Public bug reported:

Currently, the openswan/libreswan pluto process in each router namespace is
restarted when neutron-vpn-agent restarts, because there is no reload
command supported in strongswan.

This is not good, because it impacts the VPN traffic when the vpn-agent
restarts.

Solution:
Each time after pluto starts, keep backup copies of the configuration files
ipsec.conf & ipsec.secrets, named ipsec.conf.old & ipsec.secrets.old.
Then, when a restart is required, check whether the configurations have changed;
if not, the restart can be skipped.
In this way we can simulate a reload method and avoid restarting pluto when the
vpn-agent restarts.


The following is captured from the current devstack setup; we can see that the
pluto process id changed after the vpn-agent restart:

stack@VPN-dev-nick:~$ ps ax | grep ctlbase
21683 ?        Ss     0:00 /usr/lib/ipsec/pluto --ctlbase /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/var/run/pluto --ipsecdir /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/etc --use-netkey --uniqueids --nat_traversal --secretsfile /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/etc/ipsec.secrets --virtual_private %v4:192.168.1.0/24,%v4:192.168.2.0/24


RESTART NEUTRON-VPN-AGENT, CHECK AGAIN:

stack@VPN-dev-nick:~$ ps ax | grep ctlbase
22206 ?        Ss     0:00 /usr/lib/ipsec/pluto --ctlbase /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/var/run/pluto --ipsecdir /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/etc --use-netkey --uniqueids --nat_traversal --secretsfile /opt/stack/data/neutron/ipsec/a83ba62a-5f97-42a3-b489-80c1465a083a/etc/ipsec.secrets --virtual_private %v4:192.168.1.0/24,%v4:192.168.2.0/24
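Editor's added example (not code from the bug report, from neutron, or from the openswan/libreswan project) of the "compare against .old snapshots, skip the restart if nothing changed" check proposed above. It assumes the directory layout visible in the ps output (<ipsecdir>/etc holding ipsec.conf and ipsec.secrets, var/run holding a pid file) and assumes the pid file is the --ctlbase path plus ".pid"; the sample config and PSK lines are constructed. It goes one step beyond the proposal by checking that pluto is still alive before skipping, since an unchanged configuration with a dead pluto should still trigger a restart, and it keeps the ipsec.secrets.old copy at the same restrictive mode as the original because it holds pre-shared keys.

```python
import filecmp
import os
import shutil
import stat
import tempfile

# Files pluto reads from --ipsecdir; the proposal keeps a ".old" copy of each.
CONFIG_FILES = ("ipsec.conf", "ipsec.secrets")
BACKUP_SUFFIX = ".old"

# Constructed sample contents, not taken from any real deployment.
SAMPLE_CONF = (
    "config setup\n"
    "    nat_traversal=yes\n"
    "conn example\n"
    "    left=10.0.0.1\n"
    "    right=10.0.1.1\n"
    "    authby=secret\n"
)
SAMPLE_SECRETS = '10.0.0.1 10.0.1.1 : PSK "constructed-example-psk"\n'


def save_backups(etc_dir):
    """Snapshot each config file to <name>.old right after pluto has started.

    ipsec.secrets holds PSKs, so the copy must not be more readable than the
    original: copy2 preserves mode bits and the chmod re-applies them.
    """
    for name in CONFIG_FILES:
        src = os.path.join(etc_dir, name)
        dst = src + BACKUP_SUFFIX
        shutil.copy2(src, dst)
        os.chmod(dst, stat.S_IMODE(os.stat(src).st_mode))


def config_changed(etc_dir):
    """True if any config differs from its .old snapshot or has no snapshot.

    shallow=False compares contents, not just size/mtime, so a rewrite that
    produced identical bytes counts as unchanged.
    """
    for name in CONFIG_FILES:
        current = os.path.join(etc_dir, name)
        backup = current + BACKUP_SUFFIX
        if not os.path.exists(backup):
            return True
        if not filecmp.cmp(current, backup, shallow=False):
            return True
    return False


def pluto_running(pid_file):
    """Probe the pid recorded in pid_file with signal 0 (no signal delivered)."""
    try:
        with open(pid_file) as fh:
            pid = int(fh.read().strip())
    except (OSError, ValueError):
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but owned by another user
    return True


def decide(etc_dir, pid_file):
    """'skip' only when pluto is alive and its config matches the snapshot."""
    if not pluto_running(pid_file):
        return "restart"
    return "restart" if config_changed(etc_dir) else "skip"


def run_demo():
    """Walk four cases in a throwaway <root>/etc and <root>/var/run layout.

    The pid file name is an assumption (--ctlbase plus ".pid"); this
    process's own pid stands in for a live pluto.
    Returns (decisions, mode bits of the ipsec.secrets.old backup).
    """
    decisions = []
    with tempfile.TemporaryDirectory() as root:
        etc_dir = os.path.join(root, "etc")
        run_dir = os.path.join(root, "var", "run")
        os.makedirs(etc_dir)
        os.makedirs(run_dir)
        pid_file = os.path.join(run_dir, "pluto.pid")

        with open(os.path.join(etc_dir, "ipsec.conf"), "w") as fh:
            fh.write(SAMPLE_CONF)
        secrets = os.path.join(etc_dir, "ipsec.secrets")
        with open(secrets, "w") as fh:
            fh.write(SAMPLE_SECRETS)
        os.chmod(secrets, 0o600)
        with open(pid_file, "w") as fh:
            fh.write(str(os.getpid()))

        decisions.append(decide(etc_dir, pid_file))  # no snapshot yet -> restart
        save_backups(etc_dir)                        # agent snapshots after start
        decisions.append(decide(etc_dir, pid_file))  # unchanged -> skip
        with open(secrets, "a") as fh:               # operator adds a PSK
            fh.write('10.0.0.1 10.0.2.1 : PSK "constructed-second-psk"\n')
        decisions.append(decide(etc_dir, pid_file))  # secrets changed -> restart
        save_backups(etc_dir)
        with open(pid_file, "w") as fh:              # pluto died, pid file empty
            fh.write("")
        decisions.append(decide(etc_dir, pid_file))  # unchanged but dead -> restart

        backup_mode = stat.S_IMODE(os.stat(secrets + BACKUP_SUFFIX).st_mode)
    return decisions, backup_mode


if __name__ == "__main__":
    print(run_demo())
```

Running the module walks the four cases and prints the decisions together with the mode bits of the ipsec.secrets.old copy; in a real agent the snapshot step would run immediately after each pluto start, and the decision step on each vpn-agent restart.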

** Affects: neutron
     Importance: Undecided
     Assignee: Yi Jing Zhu (nick-zhuyj)
         Status: New


** Tags: vpnaas

** Changed in: neutron
     Assignee: (unassigned) => Yi Jing Zhu (nick-zhuyj)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1571455

Title:
  VPNaaS: pluto should not be restarted when neutron-vpn-agent restart

Status in neutron:
  New


-- 
Mailing list: https://launchpad.net/~yahoo-eng-team