[Yahoo-eng-team] [Bug 1637972] [NEW] VPNaaS: report_state fails by key error 'tenant_id'
Public bug reported:

When creating ipsec-site-connection, the error KeyError: 'tenant_id' occurred in vpn agent.

Operation:

$ neutron ipsec-site-connection-create --peer-cidr 192.168.91.0/24 --peer-id 192.168.7.4 --peer-address 192.168.7.4 --psk ps --vpnservice-id service1 --ikepolicy-id ike1 --ipsecpolicy-id ipsec1 --name test1 --dpd action=disabled
Created a new ipsec_site_connection:
+-------------------+--------------------------------------------------------+
| Field             | Value                                                  |
+-------------------+--------------------------------------------------------+
| admin_state_up    | True                                                   |
| auth_mode         | psk                                                    |
| description       |                                                        |
| dpd               | {"action": "disabled", "interval": 30, "timeout": 120} |
| id                | 298a689b-428b-45fd-a868-2d4738d59eb1                   |
| ikepolicy_id      | be1f92ab-8064-4328-8862-777ae6878691                   |
| initiator         | bi-directional                                         |
| ipsecpolicy_id    | 09c67ae8-6ede-47ca-a15b-c52be1d7feaf                   |
| local_ep_group_id |                                                        |
| local_id          |                                                        |
| mtu               | 1500                                                   |
| name              | test1                                                  |
| peer_address      | 192.168.7.4                                            |
| peer_cidrs        | 192.168.91.0/24                                        |
| peer_ep_group_id  |                                                        |
| peer_id           | 192.168.7.4                                            |
| project_id        | 068a47c758ae4b5d9fab059539e57740                       |
| psk               | ps                                                     |
| route_mode        | static                                                 |
| status            | PENDING_CREATE                                         |
| tenant_id         | 068a47c758ae4b5d9fab059539e57740                       |
| vpnservice_id     | 4f82612c-5e3a-4699-aafa-bdfa5ede31fe                   |
+-------------------+--------------------------------------------------------+

Error log in vpn agent:

2016-10-31 19:24:15.591 ERROR oslo_messaging.rpc.server [req-169503b5-edbc-46a9-8ded-03b5b5d278ea demo 068a47c758ae4b5d9fab059539e57740] Exception during message handling
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server Traceback (most recent call last):
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server   File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/server.py", line 155, in _process_incoming
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server     res = self.dispatcher.dispatch(message)
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server   File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 225, in dispatch
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server     return self._do_dispatch(endpoint, method, ctxt, args)
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server   File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 195, in _do_dispatch
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server     result = func(ctxt, **new_args)
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 884, in vpnservice_updated
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server     self.sync(context, [router] if router else [])
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server   File "/usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py", line 271, in inner
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server     return f(*args, **kwargs)
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 1050, in sync
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server     self.report_status(context)
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 1006, in report_status
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server     if not self.should_be_reported(context, process):
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 1000, in should_be_reported
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server     process.vpnservice["tenant_id"] == context.tenant_id):
2016-10-31 19:24:15.591 TRACE oslo_messaging.rpc.server KeyError: 'tenant_id'
2016-10-31 1
[Yahoo-eng-team] [Bug 1633941] [NEW] VPNaaS: peer-cidr validation is invalid
Public bug reported:

When creating ipsec-site-connection in VPNaaS, it looks like peer-cidr validation is invalid. The cidr format like "10/8" should be rejected like cidr in subnet resources but it is accepted like the following:

$ neutron ipsec-site-connection-create --vpnservice-id service1 --ikepolicy-id ike1 --ipsecpolicy-id ipsec1 --peer-id 192.168.7.1 --peer-address 192.168.7.1 --peer-cidr 10/8 --psk pass
Created a new ipsec_site_connection:
+-------------------+--------------------------------------------------------+
| Field             | Value                                                  |
+-------------------+--------------------------------------------------------+
| admin_state_up    | True                                                   |
| auth_mode         | psk                                                    |
| description       |                                                        |
| dpd               | {"action": "hold", "interval": 30, "timeout": 120}     |
| id                | 2bed308f-5462-45bb-ae79-5cb9003424ef                   |
| ikepolicy_id      | be1f92ab-8064-4328-8862-777ae6878691                   |
| initiator         | bi-directional                                         |
| ipsecpolicy_id    | 09c67ae8-6ede-47ca-a15b-c52be1d7feaf                   |
| local_ep_group_id |                                                        |
| local_id          |                                                        |
| mtu               | 1500                                                   |
| name              |                                                        |
| peer_address      | 192.168.7.1                                            |
| peer_cidrs        | 10/8                                                   |
| peer_ep_group_id  |                                                        |
| peer_id           | 192.168.7.1                                            |
| project_id        | 068a47c758ae4b5d9fab059539e57740                       |
| psk               | pass                                                   |
| route_mode        | static                                                 |
| status            | PENDING_CREATE                                         |
| tenant_id         | 068a47c758ae4b5d9fab059539e57740                       |
| vpnservice_id     | 4f82612c-5e3a-4699-aafa-bdfa5ede31fe                   |
+-------------------+--------------------------------------------------------+

I think this is because _validate_subnet_list_or_none method in neutron_vpnaas.extensions.vpnaas doesn't return the result.

** Affects: neutron
   Importance: Undecided
   Status: New

** Tags: vpnaas

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1633941

Title: VPNaaS: peer-cidr validation is invalid

Status in neutron: New
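The failure mode suspected in the report above, sketched as an added example (not code from neutron-vpnaas or from the reporter). It assumes the common validator convention of returning None for valid data and an error string otherwise; all function names are hypothetical stand-ins, and strictness comes from Python's `ipaddress` module rather than neutron's own checks.

```python
import ipaddress

# Convention modelled here: a validator returns None when the data is
# acceptable and an error string when it is not.

def validate_cidr(data):
    """Strict check: only full 'a.b.c.d/len' (or IPv6) notation passes."""
    if not isinstance(data, str) or "/" not in data:
        return "'%s' is not a valid CIDR" % (data,)
    try:
        ipaddress.ip_network(data, strict=False)
    except ValueError:
        return "'%s' is not a valid CIDR" % (data,)
    return None

def validate_cidr_list(data):
    if not isinstance(data, list):
        return "'%s' is not a list" % (data,)
    for item in data:
        msg = validate_cidr(item)
        if msg:
            return msg
    return None

def list_or_none_buggy(data):
    # Hypothetical stand-in for the suspected defect: the inner validator
    # runs, but its verdict is dropped, so the caller always sees None.
    if data is not None:
        validate_cidr_list(data)

def list_or_none_fixed(data):
    if data is not None:
        return validate_cidr_list(data)
    return None

# Constructed negative cases; "10/8" is the value from the report.
BAD_PEER_CIDRS = [["10/8"], ["192.168.91.0/33"], ["not-a-cidr"], "10.0.0.0/8"]

def wrongly_accepted(validator, bad_samples=BAD_PEER_CIDRS):
    """Negative test: return every invalid sample the validator lets through."""
    return [s for s in bad_samples if validator(s) is None]

if __name__ == "__main__":
    print("buggy accepts:", wrongly_accepted(list_or_none_buggy))
    print("fixed accepts:", wrongly_accepted(list_or_none_fixed))
```

A negative test of this shape, run against every "or none" wrapper, catches a dropped return value that positive tests never exercise.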
[Yahoo-eng-team] [Bug 1501661] Re: devstack launches lbaas agent unnecessarily
I think LBaaS devstack plugin should have a parameter in order to disable LBaaS agent for service drivers which don't need the agent like Midonet.

** Also affects: neutron
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1501661

Title: devstack launches lbaas agent unnecessarily

Status in networking-midonet: Confirmed
Status in neutron: New

Bug description:
devstack launches neutron lbaas agent unnecessarily. The agent is not necessary for midonet.
[Yahoo-eng-team] [Bug 1478604] [NEW] VPNaaS: openswan process isn't stopped at removing the router from l3 agent
Public bug reported:

When removing a router from l3 agent, the openswan process on its router isn't stopped though the router's network namespace is deleted. I think the process should be stopped at least because it increases abandoned openswan processes.

Reproduce procedure:

I found this problem at the following devstack environment:

stack@ubuntu-com1:~/devstack$ git show
commit 9cdde34319feffc7f1e27a4ffea43eae40eb6536

The operation I did is as follows:

1) Create "IPsecSiteConnection" resource

The namespaces including the openswan process were as follows:

root@ubuntu-com1:~# ip netns | grep 82174423-af6a-4c0d-b637-d34fa7a6b24b
qrouter-82174423-af6a-4c0d-b637-d34fa7a6b24b

The openswan process on 82174423-af6a-4c0d-b637-d34fa7a6b24b was running like the following:

root@ubuntu-com1:~# ps aux | grep ipsec/82174423-af6a-4c0d-b637-d34fa7a6b24b
root 5183 0.0 0.0 94072 3992 ? Ss 18:46 0:00 /usr/lib/ipsec/pluto --ctlbase /opt/stack/data/neutron/ipsec/82174423-af6a-4c0d-b637-d34fa7a6b24b/var/run/pluto --ipsecdir /opt/stack/data/neutron/ipsec/82174423-af6a-4c0d-b637-d34fa7a6b24b/etc --use-netkey --uniqueids --nat_traversal --secretsfile /opt/stack/data/neutron/ipsec/82174423-af6a-4c0d-b637-d34fa7a6b24b/etc/ipsec.secrets --virtual_private %v4:172.16.200.0/24,%v4:172.16.100.0/24
root 12553 0.0 0.0 11884 2204 pts/18 S+ 23:19 0:00 grep --color=auto ipsec/82174423-af6a-4c0d-b637-d34fa7a6b24

2) Remove router which includes the 1)'s resource from the l3 agent

I removed 82174423-af6a-4c0d-b637-d34fa7a6b24b from the l3 agent by "neutron l3-agent-router-remove" cli. The namespaces on the node are as follows:

stack@ubuntu-com1:~$ ip netns | grep 82174423-af6a-4c0d-b637-d34fa7a6b24b
stack@ubuntu-com1:~$

3) Check processes on the node with 2)'s l3 agent

The openswan process was still running like the following:

stack@ubuntu-com1:~$ ps aux | grep ipsec/82174423-af6a-4c0d-b637-d34fa7a6b24b
root 5183 0.0 0.0 94072 3992 ? Ss 18:46 0:00 /usr/lib/ipsec/pluto --ctlbase /opt/stack/data/neutron/ipsec/82174423-af6a-4c0d-b637-d34fa7a6b24b/var/run/pluto --ipsecdir /opt/stack/data/neutron/ipsec/82174423-af6a-4c0d-b637-d34fa7a6b24b/etc --use-netkey --uniqueids --nat_traversal --secretsfile /opt/stack/data/neutron/ipsec/82174423-af6a-4c0d-b637-d34fa7a6b24b/etc/ipsec.secrets --virtual_private %v4:172.16.200.0/24,%v4:172.16.100.0/24

In the vpn agent log, the following error message was output:

2015-07-27 23:20:57.415 ^[[00;32mDEBUG oslo_concurrency.lockutils Releasing semaphore "iptables-qrouter-82174423-af6a-4c0d-b637-d34fa7a6b24b" from (pid=19216) lock /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:210
2015-07-27 23:20:57.415 ERROR neutron.callbacks.manager Error during notification for neutron_vpnaas.services.vpn.vpn_service.router_removed_actions router, after_delete .
2015-07-27 23:20:57.415 TRACE neutron.callbacks.manager Command: ['ip', 'netns', 'exec', u'qrouter-82174423-af6a-4c0d-b637-d34fa7a6b24b', 'iptables-save', '-c']
2015-07-27 23:20:57.415 TRACE neutron.callbacks.manager Exit code: 1
2015-07-27 23:20:57.415 TRACE neutron.callbacks.manager Stdin:
2015-07-27 23:20:57.415 TRACE neutron.callbacks.manager Stdout:
2015-07-27 23:20:57.415 TRACE neutron.callbacks.manager Stderr: Cannot open network namespace "qrouter-82174423-af6a-4c0d-b637-d34fa7a6b24b": No such file or directory

** Affects: neutron
   Importance: Undecided
   Assignee: Hiroyuki Ito (ito-hiroyuki-01)
   Status: New

** Changed in: neutron
   Assignee: (unassigned) => Hiroyuki Ito (ito-hiroyuki-01)

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1478604

Title: VPNaaS: openswan process isn't stopped at removing the router from l3 agent

Status in neutron: New
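An operator-side check for the condition reported above, as an added example that is not part of the original report or of neutron-vpnaas: it pairs `ps` output with `ip netns` output and lists pluto daemons whose qrouter namespace no longer exists. The function names are hypothetical and the sample text is constructed, modelled on the output quoted in the report.

```python
import re

# pluto's --ctlbase path embeds the router id, as in the ps output in the
# report: .../ipsec/<router-id>/var/run/pluto
CTLBASE_RE = re.compile(r"/pluto\s.*--ctlbase\s+\S*/ipsec/([0-9a-f-]{36})/")

def live_routers(netns_output):
    """Router ids that still have a qrouter-<id> namespace."""
    ids = set()
    for line in netns_output.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("qrouter-"):
            ids.add(fields[0][len("qrouter-"):])
    return ids

def orphaned_pluto(ps_output, netns_output):
    """Return [(pid, router_id)] for pluto daemons whose namespace is gone."""
    live = live_routers(netns_output)
    orphans = []
    for line in ps_output.splitlines():
        match = CTLBASE_RE.search(line)
        if match and match.group(1) not in live:
            orphans.append((int(line.split()[1]), match.group(1)))
    return orphans

# Constructed sample: the first router id is the one from the report, the
# second is made up and still has its namespace.
GONE = "82174423-af6a-4c0d-b637-d34fa7a6b24b"
ALIVE = "11111111-2222-3333-4444-555555555555"
BASE = "/opt/stack/data/neutron/ipsec/"
PS_SAMPLE = "\n".join([
    "root 5183 0.0 0.0 94072 3992 ? Ss 18:46 0:00 /usr/lib/ipsec/pluto "
    "--ctlbase " + BASE + GONE + "/var/run/pluto --use-netkey",
    "root 6001 0.0 0.0 94072 3992 ? Ss 18:50 0:00 /usr/lib/ipsec/pluto "
    "--ctlbase " + BASE + ALIVE + "/var/run/pluto --use-netkey",
    "root 12553 0.0 0.0 11884 2204 pts/18 S+ 23:19 0:00 grep ipsec/" + GONE,
])
NETNS_SAMPLE = "qrouter-" + ALIVE + "\nqdhcp-" + ALIVE + "\n"

if __name__ == "__main__":
    for pid, router in orphaned_pluto(PS_SAMPLE, NETNS_SAMPLE):
        print("orphaned pluto pid %d for router %s" % (pid, router))
```

Each hit is a root-owned IPsec daemon that outlived its router namespace and still references that router's ipsec.secrets file.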