Bug 1353351 - vpnaas doesn't work
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: RDO
Classification: Community
Component: openstack-neutron
Version: Mitaka
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: trunk
Assignee: Assaf Muller
QA Contact: Ofer Blaut
Reported: 2016-07-06 21:16 UTC by Peter Schiffer
Modified: 2017-06-18 21:48 UTC

Last Closed: 2017-06-18 21:48:14 UTC

Description Peter Schiffer 2016-07-06 21:16:07 UTC
Description of problem:
At first, there is an SELinux issue - BZ#1352710

Then, trying to create an IPsec site connection fails with this log (in vpn-agent.log):
2016-07-06 22:17:52.255 21166 ERROR neutron.agent.linux.utils [req-72dd7b11-afae-4ac5-b289-4f88d8bd488e afe71561c9854f6ba4a1bf00d6ff2240 6f6ac5ede161442ba83f97963ceefb8a - - -] Exit code: 255; Stdin: ; Stdout: Warning: options --defaultroute and --defaultroutenexthop are obsolete and were ignored
; Stderr: connect(pluto_ctl) failed: No such file or directory

2016-07-06 22:17:52.259 21166 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-72dd7b11-afae-4ac5-b289-4f88d8bd488e afe71561c9854f6ba4a1bf00d6ff2240 6f6ac5ede161442ba83f97963ceefb8a - - -] Failed to enable vpn process on router dd50fd6b-d84e-430b-9b5c-b7b5e30b0f9d
2016-07-06 22:17:52.259 21166 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2016-07-06 22:17:52.259 21166 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 293, in enable
2016-07-06 22:17:52.259 21166 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self.start()
2016-07-06 22:17:52.259 21166 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 590, in start
2016-07-06 22:17:52.259 21166 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     ipsec_site_conn['id']
2016-07-06 22:17:52.259 21166 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 396, in _execute
2016-07-06 22:17:52.259 21166 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
2016-07-06 22:17:52.259 21166 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 927, in execute
2016-07-06 22:17:52.259 21166 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     log_fail_as_error=log_fail_as_error, **kwargs)
2016-07-06 22:17:52.259 21166 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 140, in execute
2016-07-06 22:17:52.259 21166 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(msg)
2016-07-06 22:17:52.259 21166 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError: Exit code: 255; Stdin: ; Stdout: Warning: options --defaultroute and --defaultroutenexthop are obsolete and were ignored
2016-07-06 22:17:52.259 21166 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec ; Stderr: connect(pluto_ctl) failed: No such file or directory

Googling took me to https://bugs.launchpad.net/neutron/+bug/1452205 and indeed, comment 6 https://bugs.launchpad.net/neutron/+bug/1452205/comments/6 helped resolve this issue.

But now, I'm still not able to create an IPsec site connection, because when I try, the '/usr/bin/python2 /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf' process eats all of my memory and the 'certutil -N -d sql:/etc/ipsec.d --empty-password' process eats all of my CPU. I don't know how to proceed further. There are no interesting logs in /var/lib/neutron regarding this.


Version-Release number of selected component (if applicable):
openstack-neutron-8.1.2-1.el7.noarch
openstack-neutron-common-8.1.2-1.el7.noarch
openstack-neutron-fwaas-8.0.0-3.el7.noarch
openstack-neutron-lbaas-8.0.0-1.el7.noarch
openstack-neutron-metering-agent-8.1.2-1.el7.noarch
openstack-neutron-ml2-8.1.2-1.el7.noarch
openstack-neutron-openvswitch-8.1.2-1.el7.noarch
openstack-neutron-vpnaas-8.0.0-1.el7.noarch
python-neutron-8.1.2-1.el7.noarch
python-neutronclient-4.1.1-2.el7.noarch
python-neutron-fwaas-8.0.0-3.el7.noarch
python-neutron-lbaas-8.0.0-1.el7.noarch
python-neutron-lib-0.0.2-1.el7.noarch
python-neutron-vpnaas-8.0.0-1.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. deploy openstack with packstack and enable vpnaas in answers.txt file
2. try to create vpnaas

Actual results:
it fails

Expected results:
it doesn't fail

Additional info:

Comment 1 Christopher Brown 2017-06-18 11:55:08 UTC
Hi Peter,

It looks like you haven't had answers to any of these, which isn't great.

Is this one still a problem for you?

Comment 2 Peter Schiffer 2017-06-18 20:27:18 UTC
I'm sorry, I didn't use it in the end, and I'm way over with my PoC :-)

