Ohh, thanks for the pointer, now I see the
${neutron_git}/etc/neutron/rootwrap.d/vpnaas.filters and it solves this
issue, closing this bug.

** Changed in: neutron
       Status: New => Invalid

https://bugs.launchpad.net/bugs/1253681

Title:
  Newly-created VPNaaS objects remain in PENDING_CREATE because neutron
  vpn agent is unauthorized to run openswan's ipsec command

Status in OpenStack Neutron (virtual network service):
  Invalid

Bug description:
  Version
  =======
  Havana on rhel

  Description
  ===========
  I've created ike and ipsec policies, vpn service and ipsec site connections with almost all params set as default. It seems like the neutron vpn agent fails to run the openswan's ipsec command; the vpn service and the ipsec site connections remain in PENDING_CREATE status:

  
  2013-11-21 17:15:15.526 6112 WARNING neutron.context [-] Arguments dropped when creating context: {'project_id': u'1532b0139c4f49298dee924500761e6d'}
  2013-11-21 17:15:16.635 6112 ERROR neutron.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router e8b2c574-0b11-4c96-bed4-731ae6cf0a90
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Traceback (most recent call last):
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 241, in enable
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec     self.start()
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 382, in start
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec     '--virtual_private', virtual_private
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 311, in _execute
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec     check_exit_code=check_exit_code)
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.6/site-packages/neutron/agent/linux/ip_lib.py", line 458, in execute
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec     check_exit_code=check_exit_code)
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.6/site-packages/neutron/agent/linux/utils.py", line 62, in execute
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec RuntimeError:
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-e8b2c574-0b11-4c96-bed4-731ae6cf0a90', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc/ipsec.secrets', '--virtual_private', '%v4:10.35.214.0/24,%v4:10.35.214.0/24']
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Exit code: 99
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Stdout: ''
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: '/usr/bin/neutron-rootwrap: Unauthorized command: ip netns exec qrouter-e8b2c574-0b11-4c96-bed4-731ae6cf0a90 ipsec pluto --ctlbase /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc --use-netkey --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/etc/ipsec.secrets --virtual_private %v4:10.35.214.0/24,%v4:10.35.214.0/24 (no filter matched)\n'
  2013-11-21 17:15:16.635 6112 TRACE neutron.services.vpn.device_drivers.ipsec
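
The "no filter matched" rejection above, reproduced as an added example (not code from this bug report or from rootwrap itself): a simplified model of how a chained `ip netns exec` command is only authorized when the wrapped executable also has its own filter. The filter file contents and the function names are assumptions made for illustration; compare against the vpnaas.filters actually installed on the node.

```python
import configparser
import shlex

# Constructed filter files. L3_FILTERS stands in for a node that lacks the
# VPNaaS filters; VPNAAS_FILTERS is an assumed vpnaas.filters-style file.
L3_FILTERS = """[Filters]
ip_exec: IpNetnsExecFilter, ip, root
"""
VPNAAS_FILTERS = """[Filters]
ip_exec: IpNetnsExecFilter, ip, root
openswan: CommandFilter, ipsec, root
"""
# Stderr text shortened from the traceback in the bug description.
STDERR = (
    "/usr/bin/neutron-rootwrap: Unauthorized command: ip netns exec "
    "qrouter-e8b2c574-0b11-4c96-bed4-731ae6cf0a90 ipsec pluto --ctlbase "
    "/var/lib/neutron/ipsec/e8b2c574-0b11-4c96-bed4-731ae6cf0a90/var/run/pluto "
    "--use-netkey --uniqueids (no filter matched)\n"
)

def load_filters(*ini_texts):
    """Return a list of (filter_class, executable) from [Filters] sections."""
    rules = []
    for text in ini_texts:
        parser = configparser.RawConfigParser()
        parser.read_string(text)
        for _name, value in parser.items("Filters"):
            cls, exe = [part.strip() for part in value.split(",")][:2]
            rules.append((cls, exe))
    return rules

def rejected_command(stderr):
    """Extract the argv that rootwrap refused, or None if not a rejection."""
    marker = "Unauthorized command: "
    if marker not in stderr:
        return None
    tail = stderr.split(marker, 1)[1]
    return shlex.split(tail.rsplit(" (", 1)[0])

def is_authorized(argv, rules):
    """Simplified model: a netns-exec wrapper passes only if the wrapped
    command is itself allowed by a CommandFilter."""
    def plain(args):
        return bool(args) and ("CommandFilter", args[0]) in rules
    if argv[:3] == ["ip", "netns", "exec"]:
        return ("IpNetnsExecFilter", "ip") in rules and plain(argv[4:])
    return plain(argv)

if __name__ == "__main__":
    cmd = rejected_command(STDERR)
    print("wrapped executable:", cmd[4])
    print("l3 only:", is_authorized(cmd, load_filters(L3_FILTERS)))
    print("with vpnaas:", is_authorized(cmd, load_filters(L3_FILTERS, VPNAAS_FILTERS)))
```
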
