vpnaas not working after enabling vpnaas extension

Bug #2000783 reported by Jacolex
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
kolla-ansible | New | Undecided | Unassigned |

Bug Description

Xena version with vpnaas enabled error:

2022-12-30 13:12:14.631 35 ERROR neutron.agent.linux.utils [-] Exit code: 10; Cmd: ['ip', 'netns', 'exec', 'qrouter-e184ada3-748b-41e4-ac68-20fc393d0c67', '/var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper', '--mount_paths=/etc:/var/lib/neutron/ipsec/e184ada3-748b-41e4-ac68-20fc393d0c67/etc,/var/run:/var/lib/neutron/ipsec/e184ada3-748b-41e4-ac68-20fc393d0c67/var/run', '--rootwrap_config=/etc/neutron/rootwrap.conf', '--cmd=ipsec,pluto,--uniqueids']; Stdin: ; Stdout: 2022-12-30 13:12:14.249 9581 INFO neutron.common.config [-] Logging enabled!
2022-12-30 13:12:14.251 9581 INFO neutron.common.config [-] /var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper version 19.4.1.dev56
Command: ['ipsec', 'pluto', '--uniqueids'] Exit code: 10 Stdout: Stderr: FATAL ERROR: /usr/libexec/ipsec/pluto: lock file "/run/pluto/pluto.pid" already exists
; Stderr:
2022-12-30 13:12:14.631 35 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router e184ada3-748b-41e4-ac68-20fc393d0c67: neutron_lib.exceptions.ProcessExecutionError: Exit code: 10; Cmd: ['ip', 'netns', 'exec', 'qrouter-e184ada3-748b-41e4-ac68-20fc393d0c67', '/var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper', '--mount_paths=/etc:/var/lib/neutron/ipsec/e184ada3-748b-41e4-ac68-20fc393d0c67/etc,/var/run:/var/lib/neutron/ipsec/e184ada3-748b-41e4-ac68-20fc393d0c67/var/run', '--rootwrap_config=/etc/neutron/rootwrap.conf', '--cmd=ipsec,pluto,--uniqueids']; Stdin: ; Stdout: 2022-12-30 13:12:14.249 9581 INFO neutron.common.config [-] Logging enabled!
2022-12-30 13:12:14.251 9581 INFO neutron.common.config [-] /var/lib/kolla/venv/bin/neutron-vpn-netns-wrapper version 19.4.1.dev56
Command: ['ipsec', 'pluto', '--uniqueids'] Exit code: 10 Stdout: Stderr: FATAL ERROR: /usr/libexec/ipsec/pluto: lock file "/run/pluto/pluto.pid" already exists

Workaround:
Disable the vpnaas extension in l3-agent.ini. The vpnaas service will work OK anyway.

Tags: neutron vpnaas
Jacolex (jacolex) wrote :

After upgrading to Yoga, the bug still occurs.

The above workaround does not work for newly created VPN endpoints.

So I found a new workaround: after restarting neutron_l3_agent, run these commands:
docker exec -t -u root neutron_l3_agent rm -f /run/pluto/pluto.ctl
docker exec -t -u root neutron_l3_agent rm -f /run/pluto/pluto.pid
docker exec -t -u root neutron_l3_agent /usr/libexec/ipsec/_plutorun
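
A check for the "lock file already exists" error reported above, as an added example that is not part of the original thread or of kolla-ansible: it tells a lock left behind by a dead process apart from one held by a running pluto before anything is deleted. The function names are hypothetical; it assumes Linux /proc, a process name of pluto, and that it is run inside the neutron_l3_agent container.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not from the bug report.
# Classify a daemon lock file. Prints: missing | invalid | stale | live | foreign
pidfile_state() {
    pidfile=$1      # e.g. /run/pluto/pluto.pid
    want=$2         # expected process name, e.g. pluto (assumption)
    [ -e "$pidfile" ] || { echo missing; return 0; }
    pid=$(tr -d ' \n' < "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo invalid; return 0 ;;   # empty or not a number
    esac
    if [ ! -d "/proc/$pid" ]; then
        echo stale      # recorded PID no longer exists
        return 0
    fi
    comm=$(cat "/proc/$pid/comm" 2>/dev/null) || comm=
    if [ "$comm" = "$want" ]; then
        echo live       # daemon is running: a second start will fail
    else
        echo foreign    # PID was reused by an unrelated program
    fi
}

# Remove the lock only when no live daemon owns it; leave anything
# unexpected in place for manual inspection.
clear_stale_lock() {
    state=$(pidfile_state "$1" "$2")
    case $state in
        stale|foreign) rm -f -- "$1"; echo "removed ($state)" ;;
        *)             echo "kept ($state)" ;;
    esac
}

# Usage inside the container:
#   clear_stale_lock /run/pluto/pluto.pid pluto
```

A result of "kept (live)" means pluto is already running, so the error comes from a second start attempt rather than from a leftover file.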

bjolo (bjorn-lofdahl) wrote :

I have the same issue on Yoga 14.6 source CentOS. The workaround(s) from Jacolex do not do the trick either.

Jacolex (jacolex) wrote :

Hi @bjolo
Try the workaround of the second issue:

https://bugs.launchpad.net/kolla-ansible/+bug/1988574

Jacolex (jacolex) wrote :

Also try
docker exec -t -u root neutron_l3_agent chmod 777 /run/pluto/pluto.ctl

bjolo (bjorn-lofdahl) wrote : Re: [Bug 2000783] Re: vpnaas not working after enabling vpnaas extension

thanks for the tip :)
Will try them out

bjolo

On Mon, Feb 20, 2023 at 4:22 PM Jacolex <email address hidden> wrote:

> Also try
> docker exec -t -u root neutron_l3_agent chmod 777 /run/pluto/pluto.ctl

Jacolex (jacolex) wrote :

I must admit that this bug happened in production, so my customers have been experiencing problems with vpnaas since the upgrade. So I wonder how you handle this problem, maybe in some other way?

Smee Mcgee (smeemcgee) wrote :

Any further information on this?
docker exec -t -u root neutron_l3_agent rm -f /run/pluto/pluto.ctl
docker exec -t -u root neutron_l3_agent rm -f /run/pluto/pluto.pid
docker exec -t -u root neutron_l3_agent /usr/libexec/ipsec/_plutorun
docker exec -t -u root neutron_l3_agent chmod 777 /run/pluto/pluto.ctl

doesn't seem to work for me.
