
yahoo-eng-team team mailing list archive

[Bug 1571455] Re: VPNaaS: pluto should not be restarted when neutron-vpn-agent restart

 

Reviewed:  https://review.openstack.org/306899
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=814e3f0c7d7bd8b44be61d8badf127b1c60debbc
Submitter: Jenkins
Branch:    master

commit 814e3f0c7d7bd8b44be61d8badf127b1c60debbc
Author: nick.zhuyj <nick.zhuyj@xxxxxxxxxx>
Date:   Sun Apr 17 21:59:46 2016 -0500

    Openswan/Libreswan: Check config changes before restart
    
    Currently, when neutron-vpn-agent restarts, all the pluto processes in
    the router ns are restarted too. But this is not actually required
    and impacts the VPN traffic. In this patch, we keep a backup of
    ipsec.conf and ipsec.secrets, and then compare the configurations
    on restart; if there are no config changes, the restart can be skipped.
    
    Note: this change is DocImpact
    
    Change-Id: I5a7fae909cb56721bd7e4d42999356c7f7464358
    Closes-Bug: #1571455


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1571455

Title:
  VPNaaS: pluto should not be restarted when neutron-vpn-agent restart

Status in neutron:
  Fix Released

Bug description:
  Currently, the openswan/libreswan pluto process in each router ns is
  restarted when neutron-vpn-agent restarts, because there is no reload
  command, which is supported in strongswan.

  This is not good, because it impacts the VPN traffic when vpn-agent
  restarts.

  Solution:
  Each time after pluto starts, let's keep backup configuration files for ipsec.conf & ipsec.secrets, named ipsec.conf.old & ipsec.secrets.old.
  Then when a restart is required, let's check whether the configurations have changed; if not, the restart can be skipped.
  This way, we can simulate a reload method and avoid restarting pluto when vpn-agent restarts.

  
  The following was captured from the current devstack setup; we can see the pluto process id changed after the vpn-agent restart:

  stack@VPN-dev-nick:~$ps ax | grep ctlbase
  21683 ?        Ss     0:00 /usr/lib/ipsec/pluto --ctlbase /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/var/run/pluto --ipsecdir /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/etc --use-netkey --uniqueids --nat_traversal --secretsfile /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/etc/ipsec.secrets --virtual_private %v4:192.168.1.0/24,%v4:192.168.2.0/24

  
  RESTART NEUTRON-VPN-AGENT, CHECK AGAIN:

  stack@VPN-dev-nick:~$ps ax | grep ctlbase
  22206 ?        Ss     0:00 /usr/lib/ipsec/pluto --ctlbase /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/var/run/pluto --ipsecdir /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/etc --use-netkey --uniqueids --nat_traversal --secretsfile /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/etc/ipsec.secrets --virtual_private %v4:192.168.1.0/24,%v4:192.168.2.0/24

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1571455/+subscriptions
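
The compare-before-restart check described in the bug report, as an added example that is not part of the original message and not the neutron-vpnaas code. The function names and the `restart` callable are hypothetical; writing the backups with mode 0600 is an assumption made here because ipsec.secrets holds pre-shared keys.

```python
import filecmp
import os
import shutil
import tempfile

# File names come from the bug description; the function names are hypothetical.
CONFIG_FILES = ("ipsec.conf", "ipsec.secrets")


def config_changed(etc_dir):
    """Return True if any config differs from its .old backup (or has none)."""
    for name in CONFIG_FILES:
        current = os.path.join(etc_dir, name)
        backup = current + ".old"
        if not os.path.isfile(current) or not os.path.isfile(backup):
            return True  # no baseline to compare against: restart to be safe
        # shallow=False compares the bytes; the default would report "equal"
        # whenever size and mtime happen to match.
        if not filecmp.cmp(current, backup, shallow=False):
            return True
    return False


def save_backups(etc_dir):
    """Call after pluto has started successfully with the current config."""
    for name in CONFIG_FILES:
        current = os.path.join(etc_dir, name)
        # mkstemp creates the file with mode 0600, so the copy of the
        # pre-shared keys is never readable by other users; os.replace then
        # swaps it into place atomically.
        fd, tmp = tempfile.mkstemp(dir=etc_dir, prefix=name + ".")
        with os.fdopen(fd, "wb") as dst, open(current, "rb") as src:
            shutil.copyfileobj(src, dst)
        os.replace(tmp, current + ".old")


def restart_if_needed(etc_dir, restart):
    """Run restart() only when the config changed; return whether it ran."""
    if not config_changed(etc_dir):
        return False
    restart()
    save_backups(etc_dir)
    return True
```

The backups are refreshed only after `restart()` returns, so a failed start leaves the old baseline in place and the next attempt restarts again.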

