Support systemd socket activation for charon #2074

Open
paulmenzel opened this issue Jan 22, 2024 · 3 comments

@paulmenzel

Using Debian sid/unstable with strongswan-starter 5.9.13-2, the package ships a systemd service unit:

$ systemctl cat strongswan-starter.service
# /usr/lib/systemd/system/strongswan-starter.service
[Unit]
Description=strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
After=network-online.target

[Service]
ExecStart=/usr/sbin/ipsec start --nofork
ExecReload=/usr/sbin/ipsec reload
Restart=on-abnormal

[Install]
WantedBy=multi-user.target
$ journalctl -o short-precise -u strongswan-starter -b
[…]
Jan 21 09:14:08.388796 abreu systemd[1]: Started strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Jan 21 09:14:08.414845 abreu ipsec[1478]: Starting strongSwan 5.9.13 IPsec [starter]...
Jan 21 09:14:08.414881 abreu ipsec_starter[1478]: Starting strongSwan 5.9.13 IPsec [starter]...
Jan 21 09:14:08.421317 abreu charon[1485]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.13, Linux 6.7-amd64, x86_64)
Jan 21 09:14:08.435197 abreu charon[1485]: 00[LIB] providers loaded by OpenSSL: legacy default
Jan 21 09:14:08.441006 abreu charon[1485]: 00[CFG] install DNS servers in '/etc/resolv.conf'
Jan 21 09:14:08.502690 abreu charon[1485]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 21 09:14:08.503131 abreu charon[1485]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 21 09:14:08.503343 abreu charon[1485]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 21 09:14:08.503533 abreu charon[1485]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 21 09:14:08.503716 abreu charon[1485]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 21 09:14:08.503910 abreu charon[1485]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 21 09:14:08.504580 abreu charon[1485]: 00[CFG] expanding file expression '/etc/ipsec.d/ipsec.nm-l2tp.secrets' failed
Jan 21 09:14:08.504783 abreu charon[1485]: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf gmp agent xcbc hmac kdf gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jan 21 09:14:08.504875 abreu charon[1485]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jan 21 09:14:08.504908 abreu charon[1485]: 00[JOB] spawning 16 worker threads
Jan 21 09:14:08.516203 abreu ipsec[1478]: charon (1485) started after 100 ms
Jan 21 09:14:08.516210 abreu ipsec_starter[1478]: charon (1485) started after 100 ms
[…]
$ ps aux | grep charon
root       40608  0.0  0.0   6580  2944 ?        Ss   10:16   0:00 /usr/lib/ipsec/starter --daemon charon --nofork
root       40612  0.0  0.2 1195580 42108 ?       Ssl  10:16   0:00 /usr/lib/ipsec/charon

It would be nice if the daemon could be started via systemd socket activation.

PS: It looks like there was a discussion about this already ten years ago on the mailing list, in the thread "strongSwan, swanctl and systemd".
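For readers unfamiliar with what the request entails: under systemd socket activation the socket unit binds the ports itself and hands them to the service as file descriptors starting at 3, announcing them through the LISTEN_PID, LISTEN_FDS and LISTEN_FDNAMES environment variables. The following Python sketch is added here as an illustration and is not code from strongSwan, charon or this issue; it shows the daemon-side half of that protocol for a UDP listener such as an IKE daemon on 500/4500: checking LISTEN_PID so a stale environment inherited by a forked child is ignored, adopting the inherited descriptors, refusing anything that is not a datagram socket, and falling back to binding its own ports when not activated. The socket names "ike" and "ike-natt", the helper bound_udp_fd and the demo environment are constructed for the example.

```python
"""Daemon side of systemd socket activation (the sd_listen_fds() convention),
written as an illustration for a UDP daemon; not strongSwan code."""
import os
import socket
from typing import Dict, List, Tuple

# systemd passes activated sockets beginning at fd 3; fds 0-2 are stdio.
SD_LISTEN_FDS_START = 3


def listen_fds(env: Dict[str, str], own_pid: int) -> Dict[str, List[int]]:
    """Parse LISTEN_PID / LISTEN_FDS / LISTEN_FDNAMES and return {name: [fd, ...]}.

    LISTEN_PID must equal our own pid: an environment inherited from a parent
    (for example a starter process that forked us) must not make us treat an
    arbitrary open fd as a listening socket.
    """
    try:
        if int(env.get("LISTEN_PID", "")) != own_pid:
            return {}
        count = int(env.get("LISTEN_FDS", ""))
    except ValueError:
        return {}
    if count <= 0:
        return {}
    raw_names = env.get("LISTEN_FDNAMES", "")
    names = raw_names.split(":") if raw_names else []
    fds: Dict[str, List[int]] = {}
    for i in range(count):
        name = names[i] if i < len(names) else "unknown"
        fds.setdefault(name, []).append(SD_LISTEN_FDS_START + i)
    return fds


def adopt_datagram_sockets(fds_by_name: Dict[str, List[int]]) -> Dict[str, List[socket.socket]]:
    """Wrap inherited fds as socket objects, refusing anything that is not a
    datagram socket (a unit using ListenStream= would hand over a TCP listener)."""
    socks: Dict[str, List[socket.socket]] = {}
    for name, fds in fds_by_name.items():
        for fd in fds:
            s = socket.socket(fileno=fd)  # family and type are read back from the fd
            if s.type != socket.SOCK_DGRAM:
                s.close()
                raise RuntimeError(f"fd {fd} ({name}) is not a datagram socket")
            socks.setdefault(name, []).append(s)
    return socks


def bound_udp_fd(host: str = "127.0.0.1", port: int = 0) -> int:
    """Demo helper (constructed): bind a UDP socket the way ListenDatagram= would
    and return a duplicated fd that the caller now owns."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, port))
    fd = os.dup(s.fileno())
    s.close()
    return fd


def acquire_sockets(env: Dict[str, str], own_pid: int,
                    fallback: Tuple[Tuple[str, int], ...]) -> Tuple[str, Dict[str, List[socket.socket]]]:
    """Prefer sockets handed over by systemd; otherwise bind our own.
    Returns ("activated" | "self-bound", {name: [socket, ...]})."""
    activated = listen_fds(env, own_pid)
    if activated:
        return "activated", adopt_datagram_sockets(activated)
    own: Dict[str, List[socket.socket]] = {}
    for host, port in fallback:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((host, port))
        own.setdefault("self", []).append(s)
    return "self-bound", own


if __name__ == "__main__":
    # Constructed demo: pretend systemd passed us one pre-bound UDP socket as fd 3.
    fd = bound_udp_fd()
    if fd != SD_LISTEN_FDS_START:
        os.dup2(fd, SD_LISTEN_FDS_START)
        os.close(fd)
    demo_env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1", "LISTEN_FDNAMES": "ike"}
    kind, socks = acquire_sockets(demo_env, os.getpid(), (("127.0.0.1", 0),))
    for name, lst in socks.items():
        for s in lst:
            print(kind, name, s.getsockname())
```

The LISTEN_PID comparison is the check that matters most for a daemon like charon, which is normally launched by a starter process: without it, an environment left over from the parent would be misread as a socket hand-off.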

@yueguobin

I remember that in 2023 I still used systemctl start strongswan to start strongSwan. Later, I didn't notice when it was started with the OS upgrade, and it became systemctl start strongswan-starter.

@Thermi
Contributor

Thermi commented Jan 24, 2024

There's already systemd integration using charon-systemd. It doesn't use socket activation, but daemon status reporting. Isn't that enough?

@paulmenzel
Author

Thank you for your comment. Indeed I missed the Debian package charon-systemd, shipping:

$ systemctl cat strongswan
# /usr/lib/systemd/system/strongswan.service
[Unit]
Description=strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
After=network-online.target

[Service]
Type=notify
ExecStart=/usr/sbin/charon-systemd
ExecStartPost=/usr/sbin/swanctl --load-all --noprompt
ExecReload=/usr/sbin/swanctl --reload
ExecReload=/usr/sbin/swanctl --load-all --noprompt
Restart=on-abnormal

[Install]
WantedBy=multi-user.target
Alias=strongswan-swanctl.service

In Debian that seems to be installed next to strongswan-starter, which cannot be purged without removing all the other strongSwan packages.

It doesn't use socket activation, but daemon status reporting. Isn't that enough?

Both units have After=network-online.target, which is not optimal. Lennart’s article "systemd for Administrators, Part XX" goes into the advantages.
