Libreswan 5.3+ emits a warning every time ipsec add/start is called,
because we have auto=route in the ipsec.conf, but when we run a simple
ipsec add <conn>, it is not taken into account. However, this is
expected behavior and the warning itself is a bit misleading,
especially because it is also printed out on stderr for
ipsec start <conn>. Earlier versions of Libreswan had this message
as well, but it was under verbose logging, so it wasn't shown to
users who didn't opt into it, but now it is elevated to the warning
level.

Ignore the warning to avoid polluting the logs:

  2026-01-12T12:26:09Z | 294 | ovs-monitor-ipsec | WARN | stderr:
    b'ipsec addconn: /etc/ipsec.conf:7: warning:
    conn ovn-96a9c8-0-in-1: overriding auto=route with auto=add\n'

Signed-off-by: Ilya Maximets <[email protected]>
---
ipsec/ovs-monitor-ipsec.in | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
index 3b22765a9..fa4613b56 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -77,7 +77,8 @@ RECONCILIATION_INTERVAL = 15 # seconds
TIMEOUT_EXPIRED = 137 # Exit code for a SIGKILL (128 + 9).
-def run_command(args, description=None, warn_on_failure=True):
+def run_command(args, description=None,
+ warn_on_failure=True, stderr_ignore=[]):
""" This function runs the process args[0] with args[1:] arguments
and returns a tuple: return-code, stdout, stderr. """
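Review bot: `stderr_ignore=[]` in the new signature is a mutable default argument, so one list object is shared by every call that omits the parameter. Nothing in the visible hunks mutates it, but `stderr_ignore=None` with a fallback to an empty list at the point of use, or an immutable `()` default, removes the hazard. The docstring is also left unchanged; it should say that the listed strings are stripped from stderr before the failure check.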
@@ -99,6 +100,9 @@ def run_command(args, description=None,
warn_on_failure=True):
proc.kill()
ret = TIMEOUT_EXPIRED
+ for ignore in stderr_ignore:
+ perr = perr.replace(ignore.encode(), b'')
+
if (proc.returncode or perr) and warn_on_failure:
vlog.warn("Failed to %s; exit code: %d"
% (description, proc.returncode))
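Review bot: the `perr.replace(ignore.encode(), b'')` loop removes only the matched substring, so the rest of the stderr line survives and `perr` stays non-empty for the `(proc.returncode or perr)` check. Going by the sample in the commit message, the line starts with `ipsec addconn: /etc/ipsec.conf:7: warning: ` and the ignore string begins at `conn ...`, which would leave that prefix behind and still trigger the "Failed to ..." warning. Consider dropping every stderr line that contains an ignore pattern (split on `b'\n'`, filter, rejoin) instead of substring replacement, so that unrelated stderr output is still reported intact.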
@@ -877,12 +881,19 @@ conn prevent_unencrypted_vxlan
def _start_ipsec_connection(self, conn, action):
asynchronous = [] if action == "add" else ["--asynchronous"]
+ # Some versions of Libreswan (5.3+) warn that 'auto' in the config
+ # file is not taken into account while calling ipsec add/start.
+ # This is expected and we shouldn't warn users about this as the
+ # message itself is a bit misleading:
+ # https://github.com/libreswan/libreswan/issues/2584
+ ignore = ["conn %s: overriding auto=route with auto=add\n" % conn]
ret, pout, perr = run_command(self.IPSEC_AUTO +
["--config", self.ROOT_IPSEC_CONF,
"--ctlsocket", self.IPSEC_CTL,
"--" + action,
*asynchronous, conn],
- "%s %s" % (action, conn))
+ "%s %s" % (action, conn),
+ stderr_ignore=ignore)
if re.match(r".*[F|f]ailed to initiate connection.*", pout):
vlog.err('Failed to initiate connection through'
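Review bot: the `ignore` literal is fixed to `overriding auto=route with auto=add\n`, while this function is also called with other `action` values (the `--asynchronous` branch) and the comment says the warning appears for both add and start. If Libreswan's text follows the requested action, the start case will not match, so please confirm the wording for `start` and build the string from `action` if it differs. The literal also silently depends on the config template writing `auto=route`; a short comment tying the two together would help whoever changes the template later.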
--
2.52.0
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev