0

High CPU load VPNaaS and libreswan on CentOS 7

asked 2016-04-24 05:33:51 -0600

Kevin

updated 2016-04-25 12:28:04 -0600

sgordon

Hi,

When installing libreswan and neutron-vpnaas-agent, I get 100% CPU load on all cores. The problem exists in Liberty and Mitaka deployments via Packstack.

The process consuming the cpu-cycles is "certutil":

certutil -N -d sql:/etc/ipsec.d --empty-password

It spawns several times; sometimes the process dies when swap runs full. Running this command in a root shell works flawlessly.

I don't get any more debug output, is this a known problem?


2 answers

1

answered 2016-05-04 06:56:44 -0600

ETP

updated 2016-05-05 23:52:53 -0600

I have the same problem (CentOS 7/Liberty), and after some troubleshooting it seems that ipsec is trying to initialize the db in the wrong directory (sql:/etc/ipsec.d) instead of the router namespace (sql:/var/lib/neutron/ipsec/<routerid>/etc/ipsec.d). Changing /sbin/ipsec a bit fixed this for me:

diff -u6 /sbin/ipsec.org /sbin/ipsec

--- /sbin/ipsec.org 2016-05-04 09:51:36.440145790 +0300
+++ /sbin/ipsec 2016-05-04 09:49:52.224502975 +0300
@@ -236,12 +236,13 @@
        # NSS db location
        if [ "${2}" = "-d" -o "${2}" = "--configdir" ]; then
        IPSEC_NSSDIR="${3}"
             else
        IPSEC_NSSDIR="${2}"
        fi
+       IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}"
    fi
    if [ ! -d "${IPSEC_NSSDIR}" ]; then
        mkdir -p "${IPSEC_NSSDIR}"
    fi
    # if we have old database
    if [ -f "${IPSEC_NSSDIR}/cert8.db" -o \
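
Review bot: at the added IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}" line, the value is built from "${2}" or "${3}" with no check that it is non-empty, so a call that passes -d or --configdir without a path would leave IPSEC_NSSDIR_SQL as a bare "sql:" and reach mkdir -p "" a few lines below. Suggest guarding the assignment with a test such as [ -n "${IPSEC_NSSDIR}" ] and exiting with an error otherwise. A short comment saying that IPSEC_NSSDIR_SQL must always be recomputed when IPSEC_NSSDIR is overridden would also help, since the two variables are now set in different places. The new line is indented differently from the block around it.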

ipsec --version

Linux Libreswan 3.15 (netkey) on 3.10.0-327.13.1.el7.x86_64

Disclaimer: I haven't fully tested the above; if something breaks, you can keep all the pieces.


Comments

Issue is already fixed on upstream libreswan: https://github.com/libreswan/libreswa...

ETP ( 2016-05-05 23:53:54 -0600 )
0

answered 2016-10-14 06:28:10 -0600

[root@controller-27-139 ipsec]# ps -ef|grep ipsec

root 32293 31818 0 18:01 ? 00:00:00 /bin/sh /sbin/ipsec checknss /var/lib/neutron/ipsec/415acf48-e0e6-44c4-9dee-9ef39e0003f2/etc
root 32294 32293 99 18:01 ? 00:01:32 certutil -N -d sql:/etc/ipsec.d --empty-password
root 32536 19768 0 18:03 pts/3 00:00:00 grep --color=auto ipsec

[root@controller-27-139 ipsec]# top

top - 18:03:28 up 62 days, 22:12, 5 users, load average: 2.10, 1.53, 1.24
Tasks: 372 total, 3 running, 369 sleeping, 0 stopped, 0 zombie
%Cpu(s): 13.3 us, 15.8 sy, 0.0 ni, 70.7 id, 0.1 wa, 0.0 hi, 0.1 si, 0.0 st
KiB Mem : 65747616 total, 52454268 free, 9921012 used, 3372336 buff/cache
KiB Swap: 65914876 total, 58083976 free, 7830900 used. 53647092 avail Mem

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
32294 root 20 0 37392 3392 2516 R 99.6 0.0 1:41.02 certutil
31818 root 20 0 3097568 2.371g 4316 S 90.1 3.8 1:31.54 neutron-rootwra
19 root 20 0 0 0 0 S 4.0 0.0 108:21.20 rcuos/0
545 root 20 0 288348 175408 173056 S 3.1 0.3 838:46.60 systemd-journal

It looks like this?

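
The symptom both answers describe (an "ipsec checknss" run for a router directory whose certutil child opens sql:/etc/ipsec.d instead) can be checked for mechanically. The following is an added example, not part of either answer and not libreswan or neutron code; the function names and the second sample pair are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from libreswan or neutron-vpnaas).
# Reads `ps -ef` lines on stdin and prints "PID expected_dir actual_dir" for
# each certutil whose NSS db is outside its parent checknss directory.
find_misdirected_certutil() {
    awk '
    {
        pid = $2; ppid = $3
        for (i = 8; i <= NF; i++) {
            # Parent: ipsec checknss [-d|--configdir] DIR
            if ($i == "checknss" && ($(i-1) == "ipsec" || $(i-1) ~ /\/ipsec$/)) {
                j = i + 1
                if ($j == "-d" || $j == "--configdir") j++
                if (j <= NF) want[pid] = $j
            }
            # Child: certutil ... -d [sql:]DIR
            if ($i == "certutil" || $i ~ /\/certutil$/)
                for (k = i + 1; k < NF; k++)
                    if ($k == "-d") {
                        db = $(k + 1); sub(/^sql:/, "", db)
                        got[pid] = db; par[pid] = ppid
                    }
        }
    }
    END {
        for (p in got) {
            w = want[par[p]]; g = got[p]
            if (w == "") continue        # parent is not an ipsec checknss call
            rest = substr(g, length(w) + 1)
            if (index(g, w) != 1 || (rest != "" && substr(rest, 1, 1) != "/"))
                print p, w, g
        }
    }'
}

# Sample input: the first two lines are the ps output posted above; the last
# two are a constructed healthy pair (router id and PIDs are made up).
sample_ps() {
    cat <<'EOF'
root 32293 31818 0 18:01 ? 00:00:00 /bin/sh /sbin/ipsec checknss /var/lib/neutron/ipsec/415acf48-e0e6-44c4-9dee-9ef39e0003f2/etc
root 32294 32293 99 18:01 ? 00:01:32 certutil -N -d sql:/etc/ipsec.d --empty-password
root 40001 31818 0 18:05 ? 00:00:00 /bin/sh /sbin/ipsec checknss /var/lib/neutron/ipsec/ROUTER-B/etc
root 40002 40001 0 18:05 ? 00:00:00 certutil -N -d sql:/var/lib/neutron/ipsec/ROUTER-B/etc/ipsec.d --empty-password
EOF
}

sample_ps | find_misdirected_certutil
```

On a live host, feed it real process data with `ps -ef | find_misdirected_certutil`; no output means every certutil child is working inside the directory its parent was given.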

Stats

Asked: 2016-04-24 05:33:51 -0600

Seen: 635 times

Last updated: Oct 14 '16