I believe it's a neutron-vpnaas bug, not a kolla-ansible bug.
** Also affects: neutron
Importance: Undecided
Status: New
** Changed in: kolla-ansible
Status: New => Incomplete
https://bugs.launchpad.net/bugs/1988574
Title:
vpnaas not working on centos8-stream on xena
Status in kolla-ansible:
Incomplete
Status in neutron:
New
Bug description:
Hello
After configuring the VPN endpoint, the l3 agent has a problem starting
the vpn service:
2022-09-02 13:54:02.390 654 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec [-] Failed to enable vpn
process on router 3659d2d3-5c2e-4097-92dc-08f1567524f5:
neutron_lib.exceptions.ProcessExecutionError: Exit code: 1; Cmd: ['ip',
'netns', 'exec', 'qrouter-3659d2d3-5c2e-4097-92dc-08f1567524f5',
'/var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper',
'--mount_paths=/etc:/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/etc,/var/run:/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/var/run',
'--rootwrap_config=/etc/neutron/rootwrap.conf',
'--cmd=ipsec,_stackmanager,start']; Stdin: ; Stdout: 2022-09-02 13:54:01.673
88268 INFO neutron.common.config [-] Logging enabled!ESC[00m
2022-09-02 13:54:01.674 88268 INFO neutron.common.config [-]
/var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper version 19.3.1.dev44ESC[00m
Command: ['mount', '--bind',
'/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/etc', '/etc'] Exit
code: 0 Stdout: Stderr: 2022-09-02 13:54:01.693 88268 INFO
neutron_vpnaas.services.vpn.common.netns_wrapper [-]
/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/etc has been
bind-mounted in /etcESC[00m
Command: ['mount', '--bind',
'/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/var/run',
'/var/run'] Exit code: 0 Stdout: Stderr: 2022-09-02 13:54:01.714 88268 INFO
neutron_vpnaas.services.vpn.common.netns_wrapper [-]
/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/var/run has been
bind-mounted in /var/runESC[00m
Command: ['ipsec', '_stackmanager', 'start'] Exit code: 1 Stdout: Stderr:
cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:3: syntax error,
unexpected STRING [nat_traversal]
cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:3: syntax error,
unexpected STRING [nat_traversal]
So I applied a workaround, putting the following into
/var/lib/kolla/venv/lib/python3.6/site-packages/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template
    config setup
        #nat_traversal=yes
After that the second problem appeared:
2022-09-02 13:41:35.252 35 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec
[req-aa8d3095-578e-4747-a708-d55d3a4ff889
7a8ec6fc4ec12049bb7f243a354430b4b5ecc5a3fedcdc1c555f1f1a5ce70eb5
715cf7f57a6f47119161fe0654ed8a1c - - -] Failed to enable vpn process on router
3659d2d3-5c2e-4097-92dc-08f1567524f5:
neutron_lib.exceptions.ProcessExecutionError: Exit code: 1; Cmd: ['ip',
'netns', 'exec', 'qrouter-3659d2d3-5c2e-4097-92dc-08f1567524f5',
'/var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper',
'--mount_paths=/etc:/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/etc,/var/run:/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/var/run',
'--rootwrap_config=/etc/neutron/rootwrap.conf',
'--cmd=ipsec,pluto,--use-netkey,--uniqueids']; Stdin: ; Stdout: 2022-09-02
13:41:34.832 14537 INFO neutron.common.config [-] Logging enabled!ESC[00m
2022-09-02 13:41:34.834 14537 INFO neutron.common.config [-]
/var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper version 19.3.1.dev44ESC[00m
Command: ['mount', '--bind',
'/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/etc', '/etc'] Exit
code: 0 Stdout: Stderr: 2022-09-02 13:41:34.845 14537 INFO
neutron_vpnaas.services.vpn.common.netns_wrapper [-]
/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/etc has been
bind-mounted in /etcESC[00m
Command: ['mount', '--bind',
'/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/var/run',
'/var/run'] Exit code: 0 Stdout: Stderr: 2022-09-02 13:41:34.856 14537 INFO
neutron_vpnaas.services.vpn.common.netns_wrapper [-]
/var/lib/neutron/ipsec/3659d2d3-5c2e-4097-92dc-08f1567524f5/var/run has been
bind-mounted in /var/runESC[00m
Command: ['ipsec', 'pluto', '--use-netkey', '--uniqueids'] Exit code: 1
Stdout: Stderr: /usr/libexec/ipsec/pluto: unrecognized option '--use-netkey'
For usage information: /usr/libexec/ipsec/pluto --help
Libreswan 4.5
So I deployed the second workaround in
/var/lib/kolla/venv/lib/python3.6/site-packages/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
    def start_pluto(self):
        cmd = ['pluto',
               '--use-netkey',
               '--uniqueids']
And removed --use-netkey:
    def start_pluto(self):
        cmd = ['pluto',
               '--uniqueids']
After that the vpn endpoint starts working correctly.
It seems there are some problems with the libreswan version.
Image version:
quay.io/openstack.kolla/centos-source-neutron-l3-agent
"build-date": "20220726",
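Added example, not part of the bug report and not neutron-vpnaas code: a small triage script for the two l3-agent failures quoted above. It pulls out the router ID, the command handed to the netns wrapper and the keyword or option the IPsec tooling rejected; the sample log is constructed from the report's lines, and the function and field names are illustrative.

```python
import re

EVENT = re.compile(r"Failed to enable vpn process on router ([0-9a-f-]{36})")
WRAPPED_CMD = re.compile(r"--cmd=([^'\]\s]+)")  # argv handed to the netns wrapper
# Cause name -> (stderr pattern, file the reporter edited as a workaround,
# relative to neutron_vpnaas/services/vpn/).
CAUSES = {
    "config_keyword_rejected": (
        re.compile(r"\S+:\d+: syntax error, unexpected STRING \[(\w+)\]"),
        "device_drivers/template/openswan/ipsec.conf.template"),
    "pluto_option_rejected": (
        re.compile(r"\S+: unrecognized option '([^']+)'"),
        "device_drivers/libreswan_ipsec.py"),
}

# Constructed sample: the two failures from the report, condensed.
SAMPLE_LOG = """\
2022-09-02 13:54:02.390 654 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router 3659d2d3-5c2e-4097-92dc-08f1567524f5: neutron_lib.exceptions.ProcessExecutionError: Exit code: 1; Cmd: ['ip', 'netns', 'exec', 'qrouter-3659d2d3-5c2e-4097-92dc-08f1567524f5', '--cmd=ipsec,_stackmanager,start']; Stdin: ; Stdout:
Command: ['ipsec', '_stackmanager', 'start'] Exit code: 1 Stdout: Stderr:
cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:3: syntax error, unexpected STRING [nat_traversal]
2022-09-02 13:41:35.252 35 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router 3659d2d3-5c2e-4097-92dc-08f1567524f5: neutron_lib.exceptions.ProcessExecutionError: Exit code: 1; Cmd: ['ip', 'netns', 'exec', 'qrouter-3659d2d3-5c2e-4097-92dc-08f1567524f5', '--cmd=ipsec,pluto,--use-netkey,--uniqueids']; Stdin: ; Stdout:
Command: ['ipsec', 'pluto', '--use-netkey', '--uniqueids'] Exit code: 1 Stdout: Stderr: /usr/libexec/ipsec/pluto: unrecognized option '--use-netkey'
"""

def triage(log_text):
    """Return one finding per 'Failed to enable vpn process' event."""
    starts = [m.start() for m in EVENT.finditer(log_text)]
    findings = []
    # Each event runs from its marker to the next marker (or end of log).
    for begin, end in zip(starts, starts[1:] + [len(log_text)]):
        chunk = log_text[begin:end]
        cmd = WRAPPED_CMD.search(chunk)
        finding = {"router": EVENT.match(chunk).group(1),
                   "cmd": cmd.group(1).split(",") if cmd else None,
                   "cause": "unknown", "offender": None, "edit": None}
        for name, (pattern, path) in CAUSES.items():
            hit = pattern.search(chunk)
            if hit:
                finding.update(cause=name, offender=hit.group(1), edit=path)
                break
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["router"], f["cmd"], f["cause"], f["offender"], f["edit"])
```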