yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #58794
[Bug 1549295] Re: Strongswan Driver is not getting invoked 1+1 Node setup on Liberty/ Ubuntu 14.04
http://lists.openstack.org/pipermail/openstack-
dev/2016-November/107384.html
** Changed in: neutron
Status: New => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1549295
Title:
Strongswan Driver is not getting invoked 1+1 Node setup on Liberty/
Ubuntu 14.04
Status in neutron:
Won't Fix
Bug description:
We are trying to configure the vpn tunnels with strongswan. We are
getting the following error :
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Failed to enable vpn process on router 224f2a11-affc-48cb-beb8-93dceb8d7a3e
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 260, in enable
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec self.start()
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 436, in start
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec self._execute(cmd)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 341, in _execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec extra_ok_codes=extra_ok_codes)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/ip_lib.py", line 816, in execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec extra_ok_codes=extra_ok_codes, **kwargs)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 159, in execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec raise RuntimeError(m)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24']
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 2
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec
2016-02-24 10:02:13.700 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2
We were able to configure the tunnels with openswan(after uninstalling
strongswan and making configuration changes for openswan) with the
same setup. With strongswan(after uninstalling Openswan and making
configuration changes for strongswan driver) , the tunnels remain in
PENDING_CREATE state and do not become ACTIVE.
We have the following configuration:
1. We have openstack (liberty) installed on the ubuntu 14.04LTS on 1+1 node setup and we are trying to create IKEv1 and IKEv2 tunnels between 2 openstack public clouds.
2. We have installed neutron_vpn-agent along with strongswan package
Output of dpkg list for strongswan pakages.
-------------------------------------------------------------------------
root@controller:/var/log/neutron# dpkg -l | grep -i strongswan
ii libstrongswan 5.1.2-0ubuntu2.4 amd64 strongSwan utility and crypto library
ii strongswan 5.1.2-0ubuntu2.4 all IPsec VPN solution metapackage
ii strongswan-ike 5.1.2-0ubuntu2.4 amd64 strongSwan Internet Key Exchange (v2) daemon
ii strongswan-plugin-openssl 5.1.2-0ubuntu2.4 amd64 strongSwan plugin for OpenSSL
ii strongswan-starter 5.1.2-0ubuntu2.4 amd64 strongSwan daemon starter and configuration file parser
Output of dpkg list for neutron-vpn-agent
-----------------------------------------------------------------------
root@controller:/var/log/neutron# dpkg -l | grep -i vpn-agent
ii neutron-vpn-agent 2:7.0.0-0ubuntu1~cloud0 all Neutron is a virtual network service for Openstack - VPN agent
3. The nova-service list and neutron service list are all up and running.
Output of nova service-list
root@controller:/var/log/neutron# nova service-list
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
| Id | Binary | Host | Zone | Status | State | Updated_at | Disabled Reason |
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
| 1 | nova-cert | controller | internal | enabled | up | 2016-02-24T05:42:34.000000 | - |
| 2 | nova-consoleauth | controller | internal | enabled | up | 2016-02-24T05:42:34.000000 | - |
| 3 | nova-scheduler | controller | internal | enabled | up | 2016-02-24T05:42:38.000000 | - |
| 4 | nova-conductor | controller | internal | enabled | up | 2016-02-24T05:42:41.000000 | - |
| 7 | nova-compute | compute | nova | enabled | up | 2016-02-24T05:42:35.000000 | - |
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
Output of neutron agent-list
root@controller:/var/log/neutron# neutron agent-list
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| id | agent_type | host | alive | admin_state_up | binary |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| 0b2327b7-12b6-425f-af8d-3fe637106d19 | DHCP agent | controller | :-) | True | neutron-dhcp-agent |
| 21acf20a-7c20-48ee-b79a-fe6df7c84c69 | Linux bridge agent | controller | :-) | True | neutron-linuxbridge-agent |
| 8878cfd5-81e6-4094-94d0-c54930f04acb | Metadata agent | controller | :-) | True | neutron-metadata-agent |
| c1a819d8-81be-423c-a60e-ac4b36cf7d4f | L3 agent | controller | :-) | True | neutron-vpn-agent |
| c59f8895-082d-4f41-a1d9-71fb74ec81ff | Loadbalancer agent | controller | :-) | True | neutron-lbaas-agent |
| e4bf21cf-48c9-4cdd-a02c-b63e02ec740c | Linux bridge agent | compute | :-) | True | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
Note:
As per our observation, strongswan 5.1.x does not have separate pluto interface for IKEv1 policies. It's single binary Charon takes cares of
both IKEv1 and IKEv2 policies. However, it appears to us, that somehow strongswan driver(despite the 5.1.X) is still dependent on pluto interface.
This is the reason we are getiing message "unknown IPsec command `pluto'" since no pluto is present in 5.1.x.
Ideally both IKEv1 and IKEv2 policies should be allowed to be processed independently by strongswan driver with any dependency on openswan.
Please let us know if we are missing something and configuring something wrong.
Other configuration/logs information given below
======================================================================================================
vpn_agent.ini Configuration file given as follows
----------------------------------------------------
[DEFAULT]
# VPN-Agent configuration file
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
debug=True
[vpnagent]
# vpn device drivers which vpn agent will use
# If we want to use multiple drivers, we need to define this option multiple times.
# NOTE: StrongSwan and openSwan cannot be installed at the same time. Thus, both cannot
# be enabled for use. In the future when flavors/STF support is available,
# this will still constrain the flavors which can be used together.
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.ipsec.OpenSwanDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.vyatta_ipsec.VyattaIPSecDriver
vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.fedora_strongswan_ipsec.FedoraStrongSwanDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver
# vpn_device_driver=another_driver
[ipsec]
# Status check interval
# ipsec_status_check_interval=60
# Enable detail logging for ipsec pluto process.
# If the flag set to True, the detailed logging will
# be written into config_base_dir/<pid>/logs."
# NOTE: this applies to OpenSwan and Libraswan, and
# that StrongSwan has logging that logs to syslog.
# enable_detailed_logging=False
[strongswan]
# For fedora use:
# default_config_area=/usr/share/strongswan/templates/config/strongswan.d
# Default is for ubuntu use, /etc/strongswan.d
# default_config_area=/etc/strongswan.d
[libreswan]
# Initial interval in seconds for checking if pluto daemon is shutdown
# shutdown_check_timeout=1
#
# The maximum number of retries for checking for pluto daemon shutdown
# shutdown_check_retries=5
#
# A factor to increase the retry interval for each retry
# shutdown_check_back_off=1.5
============================================================================================================================
vpnaas_filter file given as follows
-----------------------------------------------------------------------------
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
strongswan: CommandFilter, strongswan, root
ipsec: CommandFilter, ipsec, root
neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/ipsec.secrets
============================================================================================================================
vpn_agent logs given as follows
-----------------------------------------------------------------------------
2016-02-24 10:02:13.567 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2
Stdin:
Stdout:
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)
2016-02-24 10:02:13.632 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24']
Exit code: 2
Stdin:
Stdout:
Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Failed to enable vpn process on router 224f2a11-affc-48cb-beb8-93dceb8d7a3e
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 260, in enable
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec self.start()
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 436, in start
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec self._execute(cmd)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 341, in _execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec extra_ok_codes=extra_ok_codes)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/ip_lib.py", line 816, in execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec extra_ok_codes=extra_ok_codes, **kwargs)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 159, in execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec raise RuntimeError(m)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24']
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 2
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec
2016-02-24 10:02:13.700 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2
Stdin:
Stdout:
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)
2016-02-24 10:02:13.760 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2
Stdin:
Stdout:
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)
2016-02-24 10:02:13.840 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2
Stdin:
Stdout:
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)
2016-02-24 10:02:13.921 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-7861b7af-e95f-4fe2-9739-068a9aab1022', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/7861b7af-e95f-4fe2-9739-068a9aab1022/var/run/pluto', '--status']
Exit code: 2
Stdin:
Stdout:
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)
-------------Keeps on repeating--------------------------
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1549295/+subscriptions
References
