Your message dated Sat, 04 Apr 2015 16:34:47 +0000
with message-id <e1yer1z-0001v4...@franck.debian.org>
and subject line Bug#781209: fixed in strongswan 5.2.1-6
has caused the Debian Bug report #781209,
regarding postinst execution order bug confuses systemd
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
781209: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781209
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: strongswan-starter
Version: 5.2.1-5
Severity: grave
strongswan-starter currently ships:
- /etc/init.d/ipsec
- /lib/systemd/system/strongswan.service
With the latter containing Alias=ipsec.service and also calling the
ipsec binary with --nofork as an (implicit) Type=simple unit. This is
all a bit confusing at start but pretty sane in general and the
strongswan rename is a nice move (and also consistent with Ubuntu).
The package's postinst, however, is buggy: it does not use
dh_installinit but calls invoke-rc.d ipsec manually. That would have been
fine, but invoke-rc.d ipsec is called *before* the
dh_systemd_enable/deb-systemd-helper bits.
This means that "invoke-rc.d ipsec start" runs before the systemd unit
is properly installed, which in turn confuses the hell out of systemd
(as, among others, it expects a Type=simple unit), as evidenced by the
following commands run in sequence:
# apt-get install strongswan
[...]
# systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled)
   Active: active (running) since Thu 2015-03-26 00:50:42 UTC; 6min ago
   CGroup: /system.slice/ipsec.service
           ├─5150 /usr/lib/ipsec/starter --daemon charon
           └─5151 /usr/lib/ipsec/charon --use-syslog
[note how starter has been called without --nofork and there is a CGroup called
"ipsec.service", despite the unit called "strongswan.service"]
# systemctl restart strongswan
# systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled)
   Active: inactive (dead) since Thu 2015-03-26 01:00:59 UTC; 2s ago
  Process: 5783 ExecStart=/usr/sbin/ipsec start --nofork (code=exited, status=0/SUCCESS)
 Main PID: 5783 (code=exited, status=0/SUCCESS)
Mar 26 01:00:59 curium systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Mar 26 01:00:59 curium ipsec_starter[5783]: Starting strongSwan 5.2.1 IPsec [starter]...
Mar 26 01:00:59 curium ipsec_starter[5783]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Mar 26 01:00:59 curium ipsec[5783]: Starting strongSwan 5.2.1 IPsec [starter]...
Mar 26 01:00:59 curium ipsec[5783]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Mar 26 01:00:59 curium ipsec[5783]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
[note the inactive/dead after a restart!]
# ps aux |grep ipsec
root 5150 0.0 0.0 17144 968 ? Ss 00:50 0:00 /usr/lib/ipsec/starter --daemon charon
root 5151 0.0 0.0 1275680 5416 ? Ssl 00:50 0:00 /usr/lib/ipsec/charon --use-syslog
Those are lingering/orphan processes, unmanaged by systemd. This won't
happen every time -- it's a race but reproducible, I've managed to
recreate it 5 times here already on two different servers. 19 times out
of 20, no process will stay behind; ipsec won't be running at all, which
is also a bug.
The remaining 1 time, though, the service stays out of systemd's control
and remains unmanageable; systemd thinks it's dead but it really is
running. This a) is confusing to the sysadmin, b) means that reloads will
fail, c) means that a package removal won't actually stop the daemons,
and d) means that tools such as puppet will try to restart it again and
again but fail to do so.
More importantly, though, it triggers a secondary bug in systemd itself.
Continuing right from the execution path above:
# ipsec stop
Stopping strongSwan IPsec...
# grep systemd /var/log/syslog | tail -3
Mar 26 01:02:15 curium systemd[1]: Assertion 'path' failed at ../src/shared/cgroup-util.c:913, function cg_is_empty_recursive(). Aborting.
Mar 26 01:02:15 curium systemd[1]: Caught <ABRT>, dumped core as pid 6916.
Mar 26 01:02:15 curium systemd[1]: Freezing execution.
# systemctl status
^C
At that point, the system barely works; systemctl etc. are not
responding.
I'll be filing the latter separately against systemd. However,
strongswan's postinst is buggy nevertheless and creates a situation
uncommon enough to trigger this cascaded failure.
Regards,
Faidon
--- End Message ---
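Added example, not part of the report or of the strongswan packaging: a small shell lint for the ordering the report describes, flagging a generated postinst whose first invoke-rc.d call comes before its last deb-systemd-helper call. The two sample scripts are constructed and trimmed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the bug report or the strongswan package).

# line_of WHICH PATTERN FILE: print the line number of the first or last
# non-comment line matching PATTERN; print nothing if there is no match.
line_of() {
    awk -v which="$1" -v pat="$2" '
        /^[ \t]*#/ { next }
        $0 ~ pat   { n = NR; if (which == "first") exit }
        END        { if (n) print n }' "$3"
}

# postinst_order FILE: compare where the script first starts the service
# with where the last deb-systemd-helper call sits.
postinst_order() {
    start=$(line_of first 'invoke-rc[.]d ' "$1")
    enable=$(line_of last 'deb-systemd-helper ' "$1")
    if [ -z "$start" ] || [ -z "$enable" ]; then
        echo "n/a"                   # one of the two calls is absent
    elif [ "$start" -lt "$enable" ]; then
        echo "start-before-enable"   # the ordering described in the report
    else
        echo "ok"
    fi
}

# write_samples DIR: two constructed, trimmed postinst scripts that differ
# only in the order of the start call and the dh_systemd_enable-style block.
write_samples() {
    start_cmd='invoke-rc.d ipsec start || true'
    enable_cmds='deb-systemd-helper unmask strongswan.service >/dev/null || true
if deb-systemd-helper --quiet was-enabled strongswan.service; then
    deb-systemd-helper enable strongswan.service >/dev/null || true
fi'
    printf '#!/bin/sh\nset -e\n%s\n%s\n' "$start_cmd" "$enable_cmds" \
        > "$1/start-first.postinst"
    printf '#!/bin/sh\n# invoke-rc.d goes last\nset -e\n%s\n%s\n' \
        "$enable_cmds" "$start_cmd" > "$1/enable-first.postinst"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/*.postinst; do
    echo "${f##*/}: $(postinst_order "$f")"
done
rm -rf "$demo_dir"
```

On an installed system the same function can be pointed at /var/lib/dpkg/info/<package>.postinst, where dpkg keeps the generated maintainer scripts.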
--- Begin Message ---
Source: strongswan
Source-Version: 5.2.1-6
We believe that the bug you reported is fixed in the latest version of
strongswan, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 781...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Romain Francoise <rfranco...@debian.org> (supplier of updated strongswan
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 04 Apr 2015 17:55:38 +0200
Source: strongswan
Binary: strongswan libstrongswan libstrongswan-standard-plugins
libstrongswan-extra-plugins libcharon-extra-plugins strongswan-dbg
strongswan-starter strongswan-libcharon strongswan-charon strongswan-ike
strongswan-nm strongswan-ikev1 strongswan-ikev2 charon-cmd
Architecture: all amd64 source
Version: 5.2.1-6
Distribution: unstable
Urgency: medium
Maintainer: strongSwan Maintainers <pkg-swan-de...@lists.alioth.debian.org>
Changed-By: Romain Francoise <rfranco...@debian.org>
Closes: 781209
Description:
charon-cmd - standalone IPsec client
libcharon-extra-plugins - strongSwan charon library (extra plugins)
libstrongswan-extra-plugins - strongSwan utility and crypto library (extra plugins)
libstrongswan-standard-plugins - strongSwan utility and crypto library (standard plugins)
libstrongswan - strongSwan utility and crypto library
strongswan-charon - strongSwan Internet Key Exchange daemon
strongswan-dbg - strongSwan library and binaries - debugging symbols
strongswan-ike - strongSwan Internet Key Exchange daemon (transitional package)
strongswan-ikev1 - strongSwan IKEv1 daemon, transitional package
strongswan-ikev2 - strongSwan IKEv2 daemon, transitional package
strongswan - IPsec VPN solution metapackage
strongswan-libcharon - strongSwan charon library
strongswan-nm - strongSwan plugin to interact with NetworkManager
strongswan-starter - strongSwan daemon starter and configuration file parser
Changes:
strongswan (5.2.1-6) unstable; urgency=medium
.
* Ship /lib/systemd/system/ipsec.service as a symlink to
strongswan.service in strongswan-starter instead of using Alias= in
the service file. This makes the ipsec name available to invoke-rc.d
before the service gets actually enabled, which avoids some confusion
(closes: #781209).
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---