libreswan ipsec driver doesn't work with libreswan versions 3.19+

Bug #1711456 reported by Justinas Balciunas
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone:

Bug Description

VPNaaS agent on RHEL and derivatives uses libreswan as the OpenSwan replacement.

This integration of the VPN agent with libreswan is handled by https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py

On Jan 15, 2017 the libreswan team released version 3.19, which introduced a change that requires specifying an additional flag for the NSS DB location if it differs from the default one. Obviously this is an issue for VPNaaS because libreswan_ipsec.py still uses the old invocation scheme, and this results in the following:

2017-08-17 16:28:41.000 76497 ERROR neutron.agent.linux.utils [req-9c23f077-b34c-42d4-adf4-9ff7f3fd3d19 f618a7405223411ea009e40de67f2791 66500ca68c4042f5b7d5f372cac3e7db - - -] Exit code: 1; Stdin: ; Stdout: ; Stderr: usage: ipsec initnss [--nssdir /etc/ipsec.d]

2017-08-17 16:28:41.007 76497 ERROR neutron.agent.linux.utils [req-9c23f077-b34c-42d4-adf4-9ff7f3fd3d19 f618a7405223411ea009e40de67f2791 66500ca68c4042f5b7d5f372cac3e7db - - -] Exit code: 1; Stdin: ; Stdout: ; Stderr: usage: ipsec initnss [--nssdir /etc/ipsec.d]

2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-9c23f077-b34c-42d4-adf4-9ff7f3fd3d19 f618a7405223411ea009e40de67f2791 66500ca68c4042f5b7d5f372cac3e7db - - -] Failed to enable vpn process on router 376e79e2-51c0-4907-85b3-4ec9af2b0c11
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 304, in enable
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec self.ensure_configs()
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py", line 61, in ensure_configs
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec self._execute([self.binary, 'initnss', self.etc_dir])
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 411, in _execute
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec extra_ok_codes=extra_ok_codes)
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 912, in execute
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec log_fail_as_error=log_fail_as_error, **kwargs)
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 148, in execute
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec raise ProcessExecutionError(msg, returncode=returncode)
2017-08-17 16:28:41.007 76497 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec ProcessExecutionError: Exit code: 1; Stdin: ; Stdout: ; Stderr: usage: ipsec initnss [--nssdir /etc/ipsec.d]

This issue can be easily solved by adding the --nssdir option in lines 59 and 61 of https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py

Like this:

        try:
--- self._execute([self.binary, 'checknss', self.etc_dir])
+++ self._execute([self.binary, 'checknss', '--nssdir', self.etc_dir])
        except RuntimeError:
--- self._execute([self.binary, 'initnss', self.etc_dir])
+++ self._execute([self.binary, 'initnss', '--nssdir', self.etc_dir])
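Review bot: passing '--nssdir' unconditionally in both the checknss and initnss calls will break hosts still running libreswan older than 3.19, which do not understand the option (the merged fix's commit message makes this point and sidesteps it by bind-mounting /etc so pluto's default NSS directory is used). Either guard the new argument with the version check proposed as the alternative below, or drop the path arguments altogether; as written, the driver merely trades a failure on new releases for a failure on old ones.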

After the change:

2017-08-17 22:53:25.734 863363 DEBUG neutron.agent.linux.utils [-] Running command (rootwrap daemon): ['ip', 'netns', 'exec', 'snat-376e79e2-51c0-4907-85b3-4ec9af2b0c11', 'ipsec', 'checknss', '--nssdir', '/var/lib/neutron/ipsec/376e79e2-51c0-4907-85b3-4ec9af2b0c11/etc'] execute_rootwrap_daemon /usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py:105
2017-08-17 22:53:25.741 863363 DEBUG neutron.agent.linux.utils [-] Exit code: 0 execute /usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py:150

I propose to commit this fix to neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py.

Alternatively, the code can be changed to include a version check of libreswan, so that the ipsec NSS DB calls retain backward compatibility and the fix can be backported.
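The version-gated alternative mentioned in the report, worked through as an added example (this is not neutron-vpnaas code and not what was eventually merged; the merged change bind-mounts /etc instead). It reads the installed libreswan version once and only emits '--nssdir' for 'ipsec checknss' / 'ipsec initnss' when the version is 3.19 or newer, keeping the positional form for older releases. The shape of the 'ipsec --version' output ("Linux Libreswan 3.20 (netkey) on ...") and the helper names are assumptions; an undetectable version is deliberately treated as old, since the positional form is what the driver used before this bug.

```python
"""Version-aware argv construction for libreswan's NSS helpers.

Added example, not neutron-vpnaas code. The version-string format is an
assumption taken from 'ipsec --version' output such as
'Linux Libreswan 3.20 (netkey) on 3.10.0-693.el7.x86_64'.
"""
import re
import subprocess

# First release whose 'ipsec checknss' / 'ipsec initnss' accept '--nssdir'
# (per the bug report: libreswan 3.19, released Jan 2017).
NSSDIR_FLAG_SINCE = (3, 19)

_VERSION_RE = re.compile(r'Libreswan\s+(\d+)\.(\d+)', re.IGNORECASE)


def parse_libreswan_version(version_output):
    """Return (major, minor) parsed from 'ipsec --version' text, or None."""
    match = _VERSION_RE.search(version_output or '')
    if not match:
        return None
    return (int(match.group(1)), int(match.group(2)))


def get_libreswan_version(binary='ipsec'):
    """Ask the installed binary for its version; None if that fails.

    Assumed invocation: 'ipsec --version'. Any OS or non-zero-exit error
    is mapped to None so callers fall back to the pre-3.19 argv form.
    """
    try:
        out = subprocess.check_output([binary, '--version'],
                                      stderr=subprocess.STDOUT)
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_libreswan_version(out.decode('utf-8', 'replace'))


def nss_command(binary, subcommand, nss_dir, version):
    """Build argv for 'ipsec checknss' or 'ipsec initnss'.

    version is (major, minor) or None. Unknown versions get the positional
    form, which is the behaviour the driver had before this bug.
    """
    if subcommand not in ('checknss', 'initnss'):
        raise ValueError('unsupported subcommand: %s' % subcommand)
    if version is not None and version >= NSSDIR_FLAG_SINCE:
        return [binary, subcommand, '--nssdir', nss_dir]
    return [binary, subcommand, nss_dir]


def ensure_nss_db(execute, binary, nss_dir, version):
    """Mirror the driver's check-then-init sequence with version-aware argv.

    'execute' is injected (the driver's self._execute in real code) and is
    expected to raise RuntimeError when checknss reports a missing DB.
    Returns the list of argv vectors that were run, for inspection.
    """
    ran = []
    argv = nss_command(binary, 'checknss', nss_dir, version)
    ran.append(argv)
    try:
        execute(argv)
    except RuntimeError:
        argv = nss_command(binary, 'initnss', nss_dir, version)
        ran.append(argv)
        execute(argv)
    return ran


if __name__ == '__main__':
    # Constructed sample: a 3.20 host and a 3.15 host, both with no NSS DB yet.
    def fake_execute_missing_db(argv):
        if argv[1] == 'checknss':
            raise RuntimeError('no NSS database')
    for ver in ((3, 20), (3, 15), None):
        print(ver, ensure_nss_db(fake_execute_missing_db, 'ipsec',
                                 '/var/lib/neutron/ipsec/r1/etc', ver))
```

In the driver the version would be probed once in the constructor rather than per call, and the probe itself must run inside the router namespace with the same binary the agent later executes, or the check and the real invocation can disagree.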

Justinas Balciunas (justinas-balciunas) wrote :
Changed in neutron:
assignee: nobody → Justinas Balciunas (justinas-balciunas)
Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/495107

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-vpnaas (master)

Change abandoned by Justinas Balciunas (<email address hidden>) on branch: master
Review: https://review.openstack.org/495107
Reason: A new change will be submitted.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/495284

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/547347

Changed in neutron:
assignee: Justinas Balciunas (justinas-balciunas) → Hunt Xu (huntxu)
Cao Xuan Hoang (hoangcx)
Changed in neutron:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-vpnaas (master)

Reviewed: https://review.openstack.org/547347
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=b6c8ea8a3cca39bb4138bc7063569352faeb612f
Submitter: Zuul
Branch: master

commit b6c8ea8a3cca39bb4138bc7063569352faeb612f
Author: Hunt Xu <email address hidden>
Date: Tue Mar 20 17:52:55 2018 +0800

    Make libreswan driver work with recent versions

    LibreSwan 3.19 introduces a new commandline argument '--nssdir' for
    pluto which defaults to '/etc/ipsec.d'. As older versions don't
    understand such an option, we cannot just add it to the commandline.

    The commandline arguments of LibreSwan are not stable enough to rely on.
    For example, in 3.19, 'ipsec initnss' has the new argument '--nssdir',
    and in 3.20, 'ipsec pluto' also gets this new argument '--nssdir', then
    in 3.22, the argument '--ctlbase' is phased out.

    In this commit, instead of trying new options and then fallback to old
    ones for older versions, the bind-mount method used in StrongSwan driver
    is adopted. With /etc and /var/run bind mounted, all the commandline
    arguments related to configuration file places can be removed. This
    ensures that changes of such arguments between different versions won't
    matter, as the default places are always used.

    This commit also replaces 'auth=' by 'phase2=' in the configuration
    template, as the former has long been an alias of the latter and was
    removed in LibreSwan 3.19.

    The virtual-private argument of 'ipsec pluto' has been put into the
    configuration file to avoid commas(,) in the commandline so that the
    netns_wrapper can work well.

    A new tempest job for running LibreSwan as the device driver on CentOS 7
    is also added to avoid regression.

    This commit has been simply tested on CentOS 7.4 with the following
    versions of LibreSwan provided by the CentOS repo:

      - libreswan-3.12-5.el7.x86_64.rpm
      - libreswan-3.12-10.1.el7_1.x86_64.rpm
      - libreswan-3.15-5.el7_1.x86_64.rpm
      - libreswan-3.15-8.el7.x86_64.rpm
      - libreswan-3.20-3.el7.x86_64.rpm
      - libreswan-3.20-5.el7_4.x86_64.rpm

    and different versions of LibreSwan provided by libreswan.org[1]:

    [1] https://download.libreswan.org/binaries/rhel/7/x86_64/

    Change-Id: Iacb6f13187b49cf771f0c24662d6af9217c211b8
    Closes-Bug: #1711456

Changed in neutron:
status: In Progress → Fix Released
LIU Yulong (dragon889)
tags: added: queens-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/584172

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-vpnaas 13.0.0.0b3

This issue was fixed in the openstack/neutron-vpnaas 13.0.0.0b3 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-vpnaas (stable/queens)

Reviewed: https://review.openstack.org/584172
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=5b48852aaaec1e514978a10d7cec444eab7867db
Submitter: Zuul
Branch: stable/queens

commit 5b48852aaaec1e514978a10d7cec444eab7867db
Author: Hunt Xu <email address hidden>
Date: Tue Mar 20 17:52:55 2018 +0800

    Make libreswan driver work with recent versions

    LibreSwan 3.19 introduces a new commandline argument '--nssdir' for
    pluto which defaults to '/etc/ipsec.d'. As older versions don't
    understand such an option, we cannot just add it to the commandline.

    The commandline arguments of LibreSwan are not stable enough to rely on.
    For example, in 3.19, 'ipsec initnss' has the new argument '--nssdir',
    and in 3.20, 'ipsec pluto' also gets this new argument '--nssdir', then
    in 3.22, the argument '--ctlbase' is phased out.

    In this commit, instead of trying new options and then fallback to old
    ones for older versions, the bind-mount method used in StrongSwan driver
    is adopted. With /etc and /var/run bind mounted, all the commandline
    arguments related to configuration file places can be removed. This
    ensures that changes of such arguments between different versions won't
    matter, as the default places are always used.

    This commit also replaces 'auth=' by 'phase2=' in the configuration
    template, as the former has long been an alias of the latter and was
    removed in LibreSwan 3.19.

    The virtual-private argument of 'ipsec pluto' has been put into the
    configuration file to avoid commas(,) in the commandline so that the
    netns_wrapper can work well.

    This commit has been simply tested on CentOS 7.4 with the following
    versions of LibreSwan provided by the CentOS repo:

      - libreswan-3.12-5.el7.x86_64.rpm
      - libreswan-3.12-10.1.el7_1.x86_64.rpm
      - libreswan-3.15-5.el7_1.x86_64.rpm
      - libreswan-3.15-8.el7.x86_64.rpm
      - libreswan-3.20-3.el7.x86_64.rpm
      - libreswan-3.20-5.el7_4.x86_64.rpm

    and different versions of LibreSwan provided by libreswan.org[1]:

    [1] https://download.libreswan.org/binaries/rhel/7/x86_64/

    Conflicts:
     .zuul.yaml
     neutron_vpnaas/tests/tempest/scenario/test_vpnaas.py
     neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py

    Change-Id: Iacb6f13187b49cf771f0c24662d6af9217c211b8
    Closes-Bug: #1711456
    Closes-Bug: #1782337
    (cherry picked from commit b6c8ea8a3cca39bb4138bc7063569352faeb612f)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-vpnaas 12.0.1

This issue was fixed in the openstack/neutron-vpnaas 12.0.1 release.

Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: Hunt Xu (huntxu) → nobody
tags: added: timeout-abandon
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-vpnaas (master)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.opendev.org/495284
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
