neutron icehouse vpn bug (part 1)
Source: Internet | Editor: 程序博客网 | Time: 2024/05/21 10:20
Bug description: when the VPN service is restarted, or a new VPN is created, starting the ipsec process fails. The log shows the following error:
```text
Failed to enable vpn process on router e78e9837-4458-48d7-9ab5-e4acdf1789ce
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 245, in enable
    self.restart()
  File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 345, in restart
    self.start()
  File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 390, in start
    '--virtual_private', virtual_private
  File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 317, in _execute
    check_exit_code=check_exit_code)
  File "/usr/lib/python2.6/site-packages/neutron/agent/linux/ip_lib.py", line 466, in execute
    check_exit_code=check_exit_code)
  File "/usr/lib/python2.6/site-packages/neutron/agent/linux/utils.py", line 76, in execute
    raise RuntimeError(m)
RuntimeError:
Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-e78e9837-4458-48d7-9ab5-e4acdf1789ce', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/etc/ipsec.secrets', '--virtual_private', '%v4:22.22.22.0/24,%v4:11.11.11.0/24']
Exit code: 10
Stdout: ''
Stderr: 'adjusting ipsec.d to /var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/etc\npluto: lock file "/var/lib/neutron/ipsec/e78e9837-4458-48d7-9ab5-e4acdf1789ce/var/run/pluto.pid" already exists\n'
```
The cause is that a pid file left over from the previous run prevents the ipsec process from being restarted. Reading the code shows that the VPN processes are synced in each of the following four cases:
1) Agent class restarted
2) Failure on process creation
3) VpnService is deleted during agent down
4) RPC failure
The sync code is as follows:
```python
    @lockutils.synchronized('vpn-agent', 'neutron-')
    def sync(self, context, routers):
        """Sync status with server side.
        :param context: context object for RPC call
        :param routers: Router objects which is created in this sync event

        There could be many failure cases should be
        considered including the followings.
        1) Agent class restarted
        2) Failure on process creation
        3) VpnService is deleted during agent down
        4) RPC failure

        In order to handle, these failure cases,
        This driver takes simple sync strategies.
        """
        vpnservices = self.agent_rpc.get_vpn_services_on_host(
            context, self.host)
        router_ids = [vpnservice['router_id'] for vpnservice in vpnservices]
        # Ensure the ipsec process is enabled
        for vpnservice in vpnservices:
            process = self.ensure_process(vpnservice['router_id'],
                                          vpnservice=vpnservice)
            self._update_nat(vpnservice, self.agent.add_nat_rule)
            process.update()

        # Delete any IPSec processes that are
        # associated with routers, but are not running the VPN service.
        for router in routers:
            #We are using router id as process_id
            process_id = router['id']
            if process_id not in router_ids:
                process = self.ensure_process(process_id)
                self.destroy_router(process_id)

        # Delete any IPSec processes running
        # VPN that do not have an associated router.
        process_ids = [process_id
                       for process_id in self.processes
                       if process_id not in router_ids]
        for process_id in process_ids:
            self.destroy_router(process_id)
        self.report_status(context)
```
Here the status of every started VPN ipsec process is updated, which guarantees that each ipsec process is alive:
```python
    def update(self):
        """Update Status based on vpnservice configuration."""
        if self.vpnservice and not self.vpnservice['admin_state_up']:
            self.disable()
        else:
            self.enable()

        if plugin_utils.in_pending_status(self.vpnservice['status']):
            self.updated_pending_status = True

        self.vpnservice['status'] = self.status
        for ipsec_site_conn in self.vpnservice['ipsec_site_connections']:
            if plugin_utils.in_pending_status(ipsec_site_conn['status']):
                conn_id = ipsec_site_conn['id']
                conn_status = self.connection_status.get(conn_id)
                if not conn_status:
                    continue
                conn_status['updated_pending_status'] = True
                ipsec_site_conn['status'] = conn_status['status']
```
If the admin state is up (in Neutron, the admin state uniformly means whether a resource is enabled), enable() is executed:
```python
    def enable(self):
        """Enabling the process."""
        try:
            self.ensure_configs()
            if self.active:
                self.restart()
            else:
                self.start()
        except RuntimeError:
            # Logs the traceback shown above; self.id is the router id used
            # as the process id (the log line "Failed to enable vpn process
            # on router e78e9837-...").
            LOG.exception(
                _("Failed to enable vpn process on router %s"),
                self.id)
```
It checks whether the ipsec process is alive: if it is, the process is restarted, otherwise it is started:
```python
    def restart(self):
        """Restart the process."""
        self.stop()
        self.start()
        return
```
The block below that deletes the pid file (shown in red in the original post) is the code I added to fix this bug: after the ipsec process is stopped, the pid file belonging to that process is deleted as well.
```python
import os  # already imported at module level in ipsec.py


    def stop(self):
        #Stop process using whack
        #Note this will also stop pluto
        self.disconnect()
        # _execute raises RuntimeError on a non-zero exit code, so the
        # cleanup below only runs after whack reported a clean shutdown.
        self._execute([self.binary,
                       'whack',
                       '--ctlbase',
                       self.pid_path,
                       '--shutdown',
                       ])
        #delete the pid file  (added by the author to fix this bug:
        # pid_path is .../var/run/pluto, so this is the pluto.pid file
        # that the "lock file already exists" error complains about)
        pid_file = self.pid_path + '.pid'
        if os.path.exists(pid_file):
            os.remove(pid_file)
        #clean connection_status info
        self.connection_status = {}
```
Restarting the VPN service to test confirms that the earlier error no longer occurs.
Both the bug and the fix have been submitted to the community.
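As an added example (not code from this post or from Neutron itself), the stand-alone Python below shows a more cautious variant of the pid-file cleanup above. Instead of removing `pluto.pid` unconditionally, it reads the pid recorded in the file and removes the file only when no process with that pid is alive, so a pluto that is still running is never orphaned, while a file left behind by a pluto that crashed or was killed no longer blocks the next start with "lock file already exists". The `clear_stale_pid_file` helper, the `pluto.pid` name, the temporary directory and the probe processes in `demo()` are all assumptions made for the example; the pid file is assumed to hold the pid as decimal text.

```python
"""Stale pid-file handling for a pluto-style daemon (illustration only)."""
import errno
import os
import subprocess
import sys
import tempfile


def read_pid(pid_file):
    """Return the integer pid stored in pid_file, or None if it is missing or garbage."""
    try:
        with open(pid_file) as fh:
            return int(fh.read().strip())
    except (IOError, OSError, ValueError):
        return None


def pid_is_alive(pid):
    """True if a process with this pid exists.

    Signal 0 performs the permission and existence checks without
    delivering anything. ESRCH means no such process; EPERM means the
    process exists but belongs to another user, which still counts as alive.
    """
    if pid is None or pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except OSError as exc:
        return exc.errno == errno.EPERM
    return True


def clear_stale_pid_file(pid_file):
    """Remove pid_file if it refers to no live process.

    Returns 'absent' (no file), 'alive' (file kept, process running) or
    'removed' (file deleted because its pid is dead or unreadable).
    """
    if not os.path.lexists(pid_file):
        return 'absent'
    if pid_is_alive(read_pid(pid_file)):
        return 'alive'
    os.remove(pid_file)
    return 'removed'


def demo():
    """Exercise the three outcomes in a throw-away directory (constructed input)."""
    workdir = tempfile.mkdtemp()
    pid_file = os.path.join(workdir, 'pluto.pid')  # assumed file name
    results = {}

    # 1) No pid file at all: nothing to do.
    results['absent'] = clear_stale_pid_file(pid_file)

    # 2) Live owner: our own pid, which must not be removed.
    with open(pid_file, 'w') as fh:
        fh.write('%d\n' % os.getpid())
    results['alive'] = clear_stale_pid_file(pid_file)

    # 3) Stale owner: a child that has exited and been reaped by wait().
    child = subprocess.Popen([sys.executable, '-c', 'pass'])
    child.wait()
    with open(pid_file, 'w') as fh:
        fh.write('%d\n' % child.pid)
    results['stale'] = clear_stale_pid_file(pid_file)
    results['file_left'] = os.path.exists(pid_file)

    os.rmdir(workdir)
    return results


if __name__ == '__main__':
    print(demo())
```

In the driver, this check would sit where `stop()` deletes the file, and could also run before `start()` so that a stale file from an earlier crash is cleared even when no shutdown preceded it. Note that `whack --shutdown` asks pluto to exit but does not wait for it; in a real deployment the liveness probe may briefly see the old pluto still alive, so a short retry loop around the check is worth adding.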