Hi,

I'm just back to the problem, and it seems it's possible to use a workaround:

if [ "$PLUTO_VERB" = "down-client" ] || [ "$PLUTO_VERB" = "down-host" ]; then
    # wait a random 2-5 s, then run the helper outside the updown call
    DLY=$(shuf -i2-5 -n1)
    HLPR=$(dirname "$0")/down-helper
    (sleep "${DLY}"; "$HLPR" "${PLUTO_CONNECTION}") &
fi


while down-helper can safely call swanctl and proceed with the required action:

if [ -z "$(swanctl -l -n -i "${1}")" ]; then [ ... ]; fi


On 18.11.2020 10:32, Volodymyr Litovka wrote:

Hi colleagues,

I'm using a call to swanctl in the updown script in order to distinguish
between deleting a connection and IKE rekeying, checking for the existence
of an IKE session and, thus, trying to avoid unnecessary changes to the
network:

# if there are no [re-]established SAs for this connection, then
# delete networking for this connection
if [ "$PLUTO_VERB" = "down-client" ] || [ "$PLUTO_VERB" = "down-host" ] &&
[ -z "$(swanctl -l -n -i "${PLUTO_CONNECTION}")" ]; then
  ip link set "$intf" down
  ip link del "$intf"
fi

but this creates a deadlock when I'm restarting the service by 'systemctl
restart strongswan': if there are existing sessions, then the first and
all subsequent calls to swanctl (from the updown script) freeze
infinitely, stopping the charon restart itself - progress is possible only
by repeatedly killing every launched 'swanctl' using the SIGKILL signal. At
the same time, any call to vici also freezes - so this isn't a problem
with swanctl but with the vici interface. It doesn't matter whether I call
swanctl with or without the '-n' parameter or whether I call vici with the
"noblock" parameter set (1) or unset (0) (
vici.Session(sock=s).list_sas({"noblock": 1}) )

This behaviour raises a few questions:

1) whether vici can be called simultaneously by different processes?
2) how is it possible to avoid such deadlocks? The documentation says
nothing about the number of vici 'listeners', and the basic idea of
increasing the number of these listeners can't be implemented.

My environment is:

OS: Ubuntu 20.04.1
Strongswan: 5.8.2 (5.8.2-1ubuntu3.1)

Thank you.

--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison

--
Volodymyr Litovka
  "Vision without Execution is Hallucination." -- Thomas Edison
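
A fuller `down-helper` along the lines of the workaround in the reply above, as an added example that is not the poster's script. It assumes the interface name is passed as a second argument (the post passes only the connection name); the function names, `QUERY_TIMEOUT`, the character whitelist and the choice to leave the interface alone when the swanctl query itself fails or times out are all assumptions of this example.

```shell
#!/bin/sh
# down-helper <connection> <interface>   (added example; 2nd argument is an assumption)
QUERY_TIMEOUT=${QUERY_TIMEOUT:-10}   # seconds; 0 = call swanctl without a bound

# Run a command under timeout(1) so a stuck vici call cannot pin this helper.
bounded() {
    if [ "$QUERY_TIMEOUT" -gt 0 ]; then
        timeout "$QUERY_TIMEOUT" "$@"
    else
        "$@"
    fi
}

# 0 = an IKE SA is listed for the connection, 1 = none listed,
# 2 = the query failed or timed out.
ike_sa_state() {
    out=$(bounded swanctl -l -n -i "$1" 2>/dev/null) || return 2
    [ -n "$out" ] && return 0
    return 1
}

# Remove the interface only when charon positively reports no SA.
teardown_if_gone() {
    conn=$1
    intf=$2
    # Both names land on command lines: accept a conservative charset only.
    for v in "$conn" "$intf"; do
        case $v in
            ''|*[!A-Za-z0-9_.-]*) echo "down-helper: bad argument" >&2; return 64 ;;
        esac
    done
    state=0
    ike_sa_state "$conn" || state=$?
    case $state in
        0) return 0 ;;                           # SA (re-)established: keep networking
        1) ip link set "$intf" down 2>/dev/null || :
           ip link del "$intf" 2>/dev/null || :  # already gone is fine
           return 0 ;;
        *) echo "down-helper: SA query failed for $conn, leaving $intf" >&2
           return 75 ;;
    esac
}

# Act only when invoked with both arguments, as an updown script would.
if [ "$#" -ge 2 ]; then
    teardown_if_gone "$1" "$2"
fi
```

Exit status 75 tells the caller the decision was deferred rather than made, so a failed or timed-out query is never treated as "no SA".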
