yahoo-eng-team team mailing list archive
Message #49554
[Bug 1571455] [NEW] VPNaaS: pluto should not be restarted when neutron-vpn-agent restart
Public bug reported:
Currently, the openswan/libreswan pluto process in each router ns will be
restarted when neutron-vpn-agent restarts, because there is no reload
command which is supported in strongswan.
This is not good, because it will impact the VPN traffic when vpn-agent
restarts.
Solution:
Each time after pluto starts, let's keep backup configuration files for ipsec.conf & ipsec.secrets, named ipsec.conf.old & ipsec.secrets.old.
Then when a restart is required, let's check whether the configurations have changed; if not, the restart can be skipped.
This way, we can simulate a reload method and avoid restarting pluto when vpn-agent restarts.
The following is captured from the current devstack setup; we can see the pluto process id changed after the vpn-agent restart:
stack@VPN-dev-nick:~$ps ax | grep ctlbase
21683 ? Ss 0:00 /usr/lib/ipsec/pluto --ctlbase /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/var/run/pluto --ipsecdir /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/etc --use-netkey --uniqueids --nat_traversal --secretsfile /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/etc/ipsec.secrets --virtual_private %v4:192.168.1.0/24,%v4:192.168.2.0/24
RESTART NEUTRON-VPN-AGENT, CHECK AGAIN:
stack@VPN-dev-nick:~$ps ax | grep ctlbase
22206 ? Ss 0:00 /usr/lib/ipsec/pluto --ctlbase /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/var/run/pluto --ipsecdir /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/etc --use-netkey --uniqueids --nat_traversal --secretsfile /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/etc/ipsec.secrets --virtual_private %v4:192.168.1.0/24,%v4:192.168.2.0/24
** Affects: neutron
Importance: Undecided
Assignee: Yi Jing Zhu (nick-zhuyj)
Status: New
** Tags: vpnaas
** Changed in: neutron
Assignee: (unassigned) => Yi Jing Zhu (nick-zhuyj)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1571455
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1571455/+subscriptions
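The compare-before-restart check proposed in the report, written as an added example; it is not code from neutron-vpnaas or from the reporter. The function names and the `pluto_running` argument are assumptions, and the sample files are constructed. Because ipsec.secrets.old holds the same pre-shared keys as ipsec.secrets, the backup is created with mode 0600.

```python
import os
import stat
import tempfile
from pathlib import Path

CONFIG_FILES = ("ipsec.conf", "ipsec.secrets")  # file names from the bug report


def restart_needed(etc_dir, pluto_running):
    """Return True unless pluto is up and every config equals its .old backup."""
    if not pluto_running:  # assumption: caller has checked the pluto process
        return True
    for name in CONFIG_FILES:
        try:
            current = Path(etc_dir, name).read_bytes()
            if current != Path(etc_dir, name + ".old").read_bytes():
                return True
        except FileNotFoundError:  # first start, or a backup was removed
            return True
    return False


def save_backups(etc_dir):
    """Call once pluto has started with the files currently in etc_dir."""
    for name in CONFIG_FILES:
        # mkstemp creates the copy with mode 0600, so the backed-up PSKs
        # are never readable by other users
        fd, tmp = tempfile.mkstemp(dir=etc_dir, prefix=name + ".")
        with os.fdopen(fd, "wb") as dst:
            dst.write(Path(etc_dir, name).read_bytes())
        os.replace(tmp, Path(etc_dir, name + ".old"))  # atomic rename


def demo():
    """Run the decision over constructed sample files; returns each result."""
    with tempfile.TemporaryDirectory() as etc:
        Path(etc, "ipsec.conf").write_bytes(b"conn demo\n")
        Path(etc, "ipsec.secrets").write_bytes(b': PSK "constructed"\n')
        first = restart_needed(etc, True)      # no backups yet
        save_backups(etc)
        unchanged = restart_needed(etc, True)  # agent restart, same config
        dead = restart_needed(etc, False)      # same config, but pluto is gone
        Path(etc, "ipsec.secrets").write_bytes(b': PSK "constructed-new"\n')
        changed = restart_needed(etc, True)    # secret changed
        old = os.stat(Path(etc, "ipsec.secrets.old"))
        return first, unchanged, dead, changed, stat.S_IMODE(old.st_mode)


if __name__ == "__main__":
    print(demo())
```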