Version
=======
rhos 4.0 on rhel6.5, puddle 2013-11-18.8
openstack-neutron-2013.2-9.el6ost
openstack-neutron-vpn-agent-2013.2-9.el6ost

Description
===========
I've created ike and ipsec policies, vpn service and ipsec site connections with almost all params set as default, it seems like the neutron vpn agent fails to run the openswan's ipsec command, the vpn service and the ipsec site connections remain in PENDING_CREATE status:

2013-11-21 17:15:15.526 6112 WARNING neutron.context [-] Arguments dropped when creating context: {'project_id': u'1532b0139c4f49298dee924500761e6d'}
2013-11-21 17:15:16.635 6112 ERROR neutron.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router e8b2c574-0b11-4c96-bed4-731ae6cf0a90
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 241, in enable
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec self.start()
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 382, in start
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec '--virtual_private', virtual_private
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 311, in _execute
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec check_exit_code=check_exit_code)
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/agent/linux/ip_lib.py", line 458, in execute
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec check_exit_code=check_exit_code)
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/agent/linux/utils.py", line 62, in execute
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec raise RuntimeError(m)
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec RuntimeError:
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-e8b2c574-0b11-4c96-bed4-731ae6cf0a90', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc/ipsec.secrets', '--virtual_private', '%v4:10.35.214.0/24,%v4:10.35.214.0/24']
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Exit code: 99
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Stdout: ''
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: '/usr/bin/neutron-rootwrap: Unauthorized command: ip netns exec qrouter-e8b2c574-0b11-4c96-bed4-731ae6cf0a90 ipsec pluto --ctlbase /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc --use-netkey --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc/ipsec.secrets --virtual_private %v4:10.35.214.0/24,%v4:10.35.214.0/24 (no filter matched)\n'
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec
Closing the launchpad bug https://bugs.launchpad.net/bugs/1253681, it seems like the openstack-neutron-2013.2-10.el6ost rpm is missing the VPNaaS' filters file which exists in ${neutron_git}/etc/neutron/rootwrap.d/vpnaas.filters

# rpm -ql openstack-neutron | grep filters
/usr/share/neutron/rootwrap/dhcp.filters
/usr/share/neutron/rootwrap/iptables-firewall.filters
/usr/share/neutron/rootwrap/l3.filters
/usr/share/neutron/rootwrap/lbaas-haproxy.filters
The upstream setup.cfg is missing entries for debug.filters and vpnaas.filters. After that is fixed, then the spec file can be fixed to actually install them properly. I guess until they get that fixed upstream, we can add a patch to the packaging.
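
The "no filter matched" rejection above can be reproduced offline with a simplified model of rootwrap's matching. This is an added example, not code from neutron or from this report: it models only CommandFilter and IpNetnsExecFilter, and the filter entries below are constructed samples (assumptions), not the contents of the packaged files.

```python
import configparser
import glob
import os
import tempfile

# Constructed sample filter files (assumed entries, not the packaged content).
L3_FILTERS = "[Filters]\nip_exec: IpNetnsExecFilter, ip, root\n"
VPNAAS_FILTERS = ("[Filters]\nip_exec: IpNetnsExecFilter, ip, root\n"
                  "openswan: CommandFilter, ipsec, root\n")
# Shortened form of the command from the traceback in this report.
COMMAND = ["ip", "netns", "exec",
           "qrouter-e8b2c574-0b11-4c96-bed4-731ae6cf0a90",
           "ipsec", "pluto", "--use-netkey"]

def load_filters(filters_dirs):
    """Read every *.filters file and return (filter_class, executable) pairs."""
    found = []
    for d in filters_dirs:
        for path in sorted(glob.glob(os.path.join(d, "*.filters"))):
            cp = configparser.RawConfigParser()
            cp.read(path)
            if not cp.has_section("Filters"):
                continue
            for _name, value in cp.items("Filters"):
                parts = [p.strip() for p in value.split(",")]
                if len(parts) >= 2:
                    found.append((parts[0], parts[1]))
    return found

def is_authorized(filters, argv):
    """Simplified match: other filter classes are ignored in this model."""
    if not argv:
        return False
    for cls, exe in filters:
        if os.path.basename(exe) != os.path.basename(argv[0]):
            continue
        if cls == "CommandFilter":
            return True
        if cls == "IpNetnsExecFilter" and argv[1:3] == ["netns", "exec"]:
            # The command run inside the namespace needs a filter of its own.
            if len(argv) > 4 and is_authorized(filters, argv[4:]):
                return True
    return False

def check(files, argv=COMMAND):
    """Write {filename: content} into a temp filters dir and test argv."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(content)
        return is_authorized(load_filters([d]), argv)
```

With only the l3 sample present the wrapped `ipsec` command has no matching filter and `check` returns False; adding the vpnaas sample makes it return True.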
Verified on rhos 4.0 running on rhel6.5 with 2013-12-06.3 puddle, openstack-neutron-2013.2-13.el6ost.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2013-1859.html