On 1 Nov 2024, at 2:23, Ilya Maximets wrote:
> Until now, functions that needed to call external programs like openssl
> or ipsec commands were using subprocess commands directly. Most of
> these calls had no failure checks or any logging making it hard to
> understand what is happening inside the daemon when something doesn't
> work as intended.
>
> Some commands also had a chance to not read the command output in full.
> That might sound like not a big problem, but in practice it causes
> ovs-monitor-ipsec to deadlock pluto and itself with certain versions of
> Libreswan (mainly Libreswan 5+). The order of events is following:
>
> 1. ovs-monitor-ipsec calls ipsec status redirecting the output
> to a pipe.
> 2. ipsec status calls ipsec whack.
> 3. ipsec whack connects to pluto and asks for status.
> 4. ovs-monitor-ipsec doesn't read the pipe in full.
> 5. ipsec whack blocks on write to the other side of the pipe
> when it runs out of buffer space.
> 6. pluto blocks on sendmsg to ipsec whack for the same reason.
> 7. ovs-monitor-ipsec calls another ipsec command and blocks
> on connection to pluto.
>
> In this scenario the running process is at the mercy of garbage
> collector and it doesn't run because we're blocked on calling another
> ipsec command. All the processes are completely blocked and will not
> do any work until ipsec whack is killed.
>
> With this change we're introducing a new function that will be used
> for all the external process execution commands and will read the full
> output before returning, avoiding the deadlock. It will also log all
> the failures as warnings and the commands themselves at the debug level.
>
> We'll be adding more logic into this function in later commits as well,
> so it will not stay that simple.
>
> Acked-by: Roi Dayan <[email protected]>
> Signed-off-by: Ilya Maximets <[email protected]>
Changes look good to me.
Acked-by: Eelco Chaudron <[email protected]>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
