[4.7] FIX Site2SiteVPN on redundant VPC #1276
Conversation
michaelandersen
changed the title
|
Jenkins error is not related:
|
|
Did a code review on this PR and also talked to @michaelandersen on Slack about switching the MASTER router off. With the changes he applied on the Java file it will work fine. Also checked the changes concerning the tests now covering KVM, Xen, VMware and HyperV. Code LGTM and awesome to see it covered by an integration test. Thanks a lot! 👍 Will do some tests, but please check with @remibergsma @DaanHoogland @miguelaferreira to give a second LGTM based on tests because I'm on holidays. :) Cheers, |
|
Good to see additional tests created. I would suggest adding a test that turns one of the routers off, and then seeing if the VPN connection works correctly. I quickly looked through the component testing and didn't find any similar tests. Is there a timing issue possible where both routers would be in the same state? If so, it might be good to throw an exception before doing any operations (i.e. if the loop exits, and no routers were found to be MASTER). Also, should the check to see if the router is the MASTER occur before persisting the vpn connection state on each router? |
| @@ -916,6 +916,9 @@ protected void updateSite2SiteVpnConnectionState(final List<DomainRouterVO> rout | |||
| } | |||
| continue; | |||
| } | |||
| if (router.getIsRedundantRouter() && router.getRedundantState() != RedundantState.MASTER){ | |||
There was a problem hiding this comment.
Should this check be done before the previous 'if'?
There was a problem hiding this comment.
Not per se, as the previous if statement skips the iteration if the router to be checked is not in a running state. And running state is required to do any further state checking.
There was a problem hiding this comment.
after some more thought: You could be right. if the BACKUP is not running and goes through the previous inspection AND has an attached vpn connection will be marked as disconnected.
need to investigate a bit to see what _s2sVpnMgr.getConnectionsForRouter(router) would return for a backup router. It the backup router does not have an attached vpn connection we are good as it will just skip any further vpn connection checking for that iteration.
There was a problem hiding this comment.
ok @pdube so getConnectionsForRouter() returns vpn connections based on the vpcid of the router. As both the backup and master router have the same vpcid assigned and therefore will both return vpn connections, which will then be marked as disconnected if the backup router is not running, it makes sense to first exclude backup routers and then to exclude non-running routers.
I force pushed the change. @pdube could you test?
michaelandersen
force-pushed
the
fix/site2sitevpn
branch
from
f6364fc
to
055d84e
Compare
|
As for:
A dual MASTER state should not be possible, but even if it occurred it would, in this context worst case, trigger a vpn state check on both routers.
This makes sense and i will manually verify and if possible automate this tomorrow. |
| @@ -468,7 +500,7 @@ def get_ssh_client(self, virtual_machine, services, retries): | |||
|
|
|||
| return ssh_client | |||
|
|
|||
| def create_natrule(self, vpc, vm, public_port, private_port, public_ip, network, services=None): | |||
| def _create_natrule(self, vpc, vm, public_port, private_port, public_ip, network, services=None): | |||
There was a problem hiding this comment.
why _create_natrule() and not create_natrule()?
There was a problem hiding this comment.
a matter of style i guess, i consistently changed private methods/non-tests to be prefixed with an underscore.
michaelandersen
force-pushed
the
fix/site2sitevpn
branch
2 times, most recently
from
7e988ff
to
7513fdb
Compare
|
just ran the test again after adding the validateList method: command: results: |
michaelandersen
force-pushed
the
fix/site2sitevpn
branch
from
7513fdb
to
1948e13
Compare
|
ping @DaanHoogland |
|
ping @sanju1010 @wido @terbolous |
michaelandersen
force-pushed
the
fix/site2sitevpn
branch
from
1948e13
to
d1e5230
Compare
michaelandersen
force-pushed
the
fix/site2sitevpn
branch
from
d1e5230
to
435a98c
Compare
|
tested on a two kvm, as in the bubble, setup: LGTM |
|
Ping @remibergsma LGTM, please proceed with merge. Cheers, |
[4.7] FIX Site2SiteVPN on redundant VPCThis PR: - fixes the inability to setup more than one Site2Site VPN connection from a VPC - fixes starting of Site2Site VPN on redundant VPC - fixes Site2Site VPN state checking on redundant VPC - improves the vpc_vpn test to allow multple hypervisors - adds an integration test for Site2Site VPN on redundant VPC Tested it on 4.7 single Xen server zone: command: ``` nosetests --with-marvin --marvin-config=/data/shared/marvin/mct-zone1-xen1.cfg -a tags=advanced,required_hardware=true /tmp/test_vpc_vpn.py ``` results: ``` Test Site 2 Site VPN Across redundant VPCs ... === TestName: test_01_redundant_vpc_site2site_vpn | Status : SUCCESS === ok Test Remote Access VPN in VPC ... === TestName: test_01_vpc_remote_access_vpn | Status : SUCCESS === ok Test Site 2 Site VPN Across VPCs ... === TestName: test_01_vpc_site2site_vpn | Status : SUCCESS === ok ---------------------------------------------------------------------- Ran 3 tests in 1490.076s OK ``` also performed numerous manual inspections of state of VPN connections and connectivity between VPC's * pr/1276: Fix unable to setup more than one Site2Site VPN Connection FIX S2S VPN rVPC: Check only redundant routers in state MASTER PEP8 of integration/smoke/test_vpc_vpn Add S2S VPN test for Redundant VPC Make integration/smoke/test_vpc_vpn Hypervisor independant FIX VPN: non-working ipsec commands Signed-off-by: Remi Bergsma <github@remi.nl>
This PR:
Tested it on 4.7 single Xen server zone:
command:
results:
also performed numerous manual inspections of state of VPN connections and connectivity between VPC's