[Pkg-swan-devel] resolvconf update script failure leads to forgotten device

corey kasten coreykasten at gmail.com
Fri May 6 17:28:29 UTC 2016

Hi Tobias:

Thank you for your quick and thoughtful response!

On Fri, May 6, 2016 at 6:03 AM, Tobias Brunner <tobias at strongswan.org>

> Hi Corey,
> >         1. Call "resolvconf --disable-updates"
> >         2. Call resolvconf the way it is currently in
> >         invoke_resolvconf(). This has the effect of installing or
> >         deleting the interface without running the update script, and
> >         the exit code returned by "pclose()" will tell you whether the
> >         resolvconf install succeeded.
> >         3. Call "resolvconf --enable-updates" which will cause the
> >         postponed update scripts to be run, and the errors here can be
> >         ignored or logged with "DBG1()".
> >         4. Return the pclose() return value from ste
>
> Not sure if that's such a good idea.  Don't failed update scripts
> indicate a serious problem? Actually, resolvconf does not seem to do
> much besides some basic checks and writing the passed data to an
> interface file before running the update scripts, of which update.d/libc
> seems to do the main work of actually "installing" the DNS server by
> writing resolv.conf.

Good point. It's not wise to continue as if nothing has gone wrong,
when, as far as we know, it could be the "installing" done within
update.d/libc itself that went wrong, even though, in my case, that
part succeeded, while it was one of the sub-scripts under update-libc.d
which failed. So, it's better and simpler to always return failure.

Also, in order to enhance the debuggability for the case where update
scripts failed, I'd recommend trying to capture stderr of the resolvconf
calls, and sending it to the ike debug log. From my testing, I can see that
the 'run-parts' program (which is called by /sbin/resolvconf in order to run
the update scripts) does a good job of telling you which scripts exited
non-zero, and this would be useful to see in the log alongside the
"[IKE] adding DNS server failed" message, if possible.


> So perhaps we could just recursively call
> invoke_resolvconf(FALSE) if pclose() indicates the command failed.  That
> way the interface file is at least removed again.

This seems to be a very good solution. This would definitely fix my case,
where the "install" part in update.d/libc actually succeeded (and the part
that failed was one of the sub-scripts under update-libc.d), since the
follow-up, recursive invoke_resolvconf(FALSE) call would not only delete
the interface file, but also trigger a successful "uninstall" operation
by update.d/libc (even though my failing sub-script in update-libc.d would
still, thereafter, fail, but, if, as mentioned above, stderr is captured,
that would be easily debugged).

> Regards
> Tobias

Let me know if you need help with anything...
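
The approach discussed in this message (log the command's stderr, then delete the interface record again when pclose() reports failure), sketched as an added example; it is not strongSwan's code and not part of the original post. The names run_logged and install_dns are hypothetical, fprintf stands in for DBG1(), and the commands in main() are constructed stand-ins for the resolvconf calls.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

/* Run cmd via the shell with stderr merged into stdout, log each output line
 * (fprintf stands in for strongSwan's DBG1), and return the exit status, or
 * -1 if the command could not be run or was killed by a signal. */
static int run_logged(const char *cmd)
{
	char full[512], line[256];
	FILE *out;
	int status;

	if (snprintf(full, sizeof(full), "%s 2>&1", cmd) >= (int)sizeof(full))
		return -1;
	if (!(out = popen(full, "r")))
		return -1;
	while (fgets(line, sizeof(line), out)) {
		line[strcspn(line, "\n")] = '\0';
		fprintf(stderr, "resolvconf: %s\n", line);
	}
	status = pclose(out);
	if (status == -1 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

/* Hypothetical wrapper: add_cmd and del_cmd stand for the resolvconf calls
 * that add and delete the interface record. Returns 1 on success, else 0. */
static int install_dns(const char *add_cmd, const char *del_cmd)
{
	if (run_logged(add_cmd) == 0)
		return 1;
	/* The add or one of its update scripts failed: delete the record again
	 * so it is not left behind, and report failure regardless. */
	run_logged(del_cmd);
	return 0;
}

int main(void)
{
	/* Constructed stand-in commands; the "add" fails like a broken script. */
	int ok = install_dns("sh -c 'echo hook exited 1 >&2; exit 1'", "true");
	printf("install %s\n", ok ? "succeeded" : "failed");
	return 0;
}
```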
