[ovs-dev] [PATCH] ipsec: Fix race in system tests

[Flavio Leitner]

On Tue, Apr 13, 2021 at 01:06:40PM -0400, Mark Gray wrote:
> This patch fixes an issue where, depending on timing fluctuations,
> each node has not fully loaded all connections before the other
> node begins to establish a connection. In this failure case, the
> "ovs-monitor-ipsec" instance on the "left" node may `ipsec auto --start`
> a connection which then gets rejected by the "right" side. Almost,
> simulaneously, the "right" side may initiate a connection that gets
> rejected by the "left" side. This can happen as, for all tunnels except
> for GRE, each node has two connections (an "in" connection and an "out"
> connection) that get added one after the other. If the "in" connection
> "starts" on both sides, the "out" connection from the other node
> may not be available causing the connection to fail. At this point,
> "Libreswan" will wait to retry the connection. In the interim, the
> OVS system test times out. This race manifests itself more frequently
> in a virtualized environment.
> 
> This patch resolves this issue by waiting for the "left" node to load
> all connections before starting the "right" side. This will cause
> the "left" side to fail to establish a connection with the "right"
> side (as the "right" side connections have not been loaded) but will
> cause the "right" side to succeed to establish a connection as all
> connections will have been loaded on the "left" side.
> 
> Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2021-April/381857.html
> Fixes: 8fc62df8b135 ("ipsec: Introduce IPsec system tests for Libreswan.")
> Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
> ---

Thanks for following up with a testsuite fix.

The patch survived a loop testing (-k ipsec) 500 times.

Tested-by: Flavio Leitner <fbl at sysclose.org>
Acked-by: Flavio Leitner <fbl at sysclose.org>

fbl