Bug#864341: systemd-sysctl: failed to apply sysctl config at bootup

Arturo Borrero Gonzalez aborrero at cica.es
Wed Jun 7 12:13:12 BST 2017


On 07/06/17 12:57, Michael Biebl wrote:
> How do you load the conntrack kernel module?
> Moritz brought this up on IRC already and from what we could conclude
> this is an ordering issue / race between the kernel module being loaded
> and the sysfs entries being available and the sysctl settings being applied.
>
> Moritz, did your investigations find something?
>
> Afair you might have to apply the settings via a udev rule.
> I don't think there is anything we can do about that in
> systemd-sysctl.service.

Thanks for your quick reply.

This machine works as a firewall, so I think the modules are loaded by
nftables when the ruleset is loaded at boot time, before network
interfaces start coming up:

[...]
[lun jun  5 14:06:47 2017] Netfilter messages via NETLINK v0.30.
[lun jun  5 14:06:47 2017] nf_tables: (c) 2007-2009 Patrick McHardy <kaber at trash.net>
[lun jun  5 14:06:47 2017] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[lun jun  5 14:06:47 2017] IPv6: ADDRCONF(NETDEV_UP): eth3: link is not ready
[lun jun  5 14:06:47 2017] e1000: eth3 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
[lun jun  5 14:06:47 2017] IPv6: ADDRCONF(NETDEV_CHANGE): eth3: link becomes ready
[lun jun  5 14:06:47 2017] Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
[lun jun  5 14:06:47 2017] bond0: Setting xmit hash policy to layer3+4 (1)
[lun jun  5 14:06:47 2017] bond0: Setting MII monitoring interval to 100
[...]

What you said makes sense. How would you order sysctl/nftables/network
services to prevent this issue?
A quick and dirty workaround is to call sysctl in the nftables.service
file after loading the ruleset,
but I'm looking for something more robust/elegant.

What about running systemd-sysctl last in the boot order chain?

-- 
Arturo Borrero Gonzalez
Departamento de Seguridad Informatica (nis at cica.es)
Centro Informatico Científico de Andalucia (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 130 384
Consejería de Economia y Conocimiento
Junta de Andalucia
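
A post-boot check for the failure discussed in this thread, added here as an example and not part of the original message: it compares a sysctl.d-style file against /proc/sys and flags keys that are missing (module not loaded when the setting was written) or hold a different value. The function names, sample keys and values are constructed for illustration.

```shell
#!/bin/sh
# check_sysctl CONF [ROOT]: print OK/MISMATCH/MISSING per key, return 1 on any problem.
check_sysctl() {
    conf=$1
    root=${2:-/proc/sys}   # overridable so the check can run against a test tree
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace; skip blanks, comments (# or ;) and non-assignments.
        line=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in ''|'#'*|';'*) continue ;; esac
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s\n' "${line%%=*}" | sed 's/[[:space:]]*$//')
        want=$(printf '%s\n' "${line#*=}" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')
        key=${key#-}       # sysctl.d: a leading "-" means "ignore write errors"
        # Simplification: dotted keys only; interface names containing "." are not handled.
        path=$root/$(printf '%s\n' "$key" | tr . /)
        if [ ! -e "$path" ]; then
            # The race in this thread: the entry did not exist when sysctl ran.
            echo "MISSING $key"; rc=1; continue
        fi
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/^ //; s/ $//')
        if [ "$have" = "$want" ]; then
            echo "OK $key"
        else
            echo "MISMATCH $key want=$want have=$have"; rc=1
        fi
    done < "$conf"
    return $rc
}

# Demo on a constructed tree: nf_conntrack_max exists, nf_conntrack_tcp_loose
# does not (as if nf_conntrack were not yet loaded). Sample values are constructed.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/sys/net/netfilter"
    echo 131072 > "$t/sys/net/netfilter/nf_conntrack_max"
    printf '%s\n' '# constructed sample' \
        'net.netfilter.nf_conntrack_max = 131072' \
        'net.netfilter.nf_conntrack_tcp_loose = 0' > "$t/fw.conf"
    status=0
    check_sysctl "$t/fw.conf" "$t/sys" || status=$?
    rm -rf "$t"
    return $status
}

demo || echo "some configured settings are not live"
```

On a real host, call check_sysctl with one configuration file as its only argument so that it reads the live /proc/sys.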



More information about the Pkg-systemd-maintainers mailing list