Your message dated Sat, 04 Apr 2015 16:34:47 +0000 with message-id <[email protected]> and subject line Bug#781209: fixed in strongswan 5.2.1-6 has caused the Debian Bug report #781209, regarding postinst execution order bug confuses systemd to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 781209: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781209 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: strongswan-starter Version: 5.2.1-5 Severity: grave strongswan-starter currently ships: - /etc/init.d/ipsec - /lib/systemd/system/strongswan.service With the latter containing Alias=ipsec.service and also calling the ipsec binary with --nofork as an (implicit) Type=simple unit. This is all a bit confusing at start but pretty sane in general and the strongswan rename is a nice move (and also consistent with Ubuntu). The package's postinst, however, is buggy: it does not use dh_installinit but calls invoke-rc.d ipsec manually. That would have been fine, but invoke-rc.d ipsec is called *before* the dh_systemd_enable/deb-systemd-helper bits. This means that "invoke-rc.d ipsec start" runs before the systemd unit is properly installed, which in turn confuses the hell out of systemd (as, among others, it expects a Type=simple unit), as evidenced by the following commands run in sequence: # apt-get install strongswan [...] # systemctl status strongswan ● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf Loaded: loaded (/lib/systemd/system/strongswan.service; enabled) Active: active (running) since Thu 2015-03-26 00:50:42 UTC; 6min ago CGroup: /system.slice/ipsec.service ├─5150 /usr/lib/ipsec/starter --daemon charon └─5151 /usr/lib/ipsec/charon --use-syslog [note how starter has been called without --nofork and there is a CGroup called "ipsec.service", despite the unit called "strongswan.service"] # systemctl restart strongswan # systemctl status strongswan ● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf Loaded: loaded (/lib/systemd/system/strongswan.service; enabled) Active: inactive (dead) since Thu 2015-03-26 01:00:59 UTC; 2s ago Process: 5783 ExecStart=/usr/sbin/ipsec start --nofork (code=exited, status=0/SUCCESS) Main PID: 5783 (code=exited, status=0/SUCCESS) Mar 26 01:00:59 curium systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf. Mar 26 01:00:59 curium ipsec_starter[5783]: Starting strongSwan 5.2.1 IPsec [starter]... Mar 26 01:00:59 curium ipsec_starter[5783]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start Mar 26 01:00:59 curium ipsec[5783]: Starting strongSwan 5.2.1 IPsec [starter]... Mar 26 01:00:59 curium ipsec[5783]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start Mar 26 01:00:59 curium ipsec[5783]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done [note the inactive/dead after a restart!] # ps aux |grep ipsec root 5150 0.0 0.0 17144 968 ? Ss 00:50 0:00 /usr/lib/ipsec/starter --daemon charon root 5151 0.0 0.0 1275680 5416 ? Ssl 00:50 0:00 /usr/lib/ipsec/charon --use-syslog Those are lingering/orphan processes, unmanaged by systemd. This won't happen every time -- it's a race but reproducible, I've managed to recreate it 5 times here already on two different servers. 19 times out of 20, no process will stay behind; ipsec won't be running at all, which is also a bug. The remaining 1 time, though, the service stays out of systemd's control and remains unmanageable; systemd thinks it's dead but it really is running. This is a) confusing to the sysadmin b) means that reloads will fail, c) means that a package removal won't actually stop the daemons, d) that tools such as puppet will try to restart it again and again but failing to do so. More importantly, though, it triggers a secondary bug in systemd itself. Continuing right from the execution path above: # ipsec stop Stopping strongSwan IPsec... # grep systemd /var/log/syslog | tail -3 Mar 26 01:02:15 curium systemd[1]: Assertion 'path' failed at ../src/shared/cgroup-util.c:913, function cg_is_empty_recursive(). Aborting. Mar 26 01:02:15 curium systemd[1]: Caught <ABRT>, dumped core as pid 6916. Mar 26 01:02:15 curium systemd[1]: Freezing execution. # systemctl status ^C At that point, the system barely works; systemctl etc. are not responding. I'll be filing the latter separately against systemd. However, the strongswan's postinst is buggy nevertheless and creates a situation uncommon enough to trigger this cascaded failure. Regards, Faidon
--- End Message ---
--- Begin Message ---Source: strongswan Source-Version: 5.2.1-6 We believe that the bug you reported is fixed in the latest version of strongswan, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Romain Francoise <[email protected]> (supplier of updated strongswan package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Sat, 04 Apr 2015 17:55:38 +0200 Source: strongswan Binary: strongswan libstrongswan libstrongswan-standard-plugins libstrongswan-extra-plugins libcharon-extra-plugins strongswan-dbg strongswan-starter strongswan-libcharon strongswan-charon strongswan-ike strongswan-nm strongswan-ikev1 strongswan-ikev2 charon-cmd Architecture: all amd64 source Version: 5.2.1-6 Distribution: unstable Urgency: medium Maintainer: strongSwan Maintainers <[email protected]> Changed-By: Romain Francoise <[email protected]> Closes: 781209 Description: charon-cmd - standalone IPsec client libcharon-extra-plugins - strongSwan charon library (extra plugins) libstrongswan-extra-plugins - strongSwan utility and crypto library (extra plugins) libstrongswan-standard-plugins - strongSwan utility and crypto library (standard plugins) libstrongswan - strongSwan utility and crypto library strongswan-charon - strongSwan Internet Key Exchange daemon strongswan-dbg - strongSwan library and binaries - debugging symbols strongswan-ike - strongSwan Internet Key Exchange daemon (transitional package) strongswan-ikev1 - strongSwan IKEv1 daemon, transitional package strongswan-ikev2 - strongSwan IKEv2 daemon, transitional package strongswan - IPsec VPN solution metapackage strongswan-libcharon - strongSwan charon library strongswan-nm - strongSwan plugin to interact with NetworkManager strongswan-starter - strongSwan daemon starter and configuration file parser Changes: strongswan (5.2.1-6) unstable; urgency=medium . * Ship /lib/systemd/system/ipsec.service as a symlink to strongswan.service in strongswan-starter instead of using Alias= in the service file. This makes the ipsec name available to invoke-rc.d before the service gets actually enabled, which avoids some confusion (closes: #781209). Checksums-Sha1: 5e46efbc559cd405e296fef96d3b1c8321578b32 3379 strongswan_5.2.1-6.dsc 7e1cf1c6ae7cf285c9fec295483b0f45a4df4585 123772 strongswan_5.2.1-6.debian.tar.xz 58cb3c10a99b364fd32515dd255436b9600be7e1 87456 strongswan_5.2.1-6_all.deb 1e0a4dc8bcbad5f45c275b3e82b9bb9a81bea17f 349240 libstrongswan_5.2.1-6_amd64.deb e2bdc60c33568a5d8e394cc596b0c462067c8d4b 106404 libstrongswan-standard-plugins_5.2.1-6_amd64.deb 82d25c9a29566fe2de619951a5963f85ecb532f0 137592 libstrongswan-extra-plugins_5.2.1-6_amd64.deb 41c692a8427897774a9c74e01278d8cea6a531d6 305950 libcharon-extra-plugins_5.2.1-6_amd64.deb 5bf124e46316ff16de36ebd3bd5efacb98349988 7557348 strongswan-dbg_5.2.1-6_amd64.deb 4e7f0c55680c207ad419aa644134c14cd18109fd 307854 strongswan-starter_5.2.1-6_amd64.deb bc6fc3a747507befa982323067d4b0ae0b2a4122 252690 strongswan-libcharon_5.2.1-6_amd64.deb ea91e003408ca28320fae49e952b0af753d815dc 80454 strongswan-charon_5.2.1-6_amd64.deb e42c8d9fc8e27ade5d6bc704574b77470dbf91f5 71506 strongswan-ike_5.2.1-6_all.deb 2ef355d724a592382b17883dc11f13a196ebbde2 82464 strongswan-nm_5.2.1-6_amd64.deb f93c047a39c4528efd0bf327784bfc9ddee3d1eb 71520 strongswan-ikev1_5.2.1-6_all.deb 1d471114f69ea514645938af4ce30aa037ef9c16 71508 strongswan-ikev2_5.2.1-6_all.deb 828a9a81f3de1c3924c1d4c88bd7120507509960 82326 charon-cmd_5.2.1-6_amd64.deb Checksums-Sha256: a349ef0c6c195b026bd7cc4a530818974d1bb89b98797890b44d2355dd5300c3 3379 strongswan_5.2.1-6.dsc e21a72c0abf791ee4d82324ec37960ac16c9e853cbf18f1de92821af3f2b77aa 123772 strongswan_5.2.1-6.debian.tar.xz e870468e9f7be31f4e7c4f80d5a0980e880a61c492bf58beacec6478de37b94c 87456 strongswan_5.2.1-6_all.deb 1192ab0f19fe9d4089b23d16f695d5bf20b8ec373f2f24118ea1da918849c2ac 349240 libstrongswan_5.2.1-6_amd64.deb e0f229df1c8881b54222ff7055c04365ad522a03d3338bd83b8024f0b1d7ace2 106404 libstrongswan-standard-plugins_5.2.1-6_amd64.deb a30c2db04a687ba2e6c219206b62455bb2ea7bc2febcb5adcaa5d278c94ac5aa 137592 libstrongswan-extra-plugins_5.2.1-6_amd64.deb 8a397010c6d87ff8816435b2f938f934481ca1ac24e418aed63bab6403509671 305950 libcharon-extra-plugins_5.2.1-6_amd64.deb 01e3d92676495ef4ff418f83e2ba0717a96e2722d7e7548ad7823a9a35561eb0 7557348 strongswan-dbg_5.2.1-6_amd64.deb 61a50c629cd4c23e54c9cf070cb6d6ab545a656c902981fe0e9e82805dc6792f 307854 strongswan-starter_5.2.1-6_amd64.deb f87fb6d79b9b0b2b6c6b73e1590732e3748037cc9e8b452e24aeeda61ff58148 252690 strongswan-libcharon_5.2.1-6_amd64.deb c485a897078ed5c1aef1e2445dc9dee5c5fdefe6be2f713fbda717d26c1920ec 80454 strongswan-charon_5.2.1-6_amd64.deb e8495633b2cc071406787ae1fefab8fae8af95884ca0227e0ce346862864d1e5 71506 strongswan-ike_5.2.1-6_all.deb d54e0e3b09040f16aaf01ef915f724036d983acd97634e21d2e0e2dd9eae5bf6 82464 strongswan-nm_5.2.1-6_amd64.deb eb70030786387f82bd8fd0579888b7fa3c81ac54fac9b1d3fa639504e76f6f38 71520 strongswan-ikev1_5.2.1-6_all.deb 3e518de34f2a91e1dd26f531a4ce567dea33a521c3ca0ccafc26c5682333217a 71508 strongswan-ikev2_5.2.1-6_all.deb 3f5766f21cb0d5735bc97816509c58c38a7f3c726f11ff117d07fe893d1ddbf3 82326 charon-cmd_5.2.1-6_amd64.deb Files: 2abdebb387d5359eda73959b9cb1f8f5 3379 net optional strongswan_5.2.1-6.dsc 5ecc475d7ab99efaab963d67b3a6332d 123772 net optional strongswan_5.2.1-6.debian.tar.xz 0ef4244d8f511ae220d435701d657faa 87456 net optional strongswan_5.2.1-6_all.deb 0c855f17d47a05bc5d7e4eccf4a92b89 349240 net optional libstrongswan_5.2.1-6_amd64.deb 53751a2043e32f628ffc90cb59504280 106404 net optional libstrongswan-standard-plugins_5.2.1-6_amd64.deb 9f3bfa4147622cd6948193026fd03582 137592 net optional libstrongswan-extra-plugins_5.2.1-6_amd64.deb 683e4d1c1064ae40a5e0d7c132477be3 305950 net optional libcharon-extra-plugins_5.2.1-6_amd64.deb fabd3264b50f5c99d0eaa270cc9baab1 7557348 debug extra strongswan-dbg_5.2.1-6_amd64.deb 52b5a609f6126b4bc5b807ed37da4d42 307854 net optional strongswan-starter_5.2.1-6_amd64.deb 5eaaae0e71f4fa8febec8188e3c69777 252690 net optional strongswan-libcharon_5.2.1-6_amd64.deb a0036dc21b607229f4ed37a2c187cade 80454 net optional strongswan-charon_5.2.1-6_amd64.deb 44beea22efd16e1177c896300124c8ac 71506 oldlibs extra strongswan-ike_5.2.1-6_all.deb 25ce917f0c8f76bb96534152e218b55e 82464 net optional strongswan-nm_5.2.1-6_amd64.deb d3402f8d608a0f6ca40801d94b3dbc25 71520 oldlibs extra strongswan-ikev1_5.2.1-6_all.deb b08643e1f6c6565b6f841e724d62d59f 71508 oldlibs extra strongswan-ikev2_5.2.1-6_all.deb 8e1d57b79a7582edfa81502376963734 82326 net optional charon-cmd_5.2.1-6_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJVIA0cAAoJEK0V9DXwX5YtY7QP/iS55Aq4tkPtgptkX0Mew0Hx 6nWNF+b+EWgkAIXFRF1qDLS4HjHxmkpi4RKAqoAmWrp5yzr2AJmc9TsjEddyEPYu Dk2NrZD+9VXByL6JzMNkoHOsjRrpmEc2vW6tqLXQG1ps2HbAi6Xr0CaJupkYZUyc avVd1v9GXPATjSssOXdUXYg0UoD1R6f8i6tcjgNlHNJRyTzR2tAxJNgNDbsh6Vgg f6HC7QZ249nYzHEGDovu62mH5d02ZBhUgWaNznAK+IgDG9SHCPzA38EMWDvzxHZ0 F8LUyovm5BRbea0MFHBRZkhoLgR1XkZdefJnSZZwXUnsBmB6MNbupelbTms3KD4b pPeg6WgS/mF6ZPNmogpQixkFQzWcpSD17K3lEbMmwQmLRbdp40jNXbaxIvK26yKp azO3WcgajD66+EQog5JHuY3WppgXcJr5LNEkaXkBVRAfXYRWts5pN2Azylo0Masa BM6j0z5mLlZS7iX0qc37VCu78bgU8p9SM9ynNu9hdcm3FP4xcEzom0Mcf+DvhtaP 37v0NraLAT2vLIRonAN2AHPeKQnTVFQjUVwa1fljvt6s7PYnot9h36g83gN5yIpx qwMfN5C50+Yiqx/aCBPI5lesgX3/ZfJPIaeuEzF9ndtKwUQ/9xWWAQdoOj0jSaS8 P/3ya5qZSG/mRA6Yr4uo =jBY+ -----END PGP SIGNATURE-----
--- End Message ---
