On Thu, Jan 29, 2026 at 12:28 PM Ilya Maximets <[email protected]> wrote:
> On 1/29/26 6:13 PM, Mike Pattrick wrote: > > On Thu, Jan 29, 2026 at 9:10 AM Ilya Maximets <[email protected] > <mailto:[email protected]>> wrote: > > > > Libreswan 5.3+ emits a warning every time ipsec add/start is called, > > because we have auto=route in the ipsec.conf, but when we run simple > > ipsec add <conn>, it is not taken into account. However, this is an > > expected behavior and the warning itself is a bit misleading, > > especially because it is also printed out on stderr for the > > ipsec start <conn>. Earlier versions of Libreswan had this message > > as well, but it was under the verbose logging, so it wasn't shown to > > users who didn't opt into it, but now it is elevated to the warning > > level. > > > > Ignore the warning to avoid polluting the logs: > > > > 2026-01-12T12:26:09Z | 294 | ovs-monitor-ipsec | WARN | stderr: > > b'ipsec addconn: /etc/ipsec.conf:7: warning: > > conn ovn-96a9c8-0-in-1: overriding auto=route with > auto=add\n' > > > > > > This must be a holdover from python2. We should probably .decode() those > log messages before string format. > > Yeah, may be a good thing to do. The printed errors are a little hard to > read. > Though it should be a separate patch, I suppose. > > > > > > > > > Signed-off-by: Ilya Maximets <[email protected] <mailto: > [email protected]>> > > --- > > ipsec/ovs-monitor-ipsec.in <http://ovs-monitor-ipsec.in> | 15 > +++++++++++++-- > > 1 file changed, 13 insertions(+), 2 deletions(-) > > > > diff --git a/ipsec/ovs-monitor-ipsec.in <http://ovs-monitor-ipsec.in> > b/ipsec/ovs-monitor-ipsec.in <http://ovs-monitor-ipsec.in> > > index 3b22765a9..fa4613b56 100755 > > --- a/ipsec/ovs-monitor-ipsec.in <http://ovs-monitor-ipsec.in> > > +++ b/ipsec/ovs-monitor-ipsec.in <http://ovs-monitor-ipsec.in> 
> > @@ -77,7 +77,8 @@ RECONCILIATION_INTERVAL = 15 # seconds > > TIMEOUT_EXPIRED = 137 # Exit code for a SIGKILL (128 + 9). > > > > > > -def run_command(args, description=None, warn_on_failure=True): > > +def run_command(args, description=None, > > + warn_on_failure=True, stderr_ignore=[]): > > """ This function runs the process args[0] with args[1:] > arguments > > and returns a tuple: return-code, stdout, stderr. """ > > > > @@ -99,6 +100,9 @@ def run_command(args, description=None, > warn_on_failure=True): > > proc.kill() > > ret = TIMEOUT_EXPIRED > > > > + for ignore in stderr_ignore: > > + perr = perr.replace(ignore.encode(), b'') > > > > > > I'm a little confused about this, wouldn't it still result in a log > message like: > > > > 2026-01-12T12:26:09Z | 294 | ovs-monitor-ipsec | WARN | stderr: > > b'ipsec addconn: /etc/ipsec.conf:7: warning: > > ' > > I may be confused and I haven't actually run the code. But it seems like > only part > > of the warning is being suppressed. > > You're right, that's my bad. I copied a combined keyingtries + auto=route > warning message and edited it in the commit message. The actual warning > doesn't contain the 'ipsec addconn: /etc/ipsec.conf:7: warning:' part. > That > one is coming from the keyingtries warning message. > > I can edit the commit message on commit, unless there will be other > comments. > That seems reasonable! > > Best regards, Ilya Maximets. > > > > > -M > > > > > > + > > if (proc.returncode or perr) and warn_on_failure: > > vlog.warn("Failed to %s; exit code: %d" > > % (description, proc.returncode)) 
> > @@ -877,12 +881,19 @@ conn prevent_unencrypted_vxlan > > > > def _start_ipsec_connection(self, conn, action): > > asynchronous = [] if action == "add" else ["--asynchronous"] > > + # Some versions of Libreswan (5.3+) warn that 'auto' in the > config > > + # file is not taken into account while calling ipsec > add/start. > > + # This is expected and we shouldn't warn users about this > as the > > + # message itself is a bit misleading: > > + # https://github.com/libreswan/libreswan/issues/2584 < > https://github.com/libreswan/libreswan/issues/2584> > > + ignore = ["conn %s: overriding auto=route with auto=add\n" > % conn] > > ret, pout, perr = run_command(self.IPSEC_AUTO + > > ["--config", > self.ROOT_IPSEC_CONF, > > "--ctlsocket", self.IPSEC_CTL, > > "--" + action, > > *asynchronous, conn], > > - "%s %s" % (action, conn)) > > + "%s %s" % (action, conn), > > + stderr_ignore=ignore) > > > > if re.match(r".*[F|f]ailed to initiate connection.*", pout): > > vlog.err('Failed to initiate connection through' > > -- > > 2.52.0 > > > > _______________________________________________ > > dev mailing list > > [email protected] <mailto:[email protected]> > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev < > https://mail.openvswitch.org/mailman/listinfo/ovs-dev> > > > > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
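Review bot: In the run_command() signature hunk (@@ -77,7 +77,8 @@), stderr_ignore=[] is a mutable default argument. The function only iterates over it in this patch, so nothing breaks today, but a default of None or an empty tuple avoids the shared-list pitfall if a later change appends to it. The docstring still describes only args and the returned tuple. One added sentence saying that the listed strings are stripped from stderr before the failure check would tell callers that the perr they get back is filtered.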
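Review bot: In the @@ -99,6 +100,9 @@ hunk, perr.replace(ignore.encode(), b'') removes the text wherever it occurs in stderr, so a match embedded in a longer line leaves the rest of that line behind to be logged, which is the partial-message outcome asked about in the thread. Each ignore string already ends in "\n", so consider splitting perr into lines and dropping only the lines that equal an ignored message. The following "if (proc.returncode or perr) and warn_on_failure" check then sees either a complete warning or nothing. A short comment above the loop saying that an stderr emptied by the filter is meant to suppress the warning would also help the next reader.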
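Review bot: In the _start_ipsec_connection() hunk (@@ -877,12 +881,19 @@), the ignore string is fixed to "overriding auto=route with auto=add\n" although the same call runs for both the add and the start action, per the comment above it. If the start path prints a different suffix, or the configuration uses an auto= value other than route, the warning passes through unfiltered. Please confirm the exact stderr text for both actions against the Libreswan issue linked in the comment, and either build the string from the action or note in the comment that the wording is identical in both cases. Because the match is an exact substring, any rewording in a later Libreswan release brings the log noise back silently, so a test that feeds a captured stderr sample through run_command() would be a useful guard.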
