yahoo-eng-team team mailing list archive
Message #39581
[Bug 1502322] [NEW] Ownership of ipsec.secrets causes problems on agent restart
Public bug reported:
LibreSwan requires that a connection's ipsec.secrets be owned by root.
This was handled in a recent patch. However, normal code flow in
neutron-vpnaas recreates the file on agent restart, which it fails to do
because the file is now owned by root and it can't overwrite it.
The chown operation will also fail the rootwrap match, because the file
will be left over from the previous run and owned by root rather than by
the neutron service user.
Example log file entry:
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager   File "/usr/lib/python2.7/site-packages/neutron/callbacks/manager.py", line 143, in _notify_loop
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager     callback(resource, event, trigger, **kwargs)
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/vpn_service.py", line 68, in router_added_actions
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager     device_driver.sync(l3_agent.context, [router.router])
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager   File "/usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py", line 445, in inner
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager     return f(*args, **kwargs)
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 806, in sync
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager     self._sync_vpn_processes(vpnservices, sync_router_ids)
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 822, in _sync_vpn_processes
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager     process.update()
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 233, in update
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager     self.enable()
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 251, in enable
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager     self.ensure_configs()
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py", line 61, in ensure_configs
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager     super(LibreSwanProcess, self).ensure_configs()
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 347, in ensure_configs
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager     self.vpnservice)
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 177, in ensure_config_file
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager     utils.replace_file(config_file_name, config_str)
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 167, in replace_file
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager     tmp_file = tempfile.NamedTemporaryFile('w+', dir=base_dir, delete=False)
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager   File "/usr/lib64/python2.7/tempfile.py", line 458, in NamedTemporaryFile
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager     (fd, name) = _mkstemp_inner(dir, prefix, suffix, flags)
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager   File "/usr/lib64/python2.7/tempfile.py", line 239, in _mkstemp_inner
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager     fd = _os.open(file, flags, 0600)
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager   File "/usr/lib/python2.7/site-packages/eventlet/green/os.py", line 109, in open
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager     fd = __original_open__(file, flags, mode)
2015-10-02 14:28:52.605 20843 TRACE neutron.callbacks.manager OSError: [Errno 13] Permission denied: '/var/lib/neutron/ipsec/64ed0fc3-0f26-4ed9-93bf-50e205349b4f/etc/tmpuNcM0p'
** Affects: neutron
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1502322
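Added example (not code from neutron-vpnaas or from the bug reporter): a small Python 3 script that mirrors the temp-file-plus-rename pattern replace_file uses, and adds a pre-flight check that reports which Unix permission precondition a given uid/gid would violate when recreating and then chown-ing a secrets file. The function names atomic_replace and diagnose_replace, the uid 4242 and the sample directory layout are this example's own assumptions; the permission check is a simplified DAC model (no supplementary groups, ACLs or capabilities other than uid 0).

```python
"""
Illustration of the failure mode in bug 1502322 (example code, not neutron's):
replace_file() creates a temporary file in the target's directory and renames it
over the target, so recreating ipsec.secrets needs write access on the directory,
while chown()/chmod() on the existing file additionally require owning it.
"""
import os
import stat
import tempfile


def atomic_replace(path, content, mode=0o600):
    """Write `content` to `path` via temp file + rename, the same pattern as
    neutron.agent.linux.utils.replace_file.  Assumption: POSIX filesystem, temp
    file and target on the same mount, so os.replace() is atomic."""
    base_dir = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=base_dir, prefix=".tmp-")  # created 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # never leave a half-written secrets file behind
        raise
    return path


def _has_perm(st, uid, gid, user_bit, group_bit, other_bit):
    """Classic owner/group/other DAC check; uid 0 bypasses it.
    Simplification: supplementary groups and ACLs are ignored."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid == gid:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def diagnose_replace(path, euid=None, egid=None):
    """Return the reasons a process running as (euid, egid) could not recreate
    `path` with atomic_replace() and then chown it.  Defaults to the caller's
    ids; pass other ids to ask "what would the neutron service user see?"."""
    euid = os.geteuid() if euid is None else euid
    egid = os.getegid() if egid is None else egid
    problems = []
    base_dir = os.path.dirname(os.path.abspath(path))
    dst = os.stat(base_dir)

    # mkstemp() and rename() both need write + search permission on the directory
    writable = _has_perm(dst, euid, egid, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    searchable = _has_perm(dst, euid, egid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
    if not (writable and searchable):
        problems.append("directory %s is not writable by uid %d: mkstemp() in it "
                        "fails with EACCES" % (base_dir, euid))

    if os.path.lexists(path) and euid != 0:
        fst = os.lstat(path)
        if fst.st_uid != euid:
            problems.append("%s is owned by uid %d, not uid %d: chown()/chmod() on it "
                            "need ownership (or CAP_CHOWN/CAP_FOWNER)"
                            % (path, fst.st_uid, euid))
            # sticky directory: rename() over another user's file is refused
            if dst.st_mode & stat.S_ISVTX and dst.st_uid != euid:
                problems.append("%s is sticky: rename() over a file owned by uid %d "
                                "is refused" % (base_dir, fst.st_uid))
    return problems


if __name__ == "__main__":
    # Constructed sample layout mirroring /var/lib/neutron/ipsec/<router-id>/etc
    work = tempfile.mkdtemp(prefix="ipsec-demo-")
    secrets = os.path.join(work, "etc", "ipsec.secrets")
    os.makedirs(os.path.dirname(secrets))
    atomic_replace(secrets, "# constructed sample, no real secrets\n")
    print("as this user:", diagnose_replace(secrets) or "ok")
    # Ask what a different, non-root service user (assumed uid/gid 4242) would hit
    print("as uid 4242:", diagnose_replace(secrets, euid=4242, egid=4242))
```

Run as the neutron service user against a router's etc/ directory, the check separates the two preconditions involved: creating the temporary file needs write access on the directory, while chown or chmod on the existing ipsec.secrets needs ownership of the file, which is exactly what a root-owned leftover from the previous run takes away.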