Merge into ubuntu/devel : lp2119652 : lp:~enr0n/ubuntu/+source/strongswan : Git : Code : strongswan package : Ubuntu

Status:

Merged

Merge reported by:

Nick Rosbrook

Merged at revision:

bf44a65cb73f29cb0cdc2344372acc86444abe1a

Proposed branch:

~enr0n/ubuntu/+source/strongswan:lp2119652

Merge into:

ubuntu/+source/strongswan:ubuntu/devel

Diff against target:

46 lines (+20/-0)

2 files modified

debian/changelog (+6/-0)
debian/tests/host-to-host (+14/-0)

High

Won't Fix

Link a bug report

Reviewer	Review Type	Date Requested	Status
Lukas Märdian (community)		2025-08-19	Approve on 2025-08-19
Review via email: mp+491048@code.launchpad.net

Description of the change

Workaround for LP: #2119652

Revision history for this message

Nick Rosbrook (enr0n) wrote on 2025-08-19:

#

I have tested this in a local autopkgtest setup, but have not taken the full PPA build/test trip.

Revision history for this message

Lukas Märdian (slyon) wrote on 2025-08-19:

#

Download full text (8.7 KiB)

Thanks a lot Nick!

This LGTM and is passing dep8 tests locally:

$ autopkgtest -U -B . --test-name=host-to-host --apt-pocket=proposed=src:systemd -- qemu -- /data/autopkgtest-questing-amd64.img
[...]
autopkgtest [16:34:38]: test host-to-host: [-----------------------
2025-08-19T16:34:45+02:00 INFO Waiting for automatic snapd restart...
lxd (5.21/stable) 5.21.3-c5ae129 from Canonical** installed
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
Creating a CA

Generating private key for CA
Generating self-signed certificate for CA
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
Here is the CA cert:
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
  subject: "C=CH, O=strongSwan, CN=strongSwan Root CA"
  issuer: "C=CH, O=strongSwan, CN=strongSwan Root CA"
  validity: not before Aug 19 16:35:16 2025, ok
             not after Aug 29 16:35:16 2025, ok (expires in 9 days)
  serial: 50:02:06:3e:88:28:5a:04
  flags: CA CRLSign self-signed
  subjkeyId: ce:ec:18:8c:49:87:5d:c7:c5:5d:ef:c6:51:89:2e:52:f2:2b:97:2a
  pubkey: ED25519 256 bits
  keyid: 05:f6:19:40:f0:21:a5:11:e7:d9:f9:ce:05:28:42:9e:2f:29:43:e6
  subjkey: ce:ec:18:8c:49:87:5d:c7:c5:5d:ef:c6:51:89:2e:52:f2:2b:97:2a
Generating key and certificate for peer moon
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
Generating key and certificate for peer sun
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
Setting up host LXD
qemu-system-x86_64: Slirp: external icmpv6 not supported yet
To start your first container, try: lxc launch ubuntu:24.04
Or for a virtual machine: lxc launch ubuntu:24.04 --vm

Creating host containers
Launching container moon with release questing
Waiting for container moon to be ready .....Connection to 10.73.22.38 22 port [tcp/ssh] succeeded!

Copying ...

Thanks a lot Nick!

This LGTM and is passing dep8 tests locally:

$ autopkgtest -U -B . --test-name=host-to-host --apt-pocket=proposed=src:systemd -- qemu -- /data/autopkgtest-questing-amd64.img
[...]
autopkgtest [16:34:38]: test host-to-host: [-----------------------
2025-08-19T16:34:45+02:00 INFO Waiting for automatic snapd restart...
lxd (5.21/stable) 5.21.3-c5ae129 from Canonical** installed
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
Creating a CA

Generating private key for CA
Generating self-signed certificate for CA
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
Here is the CA cert:
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
  subject:  "C=CH, O=strongSwan, CN=strongSwan Root CA"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
  validity:  not before Aug 19 16:35:16 2025, ok
             not after  Aug 29 16:35:16 2025, ok (expires in 9 days)
  serial:    50:02:06:3e:88:28:5a:04
  flags:     CA CRLSign self-signed 
  subjkeyId: ce:ec:18:8c:49:87:5d:c7:c5:5d:ef:c6:51:89:2e:52:f2:2b:97:2a
  pubkey:    ED25519 256 bits
  keyid:     05:f6:19:40:f0:21:a5:11:e7:d9:f9:ce:05:28:42:9e:2f:29:43:e6
  subjkey:   ce:ec:18:8c:49:87:5d:c7:c5:5d:ef:c6:51:89:2e:52:f2:2b:97:2a
Generating key and certificate for peer moon
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
Generating key and certificate for peer sun
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
plugin 'aesni': failed to load - aesni_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
Setting up host LXD
qemu-system-x86_64: Slirp: external icmpv6 not supported yet
To start your first container, try: lxc launch ubuntu:24.04
Or for a virtual machine: lxc launch ubuntu:24.04 --vm

Creating host containers
Launching container moon with release questing
Waiting for container moon to be ready .....Connection to 10.73.22.38 22 port [tcp/ssh] succeeded!

Copying over /etc/apt to container moon
Installing deps in container moon (strongswan-swanctl strongswan-pki libstrongswan-extra-plugins charon-systemd lsb-release libtss2-tcti-tabrmd0 bind9-dnsutils)
Done for container moon
Launching container sun with release questing
Waiting for container sun to be ready ......Connection to 10.73.22.50 22 port [tcp/ssh] succeeded!

Copying over /etc/apt to container sun
Installing deps in container sun (strongswan-swanctl strongswan-pki libstrongswan-extra-plugins charon-systemd lsb-release libtss2-tcti-tabrmd0 bind9-dnsutils)
Done for container sun
Copy certificates to containers
Copying /tmp/tmp.wjHeRfiOeh/strongswanCert.pem to container moon
Pushing /var/lib/snapd/hostfs/tmp/tmp.wjHeRfiOeh/strongswanCert.pem to /etc/swanctl/x509ca/strongswanCert.pem: 100% (1.                                                                                                                       Copying moon cert and key
Copying /tmp/tmp.wjHeRfiOeh/strongswanCert.pem to container sun                                                     
Pushing /var/lib/snapd/hostfs/tmp/tmp.wjHeRfiOeh/strongswanCert.pem to /etc/swanctl/x509ca/strongswanCert.pem: 100% (1.                                                                                                                       Copying sun cert and key
Configuring strongswan in containers                                                                              
Loading creds in container moon                                                                        
loaded certificate from '/etc/swanctl/x509/moonCert.pem'
loaded certificate from '/etc/swanctl/x509ca/strongswanCert.pem'
loaded ED25519 key from '/etc/swanctl/private/moonKey.pem'
Loading connections in container moon
loaded connection 'moon-sun'
successfully loaded 1 connections, 0 unloaded
Loading creds in container sun                                                                           
loaded certificate from '/etc/swanctl/x509/sunCert.pem'
loaded certificate from '/etc/swanctl/x509ca/strongswanCert.pem'
loaded ED25519 key from '/etc/swanctl/private/sunKey.pem'
Loading connections in container sun
loaded connection 'sun-moon'
successfully loaded 1 connections, 0 unloaded
Generating traffic from moon to sun
PING sun.lxd (10.73.22.50) 56(84) bytes of data.
64 bytes from sun.lxd (10.73.22.50): icmp_seq=1 ttl=64 time=0.067 ms
64 bytes from sun.lxd (10.73.22.50): icmp_seq=2 ttl=64 time=0.179 ms
64 bytes from sun.lxd (10.73.22.50): icmp_seq=3 ttl=64 time=0.171 ms
64 bytes from sun.lxd (10.73.22.50): icmp_seq=4 ttl=64 time=0.122 ms

--- sun.lxd ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3107ms
rtt min/avg/max/mdev = 0.067/0.134/0.179/0.044 ms

Generating traffic from sun to moon
PING moon.lxd (10.73.22.38) 56(84) bytes of data.
64 bytes from moon.lxd (10.73.22.38): icmp_seq=1 ttl=64 time=0.051 ms
64 bytes from moon.lxd (10.73.22.38): icmp_seq=2 ttl=64 time=0.180 ms
64 bytes from moon.lxd (10.73.22.38): icmp_seq=3 ttl=64 time=0.171 ms
64 bytes from moon.lxd (10.73.22.38): icmp_seq=4 ttl=64 time=0.163 ms

--- moon.lxd ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3107ms
rtt min/avg/max/mdev = 0.051/0.141/0.180/0.052 ms

This is the moon SA:
moon-sun: #1, ESTABLISHED, IKEv2, 63419ee13e63a366_i* 2e052d3b32e35e55_r
  local  'C=CH, O=strongswan, CN=moon.strongswan.org' @ 10.73.22.38[4500]
  remote 'C=CH, O=strongswan, CN=sun.strongswan.org' @ 10.73.22.50[4500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 12s ago, rekeying in 13788s
  moon-sun: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
    installed 12s ago, rekeying in 3314s, expires in 3948s
    in  cc094b8d,    924 bytes,    11 packets,     0s ago
    out c6e5e50b,    924 bytes,    11 packets,     0s ago
    local  10.73.22.38/32
    remote 10.73.22.50/32

Checking SA for:
  established SA: OK
  local DN matches CN=moon.strongswan.org: OK
  remote DN matches CN=sun.strongswan.org: OK
  local IP matches local peer: OK
  remote IP matches remote peer: OK

This is the sun SA:
sun-moon: #1, ESTABLISHED, IKEv2, 63419ee13e63a366_i 2e052d3b32e35e55_r*
  local  'C=CH, O=strongswan, CN=sun.strongswan.org' @ 10.73.22.50[4500]
  remote 'C=CH, O=strongswan, CN=moon.strongswan.org' @ 10.73.22.38[4500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 12s ago, rekeying in 14040s
  sun-moon: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
    installed 12s ago, rekeying in 3550s, expires in 3948s
    in  c6e5e50b,    924 bytes,    11 packets,     0s ago
    out cc094b8d,    924 bytes,    11 packets,     0s ago
    local  10.73.22.50/32
    remote 10.73.22.38/32

Checking SA for:
  established SA: OK
  local DN matches CN=sun.strongswan.org: OK
  remote DN matches CN=moon.strongswan.org: OK
  local IP matches local peer: OK
  remote IP matches remote peer: OK

This is the moon policy:
moon-sun/moon-sun, TUNNEL
  local:  10.73.22.38/32
  remote: 10.73.22.50/32

Checking policy for:
  we have a tunnel: OK
  tunnel matches local-remote: OK
  local IP matches local peer: OK
  remote IP matches remote peer: OK

This is the sun policy:
sun-moon/sun-moon, TUNNEL
  local:  10.73.22.50/32
  remote: 10.73.22.38/32

Checking policy for:
  we have a tunnel: OK
  tunnel matches local-remote: OK
  local IP matches local peer: OK
  remote IP matches remote peer: OK

autopkgtest [16:39:42]: test host-to-host: -----------------------]
autopkgtest [16:39:43]: test host-to-host:  - - - - - - - - - - results - - - - - - - - - -
host-to-host         PASS
autopkgtest [16:39:44]: @@@@@@@@@@@@@@@@@@@@ summary
host-to-host         PASS

review: Approve

Revision history for this message

Nick Rosbrook (enr0n) wrote on 2025-08-19:

#

Thanks for reviewing this! I have uploaded it.

 diff --git a/debian/changelog b/debian/changelog
 index 8eea4cf..59c83bf 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,9 @@
++strongswan (6.0.1-6ubuntu3) questing; urgency=medium
++
++  * d/t/host-to-host: disable DNSSEC in container during test (LP: #2119652)
++
++ -- Nick Rosbrook <enr0n@ubuntu.com>  Tue, 19 Aug 2025 10:26:51 -0400
++
  strongswan (6.0.1-6ubuntu2) questing; urgency=medium
    * Cherry-pick upstream commits to fix FTBFS with GCC-15 C23.
 diff --git a/debian/tests/host-to-host b/debian/tests/host-to-host
 index 3a76da0..dcb502b 100755
 --- a/debian/tests/host-to-host
 +++ b/debian/tests/host-to-host
@@ -230,6 +230,7 @@ _setup_lxd() {
  _setup_host_containers() {
      local release
      local ip
++    local iface
      local -i result=0
      local -a deps
@@ -242,6 +243,19 @@ _setup_host_containers() {
          echo -en "Waiting for container ${container} to be ready "
          wait_container_ready "${container}"
++
++        # With DNSSEC=allow-downgrade enabled by default in systemd-resolved,
++        # name resolution on the lxd domain fails because the resolver on
++        # lxdbr0 is not configured for DNSSEC. As a workaround, disable DNSSEC
++        # on the container's interfaces during the test (LP: #2119652).
++        iface=$(lxc list --columns=4 --format=csv "${container}" | awk -F'[()]' '{print $2}')
++        output=$(lxc exec "${container}" resolvectl dnssec "${iface}" no ) || {
++            result=$?
++            echo "Failed to disable systemd-resolved DNSSEC on interface ${iface} in container ${container}"
++            echo "${output}"
++            return ${result}
++        }
++
          echo "Copying over /etc/apt to container ${container}"
          lxc exec "${container}" -- rm -rf /etc/apt
          lxc exec "${container}" -- mkdir -p /etc/apt

Ubuntu
strongswan package

Merge ~enr0n/ubuntu/+source/strongswan:lp2119652 into ubuntu/+source/strongswan:ubuntu/devel

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntustrongswan package

Merge ~enr0n/ubuntu/+source/strongswan:lp2119652 into ubuntu/+source/strongswan:ubuntu/devel

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
strongswan package