[strongSwan] swanctl deadlock

Volodymyr Litovka doka.ua at gmx.com
Wed Nov 18 09:32:20 CET 2020

Hi colleagues,

I'm using a call to swanctl in the updown script in order to distinguish
between deleting a connection and IKE rekeying, by checking for the existence
of an IKE session and thus trying to avoid unnecessary changes to the network:

# if there are no [re-]established SAs for this connection, then delete
# the networking for this connection ($intf is set earlier in the script)
if { [ "$PLUTO_VERB" = "down-client" ] || [ "$PLUTO_VERB" = "down-host" ]; } \
   && [ -z "$(swanctl -l -n -i "$PLUTO_CONNECTION")" ]; then
   ip link set "$intf" down
   ip link del "$intf"
fi

but this creates a deadlock when I'm restarting the service with 'systemctl
restart strongswan': if there are existing sessions, then the first and all
subsequent calls to swanctl (from the updown script) freeze indefinitely,
stopping the charon restart itself; progress is possible only by repeatedly
killing every launched 'swanctl' with SIGKILL. At the same time,
any call to vici also freezes, so this isn't a problem with swanctl but
with the vici interface. It doesn't matter whether I call swanctl with or
without the '-n' parameter, or whether I call vici with the "noblock" parameter
set (1) or unset (0) ( vici.Session(sock=s).list_sas({"noblock": 1}) ).

This behaviour raises a few questions:

1) Can vici be called simultaneously by different processes?
2) How is it possible to avoid such deadlocks? The documentation says
nothing about the number of vici 'listeners', and the basic idea of increasing
the number of these listeners can't be implemented.

My environment is:

OS: Ubuntu 20.04.1
Strongswan: 5.8.2 (5.8.2-1ubuntu3.1)

Thank you.

Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
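As an added illustration (not part of the original post), here is a defensive variant of the updown fragment above in which the swanctl lookup is bounded with coreutils `timeout`, so a vici socket that stops answering during a charon restart cannot wedge the hook indefinitely. PLUTO_VERB and PLUTO_CONNECTION are the real updown environment variables; the interface name passed as `$1` (default `ipsec0`) and the 5-second budget are placeholders chosen for this example. The decision logic is kept in its own function so it can be exercised without charon.

```shell
#!/bin/sh
# Added example (not from the original post): an updown fragment whose SA
# lookup is bounded by coreutils `timeout`, so a stalled vici socket cannot
# block charon's hook. PLUTO_VERB and PLUTO_CONNECTION are the real updown
# environment variables; the interface name passed as $1 is a placeholder.

# Query swanctl for SAs of connection $1, giving up after $2 seconds (default 5).
# Exit status: 0 = at least one SA listed, 1 = none listed, 2 = lookup timed out
# or failed (timeout exits 124 when it had to kill the command).
sa_lookup() {
    conn=$1
    secs=${2:-5}
    out=$(timeout "$secs" swanctl -l -n -i "$conn" 2>/dev/null)
    rc=$?
    if [ "$rc" -ne 0 ]; then
        return 2
    fi
    if [ -n "$out" ]; then
        return 0
    fi
    return 1
}

# Pure decision logic, separated so it can be tested without charon:
# prints teardown, keep or skip for the given verb and sa_lookup status.
decide_action() {
    verb=$1
    lookup_rc=$2
    case $verb in
        down-client|down-host) ;;
        *) echo skip; return 0 ;;
    esac
    case $lookup_rc in
        1) echo teardown ;;   # no SAs remain for this connection: safe to remove the link
        0) echo keep ;;       # an SA is still (re-)established: this was a rekey
        *) echo keep ;;       # lookup hung or failed: keep the network rather than block
    esac
}

# The hook body as charon would run it. Conservative on timeout: log and keep.
updown_hook() {
    intf=$1
    sa_lookup "$PLUTO_CONNECTION" 5
    rc=$?
    action=$(decide_action "$PLUTO_VERB" "$rc")
    case $action in
        teardown)
            ip link set "$intf" down
            ip link del "$intf"
            ;;
        keep)
            if [ "$rc" -eq 2 ]; then
                logger -t updown "SA lookup for $PLUTO_CONNECTION timed out; keeping $intf"
            fi
            ;;
    esac
}

# Only act when invoked by charon (PLUTO_VERB set); sourcing it otherwise does nothing.
if [ -n "$PLUTO_VERB" ]; then
    updown_hook "${1:-ipsec0}"   # ipsec0 is a placeholder interface name
fi
```

The bound does not address the underlying vici stall described in the post; it only makes the failure visible in the log and keeps the hook from holding up the daemon's restart. Treating a timed-out lookup as "keep" is the conservative choice: leaving a stale interface behind is recoverable, while tearing down networking under a live SA is not.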
