Bug#867762: socket activated ssh leaves failed units behind

Marc Haber mh+debian-packages at zugschlus.de
Sun Jul 9 10:23:54 BST 2017


Package: systemd
Version: 232-25
Severity: normal

Hi,

I am using socket activated ssh since this (a) hopefully reduces the
possibility of not being able to log in in case of a daemon failure, and
socket activation does cleanly shut down the ssh daemon on system
shutdown, which ssh running as a daemon no longer does on a systemd
system, which makes the ssh client hang around until the system is back
or the session times out client-side.

However, I have found out that socket activated ssh leaves failed
daemons around:

1 [9/1696]mh@gancho:~ $ systemctl cat ssh.socket
# /lib/systemd/system/ssh.socket
[Unit]
Description=OpenBSD Secure Shell server socket
Before=ssh.service
Conflicts=ssh.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Socket]
ListenStream=22
Accept=yes

[Install]
WantedBy=sockets.target
[10/1697]mh@gancho:~ $ systemctl cat ssh@.service
# /lib/systemd/system/ssh@.service
[Unit]
Description=OpenBSD Secure Shell server per-connection daemon
After=auditd.service

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS
StandardInput=socket
[11/1698]mh@gancho:~ $ systemctl --failed
  UNIT                                                  LOAD   ACTIVE SUB    DESCRIPTION
● ssh@11079-176.9.130.66:22-222.186.31.124:4600.service loaded failed failed OpenBSD Secure Shell server per-connection daemon
● ssh@11080-176.9.130.66:22-222.186.31.124:3592.service loaded failed failed OpenBSD Secure Shell server per-connection daemon
● ssh@11081-176.9.130.66:22-222.186.31.124:1146.service loaded failed failed OpenBSD Secure Shell server per-connection daemon (222.186.31.124:1146)
● ssh@11084-176.9.130.66:22-222.186.31.124:4497.service loaded failed failed OpenBSD Secure Shell server per-connection daemon
● ssh@8099-176.9.130.66:22-221.229.166.74:3712.service  loaded failed failed OpenBSD Secure Shell server per-connection daemon (221.229.166.74:3712)
● ssh@8102-176.9.130.66:22-221.229.166.74:2037.service  loaded failed failed OpenBSD Secure Shell server per-connection daemon (221.229.166.74:2037)

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

6 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[12/1699]mh@gancho:~ $ systemctl status ssh@11079-176.9.130.66:22-222.186.31.124:4600.service
● ssh@11079-176.9.130.66:22-222.186.31.124:4600.service - OpenBSD Secure Shell server per-connection daemon
   Loaded: loaded (/lib/systemd/system/ssh@.service; static; vendor preset: enabled)
   Active: failed (Result: resources)

Jul 08 07:30:53 gancho systemd[1]: ssh@11079-176.9.130.66:22-222.186.31.124:4600.service: Failed to run 'start' task: Transport endpoint is not connected
Jul 08 07:30:53 gancho systemd[1]: Failed to start OpenBSD Secure Shell server per-connection daemon.
Jul 08 07:30:53 gancho systemd[1]: ssh@11079-176.9.130.66:22-222.186.31.124:4600.service: Unit entered failed state.
Jul 08 07:30:53 gancho systemd[1]: ssh@11079-176.9.130.66:22-222.186.31.124:4600.service: Failed with result 'resources'.
3 [13/1700]mh@gancho:~ $

Please note that those failed ssh instances are all automated zombies
scanning for ssh servers.

What do I do to have systemd properly clean up in this case?

Greetings
Marc


-- Package-specific info:

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.11.8-zgsrv20080 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  adduser         3.115
ii  libacl1         2.2.52-3+b1
ii  libapparmor1    2.11.0-3
ii  libaudit1       1:2.6.7-2
ii  libblkid1       2.29.2-1
ii  libc6           2.24-11+deb9u1
ii  libcap2         1:2.25-1
ii  libcryptsetup4  2:1.7.3-4
ii  libgcrypt20     1.7.6-2+deb9u1
ii  libgpg-error0   1.26-2
ii  libidn11        1.33-1
ii  libip4tc0       1.6.0+snapshot20161117-6
ii  libkmod2        23-2
ii  liblz4-1        0.0~r131-2+b1
ii  liblzma5        5.2.2-1.2+b1
ii  libmount1       2.29.2-1
ii  libpam0g        1.1.8-3.6
ii  libseccomp2     2.3.1-2.1
ii  libselinux1     2.6-3+b1
ii  libsystemd0     232-25
ii  mount           2.29.2-1
ii  procps          2:3.3.12-3
ii  util-linux      2.29.2-1

Versions of packages systemd recommends:
ii  dbus            1.10.18-1
ii  libpam-systemd  232-25

Versions of packages systemd suggests:
ii  policykit-1        0.105-18
pn  systemd-container  <none>
pn  systemd-ui         <none>

Versions of packages systemd is related to:
pn  dracut           <none>
ii  initramfs-tools  0.130
ii  udev             232-25

-- no debconf information
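
As an added example (not part of the original report, nor code from the systemd or openssh packages), the failed per-connection units in the listing can be grouped by remote peer to confirm that they all come from a few scanning hosts before the entries are cleared. The helper names are hypothetical; the sample lines are copied from the listing, with unit names written as systemd prints them (`ssh@...`).

```shell
#!/bin/sh
# Added example: group failed per-connection sshd units by remote peer.
# With Accept=yes, systemd names each instance
#   ssh@<counter>-<local addr>:<port>-<peer addr>:<port>.service

# Sample input: the six unit lines from the `systemctl --failed` listing.
sample_failed() {
cat <<'EOF'
● ssh@11079-176.9.130.66:22-222.186.31.124:4600.service loaded failed failed OpenBSD Secure Shell server per-connection daemon
● ssh@11080-176.9.130.66:22-222.186.31.124:3592.service loaded failed failed OpenBSD Secure Shell server per-connection daemon
● ssh@11081-176.9.130.66:22-222.186.31.124:1146.service loaded failed failed OpenBSD Secure Shell server per-connection daemon (222.186.31.124:1146)
● ssh@11084-176.9.130.66:22-222.186.31.124:4497.service loaded failed failed OpenBSD Secure Shell server per-connection daemon
● ssh@8099-176.9.130.66:22-221.229.166.74:3712.service  loaded failed failed OpenBSD Secure Shell server per-connection daemon (221.229.166.74:3712)
● ssh@8102-176.9.130.66:22-221.229.166.74:2037.service  loaded failed failed OpenBSD Secure Shell server per-connection daemon (221.229.166.74:2037)
EOF
}

# Hypothetical helper: reads `systemctl --failed` style lines on stdin and
# prints "<count> <peer address>" per peer, busiest peer first.
failed_ssh_peers() {
    awk '
    {
        unit = ""
        # Find the unit name; the leading bullet is a separate field.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^ssh@.+\.service$/) { unit = $i; break }
        if (unit == "") next
        sub(/^ssh@/, "", unit); sub(/\.service$/, "", unit)
        # Expect three parts: counter, local endpoint, peer endpoint.
        if (split(unit, part, "-") != 3) next
        peer = part[3]
        sub(/:[0-9]+$/, "", peer)        # drop the source port
        count[peer]++
    }
    END { for (p in count) printf "%d %s\n", count[p], p }
    ' | sort -k1,1nr -k2,2
}

sample_failed | failed_ssh_peers
# After review, `systemctl reset-failed "ssh@*.service"` clears these entries.
```

On a live system the helper would be fed with `systemctl --failed --no-legend | failed_ssh_peers`.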