On 1/29/26 6:13 PM, Mike Pattrick wrote:
> On Thu, Jan 29, 2026 at 9:10 AM Ilya Maximets <[email protected]> wrote:
>
>     Libreswan 5.3+ emits a warning every time ipsec add/start is called,
>     because we have auto=route in the ipsec.conf, but when we run simple
>     ipsec add <conn>, it is not taken into account. However, this is an
>     expected behavior and the warning itself is a bit misleading,
>     especially because it is also printed out on stderr for the
>     ipsec start <conn>. Earlier versions of Libreswan had this message
>     as well, but it was under the verbose logging, so it wasn't shown to
>     users who didn't opt into it, but now it is elevated to the warning
>     level.
>
>     Ignore the warning to avoid polluting the logs:
>
>       2026-01-12T12:26:09Z | 294 | ovs-monitor-ipsec | WARN | stderr:
>       b'ipsec addconn: /etc/ipsec.conf:7: warning:
>       conn ovn-96a9c8-0-in-1: overriding auto=route with auto=add\n'
>
> This must be a holdover from python2. We should probably .decode() those log
> messages before string format.

Yeah, may be a good thing to do. The printed errors are a little hard to read. Though it should be a separate patch, I suppose. > > > > Signed-off-by: Ilya Maximets <[email protected] > <mailto:[email protected]>> > --- > ipsec/ovs-monitor-ipsec.in <http://ovs-monitor-ipsec.in> | 15 > +++++++++++++-- > 1 file changed, 13 insertions(+), 2 deletions(-) > > diff --git a/ipsec/ovs-monitor-ipsec.in <http://ovs-monitor-ipsec.in> > b/ipsec/ovs-monitor-ipsec.in <http://ovs-monitor-ipsec.in> > index 3b22765a9..fa4613b56 100755 > --- a/ipsec/ovs-monitor-ipsec.in <http://ovs-monitor-ipsec.in> > +++ b/ipsec/ovs-monitor-ipsec.in <http://ovs-monitor-ipsec.in> > @@ -77,7 +77,8 @@ RECONCILIATION_INTERVAL = 15 # seconds > TIMEOUT_EXPIRED = 137 # Exit code for a SIGKILL (128 + 9). > > > -def run_command(args, description=None, warn_on_failure=True): > +def run_command(args, description=None, > + warn_on_failure=True, stderr_ignore=[]): > """ This function runs the process args[0] with args[1:] arguments > and returns a tuple: return-code, stdout, stderr. """ 
> > @@ -99,6 +100,9 @@ def run_command(args, description=None, > warn_on_failure=True): > proc.kill() > ret = TIMEOUT_EXPIRED > > + for ignore in stderr_ignore: > + perr = perr.replace(ignore.encode(), b'') > > > I'm a little confused about this, wouldn't it still result in a log message > like: > > 2026-01-12T12:26:09Z | 294 | ovs-monitor-ipsec | WARN | stderr: > b'ipsec addconn: /etc/ipsec.conf:7: warning: > ' > I may be confused and I haven't actually run the code. But it seems like only > part > of the warning is being suppressed. You're right, that's my bad. I copied a combined keyingtries + auto=route warning message and edited it in the commit message. The actual warning doesn't contain the 'ipsec addconn: /etc/ipsec.conf:7: warning:' part. That one is coming from the keyingtries warning message. I can edit the commit message on commit, unless there will be other comments. Best regards, Ilya Maximets. > > -M > > > + > if (proc.returncode or perr) and warn_on_failure: > vlog.warn("Failed to %s; exit code: %d" > % (description, proc.returncode)) 
> @@ -877,12 +881,19 @@ conn prevent_unencrypted_vxlan > > def _start_ipsec_connection(self, conn, action): > asynchronous = [] if action == "add" else ["--asynchronous"] > + # Some versions of Libreswan (5.3+) warn that 'auto' in the > config > + # file is not taken into account while calling ipsec add/start. > + # This is expected and we shouldn't warn users about this as the > + # message itself is a bit misleading: > + # https://github.com/libreswan/libreswan/issues/2584 > <https://github.com/libreswan/libreswan/issues/2584> > + ignore = ["conn %s: overriding auto=route with auto=add\n" % > conn] > ret, pout, perr = run_command(self.IPSEC_AUTO + > ["--config", self.ROOT_IPSEC_CONF, > "--ctlsocket", self.IPSEC_CTL, > "--" + action, > *asynchronous, conn], > - "%s %s" % (action, conn)) > + "%s %s" % (action, conn), > + stderr_ignore=ignore) > > if re.match(r".*[F|f]ailed to initiate connection.*", pout): > vlog.err('Failed to initiate connection through' > -- > 2.52.0 > > _______________________________________________ > dev mailing list > [email protected] <mailto:[email protected]> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > <https://mail.openvswitch.org/mailman/listinfo/ovs-dev> > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
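Review bot: In the run_command() signature hunk (@@ -77,7 +77,8), stderr_ignore=[] uses a mutable list as a default argument. The visible code only iterates over it, so nothing breaks today, but a default of None or () avoids the shared-object pitfall if the function is ever changed to modify it. The docstring kept as context still describes only the return tuple; one sentence saying that the strings in stderr_ignore are removed from stderr before the failure check would document the new parameter.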
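Review bot: In the hunk at @@ -99,6 +100,9, the loop removes each ignored string with perr.replace(), which is a substring match, so any other text on the same line stays in perr and the following "(proc.returncode or perr)" check still logs a warning, now with a truncated message. Consider comparing whole lines of stderr against the ignore list, so that a line is either dropped entirely or logged intact. A short comment above the loop saying why the filtering has to happen before the warn_on_failure check would also help the next reader.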
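Review bot: In the _start_ipsec_connection() hunk (@@ -877,12 +881,19), the ignore entry is the exact text "conn %s: overriding auto=route with auto=add\n", including the trailing newline and the auto=route value, so the suppression applies only while stderr carries this precise wording and line ending. Consider dropping the trailing "\n" from the pattern and matching per line in run_command(), and say in the code comment that the match is an exact string, so that a later wording change shows up as a returning warning rather than a silent surprise.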
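The partial-suppression question raised in this thread, as an added example that is not part of the patch or of the OVS code: it compares the patch's substring removal with a hypothetical whole-line filter on decoded stderr. The sample stderr values are constructed from the messages quoted above, and `drop_ignored_lines` and `should_warn` are names assumed here.

```python
# Added example (not from the patch).  Sample stderr is constructed from the
# messages quoted in this thread: BARE is the warning on its own, COMBINED is
# the prefixed form shown in the commit message.
IGNORE = ["conn ovn-96a9c8-0-in-1: overriding auto=route with auto=add\n"]
BARE = IGNORE[0].encode()
COMBINED = b"ipsec addconn: /etc/ipsec.conf:7: warning: " + BARE


def strip_substrings(perr, ignore):
    """Substring removal on bytes, the approach in the patch's loop."""
    for text in ignore:
        perr = perr.replace(text.encode(), b"")
    return perr


def drop_ignored_lines(perr, ignore):
    """Hypothetical variant: decode, then drop only lines that equal an
    ignored message, so a longer line is never left half-stripped."""
    wanted = {text.rstrip("\n") for text in ignore}
    lines = perr.decode(errors="replace").splitlines()
    return "\n".join(line for line in lines if line not in wanted)


def should_warn(returncode, perr):
    """Mirrors the patch's condition: non-zero exit or leftover stderr."""
    return bool(returncode or perr)


if __name__ == "__main__":
    for name, sample in (("bare", BARE), ("combined", COMBINED)):
        for fn in (strip_substrings, drop_ignored_lines):
            left = fn(sample, IGNORE)
            print("%-8s %-18s warn=%-5s left=%r"
                  % (name, fn.__name__, should_warn(0, left), left))
```

With the bare message both functions leave nothing to log; with the prefixed form the substring version leaves only the prefix, while the whole-line version keeps the full line as readable text.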
