
yahoo-eng-team team mailing list archive

[Bug 1507672] Re: [VPNaaS] failures when updating admin_state of ipsec connections

 

** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1507672

Title:
  [VPNaaS] failures when updating admin_state of ipsec connections

Status in neutron:
  Fix Released

Bug description:
  When updating admin_state of a functioning ipsec connection to DOWN,
  it can be seen in vpn agent logs that pluto fails to restart with the
  following error:

  2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-c758b05b-72fe-4cad-b6a3-696fa0741ed8', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.2', '--config', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc/ipsec.conf', u'2d87fe22-47f4-4e37-a172-39990942db79']
  2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 1
  2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
  2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: conn '2d87fe22-47f4-4e37-a172-39990942db79': not found (tried aliases)

  (http://paste.openstack.org/show/476720/)

  And if we try to update the connection's admin_state to UP, pluto doesn't
  start at all due to a conflict with the already existing process:

  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-c758b05b-72fe-4cad-b6a3-696fa0741ed8', 'ipsec', 'pluto', '--ctlbase', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto', '--ipsecdir', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc/ipsec.secrets', '--virtual_private', u'%v4:10.0.2.0/24,%v4:10.0.1.0/24']
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 10
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout:
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: adjusting ipsec.d to /opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec pluto: lock file "/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto.pid" already exists

  (http://paste.openstack.org/show/476722/)

  The reason is that the given connection wasn't included in ipsec.conf
  because it had admin_state_up=False [1]. We have to skip loading such
  connections into pluto on start.

  [1] https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template#L8

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1507672/+subscriptions
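
Added example (not part of the bug report and not neutron-vpnaas code): a simplified model of the mismatch described above, where the config template omits admin-down connections but the loader still passes them to addconn. The function names, connection ids and peer addresses are constructed for illustration.

```python
# Added illustration; a simplified model, not neutron-vpnaas code.
import re

# Constructed sample data: one enabled and one disabled site connection.
CONNECTIONS = [
    {"id": "conn-up-0001", "admin_state_up": True, "peer": "203.0.113.10"},
    {"id": "conn-down-0002", "admin_state_up": False, "peer": "203.0.113.20"},
]


def render_ipsec_conf(connections):
    """Mimic the template: only admin_state_up connections get a section."""
    lines = ["config setup"]
    for conn in connections:
        if conn["admin_state_up"]:
            lines += ["conn %s" % conn["id"], "    right=%s" % conn["peer"]]
    return "\n".join(lines) + "\n"


def addconn(conf_text, conn_id):
    """Stand-in for `ipsec addconn`: fails if the conn section is absent."""
    defined = re.findall(r"^conn (\S+)$", conf_text, flags=re.M)
    if conn_id in defined:
        return 0, ""
    return 1, "conn '%s': not found (tried aliases)" % conn_id


def load_all(connections, conf_text):
    """Behaviour from the report: every connection is passed to addconn."""
    return {c["id"]: addconn(conf_text, c["id"]) for c in connections}


def load_enabled(connections, conf_text):
    """Proposed behaviour: skip connections that were left out of the config."""
    return {c["id"]: addconn(conf_text, c["id"])
            for c in connections if c["admin_state_up"]}


if __name__ == "__main__":
    conf = render_ipsec_conf(CONNECTIONS)
    print(load_all(CONNECTIONS, conf))      # admin-down conn exits with 1
    print(load_enabled(CONNECTIONS, conf))  # only the enabled conn is loaded
```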

