Previously, the openstack-neutron-vpn-agent package did not install a required rootwrap VPNaaS filters file. This prevented the openstack-neutron-vpn-agent service (provided by the package) from running commands that required authorization on VPNaaS objects. Specifically, such objects remained in a PENDING_CREATE state because the openstack-neutron-vpn-agent was unauthorized to run any further tasks on them.
With this release, the openstack-neutron-vpn-agent package now installs the required rootwrap VPNaaS filters file. This provides the openstack-neutron-vpn-agent with the required rootwrap authorization on VPNaaS objects.
Closing the launchpad bug https://bugs.launchpad.net/bugs/1253681, it seems like the openstack-neutron-2013.2-10.el6ost rpm is missing the VPNaaS' filters file which exists in ${neutron_git}/etc/neutron/rootwrap.d/vpnaas.filters
# rpm -ql openstack-neutron | grep filters
/usr/share/neutron/rootwrap/dhcp.filters
/usr/share/neutron/rootwrap/iptables-firewall.filters
/usr/share/neutron/rootwrap/l3.filters
/usr/share/neutron/rootwrap/lbaas-haproxy.filters
The upstream setup.cfg is missing entries for debug.filters and vpnaas.filters. After that is fixed, then the spec file can be fixed to actually install them properly. I guess until they get that fixed upstream, we can add a patch to the packaging.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHEA-2013-1859.html
Version
=======
rhos 4.0 on rhel6.5, puddle 2013-11-18.8
openstack-neutron-2013.2-9.el6ost
openstack-neutron-vpn-agent-2013.2-9.el6ost

Description
===========
I've created ike and ipsec policies, vpn service and ipsec site connections with almost all params set as default, it seems like the neutron vpn agent fails to run the openswan's ipsec command, the vpn service and the ipsec site connections remain in PENDING_CREATE status:

2013-11-21 17:15:15.526 6112 WARNING neutron.context [-] Arguments dropped when creating context: {'project_id': u'1532b0139c4f49298dee924500761e6d'}
2013-11-21 17:15:16.635 6112 ERROR neutron.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router e8b2c574-0b11-4c96-bed4-731ae6cf0a90
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 241, in enable
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec self.start()
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 382, in start
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec '--virtual_private', virtual_private
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 311, in _execute
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec check_exit_code=check_exit_code)
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/agent/linux/ip_lib.py", line 458, in execute
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec check_exit_code=check_exit_code)
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.6/site-packages/neutron/agent/linux/utils.py", line 62, in execute
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec raise RuntimeError(m)
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec RuntimeError:
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-e8b2c574-0b11-4c96-bed4-731ae6cf0a90', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc/ipsec.secrets', '--virtual_private', '%v4:10.35.214.0/24,%v4:10.35.214.0/24']
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Exit code: 99
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Stdout: ''
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: '/usr/bin/neutron-rootwrap: Unauthorized command: ip netns exec qrouter-e8b2c574-0b11-4c96-bed4-731ae6cf0a90 ipsec pluto --ctlbase /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc --use-netkey --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc/ipsec.secrets --virtual_private %v4:10.35.214.0/24,%v4:10.35.214.0/24 (no filter matched)\n'
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec
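A triage sketch for the rootwrap denial in the report above, added here as an example; it is not code from the bug report, the package, or Neutron. It extracts each "Unauthorized command ... (no filter matched)" entry from an agent log, strips the `ip netns exec <namespace>` wrapper, and reports executables that no installed filter file covers. The filter file contents and the shortened log line are constructed samples, and matching by executable name is a simplified model of rootwrap's filter matching.

```python
import configparser
import re

# Constructed sample: the denial from the report, with the pluto arguments shortened.
SAMPLE_LOG = """\
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Exit code: 99
2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: '/usr/bin/neutron-rootwrap: Unauthorized command: ip netns exec qrouter-e8b2c574-0b11-4c96-bed4-731ae6cf0a90 ipsec pluto --use-netkey (no filter matched)\\n'
"""

# Constructed filter files in rootwrap's "[Filters]" INI syntax (not copied from any package).
INSTALLED = {
    "l3.filters": "[Filters]\nip_exec: IpNetnsExecFilter, ip, root\nradvd: CommandFilter, radvd, root\n",
}
WITH_VPNAAS = {
    **INSTALLED,
    "vpnaas.filters": "[Filters]\nip_exec: IpNetnsExecFilter, ip, root\nopenswan: CommandFilter, ipsec, root\n",
}

DENIED = re.compile(r"Unauthorized command: (?P<cmd>.+?) \(no filter matched\)")

def denied_commands(log_text):
    """Return the argv of every command rootwrap refused in the log."""
    return [m.group("cmd").split() for m in DENIED.finditer(log_text)]

def effective_argv(argv):
    """Strip an 'ip netns exec <ns>' wrapper; the inner command needs its own filter."""
    if argv[:3] == ["ip", "netns", "exec"] and len(argv) > 4:
        return argv[4:]
    return argv

def allowed_executables(filter_files):
    """Map executable name -> filter files that grant it (name match only)."""
    allowed = {}
    for name, text in filter_files.items():
        parser = configparser.RawConfigParser()
        parser.read_string(text)
        if not parser.has_section("Filters"):
            continue
        for _, value in parser.items("Filters"):
            fields = [f.strip() for f in value.split(",")]
            if fields[0] == "IpNetnsExecFilter":
                continue  # wrapper only: grants nothing for the inner command
            allowed.setdefault(fields[1].rsplit("/", 1)[-1], []).append(name)
    return allowed

def missing_filters(log_text, filter_files):
    """Denied executables that no installed filter file covers."""
    allowed = allowed_executables(filter_files)
    inner = {effective_argv(argv)[0] for argv in denied_commands(log_text)}
    return sorted(exe for exe in inner if exe not in allowed)
```

On a real host, the filter file texts would be read from the directories listed in `filters_path` in `/etc/neutron/rootwrap.conf` rather than from the inline samples.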