Message ID | 20220207191500.797659-1-mheib@redhat.com |
---|---|
State | Accepted |
Series | [ovs-dev] ovs/ipsec: StrongSwan report connection update failures to ovs logs |

Context | Check | Description |
---|---|---|
ovsrobot/apply-robot | success | apply and check: success |
ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
ovsrobot/intel-ovs-compilation | success | test: success |

On Mon, Feb 7, 2022 at 2:15 PM Mohammad Heib <mheib@redhat.com> wrote:
>
> Currently when the user adds an IPsec tunnel port to the
> ovs bridge the ovs-monitor-ipsec script will add this tunnel
> IPsec-related configuration to the appropriate file and
> submit a request to start the IPsec connection for this port
> and ignores the request output which can contain an error message.
>
> This patch captures the request output and prints
> the error message to the ovs logs.
>
> Signed-off-by: Mohammad Heib <mheib@redhat.com>

Acked-by: Mike Pattrick <mkp@redhat.com>

On 2/25/22 21:45, Mike Pattrick wrote:
> On Mon, Feb 7, 2022 at 2:15 PM Mohammad Heib <mheib@redhat.com> wrote:
>>
>> Currently when the user adds an IPsec tunnel port to the
>> ovs bridge the ovs-monitor-ipsec script will add this tunnel
>> IPsec-related configuration to the appropriate file and
>> submit a request to start the IPsec connection for this port
>> and ignores the request output which can contain an error message.
>>
>> This patch captures the request output and prints
>> the error message to the ovs logs.
>>
>> Signed-off-by: Mohammad Heib <mheib@redhat.com>
>
> Acked-by: Mike Pattrick <mkp@redhat.com>

Thanks! Applied to master and 2.17.

Best regards, Ilya Maximets.

diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in index a8b0705d9..c8dfa06fd 100755 --- a/ipsec/ovs-monitor-ipsec.in +++ b/ipsec/ovs-monitor-ipsec.in @@ -337,7 +337,14 @@ conn prevent_unencrypted_vxlan Once strongSwan vici bindings will be distributed with major Linux distributions this function could be simplified.""" vlog.info("Refreshing StrongSwan configuration") - subprocess.call([self.IPSEC, "update"]) + proc = subprocess.Popen([self.IPSEC, "update"], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + outs, errs = proc.communicate() + if proc.returncode != 0: + vlog.err("StrongSwan failed to update configuration:\n" + "%s \n %s" % (str(outs), str(errs))) + subprocess.call([self.IPSEC, "rereadsecrets"]) # "ipsec update" command does not remove those tunnels that were # updated or that disappeared from the ipsec.conf file. So, we have
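
Review bot: In the vlog.err() call, str(outs) and str(errs) are applied to the values returned by proc.communicate(), and because the Popen call sets neither text nor universal_newlines those values are bytes objects; under Python 3 the log entry will show the b'...' repr with newlines escaped as \n rather than the message as strongSwan printed it. Decoding before logging, for example outs.decode(errors="replace"), or passing universal_newlines=True to Popen, would keep the logged error readable. Two smaller points: after a failed update execution still falls through to the rereadsecrets call, and that subprocess.call continues to discard its exit status, so a failure there stays as silent as the one this patch addresses; the format string "%s \n %s" also leaves stray spaces on either side of the newline.
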
Currently when the user adds an IPsec tunnel port to the
ovs bridge the ovs-monitor-ipsec script will add this tunnel
IPsec-related configuration to the appropriate file and
submit a request to start the IPsec connection for this port
and ignores the request output which can contain an error message.

This patch captures the request output and prints
the error message to the ovs logs.

Signed-off-by: Mohammad Heib <mheib@redhat.com>

---

ipsec/ovs-monitor-ipsec.in | 9 ++++++++-

1 file changed, 8 insertions(+), 1 deletion(-)