@eliasgomes commented Mar 17, 2017

The StrongSwan VPN config would be rewritten too often. We removed ipsec.conf editing, as this file can be changed directly on the systemvm.iso, which is more efficient.

Next to that, the StrongSwan code would kick in on any command that would also require iptables config. That isn't a problem on its own, but it was executing a stop/start of the connection all the time. This results in downtime of the VPN connection, but more importantly it leads to a blocking thread (for 30s max). That sometimes resulted in a timeout when processing a non-VPN JSON file (as we've seen with the cleanup failures) because this timeout was also 30s.

First I changed it to a non-blocking start, but then realised that, since we have auto=start, we simply have to reload the config and ipsec will take care of the rest on its own. Fast & easy!

BTW, it's now clear why we only saw it on the routers with StrongSwan. Furthermore, the reason we only saw it on one of the two routers is due to the passive flag. It would only execute the restart when passive=false.

Thanks @eliasgomes for your help debugging this :-)
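The pattern described above (rewrite the connection file only when its content differs, then issue a bounded `ipsec reload` instead of a stop/start) as an added sketch; it is not the code from this pull request. The function names, the file path passed in, and the 10-second timeout are assumptions.

```python
import os
import subprocess
import tempfile

# strongSwan re-reads its config on reload; conns with auto=start come up on their own.
RELOAD_CMD = ["ipsec", "reload"]
RELOAD_TIMEOUT = 10  # assumed value, kept well below the 30s processing timeout


def write_if_changed(path, content):
    """Atomically write content to path. Return True only if the file changed."""
    new = content.encode()
    try:
        with open(path, "rb") as fh:
            if fh.read() == new:
                return False  # identical config: nothing to write, nothing to reload
    except FileNotFoundError:
        pass
    # mkstemp creates the file with mode 0600, so a config that carries
    # secrets is never briefly world-readable.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "wb") as fh:
        fh.write(new)
    os.replace(tmp, path)  # atomic swap: the daemon never reads a half-written file
    return True


def apply_vpn_config(path, content, run=subprocess.run):
    """Reload strongSwan only when the connection file actually changed.

    `run` is injectable so the logic can be exercised without an ipsec binary.
    """
    if not write_if_changed(path, content):
        return "unchanged"
    try:
        # Bounded call: a hung daemon cannot block the caller past its own timeout.
        run(RELOAD_CMD, check=True, timeout=RELOAD_TIMEOUT)
    except subprocess.TimeoutExpired:
        return "reload-timeout"
    except (subprocess.CalledProcessError, OSError):
        return "reload-failed"
    return "reloaded"
```
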

@remibergsma changed the title from "Not touching the ipsec.conf file on every run" to "Fix StrongSwan test failures due to blocking connection thread" Mar 17, 2017
@neubauerf merged commit 34d9fc6 into master Mar 18, 2017
@neubauerf deleted the fix/ipsec-restart branch March 18, 2017 14:40

# Strongswan is included in the systemvm template 17.3.12 and newer
# Strongswan is included in the systemvm template 17.3.13 and newer
if get_systemvm_version() > 170312:
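
Review bot: the condition on the last line still reads `> 170312` while the updated comment above it says "17.3.13 and newer", so the boundary is stated two different ways. Writing the check as `>= 170313`, or comparing against a named constant for the first template version that ships StrongSwan, would make the code state the same boundary as the comment and keep the two from drifting apart again.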

@remibergsma Why was only the comment adjusted?

@borisroman because the code >17.3.12 and the comment were not in sync. Version 17.3.12 still has OpenSwan.
