Bug 234648 - security/strongswan: start/stop/reload modern vici-based configurations
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
Importance: --- Affects Only Me
Assignee: freebsd-ports-bugs mailing list
Reported: 2019-01-06 00:59 UTC by Jose Luis Duran
Modified: 2019-01-17 18:26 UTC (History)
Flags: maintainer-feedback? (strongswan)


Attachments
- Ugly patch that loads swanctl.conf (811 bytes, patch), 2019-01-06 00:59 UTC, Jose Luis Duran
- Patch set #2 for security/strongswan (2.64 KB, patch), 2019-01-09 07:58 UTC, Sam Chen
- strongswan service test output for patch #2 (4.10 KB, text/plain), 2019-01-09 08:07 UTC, Sam Chen
- Use a separate rc.d script (535 bytes, text/plain), 2019-01-12 00:05 UTC, Jose Luis Duran
- Use a separate rc.d script (721 bytes, text/plain), 2019-01-15 20:34 UTC, Jose Luis Duran
- Patch set type #2 for security/strongswan (rev 1) (4.11 KB, patch), 2019-01-17 13:53 UTC, Sam Chen
- strongswan w/ strongswan_swanctl test output for patch set type #2 (2.78 KB, text/plain), 2019-01-17 13:56 UTC, Sam Chen

Description Jose Luis Duran 2019-01-06 00:59:33 UTC
Created attachment 200820 [details]
Ugly patch that loads swanctl.conf

Migrating from a legacy, stroke-based configuration to a modern, vici-based one (from ipsec.conf to swanctl.conf), I realized that the current rc script does not load the swanctl.conf file; instead one has to manually invoke `swanctl --load-all` to start it.

I am attaching a very ugly patch to the strongswan.in file, however I am confident a more elegant solution will be implemented.

Thanks.
Comment 1 Sam Chen 2019-01-09 07:57:06 UTC
Like Jose, I too recently noticed that rc.d/strongswan had to be modified to load swanctl.conf, and made local changes to the service script.  My version of the ugly patch and a test output are attached.  It mostly passes rclint(8), except for the "one-line functions discouraged" errors, for which I haven't found a good solution.  Please check the code carefully, since I'm new to FreeBSD ports.  Thanks.
Comment 2 Sam Chen 2019-01-09 07:58:24 UTC
Created attachment 200947 [details]
Patch set #2 for security/strongswan
Comment 3 Sam Chen 2019-01-09 08:07:14 UTC
Created attachment 200948 [details]
strongswan service test output for patch #2
Comment 4 Jose Luis Duran 2019-01-12 00:05:19 UTC
Created attachment 201047 [details]
Use a separate rc.d script

I guess it is better to use a separate rc.d script (like upstream is doing it with systemd). The script is still ugly, but the idea is to load charon and then load the configuration using swanctl, avoiding the use of starter.
Comment 5 Jose Luis Duran 2019-01-15 20:34:56 UTC
Created attachment 201171 [details]
Use a separate rc.d script

This version uses daemon(8) to handle charon.
Comment 6 strongswan 2019-01-17 11:37:55 UTC
(In reply to Jose Luis Duran from comment #5)
Thanks Jose.
I will have a look at the script.
Comment 7 Sam Chen 2019-01-17 13:51:47 UTC
Nice work, Jose.  I agree it's a step forward to manage charon under the BSD rc.d framework.  Let me remove my hacked script from Attachments.

Now I think backwards compatibility is important for ipsec config migration.  I've expanded on your earlier rc.d script and added support for enabling both rc.d/strongswan and rc.d/strongswan_swanctl simultaneously.  I also added code to extra_commands for "reload statusall".  rc.d/strongswan will start BEFORE (rclist(8)) rc.d/strongswan_swanctl for the reason noted in the code; I also changed the former to pass rclint.

One code digression is that mine removes the command_args "-r" to daemon(8).  Upstream's systemd strongswan-swanctl does not auto-restart charon, nor do almost all BSD ports that use daemon(8).  There could be an issue where ipsec starter.c's 5 sec auto-restart of charon interferes with BSD daemon(8)'s 1 sec auto-restart interval.

Also, between the charon invocation and the swanctl run I introduced an up to 5 sec wait loop for the charon.pid file.  A fixed 1 sec wait could be just on the edge for that overloaded cloud VM.

Please find the revised "Patch set #2" and test output, attached.  Thanks.
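The start sequence discussed in comments 4 through 7 (run charon under daemon(8) without -r, poll up to 5 seconds for charon.pid instead of sleeping a fixed second, then load swanctl.conf with swanctl --load-all), written out as an added POSIX sh example that is not one of the patches attached to this bug. The charon, swanctl and pid-file paths are assumptions, and the functions would be wired into an rc.d script as start_cmd/stop_cmd on a real FreeBSD system.

```shell
#!/bin/sh
# Added example, not a patch from this bug. Assumed paths (override via
# environment): charon binary, swanctl binary and the pid file charon writes.
charon_cmd=${charon_cmd:-/usr/local/libexec/ipsec/charon}
swanctl_cmd=${swanctl_cmd:-/usr/local/sbin/swanctl}
charon_pidfile=${charon_pidfile:-/var/run/charon.pid}

# Wait up to $2 seconds (default 5) for the pid file $1 to appear and to name
# a live process. A stale file left by a crashed charon is not accepted, so
# swanctl is never run against a daemon that is not actually listening.
wait_for_pidfile() {
    _pidfile=$1 _timeout=${2:-5} _i=0
    while [ "$_i" -lt "$_timeout" ]; do
        if [ -s "$_pidfile" ] && kill -0 "$(cat "$_pidfile")" 2>/dev/null; then
            return 0
        fi
        sleep 1
        _i=$((_i + 1))
    done
    return 1
}

# Start charon detached under daemon(8) with no -r (no auto-restart, like the
# upstream systemd unit), then push swanctl.conf into it once it is up.
strongswan_swanctl_start() {
    daemon -f "$charon_cmd" || return 1
    if ! wait_for_pidfile "$charon_pidfile" 5; then
        echo "charon did not create $charon_pidfile within 5 seconds" >&2
        return 1
    fi
    "$swanctl_cmd" --load-all
}

# reload re-reads swanctl.conf into the running charon; stop sends SIGTERM
# to the pid recorded by charon and gives it a moment to shut down.
strongswan_swanctl_reload() { "$swanctl_cmd" --load-all; }
strongswan_swanctl_stop() {
    [ -s "$charon_pidfile" ] || return 0
    kill "$(cat "$charon_pidfile")" && sleep 1
}

case "${1:-}" in
start)  strongswan_swanctl_start ;;
stop)   strongswan_swanctl_stop ;;
reload) strongswan_swanctl_reload ;;
esac
```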
Comment 8 Sam Chen 2019-01-17 13:53:48 UTC
Created attachment 201208 [details]
Patch set type #2 for security/strongswan (rev 1)
Comment 9 Sam Chen 2019-01-17 13:56:40 UTC
Created attachment 201209 [details]
strongswan w/ strongswan_swanctl test output for patch set type #2
Comment 10 Jose Luis Duran 2019-01-17 18:26:44 UTC
(In reply to Sam Chen from comment #7)

Thank you Sam! I agree with most of your suggestions.  I think the maintainer will move this conversation over to Phabricator and we'll take it from there.

Thank you all!