systemd and "passive" security dependencies for services?

Christoph Anton Mitterer calestyo at scientia.net
Thu May 22 15:16:33 BST 2014


Hi Tollef,...

Let me see...

On Wed, 2014-05-21 at 16:35 +0200, Tollef Fog Heen wrote: 
> > By looking at that goal (which is a good goal of course) we "lose"
> > however that strict serialisation that we more or less had with
> > sysvinit.
> sysvinit isn't serialised today either.
Sure... I mean we have parallelism as well,... and I guess all that I'm
writing about is less about technical stuff (i.e. what would the
respective init dependency framework allow)... but rather about "how is
it done in practice with the respective scripts/units".

And there I've had the impression that things in sysvinit are set up
more serialised (i.e. that there are things like $network, which de
facto any service depends upon, when it does networking).


> > In sysvinit, each service simply depended e.g. on $network, when it did
> > networking... and by that one could already assure, that iptables rules
> > were in place,... even if the maintainer of the init-script forgot about
> > iptables.
> And with systemd you say After=network.target.
Well I read the documentation of it:
http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
systemd.special(7)

But...
- it doesn't seem to be really well defined what it does
- it's a passive unit, so AFAIU it's not to be pulled in by the services
consuming that functionality (i.e. the webserver) but rather by the provider?
- it's more about networking, less about netfilter,... so I think there
are services for which iptables need to be set up before they start
running, but where the interfaces, DNS, etc. don't need to work yet (or
at all, if there is just networking on the loopback)
- there seem to be only a few services that do networking which actually
somehow depend on it...

So I guess one thing must be guaranteed... if one uses e.g.
iptables-persistent to load the iptables rules,... then services that do
some networking must start after it,... and ONLY if iptables-persistent
was loaded successfully.

AFAIU systemd, then right now we have e.g.
network.target is before iptables-persistent...
But this doesn't guarantee at all that iptables-persistent is started,
does it?
Wouldn't one need some "Requires" for that?

I think best would be if there were some more such special targets like
network-security or so...
All services that do some networking should Require=/After= that... and
that target in place should pull in those of the installed services like
iptables-persistent...



Cheers,
Chris.
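As an added illustration (not from the mail above or from Debian's packaging), this is how the proposed "network-security" target could be wired up following systemd's passive-target convention: the netfilter provider hooks itself into the target, and consumers order themselves after it with Requires=/After=. network-security.target is the hypothetical name from the mail; the iptables-persistent.service and apache2.service unit names are assumptions.

```ini
# --- /etc/systemd/system/network-security.target (hypothetical unit) ---
# Passive target: nothing pulls it in on its own. The netfilter *provider*
# hooks itself in below; networking *consumers* order themselves after it.
[Unit]
Description=Netfilter rules loaded (hypothetical target)
Documentation=man:systemd.special(7)

# --- /etc/systemd/system/iptables-persistent.service.d/network-security.conf ---
# Drop-in for the provider (unit name assumed). Before= orders rule loading
# ahead of the target. RequiredBy= (rather than WantedBy=) makes the target
# depend on the provider, so a failed rule load fails the target too instead
# of the target being reached anyway.
[Unit]
Before=network-security.target

[Install]
RequiredBy=network-security.target

# --- /etc/systemd/system/apache2.service.d/network-security.conf ---
# Drop-in for a consumer that does networking (unit name assumed).
# Requires= only pulls the target in; After= is what delays the start and,
# combined with Requires=, keeps this service from starting when the
# target (and thus the rule loading) has failed. Both lines are needed.
[Unit]
Requires=network-security.target
After=network-security.target
```

After adding the drop-ins, `systemctl daemon-reload` and `systemctl enable iptables-persistent.service` install the RequiredBy= link, and `systemctl list-dependencies network-security.target` shows what the target pulls in.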