Bug 2018547

Summary: 'strongswan restart' breaks ipsec started with strongswan-starter
Product: [Fedora] Fedora EPEL
Reporter: Kseniya <ksyblast>
Component: strongswan
Assignee: Paul Wouters <paul.wouters>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: epel8
CC: code, davide, ksyblast, michel, mikhail.zabaluev, paul.wouters, pemensik
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: strongswan-5.9.4-2.fc36 strongswan-5.9.4-2.el8 strongswan-5.9.4-2.fc35 strongswan-5.9.4-2.fc34
Doc Type: If docs needed, set a value
Last Closed: 2021-11-20 00:31:50 UTC
Type: Bug

Description Kseniya 2021-10-29 16:25:37 UTC
Description of the problem:

CentOS 8.4.2105
Linux strongSwan U5.9.4/K4.18.0-305.19.1.el8_4.x86_64

The strongSwan command 'strongswan restart' breaks ipsec when strongswan-starter is used to start ipsec with systemctl. It actually happened today when strongswan was upgraded. Strongswan was restarted after the package upgrade and it broke ipsec because ipsec was started with the strongswan-starter systemd unit. Quick investigation showed that the reason was the missing /run/strongswan/ directory after issuing the 'strongswan restart' command.

Steps to reproduce:

1. systemctl start strongswan-starter.service

check runtime directory:
ll /run/strongswan/
total 8
srwxrwx--- 1 root root 0 Oct 29 19:14 charon.ctl
srwxrwx--- 1 root root 0 Oct 29 19:14 charon.dck
-rw-r--r-- 1 root root 5 Oct 29 19:14 charon.pid
srwxrwx--- 1 root root 0 Oct 29 19:14 charon.vici
-rw-r--r-- 1 root root 5 Oct 29 19:14 starter.charon.pid

strongswan status shows successful connections

2. strongswan restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.4 IPsec [starter]...

ll /run/strongswan/
ls: cannot access '/run/strongswan/': No such file or directory

strongswan status shows no connections

In the logs:
00[DMN] unable to create pidfile '/run/strongswan/charon.pid'

strongswan[1542]: charon stopped after 200 ms
strongswan[1542]: ipsec starter stopped
ipsec_starter[1542]: charon stopped after 200 ms
ipsec_starter[1542]: ipsec starter stopped
systemd[1]: strongswan-starter.service: Succeeded.
ipsec_starter[1589]: Starting strongSwan 5.9.4 IPsec [starter]...
ipsec_starter[1603]: charon has quit: initialization failed
ipsec_starter[1603]: charon refused to be started
ipsec_starter[1603]: ipsec starter stopped

Additional Info:

It looks like 'strongswan restart' terminates the starter process and the runtime dir is deleted. Afterwards, strongswan CLI commands do not work because the directory does not exist. So it looks like strongswan CLI commands cannot be used together with the systemd strongswan-starter.service. It can cause service interruptions with automatic or manual upgrades when strongswan-starter.service is used to bring up ipsec.
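
A post-upgrade health check for the failure described in this report, as an added example that is not part of the original report or of the strongSwan package: it verifies the runtime directory, pidfile and VICI socket path listed above and recognises the log signature quoted above. The function names are hypothetical; the default path and the log strings are taken from the report.

```sh
#!/bin/sh
# Added example: post-upgrade health check for the failure in this report.
# Function names are hypothetical; paths and log strings are from the report.

# Return 0 if charon's runtime state looks healthy, 1 if the runtime
# directory is gone, 2 if the pidfile is missing or stale, 3 if the
# VICI socket path is missing.
check_charon_runtime() {
    cr_dir=${1:-/run/strongswan}
    [ -d "$cr_dir" ] || { echo "runtime dir $cr_dir missing"; return 1; }
    [ -s "$cr_dir/charon.pid" ] || { echo "charon.pid missing"; return 2; }
    cr_pid=$(tr -cd '0-9' < "$cr_dir/charon.pid")
    # kill -0 only probes for the process; run this as root, like charon.
    if [ -z "$cr_pid" ] || ! kill -0 "$cr_pid" 2>/dev/null; then
        echo "charon.pid is stale"; return 2
    fi
    # -e keeps the check simple; use -S to insist on a real socket.
    [ -e "$cr_dir/charon.vici" ] || { echo "charon.vici missing"; return 3; }
    echo "charon running as pid $cr_pid"
}

# Return 0 when a log file shows the signature from the report: the
# pidfile could not be created and the starter then gave up on charon.
starter_failed_on_pidfile() {
    awk '
        /unable to create pidfile/      { pidfail = 1 }
        /charon refused to be started/  { refused = 1 }
        END { exit !(pidfail && refused) }
    ' "$1"
}

# Stand-alone use: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_charon_runtime /run/strongswan
    exit $?
fi
```

A non-zero exit from `--check` after a package transaction is the cue to inspect the unit with `systemctl status strongswan-starter.service` before relying on the tunnel.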

Comment 1 Fedora Update System 2021-11-09 02:01:44 UTC
FEDORA-2021-e00c405bc8 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e00c405bc8

Comment 2 Fedora Update System 2021-11-09 02:03:52 UTC
FEDORA-2021-e00c405bc8 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 3 Paul Wouters 2021-11-09 02:06:20 UTC
need to do all branches

Comment 4 Fedora Update System 2021-11-11 13:59:39 UTC
FEDORA-EPEL-2021-3bd1d1c6ce has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-3bd1d1c6ce

Comment 5 Fedora Update System 2021-11-11 20:27:02 UTC
FEDORA-2021-c282062a4b has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c282062a4b

Comment 6 Fedora Update System 2021-11-11 20:27:26 UTC
FEDORA-2021-7a68551b6e has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-7a68551b6e

Comment 7 Fedora Update System 2021-11-12 01:03:22 UTC
FEDORA-2021-c282062a4b has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-c282062a4b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-c282062a4b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-11-12 01:21:58 UTC
FEDORA-EPEL-2021-3bd1d1c6ce has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-3bd1d1c6ce

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-11-12 01:25:07 UTC
FEDORA-2021-7a68551b6e has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-7a68551b6e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-7a68551b6e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2021-11-20 00:31:50 UTC
FEDORA-EPEL-2021-3bd1d1c6ce has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2021-11-20 01:08:03 UTC
FEDORA-2021-c282062a4b has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2021-11-20 01:11:20 UTC
FEDORA-2021-7a68551b6e has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.