[Swan] Fwd: Re: Cannot start ipsec service using systemd

Elison Niven elison.niven at cyberoam.com
Wed Jan 9 13:01:37 EET 2013


Hi,

Fedora 17 introduced https://fedoraproject.org/wiki/Features/UsrMove

This patch will solve this issue:

--- initsystems/systemd/ipsec.service.in	2013-01-02 10:35:37.000000000 
+0530
+++ initsystems/systemd/ipsec.service.in.2	2013-01-09 
16:29:10.766584179 +0530
@@ -15,7 +15,7 @@
 #
 ExecStartPre=@FINALSBINDIR@/ipsec addconn --config @FINALCONFFILE@ 
--checkconfig
 ExecStartPre=@FINALLIBDIR@/_stackmanager start
-ExecStart=/usr/bin/sh -c 'eval `@FINALLIBEXECDIR@/pluto --config 
@FINALCONFFILE@ --nofork $PLUTO_OPTIONS`'
+ExecStart=/bin/sh -c 'eval `@FINALLIBEXECDIR@/pluto --config 
@FINALCONFFILE@ --nofork $PLUTO_OPTIONS`'
 ExecStop=@FINALSBINDIR@/ipsec whack --shutdown
 ExecStopPost=/sbin/ip xfrm policy flush
 ExecStopPost=/sbin/ip xfrm state flush
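
Review bot: the replacement ExecStart line still runs pluto through sh -c 'eval `...`' with $PLUTO_OPTIONS unquoted, so changing the interpreter path leaves the larger concern in place: whatever pluto writes to stdout is evaluated as shell code, and the options are word-split and re-parsed by the shell. Since pluto is already started with --nofork, consider invoking @FINALLIBEXECDIR@/pluto directly from ExecStart and dropping the shell wrapper, which also removes the /bin/sh versus /usr/bin/sh question. If the wrapper has to stay, add a comment in the unit saying why eval is needed and that /bin/sh was chosen because it resolves both before and after UsrMove.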

On Wednesday 09 January 2013 04:24:23 PM IST, Philippe Vouters wrote:
> Dear Wes,
>
> Perhaps we can do something better with the ipsec.service to take into
> account both Elison's experience and my last reply to him. What about
> replacing /usr/bin/sh with /bin/sh for
> /lib/systemd/system/ipsec.service? On HP-UX systems (a Unix system),
> sh is usually found in /bin. What about other Linux distributions?
>
> If I consider what others do on my Fedora computer, they tend to
> specify /bin/sh instead of /usr/bin/sh as per hereafter:
>
> [philippe at victor libreswan]$ sudo find /lib/systemd/system/ -name
> \*.service -exec grep /bin/sh {} \; -print
> ConditionPathExists=!/run/initramfs/bin/sh
> /lib/systemd/system/dracut-shutdown.service
> ConditionPathExists=!/run/initramfs/bin/sh
> /lib/systemd/system/shutdown.target.wants/dracut-shutdown.service
> ExecStart=/bin/sh -c "exec /usr/libexec/netatalk/netatalk.sh"
> /lib/systemd/system/netatalk.service
> ExecReload=*/bin/sh* -c '/usr/sbin/rndc reload > /dev/null 2>&1 ||
> /bin/kill -HUP $MAINPID'
> ExecStop=*/bin/sh* -c '/usr/sbin/rndc stop > /dev/null 2>&1 ||
> /bin/kill -TERM $MAINPID'
> */lib/systemd/system/named.service*
> ExecStart=/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config
> /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
> /lib/systemd/system/ipsec.service
> ExecStart=*/bin/sh* -c '/bin/dmesg | /usr/bin/abrt-dump-oops -xD; exec
> /usr/bin/abrt-watch-log -F "`/usr/bin/abrt-dump-oops -m`"
> /var/log/messages -- /usr/bin/abrt-dump-oops -xD'
> */lib/systemd/system/abrt-oops.service*
> grep:
> /lib/systemd/system/anaconda.target.wants/anaconda-shell at tty2.service:
> No such file or directory
> grep: /lib/systemd/system/anaconda.target.wants/anaconda at tty2.service:
> No such file or directory
> grep: /lib/systemd/system/anaconda.target.wants/anaconda at tty1.service:
> No such file or directory
> ExecStart=*/bin/sh* -c 'exec /usr/bin/abrt-watch-log -F
> "`/usr/bin/abrt-dump-xorg -m`" /var/log/Xorg.0.log --
> /usr/bin/abrt-dump-xorg -xD'
> */lib/systemd/system/abrt-xorg.service*
> ExecStartPre=*/bin/sh* -c '/usr/bin/vncserver -kill %i > /dev/null
> 2>&1 || :'
> */lib/systemd/system/vncserver at .service*
> [philippe at victor libreswan]$
>
>
>
> -------- Original Message --------
> Subject: 	Re: [Swan] Cannot start ipsec service using systemd
> Date: 	Wed, 09 Jan 2013 12:58:34 +0530
> From: 	Elison Niven <elison.niven at cyberoam.com>
> To: 	Philippe Vouters <philippe.vouters at laposte.net>
> Cc: 	Paul Wouters <pwouters at redhat.com>, swan at lists.libreswan.org
>
>
>
> Hi,
>
> Found the culprit. My systemd unit file had this line:
> ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config
> /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
>
> But in Fedora 16:
> # which sh
> /bin/sh
>
> Therefore it was only required to change it to:
> ExecStart=/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config
> /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
>
> Thanks!
>
> On Friday 04 January 2013 08:49:40 PM IST, Philippe Vouters wrote:
> > Paul,
> >
> > Pluto should NOT be running as per Elison's ipsec verify output
> >
> > Philippe Vouters (Fontainebleau/France)
> > URL:http://vouters.dyndns.org/
> > SIP:sip:Vouters at sip.linphone.org
> >
> > On 04/01/2013 16:16, Paul Wouters wrote:
> >> On Fri, 4 Jan 2013, Elison Niven wrote:
> >>
> >> Why is it that "stop" is failing? Was there perhaps an openswan pluto
> >> running instead of a libreswan pluto, which confused "whack"?
> >>
> >> Can you "killall -9 pluto" and then run "systemctl start
> >> ipsec.service" ?
> >>
> >> Paul
> >> _______________________________________________
> >> Swan mailing list
> >>Swan at lists.libreswan.org
> >>https://lists.libreswan.org/mailman/listinfo/swan
> >>
> >
> >
> >
>
> --
> Best Regards,
> Elison Niven
>
>
>
>

--
Best Regards,
Elison Niven
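
The failure in this thread, an ExecStart naming /usr/bin/sh on a host where only /bin/sh exists, can be caught before the service is started. The script below is an added example, not part of the thread or of libreswan; `check_unit`, its optional root argument and `demo` are hypothetical names, and the sample unit is constructed.

```shell
#!/bin/sh
# check_unit UNIT [ROOT]: report each Exec* directive in UNIT whose absolute
# program path is missing or not executable under ROOT (hypothetical
# parameter for an unpacked image; default is the live system).
# Returns 1 if anything was reported, 0 otherwise.
check_unit() {
    unit=$1 root=${2:-} bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            Exec*=*) ;;
            *) continue ;;
        esac
        directive=${line%%=*}
        cmd=${line#*=}
        # Strip systemd's special command prefixes such as "-" and "@".
        while :; do
            case $cmd in
                [-@+!:]*) cmd=${cmd#?} ;;
                *) break ;;
            esac
        done
        prog=${cmd%%[[:space:]]*}
        case $prog in
            /*) ;;
            *) continue ;;   # empty or non-absolute: nothing to check
        esac
        if [ ! -x "$root$prog" ]; then
            printf '%s: %s: %s is missing or not executable\n' \
                "$unit" "$directive" "$prog"
            bad=1
        fi
    done < "$unit"
    return "$bad"
}

# Constructed sample: a root that has only /bin/sh, as on the Fedora 16
# host in the thread, and a unit that still names /usr/bin/sh.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/bin" && : > "$tmp/bin/sh" && chmod +x "$tmp/bin/sh"
    cat > "$tmp/ipsec.service" <<'EOF'
[Service]
ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --nofork`'
ExecStopPost=-/bin/sh -c ':'
EOF
    rc=0
    check_unit "$tmp/ipsec.service" "$tmp" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
# Check any unit files given on the command line.
for u in "$@"; do check_unit "$u" || :; done
```

Pass installed unit files as arguments, for example /lib/systemd/system/ipsec.service; the -x test follows symlinks, so /bin/sh also resolves on hosts where /bin points into /usr.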


