On Tue, Apr 13, 2021 at 01:06:40PM -0400, Mark Gray wrote:
> This patch fixes an issue where, depending on timing fluctuations,
> each node has not fully loaded all connections before the other
> node begins to establish a connection. In this failure case, the
> "ovs-monitor-ipsec" instance on the "left" node may `ipsec auto --start`
> a connection which then gets rejected by the "right" side. Almost
> simultaneously, the "right" side may initiate a connection that gets
> rejected by the "left" side. This can happen as, for all tunnels except
> for GRE, each node has two connections (an "in" connection and an "out"
> connection) that get added one after the other. If the "in" connection
> "starts" on both sides, the "out" connection from the other node
> may not be available causing the connection to fail. At this point,
> "Libreswan" will wait to retry the connection. In the interim, the
> OVS system test times out. This race manifests itself more frequently
> in a virtualized environment.
>
> This patch resolves this issue by waiting for the "left" node to load
> all connections before starting the "right" side. This will cause
> the "left" side to fail to establish a connection with the "right"
> side (as the "right" side connections have not been loaded) but will
> cause the "right" side to succeed to establish a connection as all
> connections will have been loaded on the "left" side.
>
> Reported-at:
> https://mail.openvswitch.org/pipermail/ovs-dev/2021-April/381857.html
> Fixes: 8fc62df8b135 ("ipsec: Introduce IPsec system tests for Libreswan.")
> Signed-off-by: Mark Gray <mark.d.g...@redhat.com>
> ---

Thanks for following up with a testsuite fix.
The patch survived a loop testing (-k ipsec) 500 times.

Tested-by: Flavio Leitner <f...@sysclose.org>
Acked-by: Flavio Leitner <f...@sysclose.org>

fbl