latest strongswan update is broken in 18.10

Bug #1811610 reported by heynnema
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| strongswan (Ubuntu) | Expired | Undecided | Unassigned | |

Bug Description

A lot of `strongswan` files got updated this morning. It breaks strongswan because it can't find `/etc/ipsec.conf`. Sure enough, it's missing. The package file indicates that it's there, but it doesn't get installed.

I went to packages.ubuntu.com and downloaded `strongswan-starter_5.6.3-1ubuntu4.1_amd64.deb` and manually reinstalled it, and IT didn't install /etc/ipsec.conf either!

I manually extracted ipsec.conf from the .deb file, copied it to /etc/ipsec.conf, chmod 600 /etc/ipsec.conf, and made sure it was root:root, then `sudo systemctl restart ipsec`.

`sudo systemctl status ipsec` now shows correctly.

The /etc/ipsec.conf file looks like this...

    # ipsec.conf - strongSwan IPsec configuration file

    # basic configuration

    config setup
     # strictcrlpolicy=yes
     # uniqueids = no

    # Add connections here.

    # Sample VPN connections

    #conn sample-self-signed
    # leftsubnet=10.1.0.0/16
    # leftcert=selfCert.der
    # leftsendcert=never
    # right=192.168.0.2
    # rightsubnet=10.2.0.0/16
    # rightcert=peerCert.der
    # auto=start

    #conn sample-with-ca-cert
    # leftsubnet=10.1.0.0/16
    # leftcert=myCert.pem
    # right=192.168.0.2
    # rightsubnet=10.2.0.0/16
    # rightid="C=CH, O=Linux strongSwan CN=peer name"
    # auto=start

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: strongswan-starter 5.6.3-1ubuntu4.1
ProcVersionSignature: Ubuntu 4.18.0-13.14-generic 4.18.17
Uname: Linux 4.18.0-13-generic x86_64
ApportVersion: 2.20.10-0ubuntu13.1
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Sun Jan 13 11:31:11 2019
InstallationDate: Installed on 2014-05-10 (1709 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: strongswan
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.ipsec.conf: [inaccessible: [Errno 13] Permission denied: '/etc/ipsec.conf']
modified.conffile..etc.ipsec.secrets: [inaccessible: [Errno 13] Permission denied: '/etc/ipsec.secrets']

Andreas Hasenack (ahasenack) wrote :

If installing the package doesn't restore ipsec.conf, then it's because it was removed outside the package's control, usually.

Could you check /var/log/apt/history.log to backtrack the packages you installed and upgraded to see if there is a clear way to reproduce this problem?

That being said, these error messages are intriguing:

    modified.conffile..etc.ipsec.conf: [inaccessible: [Errno 13] Permission denied: '/etc/ipsec.conf']
    modified.conffile..etc.ipsec.secrets: [inaccessible: [Errno 13] Permission denied: '/etc/ipsec.secrets']

That means at least at the time the bug was reported, the file existed.

Changed in strongswan (Ubuntu):
status: New → Incomplete

heynnema (heynnema) wrote :

I checked /var/log/apt/history.log and /var/log/apt/history.log.1.gz and only found references to when I tried to reinstall strongswan-starter_5.6.3-1ubuntu4.1_amd64.deb on Jan 13. I had tried Synaptic, and the .deb file downloaded from packages.ubuntu.com. Neither reinstalled the missing /etc/ipsec.conf file.

As far as I know strongswan/ipsec was running fine, as I monitor syslog closely. And it wasn't until the current updates that I saw it was broken. If /etc/ipsec.conf WAS missing, wouldn't a reinstall replace the missing file?

I missed the permissions messages. After manually restoring /etc/ipsec.conf from the .deb file, I set the permissions to 600, similar to the existing /etc/ipsec.secrets. I guess that must be wrong. I just changed them both to 644, similar to other files in /etc/ipsec.d.

If you need more information, please feel free to ask.

heynnema (heynnema) wrote :

I forgot to mention... when I submitted the bug report, I had already manually restored /etc/ipsec.conf, so that's why it found that file.

Andreas Hasenack (ahasenack) wrote :

Restoring config files from debs is not straightforward. We won't now know what removed it, but, for example, if a mistake happened and for some reason "rm -f /etc/ipsec.conf" was run, special flags have to be given to dpkg to restore a missing config.

Since you restored it already, there is nothing else to do here, but for future reference, this could help: https://askubuntu.com/questions/66533/how-can-i-restore-configuration-files

heynnema (heynnema) wrote :

Why wouldn't reinstalling a package restore a .conf file, when the file is clearly in the .deb package, or when done via Synaptic?

I hadn't touched or deleted /etc/ipsec.conf. I only discovered the problem after strongswan updates were performed, and I noticed errors in my daily logwatch report.

Thanks for the link. But... boy are those methods complicated!

Karl Stenerud (kstenerud) wrote :

The problem comes when a file's existence or non-existence affects how a package behaves (such as /etc/defense-package/autorun/launch_nuclear_missiles). If the user removes such a file to control package behavior, and then an update re-adds the files, it would change the package behavior in a way the user doesn't want, each and every time the package gets a security update.

So, since we can't know if the file removal was intentional or not, debian packaging errs on the side of caution, and doesn't re-add the file.

In this particular case, of course, a missing conf file breaks the whole thing, but debian packaging doesn't have the level of sophistication to know the difference.

As to what actually caused the conf file to go missing in your case, there are unfortunately no logs or traces to help track down what actually happened, so unless it happens again in future and we can get more info, we don't really have a way to find a solution :/

Launchpad Janitor (janitor) wrote :

[Expired for strongswan (Ubuntu) because there has been no activity for 60 days.]

Changed in strongswan (Ubuntu):
status: Incomplete → Expired
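
Added example (not part of the thread, and not Ubuntu's or strongSwan's own tooling): a shell function that audits a package's dpkg-registered conffiles. It reports entries missing from disk, which is the state the comments above say a plain reinstall will not repair, entries whose checksum differs from the packaged one, and a `*.secrets` file that is world-readable. The demo data is constructed, and the world-readable check is this example's own assumption about what is worth flagging.

```shell
#!/bin/sh
# Added example. Input is the output format of
#   dpkg-query -W -f='${Conffiles}\n' PACKAGE
# i.e. one " /path md5sum [obsolete]" entry per line.

# audit_conffiles ROOT: read Conffiles entries on stdin, check ROOT/path.
audit_conffiles() {
    root=$1
    while read -r path sum flag; do
        [ -n "$path" ] || continue               # blank first line of the field
        [ "$flag" = "obsolete" ] && continue     # no longer shipped by the package
        file="$root$path"
        if [ ! -e "$file" ]; then
            # dpkg treats this as a deliberate removal and will not re-create it
            echo "MISSING $path"
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        [ "$actual" = "$sum" ] || echo "MODIFIED $path"
        case $path in
            *.secrets)
                # Assumption of this example: a secrets file (PSKs, key
                # passphrases) should not have the "other read" bit set.
                [ -z "$(find "$file" -prune -perm -004)" ] ||
                    echo "WORLD-READABLE $path"
                ;;
        esac
    done
}

# Constructed demo: fake root with ipsec.conf absent, ipsec.secrets at 0644.
# The checksum given for ipsec.conf is a placeholder (MD5 of empty input).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf 'constructed sample, not a real secret\n' > "$d/etc/ipsec.secrets"
    chmod 644 "$d/etc/ipsec.secrets"
    s=$(md5sum "$d/etc/ipsec.secrets" | cut -d' ' -f1)
    printf '\n /etc/ipsec.conf %s\n /etc/ipsec.secrets %s\n' \
        d41d8cd98f00b204e9800998ecf8427e "$s" | audit_conffiles "$d"
    rm -rf "$d"
}
demo

# On a live system (root prefix empty, run as root to read 0600 files):
#   dpkg-query -W -f='${Conffiles}\n' strongswan-starter | audit_conffiles ""
# A MISSING entry can be restored with dpkg's --force-confmiss:
#   sudo apt-get install --reinstall \
#       -o Dpkg::Options::="--force-confmiss" strongswan-starter
```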