[Swan] "systemctl stop ipsec" does not stop pluto

Martin T m4rtntns at gmail.com
Mon May 22 20:31:43 UTC 2017


On Sat, May 20, 2017 at 4:01 AM, Martin T <m4rtntns at gmail.com> wrote:
> On Fri, May 19, 2017 at 6:22 PM, Paul Wouters <paul at nohats.ca> wrote:
>> On Thu, 18 May 2017, Martin T wrote:
>>
>>> I installed Libreswan 3.20 under OpenSUSE 42.1 and it has the following
>>> options in ipsec.service unit file:
>>>
>>> ExecStart=/usr/lib/ipsec/pluto --leak-detective --config
>>> /etc/ipsec.conf --nofork
>>> ExecStop=/usr/lib/ipsec/whack --shutdown
>>>
>>>
>>> As I understand, this should mean that pluto should be stopped with
>>> the "whack --shutdown" command. However, the "systemctl stop ipsec.service"
>>> command hangs until the watchdog kicks in, and if I execute "whack
>>> --shutdown" manually using "strace -f", then the following can be seen:
>>
>>
>> [hangs]
>>
>> Odd, can you tell me what happens when you run: killall -SIGTERM pluto
>> That should do the same thing as whack --shutdown but won't use the
>> socket. Then we know if it is pluto that's failing to die, or something
>> weird with reading/writing the socket?
>>
>> Are there any apparmor or selinux policies that you could temporarily
>> disable to see if those are causing this?
>>
>> Paul
>
>
> Thanks for the reply! I think that pluto is failing to die:
>
> # pgrep -la pluto; killall -SIGTERM pluto; sleep 30; pgrep -la pluto
> 31885 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
> 31885 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
> #
>
>
> I'm not running SELinux nor Apparmor:
>
> # systemctl status apparmor
> apparmor.service
>    Loaded: not-found (Reason: No such file or directory)
>    Active: inactive (dead)
>
> # ls -l /etc/apparmor.d
> ls: cannot access /etc/apparmor.d: No such file or directory
> #
>
> Maybe pluto didn't compile correctly? I downloaded
> download.libreswan.org/binaries/rhel/latest/x86_64/libreswan-3.20-1.el6.src.rpm,
> modified the spec file and built a RPM for OpenSUSE 42.1.
>
>
> Any ideas how to troubleshoot this?
>
>
> thanks,
> Martin

Just for information, when I execute the "killall -SIGTERM pluto"
command, then I see those very same log messages shown in my initial
e-mail, with the exception that systemd does not kill the process. In
other words, the "May 18 18:49:28 host systemd[1]: ipsec.service
stop-sigterm timed out. Killing." does not happen. When I execute
"systemctl status ipsec", then its status is "running". If I attach to
the pluto process (PID 12912) with the "strace -f -p 12912" command and then
execute "killall -SIGTERM pluto", then the following is shown:

) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
[pid 12912] --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER,
si_pid=13463, si_uid=0} ---
[pid 12912] rt_sigreturn({mask=[]})     = -1 EINTR (Interrupted system call)
[pid 12912] futex(0x7f0e440009a0, FUTEX_WAIT_PRIVATE, 2, NULL

I could add "KillSignal=SIGKILL" to the systemd unit file, but I'm not
sure what the consequences are once the server is used for live IPsec
connections.


thanks,
Martin
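As an added illustration (not part of the thread, and not Libreswan's own code) of what the "killall -SIGTERM pluto; sleep 30; pgrep" check and a systemd KillSignal escalation amount to: a POSIX sh function that sends SIGTERM, polls for the process to exit within a timeout, and only then falls back to SIGKILL. Its return code tells you whether the daemon honoured SIGTERM at all, which is the fact worth logging before relying on SIGKILL, since a hard kill gives a daemon no chance to run its own shutdown path (for pluto, tearing down the IKE and IPsec SAs it set up). The function name, the timeout value and the self-test processes below are assumptions constructed for this example.

```sh
#!/bin/sh
# stop_with_escalation PID TERM_TIMEOUT_SECONDS
#   returns 0 if the process exited after SIGTERM,
#           2 if it survived SIGTERM and had to be SIGKILLed,
#           1 if it is still alive even after SIGKILL.
stop_with_escalation() {
    pid=$1
    timeout=$2
    kill -TERM "$pid" 2>/dev/null || return 0   # already gone
    i=0
    while [ "$i" -lt "$timeout" ]; do
        kill -0 "$pid" 2>/dev/null || return 0  # exited on SIGTERM
        sleep 1
        i=$((i + 1))
    done
    # SIGTERM was ignored or the handler never led to exit
    # (the situation the strace output in the thread shows).
    kill -KILL "$pid" 2>/dev/null
    sleep 1
    kill -0 "$pid" 2>/dev/null && return 1
    return 2
}

# Constructed self-test helpers: a cooperative process and one that
# ignores SIGTERM, standing in for a daemon stuck in a futex wait.
spawn_cooperative() { sleep 1000 & echo $!; }
spawn_term_ignoring() { ( trap '' TERM; exec sleep 1000 ) & echo $!; }
```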

