VPNaas: ipsec process residue

Bug #1714434 reported by XieYingYun
This bug affects 2 people
Affects   Status   Importance   Assigned to   Milestone
neutron   New      Undecided    Unassigned

Bug Description

   When I deleted the ipsec-site-connection and vpn service, I found the ipsec process residue at the network node. The ipsec configuration file in the directory /var/lib/neutron/ipsec has been deleted, but the ipsec process still exists.
   I think there is a problem in the process of deleting the process. The process state is wrong: it did not stop the process, and then went on to delete the configuration file.

XieYingYun (smokony)
Changed in neutron:
assignee: nobody → XieYingYun (smokony)
Changed in neutron:
status: New → In Progress
Cao Xuan Hoang (hoangcx) wrote :

Which device driver are you using to test?

tags: added: vpnaas
Lingxian Kong (kong) wrote :

Hi,

Could you please provide more information about the bug? e.g. the neutron/neutron-vpnaas version, the driver, the steps to reproduce the issue, and the necessary logs, etc.

We are running openswan in our production instead of libswan, but I'm keen to know the root cause of this problem.

XieYingYun (smokony) wrote :

The neutron version we use is stable newton, the vpnaas version is stable newton. The IPSec driver I use is libreswan.
VPN configuration file: etc/neutron/vpn_agent.ini
[vpnagent]
vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver

I created a lot of IPSec connections, then I executed neutron ipsec-site-connection-delete, neutron vpn-service-delete and deleted the router. The list operation shows that the IPSec connections have been deleted, but the IPSec Pluto process is still present at the network node. In the directory /var/lib/neutron/ipsec/, all of these IPSec profiles have been deleted.
The process information is as follows:

root 19349 1 0 Aug29 ? 00:00:03 /usr/libexec/ipsec/pluto --ctlbase /var/lib/neutron/ipsec/0e87b985-c3f8-4c39-9118-8b98d5d1daec/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/0e87b985-c3f8-4c39-9118-8b98d5d1daec/etc --use-netkey --debug-all --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/0e87b985-c3f8-4c39-9118-8b98d5d1daec/etc/ipsec.secrets --virtual_private %v4:192.168.102.0/24,%v4:192.168.12.0/24 --perpeerlog --perpeerlogbase /var/lib/neutron/ipsec/0e87b985-c3f8-4c39-9118-8b98d5d1daec/log
root 20101 1 0 Aug29 ? 00:00:03 /usr/libexec/ipsec/pluto --ctlbase /var/lib/neutron/ipsec/dcd11b64-7ae3-40a6-8b5c-5e1b20bb192a/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/dcd11b64-7ae3-40a6-8b5c-5e1b20bb192a/etc --use-netkey --debug-all --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/dcd11b64-7ae3-40a6-8b5c-5e1b20bb192a/etc/ipsec.secrets --virtual_private %v4:192.168.30.0/24,%v4:192.168.120.0/24 --perpeerlog --perpeerlogbase /var/lib/neutron/ipsec/dcd11b64-7ae3-40a6-8b5c-5e1b20bb192a/log
root 21571 1 0 Aug29 ? 00:00:03 /usr/libexec/ipsec/pluto --ctlbase /var/lib/neutron/ipsec/988a84e3-3f42-4c06-99a6-ed7ddc34bed4/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/988a84e3-3f42-4c06-99a6-ed7ddc34bed4/etc --use-netkey --debug-all --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/988a84e3-3f42-4c06-99a6-ed7ddc34bed4/etc/ipsec.secrets --virtual_private %v4:192.168.15.0/24,%v4:192.168.105.0/24 --perpeerlog --perpeerlogbase /var/lib/neutron/ipsec/988a84e3-3f42-4c06-99a6-ed7ddc34bed4/log
root 21577 1 0 Aug29 ? 00:00:03 /usr/libexec/ipsec/pluto --ctlbase /var/lib/neutron/ipsec/26fd8b38-d97e-48a9-8cef-31daffedd172/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/26fd8b38-d97e-48a9-8cef-31daffedd172/etc --use-netkey --debug-all --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/26fd8b38-d97e-48a9-8cef-31daffedd172/etc/ipsec.secrets --virtual_private %v4:192.168.26.0/24,%v4:192.168.116.0/24 --perpeerlog --perpeerlogbase /var/lib/neutron/ipsec/26fd8b38-d97e-48a9-8cef-31daffedd172/log

stan.pao (cough.syrup) wrote :

Actually, I find the same problem today.
[openstack version:kilo]
Totally I created one vpn-service and build 2 site-to-site ipsec-site-connection which stay active.
Then I deleted these 2 site-connections that may lead to pluto-process-deleting but the result is that nothing exists under dir /var/lib/neutron/ipsec but "ps -ef|grep pluto" indicates that there are still 4 entries of single-side pluto.
I am not sure if this is a bug or a not-impact detailed issue.
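
A check for the condition reported in this thread, as an added example that is not part of the original bug report or of neutron-vpnaas: it reads `ps -ef` output and lists pluto processes whose `--ipsecdir` points under the agent's base directory but whose per-router directory no longer exists. The function names and the router IDs in the demo are made up for illustration; the `--ipsecdir` argument and the base path layout are taken from the process listing above.

```bash
#!/usr/bin/env bash
# Added example: flag pluto processes whose per-router state directory under
# the neutron IPsec base directory has already been deleted.

# find_orphaned_pluto BASE_DIR
# Reads `ps -ef`-style lines on stdin and prints "PID ROUTER_ID" for each pluto
# process whose --ipsecdir lies under BASE_DIR but is gone from disk.
# Assumes paths contain no spaces, as in the listing in this thread.
find_orphaned_pluto() {
    local base="${1%/}" line pid ipsecdir router_id
    while IFS= read -r line; do
        # Only pluto command lines that carry an --ipsecdir argument.
        case "$line" in
            *"/pluto "*"--ipsecdir "*) ;;
            *) continue ;;
        esac
        pid=$(printf '%s\n' "$line" | awk '{print $2}')
        # Value following --ipsecdir, e.g. <base>/<router-id>/etc
        ipsecdir=${line#*--ipsecdir }
        ipsecdir=${ipsecdir%% *}
        case "$ipsecdir" in
            "$base"/*) ;;
            *) continue ;;   # not managed under this base directory
        esac
        router_id=${ipsecdir#"$base"/}
        router_id=${router_id%%/*}
        if [ ! -d "$base/$router_id" ]; then
            printf '%s %s\n' "$pid" "$router_id"
        fi
    done
}

# Constructed demo: PIDs and router IDs are invented; only router-live still
# has its directory, so only PID 102 should be reported.
demo_orphaned_pluto() {
    local base
    base=$(mktemp -d) || return 1
    mkdir -p "$base/router-live/etc"
    find_orphaned_pluto "$base" <<EOF
root 101 1 0 Aug29 ? 00:00:03 /usr/libexec/ipsec/pluto --ctlbase $base/router-live/var/run/pluto --ipsecdir $base/router-live/etc --use-netkey
root 102 1 0 Aug29 ? 00:00:03 /usr/libexec/ipsec/pluto --ctlbase $base/router-gone/var/run/pluto --ipsecdir $base/router-gone/etc --use-netkey
root 103 1 0 Aug29 ? 00:00:00 grep pluto
EOF
    rm -rf "$base"
}

# On a network node: ps -ef | find_orphaned_pluto /var/lib/neutron/ipsec
```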

Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: XieYingYun (smokony) → nobody
status: In Progress → New
tags: added: timeout-abandon
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-vpnaas (master)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.opendev.org/499929
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
