<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi colleagues,</p>
<p>I'm using a call to swanctl in the updown script in order to
distinguish between deleting a connection and IKE rekeying, checking
for the existence of an IKE session and, thus, trying to avoid
unnecessary changes to the network:</p>
<pre># if there are no [re-]established SAs for this connection, then
# delete networking for this connection
if { [ "$PLUTO_VERB" = "down-client" ] || [ "$PLUTO_VERB" = "down-host" ]; } &amp;&amp;
   [ -z "$(swanctl -l -n -i "${PLUTO_CONNECTION}")" ]; then
    ip link set "$intf" down
    ip link del "$intf"
fi</pre>
<p>but this creates a deadlock when I restart the service with
'systemctl restart strongswan': if there are existing sessions,
then the first and all subsequent calls to swanctl (from the updown
script) freeze indefinitely, stopping the charon restart itself -
progress is possible only by repeatedly killing every launched
'swanctl' using the SIGKILL signal. At the same time, any call to vici
also freezes - so this isn't a problem with swanctl but with the vici
interface. It doesn't matter whether I call swanctl with or
without the '-n' parameter, or whether I call vici with the "noblock"
parameter set (1) or unset (0) ( vici.Session(sock=s).list_sas({"noblock":
1}) ).<br>
</p>
<p>This behaviour raises a few questions:</p>
<p>1) Can vici be called simultaneously by different
processes?<br>
2) How is it possible to avoid such deadlocks? The documentation says
nothing about the number of vici 'listeners', and the basic idea of
increasing the number of these listeners can't be implemented.<br>
</p>
<p>My environment is:<br>
</p>
<p>OS: Ubuntu 20.04.1<br>
strongSwan: 5.8.2 (5.8.2-1ubuntu3.1)<br>
</p>
<p>Thank you.<br>
</p>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
</body>
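<p>An added example, not part of the original message and not strongSwan's own code: one way to keep the SA lookup described above from hanging the updown script is to bound it with <code>timeout</code> and to treat a hung query as "unknown" rather than "no SAs". The names SWANCTL, QUERY_TIMEOUT, sa_state and should_teardown are assumptions, as is the policy of leaving the interface in place when the state is unknown.</p>

```shell
#!/bin/sh
# Added example: bounded SA lookup for an updown script.
# SWANCTL, QUERY_TIMEOUT, sa_state and should_teardown are assumed names.
SWANCTL="${SWANCTL:-swanctl}"
QUERY_TIMEOUT="${QUERY_TIMEOUT:-3}"   # seconds to wait for the vici reply

# sa_state CONNECTION: prints "present", "absent" or "unknown".
# SIGKILL is used because the message reports that only SIGKILL
# released a frozen swanctl.
sa_state() {
    if ! out=$(timeout -s KILL "$QUERY_TIMEOUT" \
               "$SWANCTL" -l -n -i "$1" 2>/dev/null); then
        echo unknown      # query hung or failed: state cannot be determined
    elif [ -n "$out" ]; then
        echo present      # at least one IKE SA is listed for the connection
    else
        echo absent       # query answered and listed nothing
    fi
}

# should_teardown VERB CONNECTION: returns 0 only for a down event
# where the query answered and reported no remaining SA.
# Assumed policy: "unknown" keeps the interface in place.
should_teardown() {
    case "$1" in
        down-client|down-host) ;;
        *) return 1 ;;
    esac
    [ "$(sa_state "$2")" = absent ]
}

# Use inside the updown script ($intf is set elsewhere, as in the message):
# if should_teardown "$PLUTO_VERB" "$PLUTO_CONNECTION"; then
#     ip link set "$intf" down
#     ip link del "$intf"
# fi
```

<p>With this wrapper each updown invocation waits at most QUERY_TIMEOUT seconds for the query; it does not change how charon or vici behave during the restart.</p>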
</html>