yahoo-eng-team team mailing list archive
Message #58801
[Bug 1641509] Re: Creating vpn-service with router which belongs to another tenant causes invalid condition.
http://lists.openstack.org/pipermail/openstack-dev/2016-November/107384.html
** Changed in: neutron
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1641509
Title:
Creating vpn-service with router which belongs to another tenant
causes invalid condition.
Status in neutron:
Won't Fix
Bug description:
- OpenStack version
master
- how to reproduce
1. to 5. and 12. are performed by TenantA
6. to 11. are performed by TenantB (should be context_is_admin).
=== operated by TenantA ===
1. neutron router-create router1
2. neutron net-create network1
3. neutron subnet-create network1 192.168.0.0/24 --name subnet1
4. neutron router-interface-add router1 subnet1
5. neutron router-gateway-set router1 public
=== operated by TenantB ===
6. neutron vpn-service-create router1 --name vpnservice1
7. neutron vpn-ikepolicy-create ikepolicy1
8. neutron vpn-ipsecpolicy-create ipsecpolicy1
9. neutron vpn-endpoint-group-create --type subnet --value subnet1 --name endpoint1
10. neutron vpn-endpoint-group-create --type cidr --value 192.168.1.0/24 --name endpoint2
11. neutron ipsec-site-connection-create --vpnservice-id vpnservice1 --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --local-ep-group endpoint1 --peer-id 172.24.4.10 --peer-address 172.24.4.10 --psk test --peer-ep-group endpoint2
=== operated by TenantA ===
12. neutron router-gateway-clear router1
=> The operation should fail because vpn_service assumes gw_port is attached to the router.
However, the operation passes because
'TenantA' cannot find the 'vpn_service' which belongs to 'TenantB' with its own context.
Alternatively, we should block creating a vpn_service with a router which belongs to another tenant.
The following errors are caused by procedure 12.
* VPN configuration (enable) fails.
* A 500 error is returned when creating an additional site-connection for the vpn_service.
- expected behavior
Procedure 12 by TenantA is blocked because the router is associated with a vpn_service.
This behavior is like network vs port.
- trace in vpn-agent
2016-11-14 05:15:10.863 27930 DEBUG neutron.agent.linux.utils [-] Running command (rootwrap daemon): ['ip', 'netns', 'exec', 'qrouter-0c80e9f8-e273-4770-8f02-6fc243301ac7', 'ip', 'route', 'get', '172.24.4.10'] execute_rootwrap_daemon /opt/stack/neutron/neutron/agent/linux/utils.py:107
2016-11-14 05:15:10.917 27930 ERROR neutron.agent.linux.utils [-] Exit code: 2; Stdin: ; Stdout: ; Stderr: RTNETLINK answers: Network is unreachable
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router 0c80e9f8-e273-4770-8f02-6fc243301ac7
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 306, in enable
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec self.restart()
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 544, in restart
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec self.start()
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 634, in start
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec ipsec_site_conn['id'])
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 568, in _get_nexthop
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec routes = self._execute(['ip', 'route', 'get', ip_addr])
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 411, in _execute
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec extra_ok_codes=extra_ok_codes)
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/opt/stack/neutron/neutron/agent/linux/ip_lib.py", line 908, in execute
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec log_fail_as_error=log_fail_as_error, **kwargs)
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/opt/stack/neutron/neutron/agent/linux/utils.py", line 146, in execute
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec raise ProcessExecutionError(msg, returncode=returncode)
2016-11-14 05:15:10.918 27930 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec ProcessExecutionError: Exit code: 2; Stdin: ; Stdout: ; Stderr: RTNETLINK answers: Network is unreachable
- trace in neutron-server
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource [req-5e2f3bb1-2e6b-495a-a327-47b1595668b5 6759f544889746448631792bb12bd2ea d713c7d4c02541d8b239d6d9761768e5 - - -] create failed: No details.
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource Traceback (most recent call last):
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/resource.py", line 79, in resource
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource result = method(request=request, **args)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/base.py", line 430, in create
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource return self._create(request, body, **kwargs)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/db/api.py", line 83, in wrapped
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource """
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 220, in __exit__
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource self.force_reraise()
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 196, in force_reraise
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource six.reraise(self.type_, self.value, self.tb)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/db/api.py", line 79, in wrapped
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource """Puts a flag on retriable exceptions so is_retriable returns False.
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/usr/local/lib/python2.7/dist-packages/oslo_db/api.py", line 151, in wrapper
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource ectxt.value = e.inner_exc
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 220, in __exit__
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource self.force_reraise()
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 196, in force_reraise
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource six.reraise(self.type_, self.value, self.tb)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/usr/local/lib/python2.7/dist-packages/oslo_db/api.py", line 139, in wrapper
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource return f(*args, **kwargs)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/db/api.py", line 119, in wrapped
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource # prevent mutations of complex objects like the context or 'self'
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 220, in __exit__
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource self.force_reraise()
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 196, in force_reraise
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource six.reraise(self.type_, self.value, self.tb)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/db/api.py", line 114, in wrapped
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource @_retry_db_errors
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/base.py", line 543, in _create
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource obj = do_create(body)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/base.py", line 525, in do_create
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource request.context, reservation.reservation_id)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 220, in __exit__
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource self.force_reraise()
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 196, in force_reraise
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource six.reraise(self.type_, self.value, self.tb)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/base.py", line 518, in do_create
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource return obj_creator(request.context, **kwargs)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/plugin.py", line 78, in create_ipsec_site_connection
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource context, ipsec_site_connection)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/opt/stack/neutron-vpnaas/neutron_vpnaas/db/vpn/vpn_db.py", line 168, in create_ipsec_site_connection
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource validator.resolve_peer_address(ipsec_sitecon, vpnservice.router)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/opt/stack/neutron-vpnaas/neutron_vpnaas/db/vpn/vpn_validator.py", line 92, in resolve_peer_address
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource self._validate_peer_address(ip_version, router)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File "/opt/stack/neutron-vpnaas/neutron_vpnaas/db/vpn/vpn_validator.py", line 70, in _validate_peer_address
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource for fixed_ip in router.gw_port['fixed_ips']:
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource TypeError: 'NoneType' object has no attribute '__getitem__'
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
2016-11-14 05:16:26.945 25357 INFO neutron.wsgi [req-5e2f3bb1-2e6b-495a-a327-47b1595668b5 6759f544889746448631792bb12bd2ea d713c7d4c02541d8b239d6d9761768e5 - - -] 172.16.1.29 - - [14/Nov/2016 05:16:26] "POST /v2.0/vpn/ipsec-site-connections.json HTTP/1.1" 500 368 0.676061
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1641509/+subscriptions
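Added example, not part of the bug report and not neutron or neutron-vpnaas code: a minimal in-memory model of the tenant-scoped lookup described at step 12, showing the dependency check missing TenantB's vpn_service and the two guards the report proposes. The class names and the `elevate` and `require_owner` switches are hypothetical.

```python
from dataclasses import dataclass, replace

class RouterInUse(Exception): pass
class NotRouterOwner(Exception): pass

@dataclass(frozen=True)
class Context:
    tenant_id: str
    is_admin: bool = False
    def elevated(self):
        # Same caller, but queries are no longer filtered by tenant.
        return replace(self, is_admin=True)

class Cloud:
    def __init__(self):
        self.routers = {}        # name -> {"tenant_id": ..., "gw_port": ...}
        self.vpn_services = []   # [{"tenant_id": ..., "router": ...}]

    def vpn_services_on(self, ctx, router):
        # Tenant-scoped query: a non-admin context only sees its own rows.
        return [s for s in self.vpn_services
                if s["router"] == router
                and (ctx.is_admin or s["tenant_id"] == ctx.tenant_id)]

    def create_vpn_service(self, ctx, router, require_owner=False):
        # Guard 2 (report's alternative): refuse routers owned by another tenant.
        if require_owner and self.routers[router]["tenant_id"] != ctx.tenant_id:
            raise NotRouterOwner(router)
        self.vpn_services.append({"tenant_id": ctx.tenant_id, "router": router})

    def gateway_clear(self, ctx, router, elevate=False):
        # Guard 1: run the "router in use" check with an elevated context.
        lookup_ctx = ctx.elevated() if elevate else ctx
        if self.vpn_services_on(lookup_ctx, router):
            raise RouterInUse(router)
        self.routers[router]["gw_port"] = None

def reproduce(elevate=False, require_owner=False):
    """Replay steps 1, 5, 6 and 12 (condensed); return (outcome, gw_port)."""
    cloud = Cloud()
    tenant_a, tenant_b = Context("TenantA"), Context("TenantB", is_admin=True)
    # Constructed sample data standing in for steps 1 and 5.
    cloud.routers["router1"] = {"tenant_id": "TenantA", "gw_port": "gw-port-1"}
    try:
        cloud.create_vpn_service(tenant_b, "router1", require_owner)  # step 6
        cloud.gateway_clear(tenant_a, "router1", elevate)             # step 12
        outcome = "cleared"
    except (RouterInUse, NotRouterOwner) as exc:
        outcome = type(exc).__name__
    return outcome, cloud.routers["router1"]["gw_port"]
```

With both switches off, the gateway is cleared while TenantB's vpn_service still references the router, which is the state that leads to the `router.gw_port` `NoneType` error in the neutron-server trace.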