{"id":2003661,"url":"http://patchwork.ozlabs.org/api/covers/2003661/?format=json","web_url":"http://patchwork.ozlabs.org/project/openvswitch/cover/20241029101608.2991596-1-i.maximets@ovn.org/","project":{"id":47,"url":"http://patchwork.ozlabs.org/api/projects/47/?format=json","name":"Open vSwitch","link_name":"openvswitch","list_id":"ovs-dev.openvswitch.org","list_email":"ovs-dev@openvswitch.org","web_url":"http://openvswitch.org/","scm_url":"git@github.com:openvswitch/ovs.git","webscm_url":"https://github.com/openvswitch/ovs","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20241029101608.2991596-1-i.maximets@ovn.org>","list_archive_url":null,"date":"2024-10-29T10:14:58","name":"[ovs-dev,0/9] ipsec: Resiliency to Libreswan failures.","submitter":{"id":76798,"url":"http://patchwork.ozlabs.org/api/people/76798/?format=json","name":"Ilya Maximets","email":"i.maximets@ovn.org"},"mbox":"http://patchwork.ozlabs.org/project/openvswitch/cover/20241029101608.2991596-1-i.maximets@ovn.org/mbox/","series":[{"id":430270,"url":"http://patchwork.ozlabs.org/api/series/430270/?format=json","web_url":"http://patchwork.ozlabs.org/project/openvswitch/list/?series=430270","date":"2024-10-29T10:14:58","name":"ipsec: Resiliency to Libreswan failures.","version":1,"mbox":"http://patchwork.ozlabs.org/series/430270/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/covers/2003661/comments/","headers":{"Return-Path":"<ovs-dev-bounces@openvswitch.org>","X-Original-To":["incoming@patchwork.ozlabs.org","ovs-dev@openvswitch.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","ovs-dev@lists.linuxfoundation.org"],"Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=140.211.166.138; helo=smtp1.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)","smtp2.osuosl.org;\n dmarc=none (p=none dis=none) header.from=ovn.org"],"Received":["from 
smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4Xd5kv02mMz1xwn\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 29 Oct 2024 21:16:21 +1100 (AEDT)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 6AD2880BE0;\n\tTue, 29 Oct 2024 10:16:19 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id b1zIbBR_3DeH; Tue, 29 Oct 2024 10:16:18 +0000 (UTC)","from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])\n\tby smtp1.osuosl.org (Postfix) with ESMTPS id 37B3580BB3;\n\tTue, 29 Oct 2024 10:16:18 +0000 (UTC)","from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id 167D1C08A6;\n\tTue, 29 Oct 2024 10:16:18 +0000 (UTC)","from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n by lists.linuxfoundation.org (Postfix) with ESMTP id E7544C08A3\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 10:16:16 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id C05CB40B20\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 10:16:16 +0000 (UTC)","from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id IO4k6qPygmLC for <ovs-dev@openvswitch.org>;\n Tue, 29 Oct 2024 10:16:15 +0000 (UTC)","from mail-wm1-f66.google.com (mail-wm1-f66.google.com\n [209.85.128.66])\n by smtp2.osuosl.org (Postfix) with ESMTPS id 1DF5B40B93\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 10:16:14 +0000 (UTC)","by mail-wm1-f66.google.com with SMTP id\n 5b1f17b1804b1-4315eac969aso36910505e9.1\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 03:16:14 -0700 (PDT)","from im-t490s.redhat.com 
(ip-86-49-44-151.bb.vodafone.cz.\n [86.49.44.151]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-431b4594ec3sm20279685e9.1.2024.10.29.03.16.12\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 29 Oct 2024 03:16:12 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.9.56;\n helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org 37B3580BB3","OpenDKIM Filter v2.11.0 smtp2.osuosl.org 1DF5B40B93"],"Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=209.85.128.66;\n helo=mail-wm1-f66.google.com; envelope-from=i.maximets.ovn@gmail.com;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp2.osuosl.org 1DF5B40B93","X-Received":"by 2002:a05:600c:5487:b0:424:a7f1:ba2 with SMTP id\n 5b1f17b1804b1-431b56364e0mr11787575e9.17.1730196972879;\n Tue, 29 Oct 2024 03:16:12 -0700 (PDT)","From":"Ilya Maximets 
<i.maximets@ovn.org>","To":"ovs-dev@openvswitch.org","Date":"Tue, 29 Oct 2024 11:14:58 +0100","Message-ID":"<20241029101608.2991596-1-i.maximets@ovn.org>","X-Mailer":"git-send-email 2.46.0","MIME-Version":"1.0","Subject":"[ovs-dev] [PATCH 0/9] ipsec: Resiliency to Libreswan failures.","X-BeenThere":"ovs-dev@openvswitch.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"<ovs-dev.openvswitch.org>","List-Unsubscribe":"<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>","List-Archive":"<http://mail.openvswitch.org/pipermail/ovs-dev/>","List-Post":"<mailto:ovs-dev@openvswitch.org>","List-Help":"<mailto:ovs-dev-request@openvswitch.org?subject=help>","List-Subscribe":"<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>","Cc":"Ilya Maximets <i.maximets@ovn.org>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"ovs-dev-bounces@openvswitch.org","Sender":"\"dev\" <ovs-dev-bounces@openvswitch.org>"},"content":"This patch set is a result of debugging different Libreswan issues\nfor the past few weeks in an attempt to solve the problem where\novs-monitor-ipsec gets stuck forever while calling ipsec commands\nand cannot progress any further.\n\nMain parts here are the introduction of the reconciliation mechanism\nfor the ipsec connections and termination of the stuck commands on\ntimeout.\n\nThis set also contains a lot of small changes that ultimately fix\ncompatibility with multiple versions of Libreswan as well as improve\nvisibility into what the ovs-monitor-ipsec process is doing by adding\nmore verbose logging.\nFor example, without the first patch in the set, ovs-monitor-ipsec\ndeadlocks both libreswan and itself with Libreswan 5 pretty easily:\n  https://github.com/libreswan/libreswan/issues/1859\nMore details on addressed issues are in the commit messages.\n\nThe last few patches 
in the set are adding a system test that stresses\nthe reconciliation and various failure handling paths inside the\nmonitor.  Mainly because we do get a lot of failures from Libreswan\nwhile running the test.  This test is currently actively used by\nLibreswan team to find and fix the root causes of multiple issues that\ntriggered creation of this patch set.\n\nThe intention for this patch set is to be backported to at least\nbranch 3.3.  But further down to 3.1 (or even 2.17 ?) may also be good.\nLuckily, the code is not that different on older branches.\n\nThe set is tested with various versions of Libreswan including\n3.32 (from Ubuntu 22.04), 4.5, 4.6, 4.9, 4.12, 4.14, 4.15 and 5.1.\n\nWithout the set, only 4.5 and below work well enough, 4.9 - 4.15 are\ngetting completely stuck with a few dozens of connections, and 5.1\ndeadlocks easily.\n\nWith the set: 4.5 and below still work well, 5.1 works well, 4.9 - 4.15\ncan get into state with connectivity issues (libreswan issue that cannot\nbe worked around externally), but it is much less likely to end up in\nthis state and it affects only a couple individual connections instead\nof blocking the daemon as a whole.  
Also, 4.14 and 4.15 seem noticeably\nharder to get into that state (but still very possible).\n\n\nIlya Maximets (9):\n  ipsec: Add a helper function to run commands from the monitor.\n  ipsec: libreswan: Reconcile missing connections periodically.\n  ipsec: libreswan: Try to bring non-active connections up.\n  ipsec: libreswan: Fix regexp for connections waiting on child SA.\n  ipsec: libreswan: Avoid monitor hanging on stuck ipsec commands.\n  ipsec: Make command timeout configurable.\n  system-tests: Verbose cleanup of ports and namespaces.\n  tests: ipsec: Add NxN + reconciliation test.\n  tests: ipsec: Check that nodes can ping each other in the NxN test.\n\n ipsec/ovs-monitor-ipsec.in    | 483 +++++++++++++++++++---------------\n tests/system-common-macros.at |   7 +-\n tests/system-ipsec.at         | 206 ++++++++++++++-\n 3 files changed, 463 insertions(+), 233 deletions(-)"}