http://lists.openstack.org/pipermail/openstack-dev/2016-November/107384.html
** Changed in: neutron
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1641509
Title:
Creating vpn-service with router which belongs to another tenant
causes invalid condition.
Status in neutron:
Won't Fix
Bug description:
- OpenStack version
master
- how to reproduce
Steps 1 to 5 and 12 are performed by TenantA.
Steps 6 to 11 are performed by TenantB (should be context_is_admin).
=== operated by TenantA ===
1. neutron router-create router1
2. neutron net-create network1
3. neutron subnet-create network1 192.168.0.0/24 --name subnet1
4. neutron router-interface-add router1 subnet1
5. neutron router-gateway-set router1 public
=== operated by TenantB ===
6. neutron vpn-service-create router1 --name vpnservice1
7. neutron vpn-ikepolicy-create ikepolicy1
8. neutron vpn-ipsecpolicy-create ipsecpolicy1
9. neutron vpn-endpoint-group-create --type subnet --value subnet1 --name endpoint1
10. neutron vpn-endpoint-group-create --type cidr --value 192.168.1.0/24 --name endpoint2
11. neutron ipsec-site-connection-create --vpnservice-id vpnservice1 --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --local-ep-group endpoint1 --peer-id 172.24.4.10 --peer-address 172.24.4.10 --psk test --peer-ep-group endpoint2
=== operated by TenantA ===
12. neutron router-gateway-clear router1
=> The operation should fail because vpn_service assumes gw_port is
attached to the router.
However, the operation succeeds because 'TenantA' cannot find the
'vpn_service' which belongs to 'TenantB' with its own context.
Alternatively, we should block creating a vpn_service with a router which
belongs to another tenant.
The following errors are caused by procedure 12:
* VPN configuration (enable) fails.
* A 500 error is returned when creating an additional site-connection for
the vpn_service.
- expected behavior
Procedure 12 by TenantA is blocked because the router is associated with
a vpn_service.
This behavior is like network vs port.
- trace in vpn-agent
2016-11-14 05:15:10.863 27930 DEBUG neutron.agent.linux.utils [-] Running
command (rootwrap daemon): ['ip', 'netns', 'exec',
'qrouter-0c80e9f8-e273-4770-8f02-6fc243301ac7', 'ip', 'route', 'get',
'172.24.4.10'] execute_rootwrap_daemon
/opt/stack/neutron/neutron/agent/linux/utils.py:107
2016-11-14 05:15:10.917 27930 ERROR neutron.agent.linux.utils [-] Exit code:
2; Stdin: ; Stdout: ; Stderr: RTNETLINK answers: Network is unreachable
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec [-] Failed to enable vpn
process on router 0c80e9f8-e273-4770-8f02-6fc243301ac7
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call
last):
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec File
"/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py",
line 306, in enable
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec self.restart()
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec File
"/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py",
line 544, in restart
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec self.start()
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec File
"/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py",
line 634, in start
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec ipsec_site_conn['id'])
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec File
"/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py",
line 568, in _get_nexthop
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec routes =
self._execute(['ip', 'route', 'get', ip_addr])
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec File
"/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py",
line 411, in _execute
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec
extra_ok_codes=extra_ok_codes)
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec File
"/opt/stack/neutron/neutron/agent/linux/ip_lib.py", line 908, in execute
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec
log_fail_as_error=log_fail_as_error, **kwargs)
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec File
"/opt/stack/neutron/neutron/agent/linux/utils.py", line 146, in execute
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec raise
ProcessExecutionError(msg, returncode=returncode)
2016-11-14 05:15:10.918 27930 ERROR
neutron_vpnaas.services.vpn.device_drivers.ipsec ProcessExecutionError: Exit
code: 2; Stdin: ; Stdout: ; Stderr: RTNETLINK answers: Network is unreachable
- trace in neutron-server
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
[req-5e2f3bb1-2e6b-495a-a327-47b1595668b5 6759f544889746448631792bb12bd2ea
d713c7d4c02541d8b239d6d9761768e5
- - -] create failed: No details.
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource Traceback (most
recent call last):
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/opt/stack/neutron/neutron/api/v2/resource.py", line 79, in resource
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource result =
method(request=request, **args)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/opt/stack/neutron/neutron/api/v2/base.py", line 430, in create
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource return
self._create(request, body, **kwargs)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/opt/stack/neutron/neutron/db/api.py", line 83, in wrapped
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource """
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 220, in
__exit__
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
self.force_reraise()
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 196, in
force_reraise
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
six.reraise(self.type_, self.value, self.tb)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/opt/stack/neutron/neutron/db/api.py", line 79, in wrapped
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource """Puts a
flag on retriable exceptions so is_retriable returns False.
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/usr/local/lib/python2.7/dist-packages/oslo_db/api.py", line 151, in wrapper
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource ectxt.value =
e.inner_exc
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 220, in
__exit__
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
self.force_reraise()
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 196, in
force_reraise
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
six.reraise(self.type_, self.value, self.tb)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/usr/local/lib/python2.7/dist-packages/oslo_db/api.py", line 139, in wrapper
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource return
f(*args, **kwargs)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/opt/stack/neutron/neutron/db/api.py", line 119, in wrapped
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource # prevent
mutations of complex objects like the context or 'self'
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 220, in
__exit__
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
self.force_reraise()
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 196, in
force_reraise
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
six.reraise(self.type_, self.value, self.tb)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/opt/stack/neutron/neutron/db/api.py", line 114, in wrapped
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
@_retry_db_errors
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/opt/stack/neutron/neutron/api/v2/base.py", line 543, in _create
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource obj =
do_create(body)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/opt/stack/neutron/neutron/api/v2/base.py", line 525, in do_create
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
request.context, reservation.reservation_id)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 220, in
__exit__
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
self.force_reraise()
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 196, in
force_reraise
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
six.reraise(self.type_, self.value, self.tb)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/opt/stack/neutron/neutron/api/v2/base.py", line 518, in do_create
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource return
obj_creator(request.context, **kwargs)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/plugin.py", line 78, in
create_ipsec_site_connection
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource context,
ipsec_site_connection)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/opt/stack/neutron-vpnaas/neutron_vpnaas/db/vpn/vpn_db.py", line 168, in
create_ipsec_site_connection
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
validator.resolve_peer_address(ipsec_sitecon, vpnservice.router)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/opt/stack/neutron-vpnaas/neutron_vpnaas/db/vpn/vpn_validator.py", line 92, in
resolve_peer_address
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
self._validate_peer_address(ip_version, router)
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource File
"/opt/stack/neutron-vpnaas/neutron_vpnaas/db/vpn/vpn_validator.py", line 70, in
_validate_peer_address
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource for fixed_ip
in router.gw_port['fixed_ips']:
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource TypeError:
'NoneType' object has no attribute '__getitem__'
2016-11-14 05:16:26.939 25357 ERROR neutron.api.v2.resource
2016-11-14 05:16:26.945 25357 INFO neutron.wsgi
[req-5e2f3bb1-2e6b-495a-a327-47b1595668b5 6759f544889746448631792bb12bd2ea
d713c7d4c02541d8b239d6d9761768e5 - - -] 172.16.1.29 - - [14/Nov/2016 05:16:26]
"POST /v2.0/vpn/ipsec-site-connections.json HTTP/1.1" 500 368 0.676061
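Added example (not part of the bug report, and not neutron or neutron-vpnaas code): a toy model of the condition described above, where the in-use check before clearing the gateway runs with TenantA's tenant-scoped context and so misses TenantB's vpn_service. The class, function and flag names are hypothetical; the two flags correspond to the two behaviors the report proposes (block procedure 12, or block cross-tenant vpn_service creation).

```python
# Toy model, constructed for illustration; not neutron or neutron-vpnaas code.
from dataclasses import dataclass, replace

class RouterInUse(Exception):
    """Gateway clear refused: a vpn_service still depends on gw_port."""

class NotAuthorized(Exception):
    """vpn_service creation refused: router belongs to another tenant."""

@dataclass(frozen=True)
class Context:
    tenant_id: str
    is_admin: bool = False

    def elevated(self):
        # Same caller, but lookups are no longer filtered by tenant.
        return replace(self, is_admin=True)

class ToyPlugin:
    def __init__(self):
        self.routers = {}       # router id -> {"tenant_id", "gw_port"}
        self.vpn_services = []  # rows of {"tenant_id", "router_id"}

    def _vpn_services_on(self, ctx, router_id):
        # Tenant-scoped query: a non-admin context only sees its own rows.
        return [s for s in self.vpn_services
                if s["router_id"] == router_id
                and (ctx.is_admin or s["tenant_id"] == ctx.tenant_id)]

    def create_vpn_service(self, ctx, router_id, same_tenant_only=False):
        if same_tenant_only and self.routers[router_id]["tenant_id"] != ctx.tenant_id:
            raise NotAuthorized(router_id)
        self.vpn_services.append({"tenant_id": ctx.tenant_id, "router_id": router_id})

    def clear_gateway(self, ctx, router_id, elevate_check=False):
        lookup_ctx = ctx.elevated() if elevate_check else ctx
        if self._vpn_services_on(lookup_ctx, router_id):
            raise RouterInUse(router_id)
        self.routers[router_id]["gw_port"] = None

def reproduce(elevate_check=False, same_tenant_only=False):
    plugin = ToyPlugin()
    plugin.routers["router1"] = {"tenant_id": "TenantA", "gw_port": {"fixed_ips": []}}
    tenant_a, tenant_b = Context("TenantA"), Context("TenantB", is_admin=True)
    try:
        plugin.create_vpn_service(tenant_b, "router1", same_tenant_only)  # step 6
        plugin.clear_gateway(tenant_a, "router1", elevate_check)          # step 12
    except (NotAuthorized, RouterInUse) as exc:
        return type(exc).__name__
    return "gw_port is %r" % (plugin.routers["router1"]["gw_port"],)
```

With both flags off, the router ends up with gw_port set to None while the vpn_service still references it, which is the state behind the TypeError in the neutron-server trace.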