Bug 2018547 - 'strongswan restart' breaks ipsec started with strongswan-starter
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: strongswan
Version: epel8
Hardware: Unspecified
OS: Linux
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
Reported: 2021-10-29 16:25 UTC by Kseniya
Modified: 2021-11-20 01:11 UTC (History)
Fixed In Version: strongswan-5.9.4-2.fc36 strongswan-5.9.4-2.el8 strongswan-5.9.4-2.fc35 strongswan-5.9.4-2.fc34
Last Closed: 2021-11-20 00:31:50 UTC
Type: Bug

Description Kseniya 2021-10-29 16:25:37 UTC
Description of the problem:

CentOS 8.4.2105
Linux strongSwan U5.9.4/K4.18.0-305.19.1.el8_4.x86_64

The strongSwan command 'strongswan restart' breaks ipsec when strongswan-starter is used to start ipsec with systemctl. It actually happened today when strongswan was upgraded. Strongswan was restarted after the package upgrade and it broke ipsec because ipsec was started with the strongswan-starter systemd unit. A quick investigation showed that the reason was the missing /run/strongswan/ directory after issuing the 'strongswan restart' command.

Steps to reproduce:

1. systemctl start strongswan-starter.service

check runtime directory:
ll /run/strongswan/
total 8
srwxrwx--- 1 root root 0 Oct 29 19:14 charon.ctl
srwxrwx--- 1 root root 0 Oct 29 19:14 charon.dck
-rw-r--r-- 1 root root 5 Oct 29 19:14 charon.pid
srwxrwx--- 1 root root 0 Oct 29 19:14 charon.vici
-rw-r--r-- 1 root root 5 Oct 29 19:14 starter.charon.pid

strongswan status shows successful connections

2. strongswan restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.4 IPsec [starter]...

ll /run/strongswan/
ls: cannot access '/run/strongswan/': No such file or directory

strongswan status shows no connections

In the logs:
00[DMN] unable to create pidfile '/run/strongswan/charon.pid'

strongswan[1542]: charon stopped after 200 ms
strongswan[1542]: ipsec starter stopped
ipsec_starter[1542]: charon stopped after 200 ms
ipsec_starter[1542]: ipsec starter stopped
systemd[1]: strongswan-starter.service: Succeeded.
ipsec_starter[1589]: Starting strongSwan 5.9.4 IPsec [starter]...
ipsec_starter[1603]: charon has quit: initialization failed
ipsec_starter[1603]: charon refused to be started
ipsec_starter[1603]: ipsec starter stopped

Additional Info:

It looks like 'strongswan restart' terminates the starter process and the runtime dir is deleted. Afterwards strongswan CLI commands do not work because the directory does not exist. So it looks like strongswan CLI commands cannot be used together with the systemd strongswan-starter.service. It can cause service interruptions with automatic or manual upgrades when strongswan-starter.service is used to bring up ipsec.
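
A post-restart check for the failure described in this report, as an added example that is not part of the original report or of the strongswan package. The function names are hypothetical; the directory, the charon.pid file name and the log strings are the ones shown in the report.

```shell
#!/bin/sh
# Added example: detect the broken state from this report after a restart or
# package upgrade. Function names are hypothetical.
RUNDIR_DEFAULT=/run/strongswan   # runtime directory shown in the report

# check_runtime [DIR]: print a verdict; return 0 only if charon looks alive.
check_runtime() {
    dir=${1:-$RUNDIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "missing-dir"; return 1          # the state seen after 'strongswan restart'
    fi
    if [ ! -s "$dir/charon.pid" ]; then
        echo "missing-pidfile"; return 2      # directory exists but charon never wrote its pid
    fi
    pid=$(tr -cd '0-9' < "$dir/charon.pid")
    if [ -z "$pid" ] || ! kill -0 "$pid" 2>/dev/null; then
        echo "stale-pid"; return 3            # pidfile left behind, no such process
    fi
    echo "ok"; return 0
}

# sample_log: log lines copied from the report, used as offline input.
sample_log() {
    cat <<'EOF'
00[DMN] unable to create pidfile '/run/strongswan/charon.pid'
systemd[1]: strongswan-starter.service: Succeeded.
ipsec_starter[1589]: Starting strongSwan 5.9.4 IPsec [starter]...
ipsec_starter[1603]: charon has quit: initialization failed
ipsec_starter[1603]: charon refused to be started
EOF
}

# scan_log: read log text on stdin, print how many lines match the
# failure signature from the report (0 means no sign of this failure).
scan_log() {
    grep -c -E "unable to create pidfile|charon has quit: initialization failed|charon refused to be started"
}

sample_log | scan_log
```

Run `check_runtime` after any restart or upgrade of the package; a verdict other than `ok` means the tunnels are down even though `systemctl` may have reported the unit as `Succeeded`.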

Comment 1 Fedora Update System 2021-11-09 02:01:44 UTC
FEDORA-2021-e00c405bc8 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e00c405bc8

Comment 2 Fedora Update System 2021-11-09 02:03:52 UTC
FEDORA-2021-e00c405bc8 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 3 Paul Wouters 2021-11-09 02:06:20 UTC
need to do all branches

Comment 4 Fedora Update System 2021-11-11 13:59:39 UTC
FEDORA-EPEL-2021-3bd1d1c6ce has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-3bd1d1c6ce

Comment 5 Fedora Update System 2021-11-11 20:27:02 UTC
FEDORA-2021-c282062a4b has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c282062a4b

Comment 6 Fedora Update System 2021-11-11 20:27:26 UTC
FEDORA-2021-7a68551b6e has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-7a68551b6e

Comment 7 Fedora Update System 2021-11-12 01:03:22 UTC
FEDORA-2021-c282062a4b has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-c282062a4b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-c282062a4b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-11-12 01:21:58 UTC
FEDORA-EPEL-2021-3bd1d1c6ce has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-3bd1d1c6ce

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-11-12 01:25:07 UTC
FEDORA-2021-7a68551b6e has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-7a68551b6e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-7a68551b6e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2021-11-20 00:31:50 UTC
FEDORA-EPEL-2021-3bd1d1c6ce has been pushed to the Fedora EPEL 8 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2021-11-20 01:08:03 UTC
FEDORA-2021-c282062a4b has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2021-11-20 01:11:20 UTC
FEDORA-2021-7a68551b6e has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.