VPNaaS Missing Required Entries in Config Files
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cisco Openstack | Status tracked in Icehouse | | |
Havana | Fix Released | High | Pradeep Kilambi |
Icehouse | Fix Released | High | Pradeep Kilambi |
Bug Description
In H.2 some of the required entries in various configuration files to enable VPNaaS are not being made.
The entries that are missing include:
/etc/neutron/
[Filters]
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
openswan: CommandFilter, ipsec, root
/etc/neutron/
[DEFAULT]
interface_driver = neutron.
/etc/neutron/
[service_providers]
service_provider = VPN:Vpn:
service_provider = FIREWALL:
I have verified that after puppet runs, the entries above are not in the files. Perhaps some of these are not required, but during a manual configuration of VPNaaS in H.1, adding these entries to the correctly entered entries that do work in H.2, VPNaaS works well and is stable.
Changed in openstack-cisco:
importance: Undecided → High
Changed in openstack-cisco:
assignee: Mark T. Voelker (mvoelker) → Pradeep Kilambi (pkilambi)
Changed in openstack-cisco:
status: Fix Committed → Fix Released
I got all of the debug/verbose stuff I could turned on and started walking
through the VPN config one item at a time and found this:
When you create an Ipsec connection the log yells about the root wrap:
2014-04-03 10:18:27.349 54507 TRACE
neutron.services.vpn.device_drivers.ipsec Stderr:
'/usr/bin/neutron-rootwrap: Unauthorized command: ip netns exec
qrouter-a0ffb720-7858-4da8-89bd-0aab2ca2cef6 ipsec pluto --ctlbase
/var/lib/neutron/ipsec/a0ffb720-7858-4da8-89bd-0aab2ca2cef6/var/run/pluto
--ipsecdir /var/lib/neutron/ipsec/a0ffb720-7858-4da8-89bd-0aab2ca2cef6/etc
--use-netkey --uniqueids --nat_traversal --secretsfile
/var/lib/neutron/ipsec/a0ffb720-7858-4da8-89bd-0aab2ca2cef6/etc/ipsec.secrets --virtual_private %v4:10.10.10.0/24,%v4:10.10.20.0/24 (no filter
matched)\n
Our H.2 does not create an entry in
/etc/neutron/rootwrap.d/vpnaas.filters. The working method I had before
had me add this:
[Filters]
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
openswan: CommandFilter, ipsec, root
The log then changes to a new error I have not seen before which is about
the format of the vpnaas.filters file:
2014-04-03 10:20:48.273 60068 TRACE neutron Stderr: 'Traceback (most
recent call last):\n File "/usr/bin/neutron-rootwrap", line 10, in
<module>\n sys.exit(main())\n File
"/usr/lib/python2.7/dist-packages/neutron/openstack/common/rootwrap/cmd.py", line 109, in main\n filters =
wrapper.load_filters(config.filters_path)\n File
"/usr/lib/python2.7/dist-packages/neutron/openstack/common/rootwrap/wrapper.py", line 114, in load_filters\n
filterconfig.read(os.path.join(filterdir, filterfile))\n File
"/usr/lib/python2.7/ConfigParser.py", line 305, in read\n
self._read(fp, filename)\n File "/usr/lib/python2.7/ConfigParser.py",
line 512, in _read\n raise MissingSectionHeaderError(fpname, lineno,
line)\nConfigParser.MissingSectionHeaderError: File contains no section
headers.\nfile: /etc/neutron/rootwrap.d/vpnaas.filters, line:
1\n\'lters]\\n\'\n'
2014-04-03 10:20:48.273 60068 TRACE neutron
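The two failures in this report (a filter file missing the required entries, and a filter file whose first line is not a section header) can both be caught before neutron-rootwrap loads the file. The check below is an added example, not part of the original report or of the neutron or puppet code; it uses Python 3's `configparser`, and `check_filters` and the sample file bodies are constructed for illustration.

```python
import configparser

# Entries the report lists for the VPNaaS rootwrap filter file.
REQUIRED = {
    "ip": ["IpFilter", "ip", "root"],
    "ip_exec": ["IpNetnsExecFilter", "ip", "root"],
    "openswan": ["CommandFilter", "ipsec", "root"],
}

# Constructed sample file bodies (not taken from a real deployment).
GOOD = ("[Filters]\nip: IpFilter, ip, root\n"
        "ip_exec: IpNetnsExecFilter, ip, root\n"
        "openswan: CommandFilter, ipsec, root\n")
TRUNCATED = GOOD[3:]  # header cut to "lters]", as in the second traceback
INCOMPLETE = "[Filters]\nip: IpFilter, ip, root\nopenswan: CommandFilter, ipsec\n"


def check_filters(text, required=REQUIRED):
    """Return a list of problems in a rootwrap .filters body (empty = OK)."""
    parser = configparser.RawConfigParser()
    try:
        parser.read_string(text)
    except configparser.MissingSectionHeaderError as exc:
        # Data appears before any [section] line, so the file cannot load.
        return ["line %d: no section header before %r" % (exc.lineno, exc.line)]
    except configparser.Error as exc:
        return ["unparseable: %s" % exc]
    if not parser.has_section("Filters"):
        return ["missing [Filters] section"]
    problems = []
    for name, want in required.items():
        if not parser.has_option("Filters", name):
            problems.append("missing entry: %s" % name)
            continue
        got = [part.strip() for part in parser.get("Filters", name).split(",")]
        if got != want:
            # A differing value changes what rootwrap permits; flag it.
            problems.append("unexpected value for %s: %s" % (name, ", ".join(got)))
    return problems


if __name__ == "__main__":
    for label, body in (("good", GOOD), ("truncated", TRUNCATED),
                        ("incomplete", INCOMPLETE)):
        print(label, check_filters(body) or "OK")
```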