
yahoo-eng-team team mailing list archive

[Bug 1507672] [NEW] [VPNaaS] failures when updating admin_state of ipsec connections

 

Public bug reported:

When updating admin_state of a functioning ipsec connection to DOWN, it
can be seen in vpn agent logs that pluto fails to restart with the
following error:

2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-c758b05b-72fe-4cad-b6a3-696fa0741ed8', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.2', '--config', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc/ipsec.conf', u'2d87fe22-47f4-4e37-a172-39990942db79']
2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 1
2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: conn '2d87fe22-47f4-4e37-a172-39990942db79': not found (tried aliases)

(http://paste.openstack.org/show/476720/)

And, if we try to update the connection's admin_state to UP, pluto doesn't
start at all due to a conflict with an already existing process:

2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-c758b05b-72fe-4cad-b6a3-696fa0741ed8', 'ipsec', 'pluto', '--ctlbase', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto', '--ipsecdir', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc/ipsec.secrets', '--virtual_private', u'%v4:10.0.2.0/24,%v4:10.0.1.0/24']
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 10
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout:
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: adjusting ipsec.d to /opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec pluto: lock file "/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto.pid" already exists

(http://paste.openstack.org/show/476722/)

The reason is that the given connection wasn't included in ipsec.conf
because it had admin_state_up=False [1]. We have to skip loading such
connections into pluto on start.

[1] https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template#L8

** Affects: neutron
     Importance: Undecided
     Assignee: Elena Ezhova (eezhova)
         Status: New


** Tags: vpnaas

** Tags added: vpnaas

** Changed in: neutron
     Assignee: (unassigned) => Elena Ezhova (eezhova)

** Description changed:

- When updating admin_state of functioning ipsec connection to DOWN, it
+ When updating admin_state of a functioning ipsec connection to DOWN, it
  can be seen in vpn agent logs that pluto fails to restart with the
  following error:
  
  2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-c758b05b-72fe-4cad-b6a3-696fa0741ed8', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.2', '--config', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc/ipsec.conf', u'2d87fe22-47f4-4e37-a172-39990942db79']
  2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 1
  2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
  2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: conn '2d87fe22-47f4-4e37-a172-39990942db79': not found (tried aliases)
  
  (http://paste.openstack.org/show/476720/)
  
  And, if we try to update connection's admin_state to UP, pluto doesn't
  start at all due conflict with already existing process:
  
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-c758b05b-72fe-4cad-b6a3-696fa0741ed8', 'ipsec', 'pluto', '--ctlbase', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto', '--ipsecdir', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc/ipsec.secrets', '--virtual_private', u'%v4:10.0.2.0/24,%v4:10.0.1.0/24']
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 10
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout:
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: adjusting ipsec.d to /opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec pluto: lock file "/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto.pid" already exists
  
  (http://paste.openstack.org/show/476722/)
  
- 
- The reason is that given connection wasn't included into ipsec.conf because it had admin_state_up=False [1]. We have to skip loading such connections into pluto on start.
+ The reason is that given connection wasn't included into ipsec.conf
+ because it had admin_state_up=False [1]. We have to skip loading such
+ connections into pluto on start.
  
  [1] https://github.com/openstack/neutron-
  vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template#L8

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1507672
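
The root cause and fix described in the report, sketched as an added example (not neutron-vpnaas code and not part of the original report): the config is rendered only for connections with admin_state_up=True, so the set handed to `ipsec addconn` has to be filtered the same way. Function names, connection ids, addresses and paths are constructed for illustration.

```python
# Added illustration; all names here are hypothetical, not neutron-vpnaas code.

# Constructed sample data: two site connections on one router, one disabled.
CONNECTIONS = [
    {"id": "conn-up-0001", "admin_state_up": True, "peer": "198.51.100.10"},
    {"id": "conn-down-0002", "admin_state_up": False, "peer": "198.51.100.20"},
]
CTL = "/run/example/pluto.ctl"      # constructed path
CONF = "/run/example/ipsec.conf"    # constructed path


def render_conn_sections(connections):
    """Emit a 'conn' section only for enabled connections, which is what the
    report says the ipsec.conf template does."""
    return "\n".join(
        "conn %s\n    right=%s\n    auto=start\n" % (c["id"], c["peer"])
        for c in connections if c["admin_state_up"])


def configured_ids(conf_text):
    """Connection names that actually appear in the rendered config."""
    return {line.split()[1] for line in conf_text.splitlines()
            if line.startswith("conn ") and len(line.split()) > 1}


def addconn_argv(conn_id):
    """Argument list in the shape of the 'ipsec addconn' call in the log."""
    return ["ipsec", "addconn", "--ctlbase", CTL, "--config", CONF, conn_id]


def plan_addconn(connections, conf_text, skip_disabled):
    """Return (commands, would_fail): the addconn commands that would run and
    the ids addconn would reject as 'not found' in the config."""
    present = configured_ids(conf_text)
    commands, would_fail = [], []
    for conn in connections:
        if skip_disabled and not conn["admin_state_up"]:
            continue  # the fix: never load a connection the config omits
        commands.append(addconn_argv(conn["id"]))
        if conn["id"] not in present:
            would_fail.append(conn["id"])
    return commands, would_fail


if __name__ == "__main__":
    conf = render_conn_sections(CONNECTIONS)
    print("before fix:", plan_addconn(CONNECTIONS, conf, skip_disabled=False)[1])
    print("after fix: ", plan_addconn(CONNECTIONS, conf, skip_disabled=True)[1])
```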
