yahoo-eng-team team mailing list archive

[Bug 1970948] [NEW] [VPNAAS] No start possible without rootwrap

 

Public bug reported:

Please bear with me, this is my first bug report. :)

When agent.root_helper is not set, the strongswan ipsec device driver
will fail to start as the vpn_netns_agent does not like being started
with '' as one of the options before --cmd.

The result:
['sudo', 'ip', 'netns', 'exec', 'qvpn-be40f416-99c5-4e58-a568-b8f691caf7c8', '/var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper', '--mount_paths=/etc:/var/lib/neutron/ipsec/be40f416-99c5-4e58-a568-b8f691caf7c8/etc,/var/run:/var/lib/neutron/ipsec/be40f416-99c5-4e58-a568-b8f691caf7c8/var/run', '', '--cmd=ipsec,start']


The (easy) patch:

diff --git a/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py b/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
index 708952a1f..c719d3591 100644
--- a/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
@@ -111,15 +111,25 @@ class StrongSwanProcess(ipsec.BaseSwanProcess):
         """
         ip_wrapper = ip_lib.IPWrapper(namespace=self.namespace)
         ns_wrapper = self.get_ns_wrapper()
-        return ip_wrapper.netns.execute(
-            [ns_wrapper,
-             '--mount_paths=/etc:%s/etc,%s:%s/var/run' % (
-                 self.config_dir, self._strongswan_piddir, self.config_dir),
-             ('--rootwrap_config=%s' % self._rootwrap_cfg
-                 if self._rootwrap_cfg else ''),
-             '--cmd=%s' % ','.join(cmd)],
-            check_exit_code=check_exit_code,
-            extra_ok_codes=extra_ok_codes)
+
+        if self._rootwrap_cfg:
+            return ip_wrapper.netns.execute(
+                [ns_wrapper,
+                '--mount_paths=/etc:%s/etc,%s:%s/var/run' % (
+                    self.config_dir, self._strongswan_piddir, self.config_dir),
+                '--rootwrap_config=%s' % self._rootwrap_cfg,
+                '--cmd=%s' % ','.join(cmd)],
+                check_exit_code=check_exit_code,
+                extra_ok_codes=extra_ok_codes)
+        else:
+            return ip_wrapper.netns.execute(
+                [ns_wrapper,
+                '--mount_paths=/etc:%s/etc,%s:%s/var/run' % (
+                    self.config_dir, self._strongswan_piddir, self.config_dir),
+                '--cmd=%s' % ','.join(cmd)],
+                check_exit_code=check_exit_code,
+                extra_ok_codes=extra_ok_codes)
+
 
     def copy_and_overwrite(self, from_path, to_path):
         # NOTE(toabctl): the agent may run as non-root user, so rm/copy as root
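
Review bot: the added if/else repeats the whole ip_wrapper.netns.execute(...) call in both branches just to leave out one argument, so any later change to '--mount_paths=...' or the keyword arguments has to be made twice and can drift. Build the argument list once (ns_wrapper and the '--mount_paths=...' string), append '--rootwrap_config=%s' % self._rootwrap_cfg only when self._rootwrap_cfg is set, then append '--cmd=%s' % ','.join(cmd) and make a single execute call. That keeps the fix, which is that no '' element reaches the argument list, while leaving one code path to maintain. The trailing added blank line also leaves two blank lines before def copy_and_overwrite where the file had one, and the change would benefit from a unit test asserting that the command list contains no empty string when the rootwrap config is unset.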

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: vpnaas

** Tags added: vpnaas

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1970948

Title:
  [VPNAAS] No start possible without rootwrap

Status in neutron:
  New
