[strongSwan] swanctl deadlock

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Nov 18 10:36:44 CET 2020


Hi,

VICI acquires locks to do some stuff, which the updown script also does when it executes to save you the trouble of having to manually/externally serialize all the things you want to do in the updown script.
TL;DR: Don't do that, you get a deadlock with the updown script plugin.

Kind regards

Noel

Am 18.11.20 um 09:32 schrieb Volodymyr Litovka:
> Hi colleagues,
> 
> I'm using call to swanctl in updown script in order to distinguish between deleting connection and IKE rekeying, checking for existence of IKE session and, thus, trying to avoid unnecessary changes to the network:
> 
> # if there are no [re-]established SAs for this connection, then delete networking for this connection
> if [ $PLUTO_VERB = "down-client" ] || [ $PLUTO_VERB = "down-host" ] && [ -z "$(swanctl -l -n -i ${PLUTO_CONNECTION})" ]; then
>   ip link set $intf down
>   ip link del $intf
> fi
> 
> but this creates deadlock when I'm restarting service by 'systemctl restart strongswan': if there are existing sessions, then first and all subsequent calls to swanctl (from updown script) freeze infinitely, stopping charon restart itself - progress possible only by repeatedly killing every launched 'swanctl' using SIGKILL signal. At the same time, any call to vici also freezes - so this isn't a problem with swanctl but with vici interface. It doesn't matter whether I call swanctl with or without '-n' parameter or whether I call vici using "noblock" parameter set (1) or unset (0) ( vici.Session(sock=s).list_sas({"noblock": 1}) )
> 
> This behaviour raises few questions:
> 
> 1) whether vici can be called simultaneously by different processes?
> 2) how is it possible to avoid such deadlocks? Documentation says nothing about number of vici 'listeners' and the basic idea to increase amount of these listeners can't be implemented.
> 
> My environment is:
> 
> OS: Ubuntu 20.04.1
> Strongswan: 5.8.2 (5.8.2-1ubuntu3.1)
> 
> Thank you.
> 
> --
> Volodymyr Litovka
>   "Vision without Execution is Hallucination." -- Thomas Edison
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20201118/fed6224b/attachment.sig>


More information about the Users mailing list