yahoo-eng-team team mailing list archive

[Bug 1444017] [NEW] [VPNaas] NSS init failing for libreswan

 

Public bug reported:

I am running devstack on Fedora. VPNaas is not working on Fedora/centos
devstack.

"neutron ipsec-site-connection-create" command is failing

q-vpn log -
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-250faac2-167b-4861-9d0c-b5710bf02ee2', 'ipsec', 'pluto', '--ctlbase', '/opt/stack/data/neutron/ipsec/250faac2-167b-4861-9d0c-b5710bf02ee2/var/run/pluto', '--ipsecdir', '/opt/stack/data/neutron/ipsec/250faac2-167b-4861-9d0c-b5710bf02ee2/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/opt/stack/data/neutron/ipsec/250faac2-167b-4861-9d0c-b5710bf02ee2/etc/ipsec.secrets', '--virtual_private', '%v4:10.1.0.0/24,%v4:10.2.0.0/24', '--stderrlog']

FATAL: NSS readonly initialization ("/opt/stack/data/neutron/ipsec/250faac2-167b-4861-9d0c-b5710bf02ee2/etc") failed (err -8015)

Because of this error, the pluto daemon is not running.
So VPNaas is not working on Fedora/centos devstack.

Fedora/centos uses Libreswan for ipsec.

From the wiki - "Libreswan is a fork of the Openswan IPSEC VPN
implementation created by almost all of the openswan developers after a
lawsuit about the ownership of the Openswan name was filed against Paul
Wouters, then release manager of Openswan, in December 2012."

** Affects: neutron
     Importance: Undecided
     Assignee: venkata anil (anil-venkata)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => venkata anil (anil-venkata)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1444017

Title:
  [VPNaas] NSS init failing for libreswan

Status in OpenStack Neutron (virtual network service):
  New
