upstream/oracle/userland-gate: comparison components/openstack/neutron/files/services/vpn/device_drivers/solaris

equal deleted inserted replaced

-:12498e4ad8f9
+:9d70f1e25eba
 vpn_tunnels.append(ifname)
 return vpn_tunnels
-def disable_services():
+def disable_smf_services():
 """Disable IPsec Policy/IKE smf(5) services using rad(1).
 """
 ike_svc = "network/ipsec/ike"
 ipsec_svc = "network/ipsec/policy"
 global restarting
 # configured or not. The easiest way to determine if VPNaaS is
 # configured is to check if there are any IP tunnels configured.
 ifs = get_vpn_interfaces()
 if ifs:
 whack_ike_rules()
-disable_services()
+disable_smf_services()
 delete_tunnels(ifs, False)
 def whack_ike_rules():
 cmd = ['/usr/bin/pfexec', '/usr/sbin/ikeadm', '-n', 'dump', 'rule']
 self.ipsec_svc = "network/ipsec/policy"
 self.packet_logging = cfg.CONF.solaris.packet_logging
 self.logging_level = cfg.CONF.solaris.logger_level
 self.generate_config(vpnservice)
 self.dump_config()
-LOG.info("Configuring vpn-service: %s." % vpnservice)
+LOG.debug("Configuring router: %s" % process_id)
+LOG.debug("Configuring vpn-service: %s." % vpnservice)
 def dump_config(self):
 if not self.vpnservice:
-LOG.warn("No VPNs configured.")
+LOG.info("No VPNs configured.")
 return
 connections = self.vpnservice['ipsec_site_connections']
-LOG.warn("New VPN configuration:")
+LOG.info("New VPN configuration:")
 for site in connections:
 LOG.info("Site ID: \"%s\"" % site['id'])
 LOG.info("\tTenant ID: \"%s\"" % site['tenant_id'])
 LOG.info("\tIKE policy ID: \"%s\"" % site['ikepolicy_id'])
 LOG.info("\tIPsec policy ID: \"%s\"" % site['ipsecpolicy_id'])
 LOG.info("\tStatus: \"%s\"" % site['status'])
 def translate_dialect(self):
 if not self.vpnservice:
 return
-LOG.warn("Generating Solaris IKE/IPsec config files.")
+LOG.info("Generating Solaris IKE/IPsec config files.")
 for ipsec_site_conn in self.vpnservice['ipsec_site_connections']:
 self._dialect(ipsec_site_conn, 'initiator')
 self._dialect(ipsec_site_conn['ikepolicy'], 'ike_version')
 for key in ['encryption_algorithm', 'auth_algorithm', 'pfs']:
 self._dialect(ipsec_site_conn['ikepolicy'], key)
 def gen_config_content(self, template_file, vpnservice):
 """Generate IPsec configuration files using templates.
 """
 template = _get_template(template_file)
 return template.render(
 {'vpnservice': vpnservice,
 'state_path': cfg.CONF.state_path})
 @abc.abstractmethod
 The l3_agent is being shutdown.
 """
 LOG.debug("Getting status of IKE daemon")
 global being_shutdown
 if being_shutdown:
-LOG.warn("VPNaaS being shutdown")
+LOG.info("VPNaaS being shutdown")
 return False
 # IKE is running. Update status of all connections
 # IKE knows about.
 self.get_connection_status()
 it back again.
 This should be revisited if we support more than one router.
 """
 if not self.vpnservice:
-LOG.warn("No VPNs configured.")
+LOG.info("No VPNs configured.")
 return
 status_changed_vpn_services = []
 new_status = self.copy_process_status(self)
 LOG.info("Marking all site connections %s" % new_state)
 for conn in new_status[IPSEC_CONNS]:
 new_status[IPSEC_CONNS][conn] = {
 'status': new_state,
 'updated_pending_status': True
 }
 status_changed_vpn_services.append(new_status)
 self.agent_rpc.update_status(
 self.context,
 status_changed_vpn_services)
 def get_connection_status(self):
 LOG.debug("Getting Connection Status")
 global being_shutdown
 global restarting
 if not self.vpnservice:
-LOG.warn("No VPNs configured.")
+LOG.info("No VPNs configured.")
 return True
 if restarting:
-LOG.warn("IKE restarting")
+LOG.info("IKE restarting")
 return True
 self.ike_was_running = self.ike_running
 if not self.get_status():
 if being_shutdown:
 self.ikeadm_fails = 0
 else:
-LOG.warn("IKE daemon is not running.")
+LOG.info("IKE daemon is not running.")
 self.ikeadm_fails += 1
 if self.ikeadm_fails > self.ikeadm_maxfails:
-LOG.warn("IKE daemon still not running, something's wrong.")
+LOG.info("IKE daemon still not running, something's wrong.")
 restarting = True
 being_shutdown = True
 self.mark_connections(constants.DOWN)
 restarting = False
 being_shutdown = False
 self.ike_running = False
 return False
 if self.ike_running and not self.ike_was_running:
-LOG.warn("IKE daemon has been restarted")
+LOG.info("IKE daemon has been restarted")
 self.mark_connections(constants.ACTIVE)
 return True
 for connection_id in self.connection_ids:
 if not self.connection_status.get(connection_id):
 self.connection_status[connection_id] = {
 Solaris commands mentioned above are called directly using pfexec(1).
 """
 def __init__(self, conf, process_id,
 vpnservice, namespace):
-LOG.warn("Configuring IPsec/IKE")
+LOG.info("Configuring IPsec/IKE")
 super(SolarisIPsecProcess, self).__init__(
 conf, process_id,
 vpnservice, namespace)
 self.secrets_file = os.path.join(
 self.etc_dir, 'secret/ike.preshared')
 self.generate_config_file(
 'ike/ikev2.preshared',
 self.conf.solaris.ikev2_secret_template,
 self.vpnservice)
+def start_ipsec(self):
+self.service_setprops()
+self.enable_smf_services()
 def add_tunnels(self):
 """Add tunnel interfaces using dladm(1m) and
 ipadm(1m).
 """
 try:
 stdout, stderr = processutils.execute(*cmd)
 except processutils.ProcessExecutionError as stderr:
 m = re.search('object already exists', str(stderr))
 if m:
-LOG.warn("Tunnel with Outer IP: %s -> %s, Inner: "
+LOG.info("Tunnel with Outer IP: %s -> %s, Inner: "
 "%s -> %s already exists."
 % (o_local, o_remote, i_local, i_remote))
 else:
-LOG.warn("Error adding tunnel - Outer IP: %s -> %s,"
+LOG.info("Error adding tunnel - Outer IP: %s -> %s,"
 "Inner: %s -> %s"
 % (o_local, o_remote, i_local, i_remote))
-LOG.warn("\"%s\"" % stderr)
+LOG.info("\"%s\"" % stderr)
 self.badboys.append(site)
 continue
 LOG.info(
 "Added tunnel - Outer IP: %s -> %s, Inner: %s -> %s"
 cmd = ['/usr/bin/pfexec', 'ipadm', 'create-ip', '-t', tun_name]
 try:
 stdout, stderr = processutils.execute(*cmd)
 except processutils.ProcessExecutionError as stderr:
 if re.search('Interface already exists', str(stderr)):
-LOG.warn("Tunnel interface: '%s' already exists." %
+LOG.info("Tunnel interface: '%s' already exists." %
 tun_name)
 else:
-LOG.warn("Error creating tunnel")
+LOG.info("Error creating tunnel")
-LOG.warn("\"%s\"" % stderr)
+LOG.info("\"%s\"" % stderr)
 self.badboys.append(site)
 continue
 cmd = ['/usr/bin/pfexec', 'ipadm', 'create-addr', '-t',  '-T',
 'static', '-a', "local=%s,remote=%s" % (i_local, i_remote),
 tun_name]
 try:
 stdout, stderr = processutils.execute(*cmd)
 except processutils.ProcessExecutionError as stderr:
-LOG.warn("Error creating tunnel")
+LOG.info("Error creating tunnel")
-LOG.warn("\"%s\"" % stderr)
+LOG.info("\"%s\"" % stderr)
 self.badboys.append(site)
 continue
 cmd = ['/usr/bin/pfexec', 'route', '-n', 'add', 'net', peer_cidr,
 i_remote]
 try:
 stdout, stderr = processutils.execute(*cmd)
 except processutils.ProcessExecutionError as stderr:
 m = re.search('entry exists', str(stderr))
 if m:
-LOG.warn("Route already exists.")
+LOG.info("Route already exists.")
 else:
-LOG.warn("Error adding route.")
+LOG.info("Error adding route.")
 self.badboys.append(site)
 continue
 # Now for some Policy Based Routing (PBR) voodoo. When a Neutron
 # subnet is added to a Neutron router, it adds a PBR rule that
 addrobj_addr.startswith('l3i')):
 addrobj = addrobj_addr.split(':')[0]
 ifname = addrobj.split('/')[0]
 break
 if not ifname:
-LOG.warn("Failed to find IP interface corresponding to "
+LOG.info("Failed to find IP interface corresponding to "
 "VPN subnet: %s. Skipping bypass rule for '%s'" %
 (subnet['cidr'], tun_name))
 continue
 label = 'vpn_%s_%s' % (ifname, peer_cidr.replace('/', '_'))
 LOG.debug("Looking for IPsec site connections.")
 cmd = ['/usr/bin/pfexec', '/usr/sbin/ikeadm', '-n', 'dump', 'rule']
 try:
 status, stderr = processutils.execute(*cmd)
 except processutils.ProcessExecutionError as stderr:
-LOG.warn("IKE daemon does not appear to be running.")
+LOG.info("IKE daemon does not appear to be running.")
 LOG.debug("\"%s\"" % stderr)
 return False
 self.ikeadm_fails = 0
 self.connection_ids = []
 """Restart VPNaaS.
 Some optimization possible here, a restart does not
 require property setting. If we are not running, we
 don't need to disable stuff. See self.start(), self.stop()
 """
-LOG.warn("Restarting VPNaaS")
+LOG.info("Restarting VPNaaS")
 self.stop()
 self.start()
 return
 def start(self):
 """Start VPNaaS.
 """
-LOG.warn("Start")
+LOG.info("Start")
 if not self.vpnservice:
-LOG.warn("No VPNs configured.")
+LOG.info("No VPNs configured.")
 return
-LOG.warn("Starting VPNaaS")
+LOG.info("Starting VPNaaS")
 self.ensure_configs()
-self.service_setprops()
-self.enable_services()
 self.add_tunnels()
 def stop(self):
 self.connection_status = {}
 self.get_status()
 self.flush_sas()
 self.mark_connections(constants.DOWN)
 LOG.debug("Disable IPsec policy and IKE SMF(5) services")
-disable_services()
+disable_smf_services()
 def flush_sas(self):
 """Flush IPsec SAs, this should be done with rad(1) eventually.
 For disable ignore any errors.
 """
 [self.logging_level])
 instance.refresh()
 rad_connection.close()
-def enable_services(self):
+def enable_smf_services(self):
 """Enable IPsec Policy/IKE smf(5) services using rad(1).
 """
 LOG.info("Enabling IPsec policy.")
 rad_connection = rad.connect.connect_unix()
 instance = rad_connection.get_object(
 rad.client.ADRGlobPattern({'service': self.ike_svc,
 'instance': self.ike_version}))
 instance.enable(True)
 if self.packet_logging:
-LOG.warn("Enabling IPsec packet logger.")
+LOG.info("Enabling IPsec packet logger.")
 instance = rad_connection.get_object(
 smfb.Instance(),
 rad.client.ADRGlobPattern({'service': self.ipsec_svc,
 'instance': 'logger'}))
 instance.enable(True)
 LOG.info(
 "Status of router ID: \"%s\" has changed." % process.id)
 new_status = self.copy_process_status(process)
 if not self.check_connection_cache(process, new_status):
-LOG.debug("Connection Cache stale.")
+LOG.debug("Connection Cache has been updated.")
 status_changed_vpn_services.append(new_status)
+self.unset_updated_pending_status(process)
+self.unset_cache_status(process)
 self.process_status_cache[process.id] = (
 self.copy_process_status(process))
-self.unset_updated_pending_status(process)
 if status_changed_vpn_services:
-LOG.warn("Updating VPN Site status in database.")
+LOG.info("Status of VPN services have changed %s" %
+status_changed_vpn_services)
 self.agent_rpc.update_status(context, status_changed_vpn_services)
 @lockutils.synchronized('vpn-agent', 'neutron-')
 @abc.abstractmethod
 def create_process(self, process_id, vpnservice, namespace):
 def enable_vpn(self, process_id, vpnservice=None):
 """Configure IPsec, IKE, tunnels on this router.
 """
 LOG.info("Configuring VPNaaS on router: \"%s\"" % process_id)
+if not vpnservice:
+LOG.info("No VPNs configured")
+return
 process = self.processes.get(process_id)
 if not process or not process.namespace:
 namespace = ""
 process = self.create_process(
 process_id,
 vpnservice,
 namespace)
 self.processes[process_id] = process
 elif vpnservice:
 process.generate_config(vpnservice)
 return process
 def create_router(self, process_id):
 """"Handling create router event.
 """
 process.status *calls* active.
 There is a lot of debug here, because if this function fails
 nothing gets updated.
 """
 if process.updated_pending_status:
-LOG.debug("updated_pending_status: True")
+LOG.debug("Status of VPN services have changed")
 return True
 if process.status != previous_status['status']:
 LOG.debug("Current Router status != Previous status")
+LOG.debug("%s/%s" % (process.status, previous_status['status']))
 return True
 ps = previous_status['ipsec_site_connections']
 if process.connection_status != ps:
 LOG.debug("Current VPN status != Previous status")
+LOG.debug("%s/%s" % (process.connection_status, ps))
 return True
 found_previous_connection = False
 ps = previous_status['ipsec_site_connections']
 ps[ipsec_site_conn]['updated_pending_status']))
 found_previous_connection = False
 for new_ipsec_site_conn in process.connection_ids:
 if ipsec_site_conn == new_ipsec_site_conn:
-LOG.debug("Found entry for ID: '%s'" %
+LOG.debug("Found existing entry for ID: '%s'" %
 new_ipsec_site_conn)
 found_previous_connection = True
 if not found_previous_connection:
-LOG.debug("Unable to find entry for ID: '%s'" %
+LOG.debug("Unable to find existing entry for ID: '%s'" %
 ipsec_site_conn)
+ps[ipsec_site_conn]['status'] = constants.DOWN
+ps[ipsec_site_conn]['updated_pending_status'] = True
 return True
 continue
 return False
+def unset_cache_status(self, process):
+self.process_status_cache[process.id]['updated_pending_status'] = False
+cache = self.process_status_cache[process.id]
+for pending in cache['ipsec_site_connections'].values():
+pending['updated_pending_status'] = False
 def unset_updated_pending_status(self, process):
 process.updated_pending_status = False
 for connection_status in process.connection_status.values():
+LOG.debug("Unset Pending Status %s" % connection_status)
 connection_status['updated_pending_status'] = False
 def copy_process_status(self, process):
 return {
 'id': process.vpnservice['id'],
 if process_id in self.process_status_cache:
 LOG.debug(
 "Checking connection cache of router ID: \"%s\"" % process_id)
 stale_entries = []
 cache = self.process_status_cache[process_id]
+if not cache[IPSEC_CONNS]:
+LOG.debug("No cache")
+return False
 for site_conn in cache[IPSEC_CONNS]:
 status = cache[IPSEC_CONNS][site_conn]['status']
 LOG.debug(
 "Cache has [%s] entry for site ID: \"%s\""
 % (status, site_conn))
 if site_conn not in process.connection_ids:
-LOG.warn(
+LOG.info(
 "Site connection \"%s\" appears to have been deleted."
 % site_conn)
 return_value = False
 new_status[IPSEC_CONNS][site_conn] = {
 'status': constants.DOWN,
 'updated_pending_status': True
 }
 stale_entries.append(site_conn)
-for badboy in stale_entries:
+if stale_entries:
-cache[IPSEC_CONNS].pop(badboy)
+for badboy in stale_entries:
+LOG.debug("Remove stale entry from connection cache: %s" %
-return return_value
+badboy)
+cache[IPSEC_CONNS].pop(badboy)
+return return_value
 @lockutils.synchronized('vpn-agent', 'neutron-')
 def sync(self, context, routers):
 """Sync is called by the server side of neutron.
 This will be called whenever new configuration is
 vpn_0_site_2/v4 static    ok   -- 192.168.90.1->192.168.100.1
 vpn_0_site_2/v4a static   ok   -- 192.168.90.1->192.168.101.1
 vpn_0_site_2/v4b static   ok   -- 192.168.80.1->192.168.100.1
 vpn_0_site_2/v4c static   ok   -- 192.168.80.1->192.168.101.1
 """
-LOG.warn("Neutron: Syncing VPN configuration.")
 try:
+LOG.info("Getting VPN configuration from neutron")
 vpnservices = self.agent_rpc.get_vpn_services_on_host(
 context, self.host)
 except:
-LOG.warn("No VPN")
+LOG.info("VPNaaS not enabled.")
 return
 router_ids = [vpnservice['router_id'] for vpnservice in vpnservices]
 global existing_tunnels
 delete_tunnels(existing_tunnels)
+whack_ike_rules()
 existing_tunnels = []
-# This is a list of one or more vpn-service objects.
-vpnservices = self.agent_rpc.get_vpn_services_on_host(
-context, self.host)
 # Remove old configuration files.
 try:
 shutil.rmtree(os.path.join(cfg.CONF.solaris.config_base_dir,
 vpnservice['router_id']))
 # Add tunnel_id's
 local_ips = {}
 remote_ips = {}
 vpn_cnt = 0
 site_cnt = 0
+# If there are no vpn-services defined, we can bail out here.
+# But we still need to check and delete any sub-processes that
+# may have been created last time sync() was called.
+if not vpnservices:
+LOG.info("No VPNs configured")
+for process in self.processes:
+del process
+self.process_status_cache['process_id'] = {}
+self.processes = {}
+disable_smf_services()
+return
 for vpnservice in vpnservices:
 ex_ip = vpnservice['external_ip']
 l_id = local_ips.get(ex_ip)
 (tun_name, vpnservice['id']))
 # Next time we restart, these tunnels will be removed.
 if tun_name not in existing_tunnels:
 existing_tunnels.append(tun_name)
+new_vpnservice_status = []
 for vpnservice in vpnservices:
 process = self.enable_vpn(
 vpnservice['router_id'], vpnservice=vpnservice)
+self.vpnservice = vpnservice
 process.update()
+new_status = {
-for router in routers:
+'id': vpnservice['id'],
-# We are using router id as process_id
+'status': constants.ACTIVE,
-process_id = router['id']
+'updated_pending_status': True,
-if process_id not in router_ids:
+'ipsec_site_connections': {}
-process = self.enable_vpn(process_id)
+}
-self.destroy_router(process_id)
+new_vpnservice_status.append(new_status)
-process_ids = [process_id
+LOG.debug("Updating status of all vpnservices: %s" %
-for process_id in self.processes
+new_vpnservice_status)
-if process_id not in router_ids]
+self.agent_rpc.update_status(
-for process_id in process_ids:
+self.context, new_vpnservice_status)
-LOG.info("Deleting VPNaaS on router: \"%s\"" % process_id)
-self.destroy_router(process_id)
+# Call start routine that sets up tunnels and
+# enables smf(5) services.
+process.start_ipsec()
 class SolarisIPsecDriver(IPsecDriver):
 def create_process(self, process_id, vpnservice, namespace):
 LOG.debug("SolarisIPsec Driver loaded.")

changeset 6378	9d70f1e25eba
parent 5630	dff517d5c829
child 6848	8e252a37ed0d