[SOLVED] Most ipsec commands return no output


(ILIV) #1

Ubuntu 18 LTS default container image, i.e. ubuntu:18.04.
strongswan 5.6.2-1ubuntu2.4.

$ ipsec --version
Linux strongSwan U5.6.2/K4.15.0-38-generic

Most ipsec commands like

ipsec status
ipsec statusall
ipsec listalgs

do not return any output.

This seems to happen only in LXD containers running Ubuntu 18 LTS and is reproducible in new unconfigured containers running the same Linux distribution.

The problem does not happen, for example, in KVM virtual machine running Ubuntu 18 LTS and same version of strongswan.

Help! :slight_smile:


#2

Hi!

If you run lxc monitor in a separate terminal, it should give some hints as to way it fails.


(ILIV) #3

Nothing useful at all:

$ lxc monitor --loglevel=debug
metadata:   
  context: {}                         
  level: dbug
  message: 'New event listener: 1d99af82-4ebd-4fbc-b690-95028ff109bc'
timestamp: "2019-02-02T09:33:09.18219161-08:00"
type: logging
                                 

^C

(Stéphane Graber) #4

Try running them under strace -f to see if something obvious is failing.


(ILIV) #5

I don’t see anything like that: https://pastebin.com/5rWTFzHt. Do you?


(ILIV) #6

Okay here’s one at line 830:

[pid 7644] write(1, "Security Associations (0 up, 0 c"..., 51) = -1 EACCES (Permission denied)

This is again a problem with an AppArmor profile.


(Stéphane Graber) #7

Yep, looks that way