1775548 – Strongswan services missing synchronisation

Bug 1775548 - Strongswan services missing synchronisation

Summary: Strongswan services missing synchronisation

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	strongswan
Sub Component:
Version:	epel7
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Mikhail Zabaluev
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-11-22 09:14 UTC by Frank MICHEL
Modified:	2019-12-02 09:12 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2019-12-02 09:12:01 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Description Frank MICHEL 2019-11-22 09:14:11 UTC

Description of problem:
Strongswan 5.7.2 el7 rpm uses 2 services : strongswan.service (daemon start) and strongswan-swanctl.service (configuration load).
According to our tests, the strongswan-swanctl.service must start first then the strongswan.service.
However, the two services are not synchronized with "Before=" or "After=" clauses. 
It happen that sometimes, at platform boot, the start order is not respected and the IPSEC tunnel is started before the configuration is properly loaded. Therefore, it randomly fails.
Please add a "After=strongswan-swanctl.service" in strongswan.service

Version-Release number of selected component (if applicable):
5.7.2-1

How reproducible:
See description

Steps to Reproduce:
1. Setup an automatic IPSEC tunnel at boot between two plateforms.
2. Reboot both platforms
3. "ipsec status" shows failed start randomly

Actual results:
Randomly failed tunnel initialization.

Expected results:
Deterministic tunnel initialization.

Additional info:
None

Comment 1 Mikhail Zabaluev 2019-11-24 09:09:14 UTC

(In reply to Frank MICHEL from comment #0)
> Description of problem:
> Strongswan 5.7.2 el7 rpm uses 2 services : strongswan.service (daemon start)
> and strongswan-swanctl.service (configuration load).
> According to our tests, the strongswan-swanctl.service must start first then
> the strongswan.service.

The documentation on the wiki suggests that the two .service files are alternative ways to start strongswan:

https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd#Behavior

In strongswan-swanctl.service, there is a directive to load the configuration with swanctl after the daemon start:

ExecStart=@SBINDIR@/charon-systemd

In version 5.8, now in Rawhide, the service files have been renamed: strongswan-swanctl.service is now strongswan.service, and the old strongswan.service, using the legacy starter script, is named strongswan-starter.service.

Please provide additional information explaining the need to start both services in the order suggested.

Comment 2 Mikhail Zabaluev 2019-11-24 09:12:52 UTC

(In reply to Mikhail Zabaluev from comment #1)
> In strongswan-swanctl.service, there is a directive to load the
> configuration with swanctl after the daemon start:
> 
> ExecStart=@SBINDIR@/charon-systemd

Sorry, wrong line was quoted, it is:

ExecStartPost=/usr/sbin/swanctl --load-all --noprompt

Comment 3 Frank MICHEL 2019-11-25 09:17:07 UTC

Hello,
From the page you cited, it is not obvious that services should not be started together.
If so, they should be made incompatible using a systemd configuration and thus the problem requires an update anyway.
We'll redo the testing this week activating only the "strongswan.service".
Thanks for your help

Comment 4 Mikhail Zabaluev 2019-11-25 18:01:58 UTC

See bug #1773381 for a SELinux issue that prevents strongswan-swanctl.service from being used as the intended standalone unit.

Comment 5 Frank MICHEL 2019-12-02 08:46:14 UTC

We successfully tested the ipsec tunnel using only the "strongswan-starter.service".
Consider the case closed. Sorry for distrubing

Note You need to log in before you can comment on or make changes to this bug.