vpnaas pluto.pid file path wrong

Bug #1872940 reported by Jie Li
This bug affects 2 people
Affects: neutron
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none set)

Bug Description

Currently, class OpenSwanProcess will define

self.pid_file = '%s.pid' % self.pid_path

The pid_file printed in the log file is, e.g.:
/opt/stack/data/neutron/ipsec/4d97aa64-10c1-42ab-9d49-0aeb682e3d8f/var/run/pluto.pid

but the command used to start the pluto process

sudo neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec snat-4d97aa64-10c1-42ab-9d49-0aeb682e3d8f neutron-vpn-netns-wrapper --mount_paths=/etc:/var/lib/neutron/ipsec/4d97aa64-10c1-42ab-9d49-0aeb682e3d8f/etc,/var/run:/var/lib/neutron/ipsec/4d97aa64-10c1-42ab-9d49-0aeb682e3d8f/var/run --rootwrap_config=/etc/neutron/rootwrap.conf --cmd=ipsec,pluto,--use-netkey,--uniqueids,--perpeerlog,--perpeerlogbase,/var/lib/neutron/ipsec/4d97aa64-10c1-42ab-9d49-0aeb682e3d8f/log

will generate the pid file:
/opt/stack/data/neutron/ipsec/4d97aa64-10c1-42ab-9d49-0aeb682e3d8f/var/run/pluto/pluto.pid

This means self.pid_file as defined in class OpenSwanProcess is wrong.

Also, in the function def _cleanup_control_files(self), the check for whether the file exists will always return False, so the pid file will not be cleaned up. The ctl_file defined in this function is also wrong.

If pluto.pid is not deleted, then when we start neutron-l3-agent we get an error that pluto.pid exists, and the pluto process fails to start.

Tags: vpnaas
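Added example in Python (not code from neutron-vpnaas or from the reporter) covering the two things the report describes: translating a path pluto sees inside the router namespace back to its host-side location through the wrapper's mount map, so the pid and ctl paths land under the pluto/ subdirectory that the command line above actually produces, and a cleanup that removes pluto.pid and pluto.ctl only when the recorded PID is not alive, which is the situation that otherwise blocks the next start of the l3-agent. Assumptions: pluto's run directory is /var/run/pluto with pluto.pid and pluto.ctl beside each other, and the names host_path, cleanup_stale_control_files, demo and the router directories used in demo are made up for this example.

```python
import errno
import os
import tempfile

# Added example, not neutron-vpnaas code. The netns wrapper in the report
# bind-mounts <config_dir>/etc over /etc and <config_dir>/var/run over /var/run
# inside the router namespace, so anything pluto writes under /var/run shows up
# on the host under <config_dir>/var/run/...

# Assumption: pluto's default run directory is /var/run/pluto and it keeps
# pluto.pid and pluto.ctl there (matches the pid path quoted in the report).
PLUTO_RUN_DIR_NS = "/var/run/pluto"


def mount_paths(config_dir):
    """Namespace path -> host directory, as on the report's command line."""
    return {
        "/etc": os.path.join(config_dir, "etc"),
        "/var/run": os.path.join(config_dir, "var", "run"),
    }


def host_path(config_dir, ns_path):
    """Translate a path seen inside the namespace to where it lives on the host.

    Longest mount prefix wins; paths under no mount are returned unchanged.
    """
    for ns_prefix, host_dir in sorted(mount_paths(config_dir).items(),
                                      key=lambda kv: -len(kv[0])):
        if ns_path == ns_prefix or ns_path.startswith(ns_prefix + "/"):
            return os.path.join(host_dir, ns_path[len(ns_prefix):].lstrip("/"))
    return ns_path


def pluto_pid_file(config_dir):
    return host_path(config_dir, PLUTO_RUN_DIR_NS + "/pluto.pid")


def pluto_ctl_file(config_dir):
    return host_path(config_dir, PLUTO_RUN_DIR_NS + "/pluto.ctl")


def pid_alive(pid):
    """True if a process with this pid exists (EPERM still means it exists)."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except OverflowError:
        return False
    except OSError as e:
        return e.errno == errno.EPERM
    return True


def cleanup_stale_control_files(config_dir):
    """Remove pluto.pid / pluto.ctl left behind by a dead pluto.

    Returns the list of files removed. A pid file naming a running process is
    left alone, so a healthy pluto is never orphaned by the cleanup.
    """
    removed = []
    pid_file = pluto_pid_file(config_dir)
    if os.path.exists(pid_file):
        try:
            with open(pid_file) as f:
                pid = int(f.read().strip() or "0")
        except ValueError:
            pid = 0  # unreadable content: treat as stale
        if pid_alive(pid):
            return removed
        os.remove(pid_file)
        removed.append(pid_file)
    ctl_file = pluto_ctl_file(config_dir)
    if os.path.exists(ctl_file):
        os.remove(ctl_file)
        removed.append(ctl_file)
    return removed


def demo():
    """Constructed scenario: one router dir with a stale pid file, one with a live one."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        stale_dir = os.path.join(root, "router-stale")
        live_dir = os.path.join(root, "router-live")
        for d in (stale_dir, live_dir):
            os.makedirs(os.path.dirname(pluto_pid_file(d)))
        with open(pluto_pid_file(stale_dir), "w") as f:
            f.write("%d\n" % (2 ** 22 + 1))  # above Linux's pid_max ceiling: cannot be running
        open(pluto_ctl_file(stale_dir), "w").close()
        with open(pluto_pid_file(live_dir), "w") as f:
            f.write("%d\n" % os.getpid())  # this very process: certainly alive
        out["stale_removed"] = [os.path.basename(p)
                                for p in cleanup_stale_control_files(stale_dir)]
        out["live_removed"] = cleanup_stale_control_files(live_dir)
        out["live_pid_kept"] = os.path.exists(pluto_pid_file(live_dir))
    return out


if __name__ == "__main__":
    print(pluto_pid_file("/opt/stack/data/neutron/ipsec/4d97aa64-10c1-42ab-9d49-0aeb682e3d8f"))
    print(demo())
```

Deriving both file names through the same mount map is what keeps the driver and the process in agreement: the driver never hard-codes where pluto puts its pid, it only knows which namespace path maps to which host directory. The liveness check is the safety side of the fix; deleting a pid file unconditionally would let a second pluto start beside a running one.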
Revision history for this message
Ian Kumlien (pomac) wrote:

Yes, the current code (since 2015) states:
        return ip_wrapper.netns.execute(
            [ns_wrapper,
             '--mount_paths=/etc:%s/etc,%s:%s/var/run' % (
                 self.config_dir, self._strongswan_piddir, self.config_dir),
             ('--rootwrap_config=%s' % self._rootwrap_cfg
                 if self._rootwrap_cfg else ''),
             '--cmd=%s' % ','.join(cmd)],
--

But it should be /run, not /var/run; due to legacy, though, we can't say whether /var/run should be removed...

Would something like this work:
--- a/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
@@ -113,8 +113,8 @@ class StrongSwanProcess(ipsec.BaseSwanProcess):
         ns_wrapper = self.get_ns_wrapper()
         return ip_wrapper.netns.execute(
             [ns_wrapper,
- '--mount_paths=/etc:%s/etc,%s:%s/var/run' % (
- self.config_dir, self._strongswan_piddir, self.config_dir),
+ '--mount_paths=/etc:%s/etc,%s:%s/var/run,%s:%s/run' % (
+ self.config_dir, self._strongswan_piddir, self.config_dir, self._strongswan_piddir, self.config_dir),
              ('--rootwrap_config=%s' % self._rootwrap_cfg
                  if self._rootwrap_cfg else ''),
              '--cmd=%s' % ','.join(cmd)],
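Review bot: the added entry `%s:%s/run` reuses `self._strongswan_piddir` as the namespace-side mount point, so the patch mounts the same piddir twice (once backed by `%s/var/run`, once by `%s/run`) and never mounts `/run` itself; the second bind would only shadow the first. If the intent is to cover hosts where the daemon writes under `/run`, the mount point needs to be the literal `/run`, and both entries should point at the same host directory so a pid file written through one path is visible through the other. The hunk is also marked "Completely untested" below, so a run against a host that actually uses `/run` should accompany it.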

---

Completely untested.

Revision history for this message
Ian Kumlien (pomac) wrote:

Sorry, that was wrong - I don't know about strongswan, but the path is wrong for libreswan.

Revision history for this message
Ian Kumlien (pomac) wrote:

So, doing something like:
--- a/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
@@ -39,7 +39,8 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
         """
         ip_wrapper = ip_lib.IPWrapper(namespace=self.namespace)
         mount_paths = {'/etc': '%s/etc' % self.config_dir,
- '/var/run': '%s/var/run' % self.config_dir}
+ '/var/run': '%s/var/run' % self.config_dir,
+ '/run': '%s/run' % self.config_dir}
         mount_paths_str = ','.join(
             "%s:%s" % (source, target)
             for source, target in mount_paths.items())
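Review bot: the new `'/run': '%s/run' % self.config_dir` entry backs `/run` with a different host directory from `/var/run` (`%s/run` versus `%s/var/run`), so a pid file pluto writes under one path is not visible under the other, and the `self.pid_file` mismatch the report describes (`.../var/run/pluto.pid` versus the `.../var/run/pluto/pluto.pid` pluto actually writes) is left untouched. Map both namespace paths to the same host directory, or fix `pid_file` and `ctl_file` to include the `pluto/` subdirectory, and make sure `%s/run` exists under the config dir before the wrapper tries to bind-mount it, since a missing target will fail the mount rather than the cleanup.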
---

This doesn't seem to be the solution -- I suspect that in my case it's a bad error message... or something... since any change that causes ipsec to run in a netns instead results in thousands of spawned pluto processes (and more error messages).

So it becomes an issue of knowing which error messages can be ignored...
