Bug 1268444
| Summary: | Ownership of ipsec.secrets causes problems on agent restart | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Brent Eagles <beagles> |
| Component: | openstack-neutron-vpnaas | Assignee: | Brent Eagles <beagles> |
| Status: | CLOSED ERRATA | QA Contact: | Eran Kuris <ekuris> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.0 (Kilo) | CC: | adahms, amuller, apevec, beagles, ihrachys, lhh, mlopes, nyechiel, pwouters, sclewis, sgordon, tfreger |
| Target Milestone: | z5 | Keywords: | ZStream |
| Target Release: | 7.0 (Kilo) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-neutron-vpnaas-2015.1.2-2.el7ost | Doc Type: | Bug Fix |
| Doc Text: | Changes to assigning ownership to the ipsec.secrets of a connection interfered with the operation of VPNaaS when the service was restarted or connections were updated, causing maintenance and re-establishment of connections to eventually fail. With this update, the ownership of ipsec.secrets by the 'root' user has been removed, allowing the service to re-create an updated ipsec.secrets file as required. This allows service restart and connection update operations to succeed. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-07-13 14:37:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1077162, 1245842, 1262446 | | |

Description
Brent Eagles
2015-10-02 20:11:58 UTC
For steps to reproduce (part of which is copied and pasted from https://bugzilla.redhat.com/show_bug.cgi?id=1262446#c5):

There currently isn't adequate test coverage to verify this in our functional/system level tests, so manual verification is necessary for now. I did this by configuring a devstack environment and running this script:

https://github.com/beagles/oddsnends/blob/master/openstack/vpnaas/test_vpn.sh

Equivalent commands can also be used in an OSP environment but a public network and related subnet will need to be created prior to running these commands (in this script the network is "public"). And checking the logs for errors.

One important caveat is that the /etc/neutron/vpn_agent.ini file needs to have the vpn_device_driver set as follows:

vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver

Before the patch, once a connection has been properly set up, the logs should show permission errors when restarting the service. After the patch has been applied it should restart normally.

In which version is it fixed?

According to DEV it's still blocked by problems with CI, and it affects those bugs: Bug 1262446, Bug 1245846, Bug 1245842

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions.

Can you please fill in the 'Fixed-in-version' field and set to MODIFIED?

It looks like the package might not have been built with this fix.

Assaf - it looks like you are correct. We merged the patch in January/16 but didn't update the package to include the patch (related note - it's included in 2015.1.3 upstream). I've created a patch for our packaging for review and will update once it goes through.

Code is verified in /usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1414