mitaka libreswan change ipsec.secrets file not allowed

asked 2016-06-20 01:41:16 -0600 by eupub

Hi Experts,

I am running Mitaka on CentOS 7 and trying to set up VPNaaS (using libreswan), and I keep getting this error about a chown operation not being permitted on the ipsec.secrets file. It seems the rootwrap/vpnaas.filters and libreswan_ipsec.py are not taking effect?

Please advise, and thanks!

Regards, Boon Lee

ls -l /var/lib/neutron/ipsec/9aea0cff-e830-4a20-b3f0-33acc462fd6f/etc/

    total 12
    -rw-r--r--.  1 neutron neutron 1898 Jun 20 14:23 ipsec.conf
    drwxr-xr-x. 11 neutron neutron 4096 Jun 20 14:18 ipsec.d
    -rw-------.  1 neutron neutron   82 Jun 20 14:23 ipsec.secrets
    drwxr-xr-x.  3 neutron neutron   18 Jun 20 14:18 pki

vpn-agent.log:

    2016-06-20 14:23:40.502 13103 ERROR neutron.agent.linux.utils [-] Exit code: 1; Stdin: ; Stdout: ; Stderr: chown: changing ownership of ‘/var/lib/neutron/ipsec/9aea0cff-e830-4a20-b3f0-33acc462fd6f/etc/ipsec.secrets’: Operation not permitted
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router 9aea0cff-e830-4a20-b3f0-33acc462fd6f
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 289, in enable
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self.ensure_configs()
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py", line 51, in ensure_configs
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     secrets_file])
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 396, in _execute
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 927, in execute
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     log_fail_as_error=log_fail_as_error, **kwargs)
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 140, in execute
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(msg)
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError: Exit code: 1; Stdin: ; Stdout: ; Stderr: chown: changing ownership of ‘/var/lib/neutron/ipsec/9aea0cff-e830-4a20-b3f0-33acc462fd6f/etc/ipsec.secrets’: Operation not permitted
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec
    2016-06-20 14:23:40.503 13103 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec

cat /usr/share/neutron/rootwrap/vpnaas.filters

    [Filters]
    ip: IpFilter, ip, root
    ip_exec: IpNetnsExecFilter, ip, root
    ipsec: CommandFilter, ipsec, root
    strongswan: CommandFilter, strongswan, root
    neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
    neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
    chown: RegExpFilter, chown, root, chown, --from=., root.root, ./ipsec.secrets

rpm -qa | grep libreswan

    libreswan-3.15-5.el7_1.x86_64

rpm -qa | grep neutron

    openstack-neutron-openvswitch-8.1 ...


1 answer

answered 2016-07-04 15:39:56 -0600 by peter

SELinux is currently blocking creation of vpnaas. For more info see https://bugzilla.redhat.com/show_bug.cgi?id=1352710

As a temporary workaround you can use:

$ semanage permissive -a neutron_t

peter
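Before making a whole domain permissive, it is worth confirming that the chown really is an SELinux denial: the command reached the kernel (rootwrap let it run; the "Operation not permitted" comes from chown itself), so the matching AVC record should be in the audit log. The script below is an added example, not code from the page or the neutron project; it extracts AVC denials for one source domain from audit.log text. The audit records are constructed to show the shape, and the neutron_var_lib_t target label is an assumption, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the page or the neutron project): pull SELinux AVC
# denials for one source domain out of audit.log text, so chown's EPERM can
# be tied to a policy denial rather than to the rootwrap filter (a rootwrap
# refusal never lets chown run at all). The records below are constructed;
# the neutron_var_lib_t target context is an assumption about the file label.
SAMPLE_AUDIT='type=AVC msg=audit(1466400220.502:9876): avc:  denied  { setattr } for  pid=13110 comm="chown" name="ipsec.secrets" dev="dm-0" ino=4242 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1466400220.502:9876): arch=c000003e syscall=92 success=no exit=-1 comm="chown" exe="/usr/bin/chown" subj=system_u:system_r:neutron_t:s0 key=(null)
type=AVC msg=audit(1466400221.100:9877): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_denials_for DOMAIN: read audit records on stdin; for each AVC denial
# whose source type is DOMAIN print "<comm> <permissions> <tclass> <name> <permissive>".
avc_denials_for() {
  awk -v dom="$1" '
    /^type=AVC/ && /avc: +denied/ {
      comm = ""; perm = ""; cls = ""; name = ""; src = ""; pmode = ""
      # the requested permissions sit between braces, e.g. "{ setattr }"
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        if (kv[1] == "comm") comm = kv[2]
        else if (kv[1] == "tclass") cls = kv[2]
        else if (kv[1] == "name") name = kv[2]
        else if (kv[1] == "scontext") src = kv[2]
        else if (kv[1] == "permissive") pmode = kv[2]
      }
      gsub(/"/, "", comm); gsub(/"/, "", name)
      split(src, ctx, ":")                 # user:role:type:level
      if (ctx[3] == dom) print comm, perm, cls, name, pmode
    }'
}

# neutron_denied_on FILE: exit 0 when stdin shows neutron_t denied on FILE,
# i.e. the situation the answer attributes to SELinux; exit 1 otherwise.
neutron_denied_on() {
  avc_denials_for neutron_t | awk -v f="$1" '$4 == f { hit = 1 } END { exit(hit ? 0 : 1) }'
}

# Stand-alone demonstration over the constructed records.
printf '%s\n' "$SAMPLE_AUDIT" | avc_denials_for neutron_t
if printf '%s\n' "$SAMPLE_AUDIT" | neutron_denied_on ipsec.secrets; then
  echo "neutron_t is denied on ipsec.secrets: look at the SELinux policy before changing rootwrap filters"
fi
```

On a real host, feed the script `ausearch -m avc -ts recent` output (or /var/log/audit/log) instead of SAMPLE_AUDIT; no matching AVC record means the cause lies elsewhere.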
