yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #42494
[Bug 1507672] Re: [VPNaaS] failures when updating admin_state of ipsec connections
** Changed in: neutron
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1507672
Title:
[VPNaaS] failures when updating admin_state of ipsec connections
Status in neutron:
Fix Released
Bug description:
When updating admin_state of a functioning ipsec connection to DOWN,
it can be seen in vpn agent logs that pluto fails to restart with the
following error:
2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-c758b05b-72fe-4cad-b6a3-696fa0741ed8', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.2', '--config', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc/ipsec.conf', u'2d87fe22-47f4-4e37-a172-39990942db79']
2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 1
2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: conn '2d87fe22-47f4-4e37-a172-39990942db79': not found (tried aliases)
(http://paste.openstack.org/show/476720/)
And, if we try to update connection's admin_state to UP, pluto doesn't
start at all due conflict with already existing process:
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-c758b05b-72fe-4cad-b6a3-696fa0741ed8', 'ipsec', 'pluto', '--ctlbase', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto', '--ipsecdir', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc/ipsec.secrets', '--virtual_private', u'%v4:10.0.2.0/24,%v4:10.0.1.0/24']
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 10
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout:
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: adjusting ipsec.d to /opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec pluto: lock file "/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto.pid" already exists
(http://paste.openstack.org/show/476722/)
The reason is that given connection wasn't included into ipsec.conf
because it had admin_state_up=False [1]. We have to skip loading such
connections into pluto on start.
[1] https://github.com/openstack/neutron-
vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template#L8
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1507672/+subscriptions
References