[Yahoo-eng-team] [Bug 1456512] [NEW] vpn and l3 agent has a conflict in icehouse.
Public bug reported: The test step: 1. Create subnet named A and B. 2. Create router named A and B. 3. Add subnet A to router A, and set gateway for router A. then do same with B. 4. Create vpn A, the vpn subnet use subnet A, peer gateway use router B's gateway, peer subnet use subnet B. 5. Create vpn B, the vpn subnet use subnet B, peer gateway use router A's gateway, peer subnet use subnet A. then test vpn, the subnet A and B can communicate. But after I restart l3 agent or create a firewall( not rule problems) in the tenant, the subnet A and B can not communicate. I find some issue in the qrouter A or B's iptables nat table: vpn use one chain to prevent the SNAT, but after I restart l3 agent or create a firewall, the chain order has been changed. like this: Chain POSTROUTING (policy ACCEPT 19 packets, 1447 bytes) pkts bytes target prot opt in out source destination 22 1699 neutron-l3-agent-POSTROUTING all – * * 0.0.0.0/0 0.0.0.0/0 28 2167 neutron-postrouting-bottom all – * * 0.0.0.0/0 0.0.0.0/0 26 1999 neutron-vpn-agen-POSTROUTING all – * * 0.0.0.0/0 0.0.0.0/0 Chain neutron-l3-agent-POSTROUTING (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all – !qg-bd458156-6e !qg-bd458156-6e 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT Chain neutron-postrouting-bottom (1 references) pkts bytes target prot opt in out source destination 22 1699 neutron-l3-agent-snat all – * * 0.0.0.0/0 0.0.0.0/0 25 1915 neutron-vpn-agen-snat all – * * 0.0.0.0/0 0.0.0.0/0 Chain neutron-l3-agent-snat (1 references) pkts bytes target prot opt in out source destination 22 1699 neutron-l3-agent-float-snat all – * * 0.0.0.0/0 0.0.0.0/0 2 168 SNAT all – * * 111.111.111.0/24 0.0.0.0/0 to:12.12.12.54 Chain neutron-vpn-agen-POSTROUTING (1 references) pkts bytes target prot opt in out source destination 1 84 ACCEPT all – * * 111.111.111.0/24 123.123.123.0/24 policy match dir out pol ipsec 0 0 ACCEPT all – !qg-bd458156-6e !qg-bd458156-6e 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT Chain neutron-vpn-agen-POSTROUTING (1 references) pkts bytes target prot opt in out source destination 1 84 ACCEPT all – * * 111.111.111.0/24 123.123.123.0/24 policy match dir out pol ipsec 0 0 ACCEPT all – !qg-bd458156-6e !qg-bd458156-6e 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT so the packet has to snat first, and the vpn is failure. ** Affects: neutron Importance: Undecided Status: New ** Tags: vpnaas ** Description changed: The test step: - 1. Create subnet named A and B. - 2. Create router named A and B. - 3. Add subnet A to router A, and set gateway for router A. then do same with B. - 4. Create vpn A, the vpn subnet use subnet A, peer gateway use router B's gateway, peer subnet use subnet B. - 5. Create vpn B, the vpn subnet use subnet B, peer gateway use router A's gateway, peer subnet use subnet A. - - then test vpn, the subnet A and B can communicate. + 1. Create subnet named A and B. + 2. Create router named A and B. + 3. Add subnet A to router A, and set gateway for router A. then do same with B. + 4. Create vpn A, the vpn subnet use subnet A, peer gateway use router B's gateway, peer subnet use subnet B. + 5. Create vpn B, the vpn subnet use subnet B, peer gateway use router A's gateway, peer subnet use subnet A. - But after I restart l3 agent or create a firewall( not rule - problems) in the tenant, the subnet A and B can not communicate. + then test vpn, the subnet A and B can communicate. - I find some issue in the qrouter A or B's iptables nat table: + But after I restart l3 agent or create a firewall( not rule problems) in + the tenant, the subnet A and B can not communicate. - vpn use one chain to prevent the SNAT, but after I restart l3 agent - or create a firewall, the chain order has been changed. + I find some issue in the qrouter A or B's iptables nat table: - like this: + vpn use one chain to prevent the SNAT, but after I restart l3 agent or + create a firewall, the chain order has been changed. + like this: Chain POSTROUTING (policy ACCEPT 19 packets, 1447 bytes) - pkts bytes target prot opt in out source destination - 22 1699 neutron-l3-agent-POSTROUTING all – * * 0.0.0.0/0 0.0.0.0/0 - 28 2167 neutron-postrouting-bottom all – * * 0.0.0.0/0 0.0.0.0/0 + pkts bytes target prot opt in out source destination + 22 1699 neutron-l3-agent-POSTROUTING all – * * 0.0.0.0/0 0.0.0.0/0 + 28 2167 neutron-postrouting-bottom all – * * 0.0.0.0/0 0.0.0.0/0 26 1999 neutron-vpn-agen-POSTROUTING all – * * 0.0.0.0/0 0.0.0.0/0 Chain neutron-l3-agent-POSTROUTING (1 references) - pkts bytes target prot opt in out source destination + pkts bytes target prot opt in out source destination 0 0 ACCEPT all – !qg-bd458156-6e !qg-bd458156-6e 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT Chain neutron-postrouting-bottom (1 references) - pkts bytes target prot opt in out source destination - 22 1699 neutron-l3-agent-snat all – * * 0.0.0.
[Yahoo-eng-team] [Bug 1399114] [NEW] when delete the lb vip, the tap device not be deleted
Public bug reported: Hi all, When I delete the lb vip which is ERROR status, the lbaas namespace tap device not be delete. so when I add a new vip used the same ip address, then It can not access. Because the ip confilict. My neutron version is icehouse. ** Affects: neutron Importance: Undecided Assignee: yangzhenyu (cdyangzhenyu) Status: New ** Changed in: neutron Assignee: (unassigned) => yangzhenyu (cdyangzhenyu) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1399114 Title: when delete the lb vip, the tap device not be deleted Status in OpenStack Neutron (virtual network service): New Bug description: Hi all, When I delete the lb vip which is ERROR status, the lbaas namespace tap device not be delete. so when I add a new vip used the same ip address, then It can not access. Because the ip confilict. My neutron version is icehouse. To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1399114/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1398267] [NEW] when restart the vpn and l3 agent, the firewall rule apply to all tenants' router.
Public bug reported:
Hi all:
when restart the vpn and l3 agent, the firewall rule apply to all tenants'
router.
step:
1. Create network and router in A and B tenant.
2. Create a firewall in A tenant.
3. Restart vpn and l3 agent serivce.
4. ip netns exec qrouter-B_router_uuid iptables -L -t filter -vn
Then I find the firewall rule in chain neutron-l3-agent-FORWARD and
neutron-vpn-agen-FORWARD.
So I debug the code,and add some code in
neutron/services/firewall/agents/l3reference/firewall_l3_agent.py :
def _process_router_add(self, ri):
"""On router add, get fw with rules from plugin and update driver."""
LOG.debug(_("Process router add, router_id: '%s'"), ri.router['id'])
routers = []
routers.append(ri.router)
router_info_list = self._get_router_info_list_for_tenant(
routers,
ri.router['tenant_id'])
if router_info_list:
# Get the firewall with rules
# for the tenant the router is on.
ctx = context.Context('', ri.router['tenant_id'])
fw_list = self.fwplugin_rpc.get_firewalls_for_tenant(ctx)
LOG.debug(_("Process router add, fw_list: '%s'"),
[fw['id'] for fw in fw_list])
for fw in fw_list:
+if fw['tenant_id'] == ri.router['tenant_id']:
self._invoke_driver_for_sync_from_plugin(
ctx,
router_info_list,
fw)
My neutron version is icehouse.
** Affects: neutron
Importance: Undecided
Status: New
** Description changed:
Hi all:
-when restart the vpn and l3 agent, the firewall rule apply to all
tenants' router.
-step:
-1. Create network and router in A and B tenant.
-2. Create a firewall in A tenant.
-3. Restart vpn and l3 agent serivce.
-4. ip netns exec qrouter-B_router_uuid iptables -L -t filter -vn
- Then i find the firewall rule in chain neutron-l3-agent-FORWARD and
neutron-vpn-agen-FORWARD.
+ when restart the vpn and l3 agent, the firewall rule apply to all tenants'
router.
+ step:
+ 1. Create network and router in A and B tenant.
+ 2. Create a firewall in A tenant.
+ 3. Restart vpn and l3 agent serivce.
+ 4. ip netns exec qrouter-B_router_uuid iptables -L -t filter -vn Then I
find the firewall rule in chain neutron-l3-agent-FORWARD and
neutron-vpn-agen-FORWARD.
- so I debug the code,and add some code in
neutron/services/firewall/agents/l3reference/firewall_l3_agent.py :
-
- def _process_router_add(self, ri):
- """On router add, get fw with rules from plugin and update driver."""
- LOG.debug(_("Process router add, router_id: '%s'"), ri.router['id'])
- routers = []
- routers.append(ri.router)
- router_info_list = self._get_router_info_list_for_tenant(
- routers,
- ri.router['tenant_id'])
- if router_info_list:
- # Get the firewall with rules
- # for the tenant the router is on.
- ctx = context.Context('', ri.router['tenant_id'])
- fw_list = self.fwplugin_rpc.get_firewalls_for_tenant(ctx)
- LOG.debug(_("Process router add, fw_list: '%s'"),
- [fw['id'] for fw in fw_list])
- for fw in fw_list:
- +++if fw['tenant_id'] == ri.router['tenant_id']:
-self._invoke_driver_for_sync_from_plugin(
- ctx,
- router_info_list,
- fw)
+ so I debug the code,and add some code in
+ neutron/services/firewall/agents/l3reference/firewall_l3_agent.py :
+
+ def _process_router_add(self, ri):
+ """On router add, get fw with rules from plugin and update driver."""
+ LOG.debug(_("Process router add, router_id: '%s'"), ri.router['id'])
+ routers = []
+ routers.append(ri.router)
+ router_info_list = self._get_router_info_list_for_tenant(
+ routers,
+ ri.router['tenant_id'])
+ if router_info_list:
+ # Get the firewall with rules
+ # for the tenant the router is on.
+ ctx = context.Context('', ri.router['tenant_id'])
+ fw_list = self.fwplugin_rpc.get_firewalls_for_tenant(ctx)
+ LOG.debug(_("Process router add, fw_list: '%s'"),
+ [fw['id'] for fw in fw_list])
+ for fw in fw_list:
+ +if fw['tenant_id'] == ri.router['tenant_id']:
+ self._invoke_driver_for_sync_from_plugin(
+ ctx,
+ router_info_list,
+ fw)
+
+ My neutron version is icehouse.
** Description changed:
Hi all:
when restart the vpn and l3 agent, the firewall rule apply to all tenants'
router.
step:
1. Create net
[Yahoo-eng-team] [Bug 1397231] [NEW] Can't create the second vpn-site-conn
Public bug reported:
Hi all,
I can't create the second vpn-site-conn, and restart the vpnaas also has
this error:
==
2014-11-28 01:29:09.791 6215 ERROR neutron.services.vpn.device_drivers.ipsec
[-] Failed to enable vpn process on router e78e9837-4458-48d7-9ab5-e4acdf1789ce
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
Traceback (most recent call last):
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
File
"/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py",
line 245, in enable
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
self.restart()
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
File
"/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py",
line 345, in restart
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
self.start()
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
File
"/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py",
line 390, in start
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
'--virtual_private', virtual_private
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
File
"/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py",
line 317, in _execute
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
check_exit_code=check_exit_code)
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
File "/usr/lib/python2.6/site-packages/neutron/agent/linux/ip_lib.py", line
466, in execute
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
check_exit_code=check_exit_code)
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
File "/usr/lib/python2.6/site-packages/neutron/agent/linux/utils.py", line 76,
in execute
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
raise RuntimeError(m)
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
RuntimeError:
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip',
'netns', exec', 'qrouter-e78e9837-4458-48d7-9ab5-e4acdf1789ce', 'ipsec',
'pluto', '--ctlbase',
'/var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/var/run/pluto',
'--ipsecdir','/var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/etc',
'--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile',
/var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/etc/ipsec.secrets','--virtual_private',
'%v4:22.22.22.0/24,%v4:11.11.11.0/24']
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
Exit code: 10
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
Stdout: ''
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
Stderr: 'adjusting ipsec.d to
/var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/etc\npluto:lock
file
"/var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/var/run/pluto.pid"
already exists\n'
==
My env is openstack icehouse and system is centos 6.5.
I add some code then it is ok:
def stop(self):
#Stop process using whack
#Note this will also stop pluto
self.disconnect()
self._execute([self.binary,
'whack',
'--ctlbase', self.pid_path,
'--shutdown',
])
#delete the pid file
+ pid_file = self.pid_path + '.pid'
+ if os.path.exists(pid_file):
++os.remove(pid_file)
#clean connection_status info
self.connection_status = {}
** Affects: neutron
Importance: Undecided
Status: New
** Description changed:
Hi all,
- I can't create the second vpn-site-conn, and restart the vpnaas also
has this error:
+ I can't create the second vpn-site-conn, and restart the vpnaas also
has this error:
+
==
2014-11-28 01:29:09.791 6215 ERROR neutron.services.vpn.device_drivers.ipsec
[-] Failed to enable vpn process on router e78e9837-4458-48d7-9ab5-e4acdf1789ce
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
Traceback (most recent call last):
2014-11-28 01:29:09.791 6215 TRACE neutron.services.vpn.device_drivers.ipsec
File
"/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py",
line 245, in enable
2014-11-28 01:29:09.791 6215 TR
[Yahoo-eng-team] [Bug 1319661] [NEW] baremetal:”tftp prefix“ can cause the “cloud not find kernel image”
Public bug reported: hi, I boot a baremetal instance, but it has a error "could not find a kernel image" in the PXE . I check the file "/tftpboot/UUID/config": label deploy kernel /tftpboot/8cbe34a2-d7d0-44b2-a148-adb7d23bb3fb/deploy_kernel so I modify it : label deploy kernel 8cbe34a2-d7d0-44b2-a148-adb7d23bb3fb/deploy_kernel and then the PXE can work ok. My version is Havana. ** Affects: nova Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1319661 Title: baremetal:”tftp prefix“ can cause the “cloud not find kernel image” Status in OpenStack Compute (Nova): New Bug description: hi, I boot a baremetal instance, but it has a error "could not find a kernel image" in the PXE . I check the file "/tftpboot/UUID/config": label deploy kernel /tftpboot/8cbe34a2-d7d0-44b2-a148-adb7d23bb3fb/deploy_kernel so I modify it : label deploy kernel 8cbe34a2-d7d0-44b2-a148-adb7d23bb3fb/deploy_kernel and then the PXE can work ok. My version is Havana. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1319661/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
