FS#33202 - [ipsec-tools] ipsec.service does not load policy

Attached to Project: Community Packages
Opened by Holoduke (Holoduke) - Tuesday, 25 December 2012, 19:44 GMT
Last edited by Sergej Pupykin (sergej) - Thursday, 10 January 2013, 09:10 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Sergej Pupykin (sergej)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

ipsec.service included in ipsec-tools 0.8.0-5 does not load the policy. I don't know why but I guess ExecStop gets executed for some reason, because the service type is wrong.

This seems to work (Type changed, RemainAfterExit added):

[Unit]
Description=Load IPSec Security Policy Database
After=syslog.target network.target

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/usr/sbin/setkey -f /etc/ipsec.conf
ExecStop=/usr/sbin/setkey -F -P ; /usr/sbin/setkey -F

[Install]
WantedBy=multi-user.target

Closed by  Sergej Pupykin (sergej)
Thursday, 10 January 2013, 09:10 GMT
Reason for closing:  Fixed
Comment by A Web (aweb) - Tuesday, 01 January 2013, 00:41 GMT
This burned me, too. I can confirm both the bug and the fix, and hope the fix can be integrated quickly given its simplicity. Note, however, that Type=oneshot is not necessary. It works just fine with Type=simple. The important thing is adding RemainAfterExit=True so systemd does not interpret a setkey exit as the service not running. I thought oneshot was more for services like ntpdate that don't need to be "turned off" ever, but admittedly I don't see the difference in this case.


Comment by Holoduke (Holoduke) - Tuesday, 01 January 2013, 11:17 GMT
From the man page: "Behavior of oneshot is similar to simple, however it is expected that the process has to exit before systemd starts follow-up units."
So, if the type is simple and not oneshot, follow-up VPN services that depend on ipsec.service will be started at the same time and might be up before setkey has finished. Don't know whether that would really cause a problem in practice, but I'd say that oneshot is the correct choice here.
Comment by A Web (aweb) - Tuesday, 01 January 2013, 17:29 GMT
Okay, thanks. I agree with your reasoning. It should be Type=oneshot. Otherwise, it would be hard to create dependencies on ipsec, and in the worst case there could be a tiny window of vulnerability after some other service is started but before the SPD is initialized.

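As an added illustration (not part of the original report, the ipsec-tools package, or any comment above), the fixed ipsec.service is shown next to a hypothetical follow-up unit, vpn-tunnel.service, that depends on it. The follow-up unit's name and its ExecStart command are placeholders; the comments explain why Type=oneshot plus RemainAfterExit matters for the ordering the thread discusses.

```ini
# /etc/systemd/system/ipsec.service  (the unit as fixed in this report)
[Unit]
Description=Load IPSec Security Policy Database
After=syslog.target network.target

[Service]
# Type=oneshot: systemd waits for setkey -f to exit before starting units
# ordered After= this one. With Type=simple the unit would count as started
# as soon as setkey is forked, so a dependent daemon could come up while the
# SPD is still empty.
Type=oneshot
# Without RemainAfterExit systemd treats setkey's exit as the service having
# stopped and runs ExecStop, which flushes the policies that were just loaded.
RemainAfterExit=true
ExecStart=/usr/sbin/setkey -f /etc/ipsec.conf
ExecStop=/usr/sbin/setkey -F -P ; /usr/sbin/setkey -F

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/vpn-tunnel.service  (hypothetical dependent unit)
[Unit]
Description=Example VPN daemon that must not start with an empty SPD
# Requires= pulls ipsec.service in and stops this unit if ipsec.service is
# stopped; After= alone would only order the two, not pull the dependency in.
Requires=ipsec.service
After=ipsec.service network.target

[Service]
Type=simple
# Placeholder: the real daemon binary and arguments are an assumption here.
ExecStart=/usr/bin/vpn-daemon --foreground

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemctl start vpn-tunnel.service` pulls in ipsec.service and does not launch the daemon until `setkey -f` has exited. To check the result, `setkey -DP` should list the policies from /etc/ipsec.conf, and `systemctl show ipsec.service -p ActiveState,RemainAfterExit` should report `active` and `yes` rather than an inactive unit whose ExecStop has already flushed the SPD.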