New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CLOUDSTACK-9296] Start ipsec for client VPN #1423
Conversation
This looks like a sensible fix to me. Code LGTM 👍 |
@syed Can you squash the 2 commits please? |
@kiwiflyer : Rebase done. Here is the log from the VR when I enable client side vpn
earlier we were not starting IPSec |
This should be brought out quickly to community via 4.8.1 release. |
If there's a Marvin integration test for this feature, I'm wondering why it succeeded without this fix. I think we might need to improve the test and show it's broken, then also show this PR fixes it. Anyone feels like fixing the test as well? |
@remibergsma I beleive there is a marvin test for this but I beleive it was failing. I want to test this test but I could not find enough documentaiton on how to do this cleanly. All the more reason for a better CI |
@remibergsma Going through the VPN tests on Marvin, I see that it is not actually testing if VPN is working. It just check if we can enable VPN without any errors but doesn't go to test if the enabled VPN is connectable. |
@syed I have not looked into this. Is it possible for us to improve the test so it actually tests that the VPN works? |
@swill I beleieve we can do a better test. After the VPN is set up we can do something like |
thank you sir. :) |
@swill I have added a marvin test to see if the VPN service starts correctly however I am having trouble getting marvin to work correctly. When I run the test I get the follwing error
Basically marvin is failing to start. Have you had this problem? Also, in my script I use an external dependency |
Introducing an external dependency is probably going to cause some problems. @bhaisaab can you review this and maybe give some feedback on the best way to handle this? |
@swill we'll need to publish a new systemvm template (i.e. we can no longer use the 4.6 systemvm template) if we have a new systemvm dependency; for the marvin test this requires that the host where you're running the test has |
@bhaisaab Ok thanks. Are there other things we want to get into the systemvm template if we do publish a new one? Probably not the best place for this discussion, but maybe this is something we should discuss on dev@? |
@swill we can ask around on ML, afaik in addition to strongswan (provided the strongswan PR gets reviewed and merged before 4.9 freeze) I known of the ospf stuff by @abhinandanprateek which needs zebra and related packages for ospf. Abhi is on leave this week, but we can discuss this next week. In general, we should evaluate and build a new systemvm template based on what new features end up in master until the freeze date in May (as you had shared on dev@). |
Ok, thanks @bhaisaab. So I need to get on the systemvm template stuff asap to try to get those PRs in a good place so we have a little breathing room before the RC date to work out any kinks. Thanks for the help on this. :) |
@bhaisaab Do you have an idea of why Marvin is failing on my dev setup? I've followed the guide mentioned here. I get the following error
Appriciate your help |
@syed looks like marvin plugin is missing; if you've both python 2.6/2.7 (looks like nose is using python 2.6) make sure to install it for the one you use (the default python). Alternatively, try to install using pip with --upgrade; for example, after building cloudstack run: sudo pip install --upgrade tools/marvin/dist/.tar.gz |
LGTM tag:mergeready |
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
@swill Sqashed. I believe this is good to go. |
Thanks @syed. I will get CI run against this. I see we have the required code review, so I just need to get CI run. Thx... |
@syed please close and reopen or repush. we are close to freeze and I want to get some of these PRs in... |
@syed can you provide details for how to add Also, can you repush this or close and reopen? |
CI RESULTS
Summary of the problem(s):
Associated Uploads
Uploads will be available until Comment created by |
@syed can you review this error? It seems to be related to your test. Thanks... |
CI RESULTS
Associated Uploads
Uploads will be available until Comment created by |
This one is ready... |
[CLOUDSTACK-9296] Start ipsec for client VPNThis fix starts the IPSEC daemon when enabling client side vpn * pr/1423: [CLOUDSTACK-9296] Start ipsec for client VPN Signed-off-by: Will Stevens <williamstevens@gmail.com>
After a vRouter is recreated (which happens when a reboot via CloudStack UI for example) and Remote Access VPN enabled, VPN won't work anymore. Here is the abbreviated output of "ipsec auto -status" while we were having the issue: root@r-10-VM:~# ipsec auto --status 000 using kernel interface: netkey 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface eth0/eth0 169.254.1.45 000 interface eth0/eth0 169.254.1.45 000 %myid = (none) Notice that only eth0 is shown, not the public interface eth1. Because of that ipsec is broken. However, if we manually stopped and started ipsec, then issued a "ipsec auto -status", the abbreviated output would be: root@r-10-VM:~# ipsec auto --status 000 using kernel interface: netkey 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface eth0/eth0 169.254.1.45 000 interface eth0/eth0 169.254.1.45 000 interface eth1/eth1 xxx.xxx.xxx.172 000 interface eth1/eth1 xxx.xxx.xxx.172 000 interface eth2/eth2 192.168.1.1 000 interface eth2/eth2 192.168.1.1 000 %myid = (none) eth1 interface IP is masked, but now ipsec sees all the interfaces and VPN works. Looks like this bug was introduced by Pull Request apache#1423 apache#1423 It added code to start ipsec (cloudstack/systemvm/patches/debian/config/opt/cloud/bin/configure.py) if vpnconfig['create']: logging.debug("Enabling remote access vpn on "+ public_ip) CsHelper.start_if_stopped("ipsec") self.configure_l2tpIpsec(public_ip, self.dbag[public_ip]) The issue is that if a reboot is issued from the CloudStack UI (as opposed to manually by logging into the vRouter), the NICS (except eth0) are not added to the VM until the cloud service is running. Since ipsec was started before the nics were added to the VM and before the public IP address is added to the nic, ipsec is not listening on the public IP address and all VPNs are broken. This is not a problem with the Site2Site VPN section of configure.py, because that section does not start ipsec if the public IP is not on the system yet...
After a vRouter is recreated (which happens when a reboot via CloudStack UI for example) and Remote Access VPN enabled, VPN won't work anymore. Here is the abbreviated output of "ipsec auto -status" while we were having the issue: root@r-10-VM:~# ipsec auto --status 000 using kernel interface: netkey 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface eth0/eth0 169.254.1.45 000 interface eth0/eth0 169.254.1.45 000 %myid = (none) Notice that only eth0 is shown, not the public interface eth1. Because of that ipsec is broken. However, if we manually stopped and started ipsec, then issued a "ipsec auto -status", the abbreviated output would be: root@r-10-VM:~# ipsec auto --status 000 using kernel interface: netkey 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface eth0/eth0 169.254.1.45 000 interface eth0/eth0 169.254.1.45 000 interface eth1/eth1 xxx.xxx.xxx.172 000 interface eth1/eth1 xxx.xxx.xxx.172 000 interface eth2/eth2 192.168.1.1 000 interface eth2/eth2 192.168.1.1 000 %myid = (none) eth1 interface IP is masked, but now ipsec sees all the interfaces and VPN works. Looks like this bug was introduced by Pull Request apache#1423 apache#1423 It added code to start ipsec (cloudstack/systemvm/patches/debian/config/opt/cloud/bin/configure.py) if vpnconfig['create']: logging.debug("Enabling remote access vpn on "+ public_ip) CsHelper.start_if_stopped("ipsec") self.configure_l2tpIpsec(public_ip, self.dbag[public_ip]) The issue is that if a reboot is issued from the CloudStack UI (as opposed to manually by logging into the vRouter), the NICS (except eth0) are not added to the VM until the cloud service is running. Since ipsec was started before the nics were added to the VM and before the public IP address is added to the nic, ipsec is not listening on the public IP address and all VPNs are broken. This is not a problem with the Site2Site VPN section of configure.py, because that section does not start ipsec if the public IP is not on the system yet...
…eate (#1966) This makes sure IP address is active. After a vRouter is recreated (e.g. reboot via CloudStack UI) and Remote Access VPN enabled, VPN won't work anymore. Here is the abbreviated output of "ipsec auto -status" while we were having the issue: root@r-10-VM:~# ipsec auto --status 000 using kernel interface: netkey 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface eth0/eth0 169.254.1.45 000 interface eth0/eth0 169.254.1.45 000 %myid = (none) After this commit, the following occurs and VPNs work: root@r-10-VM:~# ipsec auto --status 000 using kernel interface: netkey 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface eth0/eth0 169.254.1.45 000 interface eth0/eth0 169.254.1.45 000 interface eth1/eth1 xxx.xxx.xxx.172 000 interface eth1/eth1 xxx.xxx.xxx.172 000 interface eth2/eth2 192.168.1.1 000 interface eth2/eth2 192.168.1.1 000 %myid = (none) eth1 interface IP is masked, but now ipsec sees all the interfaces and VPN works. Looks like this bug was introduced by Pull Request #1423 It added code to start ipsec (cloudstack/systemvm/patches/debian/config/opt/cloud/bin/configure.py) if vpnconfig['create']: logging.debug("Enabling remote access vpn on "+ public_ip) CsHelper.start_if_stopped("ipsec")
This fix starts the IPSEC daemon when enabling client side vpn