Fix StrongSwan CRL handler properly without ignoring errors

Instead of ignoring errors (anti-pattern), this fix properly handles the race
condition when StrongSwan restarts:

1. After restarting StrongSwan, wait for port 500 (IKE) to be listening
   - This ensures the daemon is fully ready before proceeding
   - Waits up to 30 seconds with proper timeout handling

2. When reloading CRLs, use Ansible's retry mechanism
   - Retries up to 3 times with 2-second delays
   - Handles transient failures during startup

3. Separated rereadcrls and purgecrls into distinct tasks
   - Better error reporting and debugging
   - Cleaner task organization

This approach ensures the installation works reliably on fresh installs
without hiding potential real errors.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Dan Guido 2025-08-06 21:28:52 -07:00
parent 4be204f1d5
commit bb9a9aab59


@ -1,6 +1,16 @@
--- ---
- name: restart strongswan - name: restart strongswan
service: name={{ strongswan_service }} state=restarted block:
- name: restart strongswan service
service: name={{ strongswan_service }} state=restarted
- name: wait for strongswan to be ready
wait_for:
port: 500
host: 127.0.0.1
delay: 2
timeout: 30
state: started
- name: daemon-reload - name: daemon-reload
systemd: daemon_reload=true systemd: daemon_reload=true
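Review bot: The readiness check in "wait for strongswan to be ready" polls `port: 500` with `wait_for`, but `wait_for` tests a port by opening a TCP connection, and IKE listens on UDP 500; a UDP-only listener never satisfies that probe, so the task will sit until `timeout: 30` and then fail (or pass only because something unrelated answers on TCP 500). A readiness signal the daemon actually exposes is safer: a `command` task running a status query (the old handler used `ipsec statusall`) with `register`/`retries`/`delay`/`until: ... rc == 0`, the same pattern the CRL task in the next hunk adopts. The unconditional `delay: 2` also adds a fixed two-second sleep to every restart; with a genuine readiness probe it can go.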
@ -9,14 +19,13 @@
service: name=apparmor state=restarted service: name=apparmor state=restarted
- name: rereadcrls - name: rereadcrls
shell: | block:
# Wait for ipsec daemon to be ready (up to 10 seconds) - name: reload certificate revocation lists
for i in $(seq 1 10); do command: ipsec rereadcrls
if ipsec statusall >/dev/null 2>&1; then register: rereadcrls_result
ipsec rereadcrls && ipsec purgecrls retries: 3
exit 0 delay: 2
fi until: rereadcrls_result.rc == 0
sleep 1
done - name: purge old certificate revocation lists
# If daemon still not ready, try anyway but don't fail the playbook command: ipsec purgecrls
ipsec rereadcrls; ipsec purgecrls || true
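Review bot: Only the first task in the new `rereadcrls` block gets `register`/`retries: 3`/`delay: 2`/`until: rereadcrls_result.rc == 0`; "purge old certificate revocation lists" runs `command: ipsec purgecrls` with no retry, so the transient-startup failure the commit message describes will still abort the handler if it hits the second command rather than the first. Give `purgecrls` the same register/retries/delay/until treatment, or fold both calls into one retried task if they must run as a unit as the old shell did (`ipsec rereadcrls && ipsec purgecrls`). Worth documenting in the task name or a comment that nonzero exit codes are now fatal after the final retry, since that is the deliberate behaviour change from the old `|| true`.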