yahoo-eng-team team mailing list archive
Message #66742
[Bug 1711456] [NEW] libreswan ipsec driver doesn't work with libreswan versions 3.19+
Public bug reported:
VPNaaS agent on RHEL and derivatives uses libreswan as the OpenSwan
replacement.
This integration of the VPN agent with libreswan is handled by
https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
On Jan 15, 2017 the libreswan team released version 3.19, which introduced
a change that requires an additional flag to specify the NSS DB location
if it differs from the default one. Obviously this is an issue for VPNaaS
because libreswan_ipsec.py still uses the old invocation scheme, and
this results in the following:
2017-08-17 16:28:41.000 76497 ERROR neutron.agent.linux.utils [req-9c23f077-b34c-42d4-adf4-9ff7f3fd3d19 f618a7405223411ea009e40de67f2791 66500ca68c4042f5b7d5f372cac3e7db - - -] Exit code: 1; Stdin: ; Stdout: ; Stderr: usage: ipsec initnss [--nssdir /etc/ipsec.d]
2017-08-17 16:28:41.007 76497 ERROR neutron.agent.linux.utils [req-9c23f077-b34c-42d4-adf4-9ff7f3fd3d19 f618a7405223411ea009e40de67f2791 66500ca68c4042f5b7d5f372cac3e7db - - -] Exit code: 1; Stdin: ; Stdout: ; Stderr: usage: ipsec initnss [--nssdir /etc/ipsec.d]
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-9c23f077-b34c-42d4-adf4-9ff7f3fd3d19 f618a7405223411ea009e40de67f2791 66500ca68c4042f5b7d5f372cac3e7db - - -] Failed to enable vpn process on router 376e79e2-51c0-4907-85b3-4ec9af2b0c11
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 304, in enable
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec self.ensure_configs()
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py", line 61, in ensure_configs
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec self._execute([self.binary, 'initnss', self.etc_dir])
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 411, in _execute
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec extra_ok_codes=extra_ok_codes)
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 912, in execute
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec log_fail_as_error=log_fail_as_error, **kwargs)
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 148, in execute
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec raise ProcessExecutionError(msg, returncode=returncode)
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec ProcessExecutionError: Exit code: 1; Stdin: ; Stdout: ; Stderr: usage: ipsec initnss [--nssdir /etc/ipsec.d]
This issue can be easily solved by adding the --nssdir option in lines
59 and 61 of https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
Like this:
try:
--- self._execute([self.binary, 'checknss', self.etc_dir])
+++ self._execute([self.binary, 'checknss', '--nssdir', self.etc_dir])
except RuntimeError:
--- self._execute([self.binary, 'initnss', self.etc_dir])
+++ self._execute([self.binary, 'initnss', '--nssdir', self.etc_dir])
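Review bot: both replaced lines pass `--nssdir` unconditionally, which drops support for libreswan releases before 3.19, where `checknss` and `initnss` take the directory as a positional argument; since the report itself names a version check as the backport-friendly option, either gate the flag on the installed libreswan version or try the `--nssdir` form first and fall back to `[self.binary, 'initnss', self.etc_dir]` on RuntimeError. Note also that the surrounding `except RuntimeError:` swallows a usage error from `checknss` just as readily as a missing database, so with a mismatched CLI the failure only surfaces at `initnss` (line 61 in the traceback above); a version check avoids that masking.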
After the change:
2017-08-17 22:53:25.734 863363 DEBUG neutron.agent.linux.utils [-] Running command (rootwrap daemon): ['ip', 'netns', 'exec', 'snat-376e79e2-51c0-4907-85b3-4ec9af2b0c11', 'ipsec', 'checknss', '--nssdir', '/var/lib/neutron/ipsec/376e79e2-51c0-4907-85b3-4ec9af2b0c11/etc'] execute_rootwrap_daemon /usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py:105
2017-08-17 22:53:25.741 863363 DEBUG neutron.agent.linux.utils [-] Exit code: 0 execute /usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py:150
I propose committing this fix to
neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py.
Alternatively, the code can be changed to include a libreswan version
check, so that the ipsec nssdb calls retain backward compatibility and
the fix can be backported.
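The version-check alternative described above, as an added example that is not neutron-vpnaas code or the reporter's patch. It assumes that `ipsec --version` prints a banner containing "Libreswan <major>.<minor>" (the sample banners below are constructed), that a failed command surfaces as RuntimeError the way the driver's `_execute` does, and it uses a constructed stand-in for the ipsec binary so the check/init sequence runs offline against both the pre-3.19 and the 3.19+ command line.

```python
"""Version-aware `ipsec checknss` / `ipsec initnss` invocation.

Added example, not the neutron-vpnaas driver. libreswan 3.19 (released
Jan 15, 2017) switched both subcommands from a positional NSS DB
directory to the --nssdir flag; the helpers below pick the form that
matches the installed version instead of hard-coding either one.
"""
import re

# First libreswan release whose checknss/initnss expect --nssdir.
NSSDIR_FLAG_SINCE = (3, 19)

# Assumed banner format, e.g. "Linux Libreswan 3.23 (netkey) on 3.10.0".
_VERSION_RE = re.compile(r"Libreswan\s+(\d+)\.(\d+)", re.IGNORECASE)


def parse_libreswan_version(version_output):
    """Return (major, minor) parsed from `ipsec --version` output, or None
    when the banner is not a libreswan one (e.g. an Openswan build)."""
    match = _VERSION_RE.search(version_output)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def nss_command(binary, subcommand, etc_dir, version):
    """Build the argv for checknss/initnss matching the installed CLI.

    Unknown versions keep the positional form the driver has always used,
    so a backport does not change behaviour on hosts it cannot identify.
    """
    if subcommand not in ("checknss", "initnss"):
        raise ValueError("unsupported NSS subcommand: %r" % (subcommand,))
    if version is not None and version >= NSSDIR_FLAG_SINCE:
        return [binary, subcommand, "--nssdir", etc_dir]
    return [binary, subcommand, etc_dir]


def ensure_nss_db(execute, binary, etc_dir, version):
    """Mirror the driver's ensure_configs() step: verify the NSS DB and
    initialise it if the check fails. Returns the argv that succeeded;
    a failure of initnss propagates as RuntimeError, as in the traceback."""
    check = nss_command(binary, "checknss", etc_dir, version)
    try:
        execute(check)
        return check
    except RuntimeError:
        init = nss_command(binary, "initnss", etc_dir, version)
        execute(init)
        return init


class FakeIpsec(object):
    """Constructed stand-in for the ipsec binary (hypothetical, offline).

    Rejects argv that does not match its version's CLI with the same
    usage text libreswan printed in the bug report, and tracks whether
    the NSS DB has been initialised.
    """

    def __init__(self, version, initialised=False):
        self.version = version
        self.initialised = initialised
        self.calls = []

    def __call__(self, argv):
        self.calls.append(list(argv))
        subcommand, args = argv[1], argv[2:]
        expects_flag = self.version >= NSSDIR_FLAG_SINCE
        if expects_flag != (args[:1] == ["--nssdir"]):
            raise RuntimeError(
                "usage: ipsec %s [--nssdir /etc/ipsec.d]" % subcommand)
        if subcommand == "initnss":
            self.initialised = True
        elif not self.initialised:
            raise RuntimeError("NSS database not found")


def demo():
    """Run the sequence against a fresh 3.19+ host and an older host."""
    etc_dir = "/var/lib/neutron/ipsec/<router-id>/etc"  # placeholder path
    new_host = FakeIpsec((3, 23))
    new_version = parse_libreswan_version("Linux Libreswan 3.23 (netkey)")
    used_new = ensure_nss_db(new_host, "ipsec", etc_dir, new_version)
    old_host = FakeIpsec((3, 18), initialised=True)
    used_old = ensure_nss_db(old_host, "ipsec", etc_dir, (3, 18))
    return used_new, used_old


if __name__ == "__main__":
    for argv in demo():
        print(" ".join(argv))
```

Passing `None` as the version reproduces the report's failure on a 3.19+ host: `checknss` fails with the usage error, is swallowed by the `except RuntimeError`, and the same usage error then escapes from `initnss`.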
** Affects: neutron
Importance: Undecided
Status: New
** Tags: ipsec libreswan vpnaas
** Patch added: "libreswan_ipsec.py.patch"
https://bugs.launchpad.net/bugs/1711456/+attachment/4934429/+files/libreswan_ipsec.py.patch
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1711456
Title:
libreswan ipsec driver doesn't work with libreswan versions 3.19+
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1711456/+subscriptions