Neutron Icehouse VPN bug (1)

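Source: Internet  Published: CNC turning programming  Editor: 程序博客网  Time: 2024/05/21 10:20
Bug description: when the VPN service is restarted or a new VPN is created, starting the ipsec process fails. The log shows the following error: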

Failed to enable vpn process on router e78e9837-4458-48d7-9ab5-e4acdf1789ce
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 245, in enable
    self.restart()
  File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 345, in restart
    self.start()
  File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 390, in start
    '--virtual_private', virtual_private
  File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 317, in _execute
    check_exit_code=check_exit_code)
  File "/usr/lib/python2.6/site-packages/neutron/agent/linux/ip_lib.py", line 466, in execute
    check_exit_code=check_exit_code)
  File "/usr/lib/python2.6/site-packages/neutron/agent/linux/utils.py", line 76, in execute
    raise RuntimeError(m)
RuntimeError: 
Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec',
'qrouter-e78e9837-4458-48d7-9ab5-e4acdf1789ce', 'ipsec', 'pluto', '--ctlbase',
'/var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/var/run/pluto', '--ipsecdir',
'/var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/etc', '--use-netkey',
'--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/etc/ipsec.secrets',
'--virtual_private', '%v4:22.22.22.0/24,%v4:11.11.11.0/24']
Exit code: 10
Stdout: ''
'adjusting ipsec.d to /var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/etc\npluto: lock file "/var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/var/run/pluto.pid" already exists\n'

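The cause is that the pid file left over from the previous run still exists, so the ipsec process cannot be restarted. Reading the code shows that
the VPN processes are synced in each of the following four cases: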

        1) Agent class restarted
        2) Failure on process creation
        3) VpnService is deleted during agent down
        4) RPC failure

The sync code is as follows:
    @lockutils.synchronized('vpn-agent', 'neutron-')
    def sync(self, context, routers):
        """Sync status with server side.
 
        :param context: context object for RPC call
        :param routers: Router objects which is created in this sync event
 
        There could be many failure cases should be
        considered including the followings.
        1) Agent class restarted
        2) Failure on process creation
        3) VpnService is deleted during agent down
        4) RPC failure
 
        In order to handle, these failure cases,
        This driver takes simple sync strategies.
        """
        vpnservices = self.agent_rpc.get_vpn_services_on_host(
            context, self.host)
        router_ids = [vpnservice['router_id'] for vpnservice in vpnservices]
        # Ensure the ipsec process is enabled
        for vpnservice in vpnservices:
            process = self.ensure_process(vpnservice['router_id'],
                                          vpnservice=vpnservice)
            self._update_nat(vpnservice, self.agent.add_nat_rule)
            process.update()
 
        # Delete any IPSec processes that are
        # associated with routers, but are not running the VPN service.
        for router in routers:
            #We are using router id as process_id
            process_id = router['id']
            if process_id not in router_ids:
                process = self.ensure_process(process_id)
                self.destroy_router(process_id)
 
        # Delete any IPSec processes running
        # VPN that do not have an associated router.
        process_ids = [process_id
                       for process_id in self.processes
                       if process_id not in router_ids]
        for process_id in process_ids:
            self.destroy_router(process_id)
        self.report_status(context)

Here the status of every started VPN ipsec process is updated, to make sure each ipsec process is alive:
    def update(self):
        """Update Status based on vpnservice configuration."""
        if self.vpnservice and not self.vpnservice['admin_state_up']:
            self.disable()
        else:
            self.enable()
 
        if plugin_utils.in_pending_status(self.vpnservice['status']):
            self.updated_pending_status = True
 
        self.vpnservice['status'] = self.status
        for ipsec_site_conn in self.vpnservice['ipsec_site_connections']:
            if plugin_utils.in_pending_status(ipsec_site_conn['status']):
                conn_id = ipsec_site_conn['id']
                conn_status = self.connection_status.get(conn_id)
                if not conn_status:
                    continue
                conn_status['updated_pending_status'] = True
                ipsec_site_conn['status'] = conn_status['status']

If the admin state is up (in neutron, the admin state uniformly means whether the resource is enabled), enable is executed:
    def enable(self):
        """Enabling the process."""
        try:
            self.ensure_configs()
            if self.active:
                self.restart()
            else:
                self.start()
        except RuntimeError:
            LOG.exception(
                _("Failed to enable vpn process on router %s"),
                self.id)

It checks whether the ipsec process is alive: if it is, the process is restarted, otherwise it is started:
    def restart(self):
        """Restart the process."""
        self.stop()
        self.start()
        return

The part in red below is the code I added to fix this bug: once the ipsec process has been stopped,
the pid file belonging to that process is deleted as well.
    def stop(self):
        #Stop process using whack
        #Note this will also stop pluto
        self.disconnect()
        self._execute([self.binary,
                       'whack',
                       '--ctlbase', self.pid_path,
                       '--shutdown',
                       ])
        #delete the pid file
        pid_file = self.pid_path + '.pid'
        if os.path.exists(pid_file):
            os.remove(pid_file)
        #clean connection_status info
        self.connection_status = {}

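After restarting the VPN service to test, the previous error is no longer reported.
The bug and the fix have both been submitted to the community.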
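
An added example, not part of the original post or of neutron's code: a variant of the pid-file cleanup in stop() that deletes the file only when no live process owns it, so a lock held by a still-running pluto is never removed. It assumes the pid file holds the decimal pid as text; pid_is_alive and remove_stale_pid_file are hypothetical helper names.

```python
import errno
import os
import subprocess
import sys
import tempfile


def pid_is_alive(pid):
    """Return True if a process with this pid exists (signal 0 only probes)."""
    try:
        os.kill(pid, 0)
    except OverflowError:
        return False              # number too large to be a pid at all
    except OSError as exc:
        # EPERM: the process exists but belongs to another user (pluto is
        # started through sudo on this page), so it counts as alive.
        return exc.errno == errno.EPERM
    return True


def remove_stale_pid_file(pid_file):
    """Delete pid_file only if no live process owns it. True if deleted."""
    try:
        with open(pid_file) as f:
            content = f.read().strip()
    except OSError as exc:
        if exc.errno == errno.ENOENT:
            return False          # already gone: nothing to clean up
        raise
    # Unparseable content cannot belong to a running process: treat as stale.
    if content.isdecimal() and int(content) > 0 and pid_is_alive(int(content)):
        return False              # a live process still holds the lock
    try:
        os.remove(pid_file)       # no exists() pre-check: avoids a check/use race
    except OSError as exc:
        if exc.errno != errno.ENOENT:
            raise
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a pid file left behind by a process that has exited.
    child = subprocess.Popen([sys.executable, "-c", "pass"])
    child.wait()
    path = os.path.join(tempfile.mkdtemp(), "pluto.pid")
    with open(path, "w") as f:
        f.write("%d\n" % child.pid)
    print(remove_stale_pid_file(path))
```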

