private', virtual_private
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 311, in _execute
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec     check_exit_code=check_exit_code)
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.6/site-packages/neutron/agent/linux/ip_lib.py", line 458, in execute
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec     check_exit_code=check_exit_code)
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.6/site-packages/neutron/agent/linux/utils.py", line 62, in execute
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec RuntimeError: 
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-e8b2c574-0b11-4c96-bed4-731ae6cf0a90', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc/ipsec.secrets', '--virtual_private', '%v4:10.35.214.0/24,%v4:10.35.214.0/24']
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Exit code: 99
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Stdout: ''
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: '/usr/bin/neutron-rootwrap: Unauthorized command: ip netns exec qrouter-e8b2c574-0b11-4c96-bed4-731ae6cf0a90 ipsec pluto --ctlbase /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc --use-netkey --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc/ipsec.secrets --virtual_private %v4:10.35.214.0/24,%v4:10.35.214.0/24 (no filter matched)\n'
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1253681/+subscriptions