[strongSwan] swanctl deadlock

Volodymyr Litovka doka.ua at gmx.com
Wed Nov 18 10:54:39 CET 2020


Hi Noel,

thank you. Two questions on this:

1) Does it mean that a deadlock can happen if, for example, two swanctl
processes are launched at the same time? Or is this only updown's
issue, and in any other scenarios there will be no impact?
2) Are there ways to work around this issue in order to achieve what I'm
trying to achieve: detect IKE rekeying rather than downing the connection,
to avoid unnecessary changes to the network?

Thank you.

On 18.11.2020 11:36, Noel Kuntze wrote:
> Hi,
>
> VICI acquires locks to do some stuff, which the updown script also does when it executes to save you the trouble of having to manually/externally serialize all the things you want to do in the updown script.
> TL;DR: Don't do that, you get a deadlock with the updown script plugin.
>
> Kind regards
>
> Noel
>
> On 18.11.20 at 09:32, Volodymyr Litovka wrote:
>> Hi colleagues,
>>
>> I'm using a call to swanctl in the updown script in order to distinguish between deleting a connection and IKE rekeying, checking for the existence of an IKE session and, thus, trying to avoid unnecessary changes to the network:
>>
>> # If there are no [re-]established SAs for this connection, then delete networking for this connection.
>> # In sh, || and && have equal precedence and associate left, so the test reads as (A || B) && C.
>> if [ "$PLUTO_VERB" = "down-client" ] || [ "$PLUTO_VERB" = "down-host" ] && [ -z "$(swanctl -l -n -i "${PLUTO_CONNECTION}")" ]; then
>>    ip link set "$intf" down
>>    ip link del "$intf"
>> fi
>>
>> but this creates a deadlock when I'm restarting the service with 'systemctl restart strongswan': if there are existing sessions, then the first and all subsequent calls to swanctl (from the updown script) freeze indefinitely, stopping the charon restart itself. Progress is possible only by repeatedly killing every launched 'swanctl' using the SIGKILL signal. At the same time, any call to vici also freezes, so this isn't a problem with swanctl but with the vici interface. It doesn't matter whether I call swanctl with or without the '-n' parameter, or whether I call vici with the "noblock" parameter set (1) or unset (0) ( vici.Session(sock=s).list_sas({"noblock": 1}) )
>>
>> This behaviour raises a few questions:
>>
>> 1) Can vici be called simultaneously by different processes?
>> 2) How is it possible to avoid such deadlocks? The documentation says nothing about the number of vici 'listeners', and the basic idea of increasing the number of these listeners can't be implemented.
>>
>> My environment is:
>>
>> OS: Ubuntu 20.04.1
>> Strongswan: 5.8.2 (5.8.2-1ubuntu3.1)
>>
>> Thank you.
>>
>> --
>> Volodymyr Litovka
>>    "Vision without Execution is Hallucination." -- Thomas Edison
>>
--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
