On Tue, May 23, 2017 at 5:44 AM, Paul Wouters <[email protected]> wrote:
> On Mon, 22 May 2017, Martin T wrote:
>
>>> Thanks for reply! I think that pluto is failing to die:
>>>
>>> # pgrep -la pluto; killall -SIGTERM pluto; sleep 30; pgrep -la pluto
>>> 31885 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf
>>> --nofork
>>> 31885 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf
>>> --nofork
>
>
> I don't know what that is happening, but tempted to blame your
> particular system.
>
>>> Maybe pluto didn't compile correctly? I downloaded
>>>
>>> download.libreswan.org/binaries/rhel/latest/x86_64/libreswan-3.20-1.el6.src.rpm,
>>> modified the spec file and built a RPM for OpenSUSE 42.1.
>
>
> If it compiled, it should work? As long as USE_SECCOMP did not get
> enabled, you should be fine.
>
>> command, then I see those very same log messages shown in my initial
>> e-mail with an exception that systemd does not kill the process. In
>> other words, the "May 18 18:49:28 host systemd[1]: ipsec.service
>> stop-sigterm timed out. Killing." does not happen. When I execute
>> "systemctl status ipsec", then its status is "running". If I attach to
>> pluto (PID is 12912) process with "strace -f -p 12912" command and then
>> execute "killall -SIGTERM pluto", then following is shown:
>>
>> ) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
>> [pid 12912] --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER,
>> si_pid=13463, si_uid=0} ---
>> [pid 12912] rt_sigreturn({mask=[]}) = -1 EINTR (Interrupted system
>> call)
>> [pid 12912] futex(0x7f0e440009a0, FUTEX_WAIT_PRIVATE, 2, NULL
>
>
> I'm not sure what this means.
>
>> I could add "KillSignal=SIGKILL" to systemd unit file, but I'm not
>> sure what are the consequences once the server is used for live IPsec
>> connections..
>
>
> It works, in that we won't send any Delete/Notifies so the other end
> won't know you're gone until you are back and try to re-establish the
> tunnel (or until their dpd settings kick in)
>
> Paul

Paul,

thanks for reply! When I execute "rpmbuild -ba SPECS/libreswan.spec",
then USE_SECCOMP seems to be disabled:

+ make 'USERCOMPILE=-g -DGCC_LINT -O2 -g -m64 -fmessage-length=0 -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fPIE -pie ' 'USERLINK=-g -pie -Wl,-z,relro,-z,now ' INITSYSTEM=systemd USE_NM=true USE_XAUTHPAM=true USE_FIPSCHECK=true FIPSPRODUCTCHECK=/etc/system-fips USE_LIBCAP_NG=true USE_LABELED_IPSEC=true USE_LINUX_AUDIT=true USE_LDAP=true USE_LIBCURL=true USE_DNSSEC=true INC_USRLOCAL=/usr FINALLIBDIR=/usr/lib/ipsec FINALLIBEXECDIR=/usr/lib/ipsec MANTREE=/usr/share/man INC_RCDEFAULT=/etc/init.d 'MODPROBE=modprobe -q -b' USE_DH22=true USE_SECCOMP=0 programs

Anyway, if there isn't a significant difference if pluto gets killed
by SIGTERM or SIGKILL, then I'll simply modify the systemd unit file.


thanks,
Martin
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
