On Thu, Jan 29, 2026 at 9:10 AM Ilya Maximets <[email protected]> wrote:
> Libreswan 5.3+ emits a warning every time ipsec add/start is called, > because we have auto=route in the ipsec.conf, but when we run simple > ipsec add <conn>, it is not taken into account. However, this is an > expected behavior and the warning itself is a bit misleading, > especially because it is also printed out on stderr for the > ipsec start <conn>. Earlier versions of Libreswan had this message > as well, but it was under the verbose logging, so it wasn't shown to > users who didn't opt into it, but now it is elevated to the warning > level. > > Ignore the warning to avoid polluting the logs: > > 2026-01-12T12:26:09Z | 294 | ovs-monitor-ipsec | WARN | stderr: > b'ipsec addconn: /etc/ipsec.conf:7: warning: > conn ovn-96a9c8-0-in-1: overriding auto=route with auto=add\n' > This must be a holdover from python2. We should probably .decode() those log messages before string format. > > Signed-off-by: Ilya Maximets <[email protected]> > --- > ipsec/ovs-monitor-ipsec.in | 15 +++++++++++++-- > 1 file changed, 13 insertions(+), 2 deletions(-) > > diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in > index 3b22765a9..fa4613b56 100755 > --- a/ipsec/ovs-monitor-ipsec.in > +++ b/ipsec/ovs-monitor-ipsec.in > @@ -77,7 +77,8 @@ RECONCILIATION_INTERVAL = 15 # seconds > TIMEOUT_EXPIRED = 137 # Exit code for a SIGKILL (128 + 9). > > > -def run_command(args, description=None, warn_on_failure=True): > +def run_command(args, description=None, > + warn_on_failure=True, stderr_ignore=[]): > """ This function runs the process args[0] with args[1:] arguments > and returns a tuple: return-code, stdout, stderr. """ 
> > @@ -99,6 +100,9 @@ def run_command(args, description=None, > warn_on_failure=True): > proc.kill() > ret = TIMEOUT_EXPIRED > > + for ignore in stderr_ignore: > + perr = perr.replace(ignore.encode(), b'') > I'm a little confused about this, wouldn't it still result in a log message like: 2026-01-12T12:26:09Z | 294 | ovs-monitor-ipsec | WARN | stderr: b'ipsec addconn: /etc/ipsec.conf:7: warning: ' I may be confused and I haven't actually run the code. But it seems like only part of the warning is being suppressed. -M > + > if (proc.returncode or perr) and warn_on_failure: > vlog.warn("Failed to %s; exit code: %d" > % (description, proc.returncode)) > @@ -877,12 +881,19 @@ conn prevent_unencrypted_vxlan > > def _start_ipsec_connection(self, conn, action): > asynchronous = [] if action == "add" else ["--asynchronous"] > + # Some versions of Libreswan (5.3+) warn that 'auto' in the config > + # file is not taken into account while calling ipsec add/start. > + # This is expected and we shouldn't warn users about this as the > + # message itself is a bit misleading: > + # https://github.com/libreswan/libreswan/issues/2584 > + ignore = ["conn %s: overriding auto=route with auto=add\n" % conn] > ret, pout, perr = run_command(self.IPSEC_AUTO + > ["--config", self.ROOT_IPSEC_CONF, > "--ctlsocket", self.IPSEC_CTL, > "--" + action, > *asynchronous, conn], > - "%s %s" % (action, conn)) > + "%s %s" % (action, conn), > + stderr_ignore=ignore) > > if re.match(r".*[F|f]ailed to initiate connection.*", pout): > vlog.err('Failed to initiate connection through' > -- > 2.52.0 > > _______________________________________________ > dev mailing list > [email protected] > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
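
Review bot: In the run_command() signature hunk (@@ -77,7 +77,8 @@), stderr_ignore=[] is a mutable default argument. The visible code only iterates over it, so nothing breaks today, but stderr_ignore=None or an empty tuple avoids the shared-list pitfall if a later change appends to it. The docstring under the signature still describes only args and the returned tuple, so it should also say that stderr_ignore is a list of strings removed from stderr before the failure check.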
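
Review bot: In the hunk at @@ -99,6 +100,9 @@, perr.replace(ignore.encode(), b'') cuts out only the ignored substring, and the string built in _start_ipsec_connection() starts at "conn %s:", so the "ipsec addconn: /etc/ipsec.conf:7: warning: " prefix shown in the commit message's log sample would stay in perr. The check that follows, "if (proc.returncode or perr) and warn_on_failure:", is then still true on the leftover bytes. Consider dropping every stderr line that ends with an ignored message instead of removing the substring, so that perr is empty when the expected warning was the only output.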
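
Review bot: In the _start_ipsec_connection() hunk (@@ -877,12 +881,19 @@), the ignore string hard-codes the exact wording "overriding auto=route with auto=add\n" and is passed for both the add and the non-add action. Any change in Libreswan's wording, or in the auto= value written to ipsec.conf, silently brings the warning back. A comment stating that the text must track the auto=route setting in ipsec.conf, or a looser match on "overriding auto=", would make that coupling explicit.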
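
The question raised in the reply can be checked offline. This is an added example, not code from the patch or from Open vSwitch: the stderr bytes are constructed from the log line quoted in the commit message, and `drop_matching_lines` and `would_warn` are hypothetical helpers.

```python
# Constructed sample, modelled on the stderr line quoted in the commit message.
CONN = "ovn-96a9c8-0-in-1"
SAMPLE_STDERR = (
    b"ipsec addconn: /etc/ipsec.conf:7: warning: "
    b"conn ovn-96a9c8-0-in-1: overriding auto=route with auto=add\n"
)
# Same ignore string the patch builds in _start_ipsec_connection().
IGNORE = ["conn %s: overriding auto=route with auto=add\n" % CONN]


def strip_substrings(perr, stderr_ignore):
    """Approach used in the patch: cut each ignored substring out of stderr."""
    for ignore in stderr_ignore:
        perr = perr.replace(ignore.encode(), b"")
    return perr


def drop_matching_lines(perr, stderr_ignore):
    """Hypothetical alternative: drop whole stderr lines that end with an
    ignored message, and keep every other line untouched."""
    patterns = [p.encode().rstrip(b"\r\n") for p in stderr_ignore]
    kept = [
        line for line in perr.splitlines(keepends=True)
        if not any(line.rstrip(b"\r\n").endswith(p) for p in patterns)
    ]
    return b"".join(kept)


def would_warn(returncode, perr, warn_on_failure=True):
    """Mirrors the condition in run_command(): leftover stderr still warns."""
    return bool((returncode or perr) and warn_on_failure)


if __name__ == "__main__":
    for name, func in (("strip_substrings", strip_substrings),
                       ("drop_matching_lines", drop_matching_lines)):
        left = func(SAMPLE_STDERR, IGNORE)
        print("%-20s leftover=%r warn=%s" % (name, left, would_warn(0, left)))
```
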
