testing: Fix route-based/net2net-xfrmi-ike scenario
On newer systems, the upper hard limit for open file descriptors (see `ulimit -H -n`) was increased from 4096 to 524288. Due to how python-daemon closes potentially open file descriptors (basically stores them in a set, removes those excluded by config, and loops through all of them), the updown script was either killed immediately (by the OOM killer) or not ready yet when updown events occurred.
parent
1496991078
commit
210c1e2628
|
@ -1,3 +1,4 @@
|
|||
sun::cat /var/log/daemon.log::charon-updown.*connected to charon-systemd::YES
|
||||
moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16].*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
|
||||
sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32].*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]::YES
|
||||
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
|
||||
|
|
|
@ -6,6 +6,7 @@ import daemon
|
|||
import logging
|
||||
from logging.handlers import SysLogHandler
|
||||
import subprocess
|
||||
import resource
|
||||
|
||||
|
||||
logger = logging.getLogger('updownLogger')
|
||||
|
@ -54,6 +55,13 @@ def install_routes(ike_sa):
|
|||
subprocess.call(["ip", "route", "add", ts, "dev", ifname_out])
|
||||
|
||||
|
||||
# the hard limit (second number) is the value used by python-daemon when closing
|
||||
# potentially open file descriptors while daemonizing. since the default is
|
||||
# 524288 on newer systems, this can take quite a while, and due to how this
|
||||
# range of FDs is handled internally (as set) it can even trigger the OOM killer
|
||||
resource.setrlimit(resource.RLIMIT_NOFILE, (256, 256))
|
||||
|
||||
|
||||
# daemonize and run parallel to the IKE daemon
|
||||
with daemon.DaemonContext():
|
||||
logger.debug("starting Python updown listener")
|
||||
|
|
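Review bot: The `resource.setrlimit(resource.RLIMIT_NOFILE, (256, 256))` call also bounds which descriptors daemonization closes. If python-daemon only walks up to the hard limit, as the added comment describes, any descriptor numbered 256 or above that the script inherited from the IKE daemon stays open in the listener. The lowered hard limit also lasts for the lifetime of the listener and is inherited by the `ip` processes started via `subprocess.call`, which the comment does not mention. I would extend the comment with something like `# note: FDs >= 256 inherited from the caller are not closed, and this limit also applies to the listener and its child processes`. The `with daemon.DaemonContext():` block continues past the end of the hunk, so whether the listener can ever need more than 256 descriptors is not visible here.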