yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1782337] [NEW] [vpn] queens vpn still use 'ipsec' since it is replace by 'strongswan'

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: LIU Yulong <yulong@xxxxxxxxxxxxx>
Date: Wed, 18 Jul 2018 10:47:18 -0000
Reply-to: Bug 1782337 <1782337@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Public bug reported:

ENV:
neutron stable/queens
python-neutron-vpnaas-12.0.0-1.el7.noarch
openstack-neutron-vpnaas-12.0.0-1.el7.noarch

centos 7
3.10.0-862.3.2.el7.x86_64

Firstly, there is no config guide for queens VPNaaS.
So we use this doc:
https://docs.openstack.org/neutron/latest/admin/vpnaas-scenario.html

Exception 1, vpnaas still use binary `ipsec`, since no such bin after install strongswan:
2018-07-18 17:41:08.442 3205520 ERROR neutron.agent.linux.utils [req-a54ec1e1-dc92-4fdd-b673-126067ceb09a - a890d8d8264640ba9bae20d03e4071fd - - -] Rootwrap error running command: ['ipsec', '--piddir']: RemoteError:
2018-07-18 17:41:08.443 3205520 DEBUG oslo_concurrency.lockutils [req-a54ec1e1-dc92-4fdd-b673-126067ceb09a - a890d8d8264640ba9bae20d03e4071fd - - -] Lock "vpn-agent" released by "neutron_vpnaas.services.vpn.device_drivers.ipsec.sync" :: held 0.077s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:285
2018-07-18 17:41:08.443 3205520 ERROR neutron.agent.l3.agent [req-a54ec1e1-dc92-4fdd-b673-126067ceb09a - a890d8d8264640ba9bae20d03e4071fd - - -] Failed to process compatible router: 13756e9e-ca81-42fe-b232-2daae60043bd: RemoteError:
---------------------------------------------------------------------------
Unserializable message: ('#ERROR', ValueError('I/O operation on closed file',))


Exception 2, the config attributes did not write to the right file:

2018-07-18 18:29:38.183 3320737 ERROR neutron.agent.linux.utils [req-ee26b42a-4ddd-451a-b473-f1ed6e484f68 - a890d8d8264640ba9bae20d03e4071fd - - -] Exit code: 2; Stdin: ; Stdout: 2018-07-18 18:29:38.034 3321275 INFO neutron.common.config [-] Logging enabled!
2018-07-18 18:29:38.035 3321275 INFO neutron.common.config [-] /bin/neutron-vpn-netns-wrapper version 12.0.2.dev3
Command: ['mount', '--bind', '/var/lib/neutron/ipsec/13756e9e-ca81-42fe-b232-2daae60043bd/etc', '/etc'] Exit code: 0 Stdout:  Stderr: 2018-07-18 10:29:38.050 3321275 INFO neutron_vpnaas.services.vpn.common.netns_wrapper [-] /var/lib/neutron/ipsec/13756e9e-ca81-42fe-b232-2daae60043bd/etc has been bind-mounted in /etc
Command: ['mount', '--bind', '/var/lib/neutron/ipsec/13756e9e-ca81-42fe-b232-2daae60043bd/var/run', '/var/run'] Exit code: 0 Stdout:  Stderr: 2018-07-18 10:29:38.058 3321275 INFO neutron_vpnaas.services.vpn.common.netns_wrapper [-] /var/lib/neutron/ipsec/13756e9e-ca81-42fe-b232-2daae60043bd/var/run has been bind-mounted in /var/run
Command: ['ipsec', 'start'] Exit code: 2 Stdout:  Stderr: no files found matching '/etc/strongswan/strongswan.conf'
Starting strongSwan 5.6.3 IPsec [starter]...
no files found matching '/etc/strongswan/ipsec.conf'
failed to open config file '/etc/strongswan/ipsec.conf'
unable to start strongSwan -- fatal errors in config
; Stderr:
2018-07-18 18:29:38.185 3320737 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-ee26b42a-4ddd-451a-b473-f1ed6e484f68 - a890d8d8264640ba9bae20d03e4071fd - - -] Failed to enable vpn process on router 13756e9e-ca81-42fe-b232-2daae60043bd: ProcessExecutionError: Exit code: 2; Stdin: ; Stdout: 2018-07-18 18:29:38.034 3321275 INFO neutron.common.config [-] Logging enabled!

So I think maybe vpnaas should be marked as `not ready`?

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1782337

Title:
  [vpn] queens vpn still use 'ipsec' since it is replace by 'strongswan'

Status in neutron:
  New

Bug description:
  ENV:
  neutron stable/queens
  python-neutron-vpnaas-12.0.0-1.el7.noarch
  openstack-neutron-vpnaas-12.0.0-1.el7.noarch

  centos 7
  3.10.0-862.3.2.el7.x86_64

  Firstly, there is no config guide for queens VPNaaS.
  So we use this doc:
  https://docs.openstack.org/neutron/latest/admin/vpnaas-scenario.html

  Exception 1, vpnaas still use binary `ipsec`, since no such bin after install strongswan:
  2018-07-18 17:41:08.442 3205520 ERROR neutron.agent.linux.utils [req-a54ec1e1-dc92-4fdd-b673-126067ceb09a - a890d8d8264640ba9bae20d03e4071fd - - -] Rootwrap error running command: ['ipsec', '--piddir']: RemoteError:
  2018-07-18 17:41:08.443 3205520 DEBUG oslo_concurrency.lockutils [req-a54ec1e1-dc92-4fdd-b673-126067ceb09a - a890d8d8264640ba9bae20d03e4071fd - - -] Lock "vpn-agent" released by "neutron_vpnaas.services.vpn.device_drivers.ipsec.sync" :: held 0.077s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:285
  2018-07-18 17:41:08.443 3205520 ERROR neutron.agent.l3.agent [req-a54ec1e1-dc92-4fdd-b673-126067ceb09a - a890d8d8264640ba9bae20d03e4071fd - - -] Failed to process compatible router: 13756e9e-ca81-42fe-b232-2daae60043bd: RemoteError:
  ---------------------------------------------------------------------------
  Unserializable message: ('#ERROR', ValueError('I/O operation on closed file',))

  
  Exception 2, the config attributes did not write to the right file:

  2018-07-18 18:29:38.183 3320737 ERROR neutron.agent.linux.utils [req-ee26b42a-4ddd-451a-b473-f1ed6e484f68 - a890d8d8264640ba9bae20d03e4071fd - - -] Exit code: 2; Stdin: ; Stdout: 2018-07-18 18:29:38.034 3321275 INFO neutron.common.config [-] Logging enabled!
  2018-07-18 18:29:38.035 3321275 INFO neutron.common.config [-] /bin/neutron-vpn-netns-wrapper version 12.0.2.dev3
  Command: ['mount', '--bind', '/var/lib/neutron/ipsec/13756e9e-ca81-42fe-b232-2daae60043bd/etc', '/etc'] Exit code: 0 Stdout:  Stderr: 2018-07-18 10:29:38.050 3321275 INFO neutron_vpnaas.services.vpn.common.netns_wrapper [-] /var/lib/neutron/ipsec/13756e9e-ca81-42fe-b232-2daae60043bd/etc has been bind-mounted in /etc
  Command: ['mount', '--bind', '/var/lib/neutron/ipsec/13756e9e-ca81-42fe-b232-2daae60043bd/var/run', '/var/run'] Exit code: 0 Stdout:  Stderr: 2018-07-18 10:29:38.058 3321275 INFO neutron_vpnaas.services.vpn.common.netns_wrapper [-] /var/lib/neutron/ipsec/13756e9e-ca81-42fe-b232-2daae60043bd/var/run has been bind-mounted in /var/run
  Command: ['ipsec', 'start'] Exit code: 2 Stdout:  Stderr: no files found matching '/etc/strongswan/strongswan.conf'
  Starting strongSwan 5.6.3 IPsec [starter]...
  no files found matching '/etc/strongswan/ipsec.conf'
  failed to open config file '/etc/strongswan/ipsec.conf'
  unable to start strongSwan -- fatal errors in config
  ; Stderr:
  2018-07-18 18:29:38.185 3320737 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-ee26b42a-4ddd-451a-b473-f1ed6e484f68 - a890d8d8264640ba9bae20d03e4071fd - - -] Failed to enable vpn process on router 13756e9e-ca81-42fe-b232-2daae60043bd: ProcessExecutionError: Exit code: 2; Stdin: ; Stdout: 2018-07-18 18:29:38.034 3321275 INFO neutron.common.config [-] Logging enabled!

  So I think maybe vpnaas should be marked as `not ready`?

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1782337/+subscriptions