[Swan] "systemctl stop ipsec" does not stop pluto

Martin T m4rtntns at gmail.com
Thu May 18 16:01:07 UTC 2017


Hi,

I installed Libreswan 3.20 under OpenSUSE 42.1 and it has the following
options in the ipsec.service unit file:

ExecStart=/usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
ExecStop=/usr/lib/ipsec/whack --shutdown


As I understand it, this should mean that pluto should be stopped with
the "whack --shutdown" command. However, the "systemctl stop ipsec.service"
command hangs until the watchdog kicks in, and if I execute "whack
--shutdown" manually using "strace -f", then the following can be seen:


# strace -f /usr/lib/ipsec/whack --shutdown
execve("/usr/lib/ipsec/whack", ["/usr/lib/ipsec/whack", "--shutdown"],
[/* 55 vars */]) = 0
brk(0)                                  = 0x55e955c9d000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7ffbf101b000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=98020, ...}) = 0
mmap(NULL, 98020, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffbf1003000
close(3)                                = 0
open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20o\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=137440, ...}) = 0
mmap(NULL, 2213008, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
0) = 0x7ffbf0bdf000
mprotect(0x7ffbf0bf7000, 2093056, PROT_NONE) = 0
mmap(0x7ffbf0df6000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17000) = 0x7ffbf0df6000
mmap(0x7ffbf0df8000, 13456, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffbf0df8000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\34\2\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1979344, ...}) = 0
mmap(NULL, 3832352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
0) = 0x7ffbf0837000
mprotect(0x7ffbf09d5000, 2097152, PROT_NONE) = 0
mmap(0x7ffbf0bd5000, 24576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19e000) = 0x7ffbf0bd5000
mmap(0x7ffbf0bdb000, 14880, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffbf0bdb000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7ffbf1002000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7ffbf1001000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7ffbf1000000
arch_prctl(ARCH_SET_FS, 0x7ffbf1001700) = 0
mprotect(0x7ffbf0bd5000, 16384, PROT_READ) = 0
mprotect(0x7ffbf0df6000, 4096, PROT_READ) = 0
mprotect(0x55e954864000, 8192, PROT_READ) = 0
mprotect(0x7ffbf101c000, 4096, PROT_READ) = 0
munmap(0x7ffbf1003000, 98020)           = 0
set_tid_address(0x7ffbf10019d0)         = 12414
set_robust_list(0x7ffbf10019e0, 24)     = 0
rt_sigaction(SIGRTMIN, {0x7ffbf0be59f0, [], SA_RESTORER|SA_SIGINFO,
0x7ffbf0bee870}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7ffbf0be5a80, [],
SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7ffbf0bee870}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
access("/var/run/pluto/pluto.ctl", R_OK|W_OK) = 0
socket(PF_LOCAL, SOCK_STREAM, 0)        = 3
fcntl(3, F_GETFD)                       = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/pluto/pluto.ctl"}, 26) = 0
write(3, "\31khw\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
1450) = 1450
read(3, "002 shutting down\n", 4096)    = 18
write(1, "002 shutting down\n", 18002 shutting down
)     = 18
read(3,


Under CentOS 7.3.1611 "whack --shutdown" does not hang and the last 5
lines of "strace -f /usr/libexec/ipsec/whack --shutdown" are:

write(1, "002 shutting down\n", 18002 shutting down
)     = 18
read(3, "", 4096)                       = 0
exit_group(0)                           = ?
+++ exited with 0 +++
[root at centos-512mb-ams3-01]#


Now even if I comment out this "ExecStop=/usr/lib/ipsec/whack
--shutdown" line in the "ipsec.service" unit file in OpenSUSE, pluto
is still not stopped:

May 18 18:47:58 host systemd[1]: Stopping Internet Key Exchange (IKE)
Protocol Daemon for IPsec...
May 18 18:47:58 host pluto[15116]: "v6neighbor-hole-out": deleting
non-instance connection
May 18 18:47:58 host pluto[15116]: "v6neighbor-hole-in": deleting
non-instance connection
May 18 18:47:58 host pluto[15116]: shutting down interface eth0/eth0
2001:db8:1400:1:ec4b:109b:437:bd64:500
May 18 18:47:58 host pluto[15116]: shutting down interface lo/lo ::1:500
May 18 18:47:58 host pluto[15116]: shutting down interface eth0/eth0
2001:db8:1400:1:a1c6:4ede:f4e8:295b:500
May 18 18:47:58 host pluto[15116]: shutting down interface eth0/eth0
2001:db8:1400:1:216:3eff:fe76:5b3c:500
May 18 18:47:58 host pluto[15116]: shutting down interface eth0/eth0
2001:db8:1400:1:555b:2439:e729:2ce7:500
May 18 18:47:58 host pluto[15116]: shutting down interface eth0/eth0
2001:db8:1400:1:f84b:815b:e99d:9419:500
May 18 18:47:58 host pluto[15116]: shutting down interface eth0/eth0
2001:db8:1400:1:fdc0:2ad0:c5b9:7a9c:500
May 18 18:47:58 host pluto[15116]: shutting down interface eth0/eth0
2001:db8:1400:1:ec05:426a:e0f6:5a92:500
May 18 18:47:58 host pluto[15116]: shutting down interface eth0/eth0
2001:db8:1400:1:a81f:c62e:663c:a1ee:500
May 18 18:47:58 host pluto[15116]: shutting down interface lo/lo 127.0.0.1:4500
May 18 18:47:58 host pluto[15116]: shutting down interface lo/lo 127.0.0.1:500
May 18 18:47:58 host pluto[15116]: shutting down interface eth0/eth0
10.10.10.246:4500
May 18 18:47:58 host pluto[15116]: shutting down interface eth0/eth0
10.10.10.246:500
May 18 18:47:58 host pluto[15116]: leak: EVENT_SD_WATCHDOG, item size: 32
May 18 18:47:58 host pluto[15116]: leak: EVENT_LOG_DAILY, item size: 32
May 18 18:47:58 host pluto[15116]: leak: EVENT_SHUNT_SCAN, item size: 32
May 18 18:47:58 host pluto[15116]: leak: kernel integ, item size: 32
May 18 18:47:58 host pluto[15116]: leak: EVENT_PENDING_PHASE2, item size: 32
May 18 18:47:58 host pluto[15116]: leak: EVENT_PENDING_DDNS, item size: 32
May 18 18:47:58 host pluto[15116]: leak: EVENT_REINIT_SECRET, item size: 32
May 18 18:47:58 host pluto[15116]: leak detective found 7 leaks, total size 224
May 18 18:49:28 host systemd[1]: ipsec.service stop-sigterm timed out. Killing.
May 18 18:49:28 host systemd[1]: ipsec.service: main process exited,
code=killed, status=9/KILL
May 18 18:49:28 host systemd[1]: Stopped Internet Key Exchange (IKE)
Protocol Daemon for IPsec.
May 18 18:49:28 host systemd[1]: Unit ipsec.service entered failed state.


As seen above, the "systemctl stop ipsec.service" command hung from
18:47:58 to 18:49:28.


What might cause such behavior?


thanks,
Martin
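
Added example, not part of the original post: a Python check for the pattern visible in the journal excerpt above, where a stop of ipsec.service only completes once systemd escalates to SIGKILL, together with how long the stop took. The function names, the matching on the unit description text, and the year 2017 (taken from the post date) are assumptions of this example.

```python
import re
from datetime import datetime

# Journal lines taken from the post above, with e-mail line wrapping undone.
SAMPLE = """\
May 18 18:47:58 host systemd[1]: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec...
May 18 18:47:58 host pluto[15116]: leak detective found 7 leaks, total size 224
May 18 18:49:28 host systemd[1]: ipsec.service stop-sigterm timed out. Killing.
May 18 18:49:28 host systemd[1]: ipsec.service: main process exited, code=killed, status=9/KILL
May 18 18:49:28 host systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
May 18 18:49:28 host systemd[1]: Unit ipsec.service entered failed state.
"""

# Only messages logged by systemd itself (PID 1) are relevant here.
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ systemd\[1\]: (.*)$")

def parse_ts(text, year=2017):
    # syslog timestamps carry no year; the caller supplies it (assumption).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def unclean_stops(log, description="Internet Key Exchange", unit="ipsec.service"):
    """Return one dict per completed stop attempt: its duration in seconds
    and whether systemd timed out and had to SIGKILL the main process."""
    results, current = [], None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if msg.startswith("Stopping ") and description in msg:
            current = {"start": ts, "timed_out": False, "sigkill": False}
        elif current is None:
            continue
        elif msg.startswith(unit) and "stop-sigterm timed out" in msg:
            current["timed_out"] = True
        elif msg.startswith(unit) and "status=9/KILL" in msg:
            current["sigkill"] = True
        elif msg.startswith("Stopped ") and description in msg:
            current["seconds"] = int((ts - current.pop("start")).total_seconds())
            results.append(current)
            current = None
    return results

if __name__ == "__main__":
    for stop in unclean_stops(SAMPLE):
        print(stop)
```
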

