
yahoo-eng-team team mailing list archive

[Bug 1988574] Re: vpnaas not working on centos8-stream on xena

 

I believe it's a neutron-vpnaas bug, not a kolla-ansible bug.

** Also affects: neutron
   Importance: Undecided
       Status: New

** Changed in: kolla-ansible
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1988574

Title:
  vpnaas not working on centos8-stream on xena

Status in kolla-ansible:
  Incomplete
Status in neutron:
  New

Bug description:
  Hello

  After configuring the VPN endpoint, the l3 agent has a problem
  starting the vpn service:

  2022-09-02 13:54:02.390 654 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router 3659d2d3-5c2e-4097-92dc-08f1567524f5: neutron_lib.exceptions.ProcessExecutionError: Exit code: 1; Cmd: ['ip', 'netns', 'exec', 'qrouter-3659d2d3-5c2e-4097-92dc-08f1567524f5', '/var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper', '--mount_paths=/etc:/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/etc,/var/run:/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/var/run', '--rootwrap_config=/etc/neutron/rootwrap.conf', '--cmd=ipsec,_stackmanager,start']; Stdin: ; Stdout: 2022-09-02 13:54:01.673 88268 INFO neutron.common.config [-] Logging enabled!ESC[00m
  2022-09-02 13:54:01.674 88268 INFO neutron.common.config [-] /var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper version 19.3.1.dev44ESC[00m
  Command: ['mount', '--bind', '/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/etc', '/etc'] Exit code: 0 Stdout:  Stderr: 2022-09-02 13:54:01.693 88268 INFO neutron_vpnaas.services.vpn.common.netns_wrapper [-] /var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/etc has been bind-mounted in /etcESC[00m
  Command: ['mount', '--bind', '/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/var/run', '/var/run'] Exit code: 0 Stdout:  Stderr: 2022-09-02 13:54:01.714 88268 INFO neutron_vpnaas.services.vpn.common.netns_wrapper [-] /var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/var/run has been bind-mounted in /var/runESC[00m
  Command: ['ipsec', '_stackmanager', 'start'] Exit code: 1 Stdout:  Stderr: cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:3: syntax error, unexpected STRING [nat_traversal]
  cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:3: syntax error, unexpected STRING [nat_traversal]

  
  So I applied a workaround, putting into
  /var/lib/kolla/venv/lib/python3.6/site-packages/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template

  config setup
      #nat_traversal=yes

  After that the second problem appeared:

  2022-09-02 13:41:35.252 35 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-aa8d3095-578e-4747-a708-d55d3a4ff889 7a8ec6fc4ec12049bb7f243a354430b4b5ecc5a3fedcdc1c555f1f1a5ce70eb5 715cf7f57a6f47119161fe0654ed8a1c - - -] Failed to enable vpn process on router 3659d2d3-5c2e-4097-92dc-08f1567524f5: neutron_lib.exceptions.ProcessExecutionError: Exit code: 1; Cmd: ['ip', 'netns', 'exec', 'qrouter-3659d2d3-5c2e-4097-92dc-08f1567524f5', '/var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper', '--mount_paths=/etc:/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/etc,/var/run:/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/var/run', '--rootwrap_config=/etc/neutron/rootwrap.conf', '--cmd=ipsec,pluto,--use-netkey,--uniqueids']; Stdin: ; Stdout: 2022-09-02 13:41:34.832 14537 INFO neutron.common.config [-] Logging enabled!ESC[00m
  2022-09-02 13:41:34.834 14537 INFO neutron.common.config [-] /var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper version 19.3.1.dev44ESC[00m
  Command: ['mount', '--bind', '/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/etc', '/etc'] Exit code: 0 Stdout:  Stderr: 2022-09-02 13:41:34.845 14537 INFO neutron_vpnaas.services.vpn.common.netns_wrapper [-] /var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/etc has been bind-mounted in /etcESC[00m
  Command: ['mount', '--bind', '/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/var/run', '/var/run'] Exit code: 0 Stdout:  Stderr: 2022-09-02 13:41:34.856 14537 INFO neutron_vpnaas.services.vpn.common.netns_wrapper [-] /var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/var/run has been bind-mounted in /var/runESC[00m
  Command: ['ipsec', 'pluto', '--use-netkey', '--uniqueids'] Exit code: 1 Stdout:  Stderr: /usr/libexec/ipsec/pluto: unrecognized option '--use-netkey'
  For usage information: /usr/libexec/ipsec/pluto --help
  Libreswan 4.5

  So I deployed the second workaround in
  /var/lib/kolla/venv/lib/python3.6/site-packages/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py

      def start_pluto(self):
          cmd = ['pluto',
                 '--use-netkey',
                 '--uniqueids']

  And removed --use-netkey:

      def start_pluto(self):
          cmd = ['pluto',
                 '--uniqueids']

  
  After that the vpn endpoint starts working correctly.
  It seems there are some problems with the libreswan version.
  Image version:
  quay.io/openstack.kolla/centos-source-neutron-l3-agent
                  "build-date": "20220726",

To manage notifications about this bug go to:
https://bugs.launchpad.net/kolla-ansible/+bug/1988574/+subscriptions
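
An added example, not part of the original report or of neutron-vpnaas: a small triage helper that pulls the first failing wrapped command out of an l3-agent log excerpt like the two quoted in the bug description and names the keyword or option that was rejected. The function name, the cause labels and the shortened sample text are assumptions of this example.

```python
import ast
import re

# Shortened from the l3-agent log output quoted in the report ("..." marks cuts).
SAMPLE_CONFIG = """\
ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router 3659d2d3-5c2e-4097-92dc-08f1567524f5: ...
Command: ['mount', '--bind', '/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/etc', '/etc'] Exit code: 0 Stdout:  Stderr: ... has been bind-mounted in /etcESC[00m
Command: ['ipsec', '_stackmanager', 'start'] Exit code: 1 Stdout:  Stderr: cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:3: syntax error, unexpected STRING [nat_traversal]
"""
SAMPLE_OPTION = """\
ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [...] Failed to enable vpn process on router 3659d2d3-5c2e-4097-92dc-08f1567524f5: ...
Command: ['ipsec', 'pluto', '--use-netkey', '--uniqueids'] Exit code: 1 Stdout:  Stderr: /usr/libexec/ipsec/pluto: unrecognized option '--use-netkey'
"""

ROUTER_RE = re.compile(r"vpn process on router ([0-9a-f-]{36})")
# One entry per command run by the netns wrapper: argv list, exit code, stderr.
COMMAND_RE = re.compile(r"Command: (\[.*?\]) Exit code: (\d+) Stdout:.*?Stderr: (.*)")
# Hypothetical cause labels for the two stderr shapes seen in the report.
CAUSES = [
    (re.compile(r"syntax error, unexpected STRING \[(\w+)\]"), "config keyword rejected"),
    (re.compile(r"unrecognized option '([^']+)'"), "command-line option rejected"),
]


def triage(log_text):
    """Describe the first wrapped command that exited non-zero, or return None."""
    text = log_text.replace("ESC[00m", "")  # drop rendered ANSI reset markers
    router = ROUTER_RE.search(text)
    for entry in COMMAND_RE.finditer(text):
        exit_code = int(entry.group(2))
        if exit_code == 0:
            continue  # bind mounts and other successful steps
        result = {
            "router": router.group(1) if router else None,
            "command": ast.literal_eval(entry.group(1)),  # safe parse of the argv list
            "exit_code": exit_code,
            "cause": "unknown",
            "token": None,
        }
        for pattern, label in CAUSES:
            hit = pattern.search(entry.group(3))
            if hit:
                result["cause"], result["token"] = label, hit.group(1)
                break
        return result
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_CONFIG, SAMPLE_OPTION):
        print(triage(sample))
```
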