[strongSwan] swanctl deadlock

Volodymyr Litovka doka.ua at gmx.com
Tue Feb 2 08:52:49 CET 2021


Hi,

just getting back to the problem, and it seems it's possible to use a workaround:

if [ "$PLUTO_VERB" = "down-client" ] || [ "$PLUTO_VERB" = "down-host" ]; then
     DLY=$(shuf -i2-5 -n1)
     HLPR="$(dirname "$0")/down-helper"
     # run the helper in the background after a random 2-5 second delay
     (sleep "${DLY}"; "$HLPR" "${PLUTO_CONNECTION}") &
fi


while down-helper can safely call swanctl and proceed with the required action:

if [ -z "$(swanctl -l -n -i "${1}")" ]; then [ ... ] fi


On 18.11.2020 10:32, Volodymyr Litovka wrote:
>
> Hi colleagues,
>
> I'm using call to swanctl in updown script in order to distinguish
> between deleting connection and IKE rekeying, checking for existence
> of IKE session and, thus, trying to avoid unnecessary changes to the
> network:
>
> # if there are no [re-]established SAs for this connection, then
> # delete networking for this connection
> if [ $PLUTO_VERB = "down-client" ] || [ $PLUTO_VERB = "down-host" ] &&
> [ -z "$(swanctl -l -n -i ${PLUTO_CONNECTION})" ]; then
>   ip link set $intf down
>   ip link del $intf
> fi
>
> but this creates a deadlock when I'm restarting the service by 'systemctl
> restart strongswan': if there are existing sessions, then the first and
> all subsequent calls to swanctl (from the updown script) freeze
> infinitely, stopping the charon restart itself - progress is possible only by
> repeatedly killing every launched 'swanctl' using the SIGKILL signal. At
> the same time, any call to vici also freezes - so this isn't a problem
> with swanctl but with the vici interface. It doesn't matter whether I call
> swanctl with or without the '-n' parameter or whether I call vici with the
> "noblock" parameter set (1) or unset (0) (
> vici.Session(sock=s).list_sas({"noblock": 1}) )
>
> This behaviour raises a few questions:
>
> 1) whether vici can be called simultaneously by different processes?
> 2) how is it possible to avoid such deadlocks? The documentation says
> nothing about the number of vici 'listeners' and the basic idea to
> increase the number of these listeners can't be implemented.
>
> My environment is:
>
> OS: Ubuntu 20.04.1
> Strongswan: 5.8.2 (5.8.2-1ubuntu3.1)
>
> Thank you.
>
> --
> Volodymyr Litovka
>    "Vision without Execution is Hallucination." -- Thomas Edison

--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison

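One way the down-helper from this message could be written, added here as an example (not code from the original post or from strongSwan): the swanctl query is bounded with `timeout -s KILL`, since the thread reports that hung swanctl processes only went away on SIGKILL, and the interface is removed only when the query succeeds with empty output. `SWANCTL`, `QUERY_TIMEOUT`, the function names and the interface name as a second argument are assumptions of this example.

```shell
#!/bin/sh
# down-helper (added example, not the author's script).
# Assumptions: SWANCTL and QUERY_TIMEOUT are hypothetical overrides and the
# interface name is passed as the second argument.

SWANCTL="${SWANCTL:-swanctl}"
QUERY_TIMEOUT="${QUERY_TIMEOUT:-10}"   # seconds before the query is killed

# ike_sa_state CONNECTION
# Returns 0 if the query succeeded and listed no IKE SA for CONNECTION,
#         1 if an SA is still listed (rekeyed or re-established),
#         2 if the query exited non-zero or had to be killed.
ike_sa_state() {
    out=$(timeout -s KILL "$QUERY_TIMEOUT" "$SWANCTL" -l -n -i "$1" 2>/dev/null) || return 2
    if [ -z "$out" ]; then
        return 0
    fi
    return 1
}

# teardown_if_gone CONNECTION INTERFACE
# Removes INTERFACE only on a positive "no SA" answer. A failed or hung
# query is reported and the interface is left untouched.
teardown_if_gone() {
    rc=0
    ike_sa_state "$1" || rc=$?
    case "$rc" in
        0) ip link set "$2" down && ip link del "$2" ;;
        1) echo "SA for $1 still present, keeping $2" ;;
        *) echo "could not query SAs for $1, keeping $2" >&2
           return 2 ;;
    esac
}

# Act only when called with CONNECTION and INTERFACE.
if [ "$#" -ge 2 ]; then
    teardown_if_gone "$1" "$2"
fi
```

Keeping the interface on a failed query is a choice made in this example; a deployment that wants the interface gone when the daemon is stopping would handle return code 2 differently.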