| Summary: | Newly-created VPNaaS objects remain in PENDING_CREATE because the agent is unauthorized to run ipsec command | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Rami Vaknin <rvaknin> |
| Component: | openstack-neutron | Assignee: | Terry Wilson <twilson> |
| Status: | CLOSED ERRATA | QA Contact: | Rami Vaknin <rvaknin> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.0 | CC: | breeler, chrisw, ddomingo, hateya, oblaut, twilson, yeylon |
| Target Milestone: | rc | ||
| Target Release: | 4.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | network | ||
| Fixed In Version: | openstack-neutron-2013.2-12.el6ost | Doc Type: | Bug Fix |
| Doc Text: |
Previously, the openstack-neutron-vpn-agent package did not install a required rootwrap VPNaaS filters file. This prevented the openstack-neutron-vpn-agent service (provided by the package) from running commands that required authorization on VPNaaS objects. Specifically, such objects remained in a PENDING_CREATE state because the openstack-neutron-vpn-agent was unauthorized to run any further tasks on them.
With this release, the openstack-neutron-vpn-agent package now installs the required rootwrap VPNaaS filters file. This provides the openstack-neutron-vpn-agent with the required rootwrap authorization on VPNaaS objects.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-12-20 00:38:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Closing the launchpad bug https://bugs.launchpad.net/bugs/1253681, it seems like the openstack-neutron-2013.2-10.el6ost rpm is missing the VPNaaS' filters file which exists in ${neutron_git}/etc/neutron/rootwrap.d/vpnaas.filters

```
# rpm -ql openstack-neutron | grep filters
/usr/share/neutron/rootwrap/dhcp.filters
/usr/share/neutron/rootwrap/iptables-firewall.filters
/usr/share/neutron/rootwrap/l3.filters
/usr/share/neutron/rootwrap/lbaas-haproxy.filters
```

The upstream setup.cfg is missing entries for debug.filters and vpnaas.filters. After that is fixed, then the spec file can be fixed to actually install them properly. I guess until they get that fixed upstream, we can add a patch to the packaging.

Verified on rhos 4.0 running on rhel6.5 with 2013-12-06.3 puddle, openstack-neutron-2013.2-13.el6ost.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html
|
Version
=======
rhos 4.0 on rhel6.5, puddle 2013-11-18.8
openstack-neutron-2013.2-9.el6ost
openstack-neutron-vpn-agent-2013.2-9.el6ost

Description
===========
I've created ike and ipsec policies, vpn service and ipsec site connections with almost all params set as default, it seems like the neutron vpn agent fails to run the openswan's ipsec command, the vpn service and the ipsec site connections remain in PENDING_CREATE status:

```
2013-11-21 17:15:15.526 6112 WARNING neutron.context [-] Arguments dropped when creating context: {'project_id': u'1532b0139c4f49298dee924500761e6d'}
2013-11-21 17:15:16.635 6112 ERROR neutron.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router e8b2c574-0b11-4c96-bed4-731ae6cf0a90
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 241, in enable
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec self.start()
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 382, in start
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec '--virtual_private', virtual_private
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 311, in _execute
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec check_exit_code=check_exit_code)
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/agent/linux/ip_lib.py", line 458, in execute
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec check_exit_code=check_exit_code)
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/agent/linux/utils.py", line 62, in execute
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec raise RuntimeError(m)
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec RuntimeError:
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-e8b2c574-0b11-4c96-bed4-731ae6cf0a90', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc/ipsec.secrets', '--virtual_private', '%v4:10.35.214.0/24,%v4:10.35.214.0/24']
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Exit code: 99
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Stdout: ''
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: '/usr/bin/neutron-rootwrap: Unauthorized command: ip netns exec qrouter-e8b2c574-0b11-4c96-bed4-731ae6cf0a90 ipsec pluto --ctlbase /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc --use-netkey --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc/ipsec.secrets --virtual_private %v4:10.35.214.0/24,%v4:10.35.214.0/24 (no filter matched)\n'
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec
```
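
The following is an added example, not code from this bug report or from neutron or rootwrap: a simplified model of filter matching that shows why `ip netns exec <namespace> ipsec ...` is rejected with "no filter matched" when no installed filter file covers `ipsec`. The filter file contents, the matching logic and all function names are assumptions made for illustration; the stderr string is the one from the log above, abbreviated.

```python
import configparser
import re

# Constructed filter files (assumed contents, for illustration only).
L3_FILTERS = "[Filters]\nip: IpFilter, ip, root\nip_exec: IpNetnsExecFilter, ip, root\n"
VPNAAS_FILTERS = "[Filters]\nopenswan: CommandFilter, ipsec, root\n"

# Stderr from the agent log above, abbreviated to the first few arguments.
STDERR = ("/usr/bin/neutron-rootwrap: Unauthorized command: ip netns exec "
          "qrouter-e8b2c574-0b11-4c96-bed4-731ae6cf0a90 ipsec pluto "
          "--use-netkey --uniqueids (no filter matched)\n")


def load_filters(*texts):
    """Parse [Filters] sections into (filter_class, executable) pairs."""
    filters = []
    for text in texts:
        cp = configparser.RawConfigParser()
        cp.read_string(text)
        for _name, value in cp.items("Filters"):
            kind, exe = [part.strip() for part in value.split(",")][:2]
            filters.append((kind, exe))
    return filters


def unauthorized_argv(stderr):
    """Extract the rejected command line from a rootwrap error message."""
    m = re.search(r"Unauthorized command: (.*) \(no filter matched\)", stderr)
    return m.group(1).split() if m else None


def is_authorized(argv, filters):
    """Simplified matching: a netns exec filter chains to the inner command."""
    if not argv:
        return False
    netns_exec = argv[:3] == ["ip", "netns", "exec"]
    for kind, exe in filters:
        if kind == "CommandFilter" and argv[0] == exe:
            return True
        if kind == "IpFilter" and argv[0] == exe and not netns_exec:
            return True
        if kind == "IpNetnsExecFilter" and netns_exec and len(argv) > 4:
            # argv[3] is the namespace; the rest must match another filter.
            if is_authorized(argv[4:], filters):
                return True
    return False


if __name__ == "__main__":
    cmd = unauthorized_argv(STDERR)
    print("l3 only:    ", is_authorized(cmd, load_filters(L3_FILTERS)))
    print("l3 + vpnaas:", is_authorized(cmd, load_filters(L3_FILTERS, VPNAAS_FILTERS)))
```

In this model the namespace wrapper alone never authorizes a command: the inner executable needs its own entry, which is why a missing per-service filter file surfaces as a denial rather than a broader grant.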