[Swan] "systemctl stop ipsec" does not stop pluto

Martin T m4rtntns at gmail.com
Wed May 24 14:57:31 UTC 2017


On Tue, May 23, 2017 at 5:44 AM, Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 22 May 2017, Martin T wrote:
>
>>> Thanks for the reply! I think that pluto is failing to die:
>>>
>>> # pgrep -la pluto; killall -SIGTERM pluto; sleep 30; pgrep -la pluto
>>> 31885 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf
>>> --nofork
>>> 31885 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf
>>> --nofork
>
>
> I don't know why that is happening, but I'm tempted to blame your
> particular system.
>
>>> Maybe pluto didn't compile correctly? I downloaded
>>>
>>> download.libreswan.org/binaries/rhel/latest/x86_64/libreswan-3.20-1.el6.src.rpm,
>>> modified the spec file and built a RPM for OpenSUSE 42.1.
>
>
> If it compiled, it should work? As long as USE_SECCOMP did not get
> enabled, you should be fine.
>
>> command, then I see those very same log messages shown in my initial
>> e-mail with an exception that systemd does not kill the process. In
>> other words, the "May 18 18:49:28 host systemd[1]: ipsec.service
>> stop-sigterm timed out. Killing." does not happen. When I execute
>> "systemctl status ipsec", then its status is "running". If I attach to
>> pluto (PID is 12912) process with "strace -f -p 12912" command and then
>> execute "killall -SIGTERM pluto", then following is shown:
>>
>> ) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
>> [pid 12912] --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER,
>> si_pid=13463, si_uid=0} ---
>> [pid 12912] rt_sigreturn({mask=[]})     = -1 EINTR (Interrupted system
>> call)
>> [pid 12912] futex(0x7f0e440009a0, FUTEX_WAIT_PRIVATE, 2, NULL
>
>
> I'm not sure what this means.
>
>> I could add "KillSignal=SIGKILL" to systemd unit file, but I'm not
>> sure what are the consequences once the server is used for live IPsec
>> connections.
>
>
> It works, in that we won't send any Delete/Notifies so the other end
> won't know you're gone until you are back and try to re-establish the
> tunnel (or until their dpd settings kick in)
>
> Paul


Paul,

thanks for the reply! When I execute "rpmbuild -ba SPECS/libreswan.spec",
then USE_SECCOMP seems to be disabled:

+ make 'USERCOMPILE=-g -DGCC_LINT -O2 -g -m64 -fmessage-length=0
-D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
-fasynchronous-unwind-tables  -fPIE -pie ' 'USERLINK=-g -pie
-Wl,-z,relro,-z,now ' INITSYSTEM=systemd USE_NM=true USE_XAUTHPAM=true USE_FIPSCHECK=true
FIPSPRODUCTCHECK=/etc/system-fips USE_LIBCAP_NG=true
USE_LABELED_IPSEC=true USE_LINUX_AUDIT=true USE_LDAP=true
USE_LIBCURL=true USE_DNSSEC=true INC_USRLOCAL=/usr
FINALLIBDIR=/usr/lib/ipsec FINALLIBEXECDIR=/usr/lib/ipsec
MANTREE=/usr/share/man INC_RCDEFAULT=/etc/init.d 'MODPROBE=modprobe -q
-b' USE_DH22=true USE_SECCOMP=0 programs

Anyway, if there isn't a significant difference if pluto gets killed
by SIGTERM or SIGKILL, then I'll simply modify the systemd unit file.


thanks,
Martin
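The stop sequence discussed in this thread (systemd sends SIGTERM, waits for TimeoutStopSec, then logs "stop-sigterm timed out. Killing." and sends SIGKILL) reproduced by hand, as an added example that is not part of the thread or of libreswan. It assumes Python 3 on Linux; the two child processes are constructed stand-ins, one that ignores SIGTERM the way the stuck pluto did and one that exits on it, and stop_process() is the hypothetical helper that mirrors systemd's escalation:

```python
"""Added example (not from the libreswan thread): reproduce systemd's
stop sequence for a service by hand.

A child that ignores SIGTERM stands in for the pluto process that kept
running after "killall -SIGTERM pluto"; a cooperative child exits on
SIGTERM. stop_process() sends SIGTERM, waits up to `timeout` seconds
(the role of TimeoutStopSec=), and escalates to SIGKILL, which is what
the "stop-sigterm timed out. Killing." log line means.
"""
import signal
import subprocess
import sys

# Constructed stand-ins for the daemon. Each prints "ready" once its
# signal disposition is in place so the parent does not signal too early.
STUCK_CHILD = (
    "import signal, time\n"
    "signal.signal(signal.SIGTERM, signal.SIG_IGN)\n"   # ignores SIGTERM
    "print('ready', flush=True)\n"
    "time.sleep(300)\n"
)
COOPERATIVE_CHILD = (
    "import time\n"
    "print('ready', flush=True)\n"                      # default SIGTERM action: exit
    "time.sleep(300)\n"
)


def spawn(child_source: str) -> subprocess.Popen:
    """Start a child Python process and block until it reports readiness."""
    proc = subprocess.Popen(
        [sys.executable, "-c", child_source],
        stdout=subprocess.PIPE,
        text=True,
    )
    proc.stdout.readline()  # wait for "ready"
    return proc


def stop_process(proc: subprocess.Popen, timeout: float) -> str:
    """Stop `proc` the way systemd does: SIGTERM, wait, then SIGKILL.

    Returns "SIGTERM" if the process exited on the graceful signal,
    "SIGKILL" if it had to be killed, and "exited" if it was already gone.
    """
    if proc.poll() is not None:
        return "exited"
    proc.send_signal(signal.SIGTERM)
    try:
        proc.wait(timeout=timeout)
        return "SIGTERM"
    except subprocess.TimeoutExpired:
        pass
    # This is the point where systemd logs "stop-sigterm timed out. Killing."
    proc.kill()
    proc.wait()
    return "SIGKILL"


def demo(timeout: float = 1.0) -> dict:
    """Run both stand-ins and report which signal finally stopped each."""
    results = {}
    for name, src in (("stuck", STUCK_CHILD), ("cooperative", COOPERATIVE_CHILD)):
        proc = spawn(src)
        results[name] = stop_process(proc, timeout)
    return results


if __name__ == "__main__":
    for name, how in demo().items():
        print(f"{name}: stopped by {how}")
```

Setting KillSignal=SIGKILL in the unit skips the graceful phase entirely, so pluto never gets the chance to send its Delete/Notify payloads; as Paul notes, the peers then only learn the tunnel is gone when DPD fires or a new negotiation starts. Keeping SIGTERM first and only shortening TimeoutStopSec preserves that notification for the runs where pluto does exit cleanly.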

