[VPNAAS] No start possible without rootwrap

Bug #1970948 reported by Justin Lamp
Affects: neutron; Status: Confirmed; Importance: Undecided; Assigned to: Unassigned

Bug Description

Please bear with me this is my first bug report. :)

When agent.root_helper is not set, the strongswan ipsec device driver will fail to start as the vpn_netns_agent does not like being started with '' as one of the options before --cmd.

The result:
['sudo', 'ip', 'netns', 'exec', 'qvpn-be40f416-99c5-4e58-a568-b8f691caf7c8', '/var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper', '--mount_paths=/etc:/var/lib/neutron/ipsec/be40f416-99c5-4e58-a568-b8f691caf7c8/etc,/var/run:/var/lib/neutron/ipsec/be40f416-99c5-4e58-a568-b8f691caf7c8/var/run', '', '--cmd=ipsec,start']

The (easy) patch:

diff --git a/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py b/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
index 708952a1f..c719d3591 100644
--- a/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
@@ -111,15 +111,25 @@ class StrongSwanProcess(ipsec.BaseSwanProcess):
         """
         ip_wrapper = ip_lib.IPWrapper(namespace=self.namespace)
         ns_wrapper = self.get_ns_wrapper()
- return ip_wrapper.netns.execute(
- [ns_wrapper,
- '--mount_paths=/etc:%s/etc,%s:%s/var/run' % (
- self.config_dir, self._strongswan_piddir, self.config_dir),
- ('--rootwrap_config=%s' % self._rootwrap_cfg
- if self._rootwrap_cfg else ''),
- '--cmd=%s' % ','.join(cmd)],
- check_exit_code=check_exit_code,
- extra_ok_codes=extra_ok_codes)
+
+ if self._rootwrap_cfg:
+ return ip_wrapper.netns.execute(
+ [ns_wrapper,
+ '--mount_paths=/etc:%s/etc,%s:%s/var/run' % (
+ self.config_dir, self._strongswan_piddir, self.config_dir),
+ '--rootwrap_config=%s' % self._rootwrap_cfg,
+ '--cmd=%s' % ','.join(cmd)],
+ check_exit_code=check_exit_code,
+ extra_ok_codes=extra_ok_codes)
+ else:
+ return ip_wrapper.netns.execute(
+ [ns_wrapper,
+ '--mount_paths=/etc:%s/etc,%s:%s/var/run' % (
+ self.config_dir, self._strongswan_piddir, self.config_dir),
+ '--cmd=%s' % ','.join(cmd)],
+ check_exit_code=check_exit_code,
+ extra_ok_codes=extra_ok_codes)
+

     def copy_and_overwrite(self, from_path, to_path):
         # NOTE(toabctl): the agent may run as non-root user, so rm/copy as root
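Review bot: the `if self._rootwrap_cfg:` / `else:` branches duplicate the entire `ip_wrapper.netns.execute(...)` call and differ by one list element; build the argument list once and append `'--rootwrap_config=%s' % self._rootwrap_cfg` only when it is set, which removes the `''` placeholder from the original code without the copy-and-paste. Two smaller points: the `else:` branch silently runs the wrapper without rootwrap, so a warning log there would make the misconfiguration visible instead of failing inside the wrapper, and the pasted hunk has lost the leading indentation of its `-`/`+` lines, so it will not apply as shown.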

Tags: vpnaas
Justin Lamp (modzilla)
tags: added: vpnaas
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello Justin:

Thanks for reporting this bug and welcome.

The solution you are providing could be valid as a quick fix for this specific problem. However, my suggestion is to first try to refactor the "neutron-vpn-netns-wrapper" script. This is just, if I'm not wrong, a namespace wrapper. We have methods to execute commands inside namespaces and libraries to execute long-term scripts that could run inside namespaces.

If I'm not wrong, the "ipsec" commands return immediately (ipsec start, ipsec reload, rereadsecrets, etc.). You can implement those commands using "privsep".

But please, take this as a recommendation, nothing else.

Regards.

Justin Lamp (modzilla) wrote :

Hi Rodolfo,

Thank you. Yes, you're totally right, we have since done just that. But it threw us for a loop and had us debugging the code. Since the specific if statement does not work as is, I thought it might be worthwhile to fix it or at least throw out an understandable error. That would have made troubleshooting much, much easier. Something like:

WARNING rootwrap is not set, this might result in unexpected behaviour

Best regards
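The defect in the bug description (an empty string substituted into the argv when no rootwrap config is set) and the warning suggested in the comment above can be illustrated together. The block below is an added example, not code from neutron-vpnaas: it builds the wrapper argument list without ever emitting `''`, logs a warning when rootwrap is not configured, and uses a small argparse-based stand-in (an assumption, not the real wrapper's option parser) to show where a stray `''` ends up. The paths and router id are constructed placeholders.

```python
import argparse
import logging

LOG = logging.getLogger(__name__)

# Constructed stand-ins for the driver's attributes (not values from the bug).
NS_WRAPPER = '/var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper'
CONFIG_DIR = '/var/lib/neutron/ipsec/EXAMPLE-ROUTER-ID'
PID_DIR = '/var/run'


def build_wrapper_args(ns_wrapper, config_dir, piddir, rootwrap_cfg, cmd):
    """Build the argv for the namespace wrapper without an empty placeholder.

    The optional --rootwrap_config flag is appended only when a rootwrap
    config is set; nothing is substituted for it otherwise.
    """
    args = [
        ns_wrapper,
        '--mount_paths=/etc:%s/etc,%s:%s/var/run' % (config_dir, piddir, config_dir),
    ]
    if rootwrap_cfg:
        args.append('--rootwrap_config=%s' % rootwrap_cfg)
    else:
        # Surface the misconfiguration here instead of failing inside the wrapper.
        LOG.warning('rootwrap config is not set; the netns wrapper will run %s '
                    'without rootwrap, which may result in unexpected behaviour',
                    cmd)
    args.append('--cmd=%s' % ','.join(cmd))
    return args


def empty_arg_positions(argv):
    """Return the indexes of empty-string elements, i.e. the reported defect."""
    return [i for i, a in enumerate(argv) if a == '']


def toy_wrapper_parse(argv):
    """Hypothetical stand-in for the wrapper's option parser (argparse here).

    Returns the parsed options and the leftover arguments the parser could not
    place. An empty string is neither an option nor a declared positional, so
    it lands in the leftovers, which is the kind of failure the bug describes.
    """
    parser = argparse.ArgumentParser(prog='neutron-vpn-netns-wrapper')
    parser.add_argument('--mount_paths')
    parser.add_argument('--rootwrap_config')
    parser.add_argument('--cmd')
    opts, leftovers = parser.parse_known_args(argv)
    return vars(opts), leftovers


if __name__ == '__main__':
    logging.basicConfig(level=logging.WARNING)
    broken = [NS_WRAPPER, '--mount_paths=/etc:/tmp/etc', '', '--cmd=ipsec,start']
    print('empty elements at:', empty_arg_positions(broken))
    print('unparsed leftovers:', toy_wrapper_parse(broken[1:])[1])
    fixed = build_wrapper_args(NS_WRAPPER, CONFIG_DIR, PID_DIR, None,
                               ['ipsec', 'start'])
    print('fixed argv:', fixed)
    print('leftovers after fix:', toy_wrapper_parse(fixed[1:])[1])
```

Building the list once and appending the optional flag conditionally is the same change the patch in the description makes, but without duplicating the `execute` call, and the warning gives an operator a direct hint when `agent.root_helper` is missing.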

Mohammed Naser (mnaser) wrote :

I've pushed up a patch a while back about this, I suggest you look into it.

https://review.opendev.org/c/openstack/neutron-vpnaas/+/749796

Feel free to pick it up from there.

Changed in neutron:
status: New → Confirmed