[Pkg-systemd-maintainers] Bug#734951: systemd: somehow starts LSB stuff in the wrong order
Uoti Urpala
uoti.urpala at pp1.inet.fi
Tue Jan 14 20:19:58 GMT 2014
Christoph Anton Mitterer wrote:
> I tried it with log level debug now...
>
> As you can see from there... systemd actually schedules
> iptables-persistent first... but it seems that this gets only executed
> much later (i.e. after fail2ban).
I think the log shows your conclusions were (and are) wrong: this is not
about ordering.
> Jan 14 17:42:53 heisenberg systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.StopUnit() on /org/freedesktop/systemd1
> Jan 14 17:42:53 heisenberg systemd[1]: Trying to enqueue job fail2ban.service/stop/replace
> Jan 14 17:42:53 heisenberg systemd[1]: Job fail2ban.service/start finished, result=canceled
Something on your system is explicitly stopping fail2ban, by calling
"systemctl stop fail2ban.service" or something which maps to that such
as invoke-rc.d. Under sysvinit stopping the service before it has
actually been started would have no noticeable effect, but under systemd
it cancels the queued start action.
If you don't remember adding such a script yourself, you could grep for
fail2ban under /etc or add a long sleep and log output to fail2ban init
script (which should show the issue under sysvinit too).
BTW there's still the ordering cycle caused by broken setserial.
> What I really fear are systems that heavily depend for their security on
> some service being _fully_ started _before_ some others are run.
In general, if you want to make sure that a service cannot start unless
another has been successfully started, add the "Requires" or "Requisite"
field to the unit.
> How can we make sure that these things continue to work safely?
> And I mean this very bug shows, that they don't... fail2ban may not be
> strictly required for other services to work... but potentially even the
IMO this is based on wrong assumptions. Nothing needs to be done for
things to continue working at least as safely as they did under sysvinit
(which was not particularly safe); switching to systemd makes things
safer overall. A service such as fail2ban could fail to start under
sysvinit too, and under sysvinit it would be much harder to express that
you don't want certain other services to start in that case.
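As an added illustration of the Requires/Requisite advice above (this is not from the bug report or from the Debian packages; the unit name iptables-persistent.service for the LSB-generated unit is an assumption), a drop-in that makes fail2ban refuse to start unless the firewall rules unit started successfully:

```ini
# /etc/systemd/system/fail2ban.service.d/firewall-first.conf
# Added example drop-in; the unit name iptables-persistent.service is assumed.
[Unit]
# Requires= pulls iptables-persistent.service in and, if that unit fails to
# start, fail2ban's own start job fails instead of running unprotected.
# Requisite= is the stricter variant: it does not start the dependency at all
# and fails fail2ban if the dependency is not already active.
Requires=iptables-persistent.service
# Requires= alone says nothing about ordering: both units could start in
# parallel. After= is what delays fail2ban until the firewall unit has
# finished starting, which is the "fully started before" guarantee asked for.
After=iptables-persistent.service
```

After `systemctl daemon-reload`, `systemctl show -p Requires -p After fail2ban.service` shows whether the drop-in was picked up.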