Re: [systemd-devel] Inhibit locks via unit file

2024-04-09 Thread Orion Poplawski
On 4/9/24 14:05, SCOTT FIELDS wrote:
> What are you trying to accomplish?
> 
> From within a service unit file, doesn't sound like you really mean an
> "inhibit lock" action

Currently I have:

# cat /etc/systemd/system/nwra-update.service
[Unit]
Description=NWRA Update
After=network-online.target

[Service]
Type=oneshot
Nice=19
IOSchedulingClass=2
IOSchedulingPriority=7
Environment="ABRT_IGNORE_PYTHON=1"
ExecStart=/bin/systemd-inhibit "--why=NWRA update in progress" --what=shutdown --mode=block /usr/local/sbin/nwra-update
ExecStartPost=/usr/local/sbin/needs-restart
ExecStartPost=/usr/local/sbin/reboot-if-needed

So was thinking that something like:

InhibitWhat=shutdown
InhibitWhy=NWRA update in progress
InhibitMode=block

to set the inhibit lock while the service was running might be useful.  Though
since I may want to reboot in the ExecStartPost perhaps that isn't what I want.



> ------
> *From:* systemd-devel on behalf of Orion Poplawski
> *Sent:* Tuesday, April 9, 2024 2:46 PM
> *To:* Systemd
> *Subject:* [EXTERNAL] [systemd-devel] Inhibit locks via unit file
> 
> Is there a way for a service unit to take out inhibit locks via settings in
> the unit file?  My searches are coming up empty...
> 
> Thanks.
> 

-- 
Orion Poplawski
he/him/his  - surely the least important thing about me
Manager of IT Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/



smime.p7s
Description: S/MIME Cryptographic Signature


[systemd-devel] Inhibit locks via unit file

2024-04-09 Thread Orion Poplawski
Is there a way for a service unit to take out inhibit locks via settings in
the unit file?  My searches are coming up empty...

Thanks.



Re: [systemd-devel] How to automatically decrypt a disk on connection

2024-03-28 Thread Orion Poplawski

On 3/28/24 01:30, Andrei Borzenkov wrote:
> On Wed, Mar 27, 2024 at 9:49 PM Orion Poplawski  wrote:
>>
>>> Use $kernel in rule and /dev/%I in service.
>>
>> Thank you, that works.  udev monitor -p doesn't show the value of KERNEL so I
>> didn't see that as an option.
>
> udev documentation lists $kernel when describing substitutions.

It does, but it's not clear to me what the value would be:

    The kernel name for this device.

I suppose "sda1" makes total sense, but perhaps some examples would be
helpful.

But yes, native support for systemd unit name escaping would be nice.



Re: [systemd-devel] How to automatically decrypt a disk on connection

2024-03-27 Thread Orion Poplawski
On 3/27/24 12:22, Andrei Borzenkov wrote:
> On 27.03.2024 20:56, Orion Poplawski wrote:
>> The only thing that's a bit funky with it is that it generates:
>>
>> Invalid unit name "clevis-luks-unlock@/dev/sda1.service" escaped as
>> "clevis-luks-unlock@-dev-sda1.service" (maybe you should use 
>> systemd-escape?).
>>
>> But I'm not sure how else to handle it.
>>
>> If I left it as ENV{SYSTEMD_WANTS}="clevis-luks-unlock@" I would get the
>> following instance:
>>
>> sys-devices-pci:00-:00:02.0-:05:00.0-:06:02.0-:08:00.0-usb9-9\x2d1-9\x2d1:1.0-host2-target2:0:0-2:0:0:0-block-sda-sda1
>>
>> which I can unescape with %f but not sure how to get that to the actual 
>> device
>> file.
>>
>> Any suggestions?
>>
>>
> 
> Use $kernel in rule and /dev/%I in service.

Thank you, that works.  udev monitor -p doesn't show the value of KERNEL so I
didn't see that as an option.



Re: [systemd-devel] How to automatically decrypt a disk on connection

2024-03-27 Thread Orion Poplawski
On 3/27/24 11:56, Orion Poplawski wrote:
> On 3/27/24 10:22, Mantas Mikulėnas wrote:
>>
>>
>> On Wed, Mar 27, 2024, 16:36 Orion Poplawski <or...@nwra.com> wrote:
>>
>>
>>
>> Can I setup a unit that gets started automatically when a particular
>> dev-disk-by-uuid device becomes present?
>>
>>
>> Just link it under dev-disk-foo.device.wants/ (systemctl enable, or systemctl
>> add-wants).
>>
>> Alternatively, ENV{SYSTEMD_WANTS}="foo.service" from udev will have the same
>> effect.
> 
> Thanks for pointing me to that.  This is what I've ended up with at the 
> moment:
> 
> ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_BUS}=="usb", ENV{ID_FS_TYPE}=="crypto_LUKS", ENV{SYSTEMD_WANTS}="clevis-luks-unlock@%E{DEVNAME}.service"
> 
> # cat clevis-luks-unlock@.service
> [Unit]
> Description=Clevis decrypt disk %I
> DefaultDependencies=no
> 
> [Service]
> Type=oneshot
> RemainAfterExit=yes
> ExecStart=/usr/bin/clevis luks unlock -d %I
> 
> 
> The only thing that's a bit funky with it is that it generates:
> 
> Invalid unit name "clevis-luks-unlock@/dev/sda1.service" escaped as
> "clevis-luks-unlock@-dev-sda1.service" (maybe you should use systemd-escape?).
> 
> But I'm not sure how else to handle it.
> 
> If I left it as ENV{SYSTEMD_WANTS}="clevis-luks-unlock@" I would get the
> following instance:
> 
> sys-devices-pci:00-:00:02.0-:05:00.0-:06:02.0-:08:00.0-usb9-9\x2d1-9\x2d1:1.0-host2-target2:0:0-2:0:0:0-block-sda-sda1
> 
> which I can unescape with %f but not sure how to get that to the actual device
> file.
> 
> Any suggestions?
>

I tried adding OPTIONS="string_escape=replace" but that gives me _dev_sda1
which %I and %f does not unescape to /dev/sda1.  There seems to be a couple of
inconsistencies with how udev and systemd escape things.



Re: [systemd-devel] How to automatically decrypt a disk on connection

2024-03-27 Thread Orion Poplawski
On 3/27/24 10:22, Mantas Mikulėnas wrote:
> 
> 
> On Wed, Mar 27, 2024, 16:36 Orion Poplawski <or...@nwra.com> wrote:
> 
> 
> 
> Can I setup a unit that gets started automatically when a particular
> dev-disk-by-uuid device becomes present?
> 
> 
> Just link it under dev-disk-foo.device.wants/ (systemctl enable, or systemctl
> add-wants).
> 
> Alternatively, ENV{SYSTEMD_WANTS}="foo.service" from udev will have the same
> effect.

Thanks for pointing me to that.  This is what I've ended up with at the moment:

ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_BUS}=="usb", ENV{ID_FS_TYPE}=="crypto_LUKS", ENV{SYSTEMD_WANTS}="clevis-luks-unlock@%E{DEVNAME}.service"

# cat clevis-luks-unlock@.service
[Unit]
Description=Clevis decrypt disk %I
DefaultDependencies=no

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/clevis luks unlock -d %I


The only thing that's a bit funky with it is that it generates:

Invalid unit name "clevis-luks-unlock@/dev/sda1.service" escaped as
"clevis-luks-unlock@-dev-sda1.service" (maybe you should use systemd-escape?).

But I'm not sure how else to handle it.

If I left it as ENV{SYSTEMD_WANTS}="clevis-luks-unlock@" I would get the
following instance:

sys-devices-pci:00-:00:02.0-:05:00.0-:06:02.0-:08:00.0-usb9-9\x2d1-9\x2d1:1.0-host2-target2:0:0-2:0:0:0-block-sda-sda1

which I can unescape with %f but not sure how to get that to the actual device
file.

Any suggestions?


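The three spellings of /dev/sda1 that come up in this thread (the mangled "-dev-sda1" instance, the "_dev_sda1" that string_escape=replace produced, and the "dev-sda1" that systemd-escape --path gives) can be compared offline with the following Python model of the escaping rules from systemd.unit(5), "String Escaping for Inclusion in Unit Names". It is an added example, not code from the thread or from systemd: the udev replace-mode character set is an assumption modelled on udev's device-node rules, and the rule that %f refuses a value that already starts with "/" is modelled on systemd's path unescaping.

```python
# Added example, not code from the thread: a Python model of the escaping
# rules systemd applies to unit instance names (systemd.unit(5)) plus udev's
# string_escape=replace, so the spellings of /dev/sda1 seen in the thread can
# be compared side by side. It reproduces the documented algorithm; it is not
# systemd's own code.

# Characters systemd keeps verbatim; '/' becomes '-', everything else
# (including '-' and '\') becomes a C-style \xNN escape of the byte.
_UNIT_KEEP = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789:_."
)
# Assumption: the set udev's replace mode keeps, modelled on udev's
# allow_listed_char_for_devnode(); anything else is turned into '_'.
_UDEV_KEEP = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#+-.:=@_"
)


def unit_name_escape(s: str) -> str:
    """Plain-string escape: what systemd-escape does without --path, and what
    systemd's mangling applied to the invalid SYSTEMD_WANTS value above."""
    out = []
    for i, b in enumerate(s.encode("utf-8")):
        ch = chr(b)
        if ch == "/":
            out.append("-")
        elif ch in _UNIT_KEEP and not (i == 0 and ch == "."):
            out.append(ch)  # a leading '.' is escaped, everything else kept
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def unit_name_path_escape(path: str) -> str:
    """--path mode: '/' itself is '-'; otherwise leading, trailing and
    duplicate slashes are dropped before escaping."""
    parts = [p for p in path.split("/") if p]
    return unit_name_escape("/".join(parts)) if parts else "-"


def unit_name_unescape(s: str) -> str:
    """%I: '-' back to '/', \\xNN back to the byte, everything else verbatim."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "-":
            out += b"/"
            i += 1
        elif s[i] == "\\":
            hexpair = s[i + 2:i + 4]
            if s[i + 1:i + 2] != "x" or len(hexpair) != 2:
                raise ValueError("bad escape sequence at offset %d in %r" % (i, s))
            out.append(int(hexpair, 16))
            i += 4
        else:
            out += s[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def unit_name_path_unescape(s: str) -> str:
    """%f: the unescaped instance with '/' prepended ('-' alone is '/').
    Modelled on systemd, which rejects a value that already starts or ends
    with '/'; that is why %f is unusable on the mangled '-dev-sda1'."""
    if s == "-":
        return "/"
    w = unit_name_unescape(s)
    if not w or w.startswith("/") or w.endswith("/"):
        raise ValueError("%r does not unescape to a relative path" % s)
    return "/" + w


def udev_replace_chars(s: str) -> str:
    """What OPTIONS+="string_escape=replace" did to /dev/sda1 in the thread."""
    return "".join(ch if ch in _UDEV_KEEP else "_" for ch in s)


def specifiers(instance: str) -> dict:
    """%i, %I and %f as a template unit instantiated with `instance` sees them;
    %f is None where systemd would refuse to expand it."""
    try:
        f = unit_name_path_unescape(instance)
    except ValueError:
        f = None
    return {"%i": instance, "%I": unit_name_unescape(instance), "%f": f}


if __name__ == "__main__":
    dev = "/dev/sda1"
    cases = {
        "SYSTEMD_WANTS value mangled by systemd": unit_name_escape(dev),
        "udev string_escape=replace": udev_replace_chars(dev),
        "systemd-escape --path": unit_name_path_escape(dev),
        "$kernel": "sda1",
    }
    for how, inst in cases.items():
        print("%-38s instance=%-10s %s" % (how, inst, specifiers(inst)))
```

Running it prints, for each instance spelling, what %i, %I and %f expand to: the mangled "-dev-sda1" gives %I=/dev/sda1 (which is what the clevis-luks-unlock@.service above relies on) but no usable %f; "_dev_sda1" survives %I unchanged and gives %f=/_dev_sda1; the --path form "dev-sda1" is the one where %f comes back as /dev/sda1; and the $kernel form "sda1" needs /dev/%I. The same plain-string escaping is what the cryptsetup-trigger script further down does by hand when it rewrites "-" in a UUID as "\x2d".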


Re: [systemd-devel] How to automatically decrypt a disk on connection

2024-03-27 Thread Orion Poplawski

On 3/27/24 07:29, Andrei Borzenkov wrote:
> On Wed, Mar 27, 2024 at 12:35 AM Orion Poplawski  wrote:
>>
>> Sorry this isn't strictly devel - but it is a bit non-standard.
>>
>> I need to automatically unlock an encrypted disk on connection to a machine,
>> with the caveat that I'm not mounting it - instead I want to connect it to a VM.
>>
>> On machines that we do mount the filesystem, having an fstab entry seems to be
>> the key to get the systemd-cryptsetup@luks-UUID service to fire and get the
>> disk decrypted.  But lacking that I'm not sure how to get it to trigger.
>>
>> I do have an entry for the disk in /etc/crypttab:
>>
>> luks-16f5b686-8669-407b-920d-427fa8b81328 UUID=16f5b686-8669-407b-920d-427fa8b81328 none _netdev
>>
>> My current plan had been to use a udev rule to attach the disk to the VM:
>>
>> ACTION=="change", SUBSYSTEM=="block", ENV{ID_FS_LABEL}=="WEEKLY", RUN+="/usr/bin/virsh attach-disk VM %E{DEVNAME} sdc --live"
>>
>> But perhaps if I have a unit that was dependent on the cryptsetup service much
>> like a mount unit may have(?) that could get cryptsetup to fire as well.
>>
>> This is with systemd-252-18.el9.x86_64
>>
>> I tried having a udev rule that started the specific
>> systemd-cryptsetup@luks-UUID service, but that failed:
>>
>
> You did not show this rule, so it is hard to guess why it fails.

Sorry, here goes:

ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_BUS}=="usb", ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="cryptsetup-trigger"


# cat /usr/lib/udev/cryptsetup-trigger
#!/bin/bash
/usr/bin/systemctl restart 'systemd-cryptsetup@luks\x2d'${ID_FS_UUID//-/\\x2d}.service


It failed with:

Mar 26 11:49:43 systemd[1]: Unnecessary job was removed for Expansion Linux\x20filesystem.
Mar 26 11:49:43 systemd[1]: systemd-cryptsetup@luks\x2d16f5b686\x2d8669\x2d407b\x2d920d\x2d427fa8b81328.service: Bound to unit dev-disk-by\x2duuid-16f5b686\x2d8669\x2d407b\x2d920d\x2d427fa8b81328.device, but unit isn't active.
Mar 26 11:49:43 systemd[1]: Dependency failed for Cryptography Setup for luks-16f5b686-8669-407b-920d-427fa8b81328.
Mar 26 11:49:43 systemd[1]: systemd-cryptsetup@luks\x2d16f5b686\x2d8669\x2d407b\x2d920d\x2d427fa8b81328.service: Job systemd-cryptsetup@luks\x2d16f5b686\x2d8669\x2d407b\x2d920d\x2d427fa8b81328.service/start failed with result 'dependency'.
Mar 26 11:49:43 systemd[1]: Reached target Block Device Preparation for /dev/mapper/luks-16f5b686-8669-407b-920d-427fa8b81328.
Mar 26 11:49:43 systemd[1]: Stopped target Block Device Preparation for /dev/mapper/luks-16f5b686-8669-407b-920d-427fa8b81328.



Looking at the systemd debug messages for sde1 being attached:

Mar 26 14:27:24 systemd[1]: dev-sde1.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2duuid_2d16f5b686_5cx2d8669_5cx2d407b_5cx2d920d_5cx2d427fa8b81328_2edevice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=484751 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2duuid_2d16f5b686_5cx2d8669_5cx2d407b_5cx2d920d_5cx2d427fa8b81328_2edevice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=484752 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2duuid-16f5b686\x2d8669\x2d407b\x2d920d\x2d427fa8b81328.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2dpartuuid-a53e8ff9\x2dcc81\x2d468d\x2dbbee\x2db029df8678d8.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2did-usb\x2dSeagate_Expansion_NA8JP0EX\x2d0:0\x2dpart1.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2duuid_2d16f5b686_5cx2d8669_5cx2d407b_5cx2d920d_5cx2d427fa8b81328_2edevice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=484753 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2duuid_2d16f5b686_5cx2d8669_5cx2d407b_5cx2d920d_5cx2d427fa8b81328_2edevice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=484754 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2dpartlabel_2dLinux_5cx5cx20filesystem_2edevice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=484764 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 2

[systemd-devel] How to automatically decrypt a disk on connection

2024-03-26 Thread Orion Poplawski
destination=n/a path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484762
reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a
destination=n/a path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484763
reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a
destination=n/a
path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2dpartlabel_2dLinux_5cx5cx20filesystem_2edevice
interface=org.freedesktop.DBus.Properties member=PropertiesChanged
cookie=484764 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a
destination=n/a
path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2dpartlabel_2dLinux_5cx5cx20filesystem_2edevice
interface=org.freedesktop.DBus.Properties member=PropertiesChanged
cookie=484765 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a



Re: [systemd-devel] Delaying VM startup until block devices are available

2024-01-26 Thread Orion Poplawski
On 1/26/24 01:21, Lennart Poettering wrote:
> On Do, 25.01.24 16:28, Orion Poplawski (or...@nwra.com) wrote:
> 
>> We have various VMs that are backed by luks encrypted LVs.  At boot the volumes
>> are decrypted by clevis.  The problem we are seeing at the moment is that the
>> VMs are started before the block devices are decrypted.  Our current
>> solution is:
> 
> We generally wait for all devices listed in /etc/crypttab, unless you
> set noauto or nofail.

We are setting 'nofail', because I don't think I want to fail the boot in
general.  They are not required for the system itself to function, just
certain VMs. e.g:

luks-backup /dev/vg_root/backup-raw none discard,_netdev,nofail

See below for more though.

>> # cat /etc/systemd/system/virtqemud.service.d/override.conf
>> [Unit]
>> After=blockdev@dev-mapper-luks\x2dbackup.target blockdev@dev-mapper-luks\x2dvm\x2d01\x2ddisk0.target
>>
>> Where we list each of the volumes to be decrypted as blocking the virtqemud
>> service.
>>
>> Does anyone have any better alternatives?  My main issue is that it feels
>> somewhere in between fine-grained and coarse-grained control.
>>
>> Ideally I think one would be able to have each individual VM startup
>> automatically delayed until the devices each used became available, but I
>> don't see how to do this.
> 
> I am not sure how libvirt works, but if it runs every VM in a systemd
> unit, then you could just order the device before that unit, or the
> unit after the device.
> 
> Really depends on how libvirt splits things up.

I'm honestly not sure how libvirt works here either.  But there seems to be 
this:

# rpm -qf /usr/lib/systemd/system/virtqemud.service
libvirt-daemon-driver-qemu-9.5.0-7.el9_3.alma.2.x86_64

which gets started:

Jan 25 14:42:58 systemd[1]: Starting Virtualization qemu daemon...
Jan 25 14:42:58 systemd[1]: Started Virtualization qemu daemon.

Then the qemu-kvm processes end up in their own scope:

● machine-qemu\x2d1\x2dsrv\x2dmry01.scope - Virtual Machine qemu-1-srv-mry01
 Loaded: loaded
(/run/systemd/transient/machine-qemu\x2d1\x2dsrv\x2dmry01.scope; transient)
  Transient: yes
 Active: active (running) since Thu 2024-01-25 14:42:58 PST; 22h ago
  Tasks: 6 (limit: 16384)
 Memory: 15.6G
CPU: 1h 15min 44.863s
 CGroup: /machine.slice/machine-qemu\x2d1\x2dsrv\x2dmry01.scope
 └─libvirt
   └─9086 /usr/libexec/qemu-kvm -name guest=...

> 
>> Alternatively it seems like one should be able to delay all VM startup until
>> all volumes in /etc/crypttab were unlocked, rather than having to specify 
>> each
>> one.  But I don't see a target for that.
> 
> This is default behaviour. Anything listed in /etc/crypttab is ordered
> before cryptsetup.target, which is ordered before sysinit.target,
> which is ordered before basic.target, which is ordered before regular 
> services.

We are specifying _netdev because they require the network to unlock.  This I
think puts them under remote-cryptsetup.target, and I used to depend on that.
But with EL9 I'm seeing:

# j -b -u remote-cryptsetup.target -u 'blockdev@dev-mapper-luks\x2dbackup.target' -u clevis-luks-askpass.service --no-hostname

Jan 25 14:42:12 systemd[1]: Reached target Remote Encrypted Volumes.
Jan 25 14:42:12 systemd[1]: Started Forward Password Requests to Clevis.
Jan 25 14:42:48 clevis-luks-askpass[1706]: Unlocked /dev/vg_root/backup-raw (UUID=d6d25a85-2d43-4780-a312-e0e9b2383807) successfully
Jan 25 14:42:54 systemd[1]: Reached target Block Device Preparation for /dev/mapper/luks-backup.
Jan 25 14:42:59 systemd[1]: clevis-luks-askpass.service: Deactivated successfully.

# systemctl list-dependencies remote-cryptsetup.target
remote-cryptsetup.target
● ├─systemd-cryptsetup@luks\x2dbackup.service

# j --no-hostname -b -u 'systemd-cryptsetup@luks\x2dbackup.service'
Jan 25 14:42:12 systemd[1]: Starting Cryptography Setup for luks-backup...
Jan 25 14:42:42 systemd-cryptsetup[1697]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/vg_root/backup-raw.
Jan 25 14:42:47 systemd-cryptsetup[1697]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Jan 25 14:42:48 systemd-cryptsetup[1697]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/vg_root/backup-raw.
Jan 25 14:42:54 systemd[1]: Finished Cryptography Setup for luks-backup.

# systemctl show 'systemd-cryptsetup@luks\x2dbackup.service' | grep Type
Type=oneshot

So, if I'm following things correctly, this doesn't seem right.
remote-cryptsetup.target depends on systemd-cryptsetup@luks\x2dbackup.service.
This is a oneshot that is considered started after the main process exits,
and above is shown as 14:42:54.  But we are seeing 'Reached target Remote
Encrypted Volumes' at 14:42:12.

What am I missing?

sy

[systemd-devel] Delaying VM startup until block devices are available

2024-01-25 Thread Orion Poplawski
We have various VMs that are backed by luks encrypted LVs.  At boot the volumes
are decrypted by clevis.  The problem we are seeing at the moment is that the
VMs are started before the block devices are decrypted.  Our current solution
is:

# cat /etc/systemd/system/virtqemud.service.d/override.conf
[Unit]
After=blockdev@dev-mapper-luks\x2dbackup.target blockdev@dev-mapper-luks\x2dvm\x2d01\x2ddisk0.target

Where we list each of the volumes to be decrypted as blocking the virtqemud
service.

Does anyone have any better alternatives?  My main issue is that it feels
somewhere in between fine-grained and coarse-grained control.

Ideally I think one would be able to have each individual VM startup
automatically delayed until the devices each used became available, but I
don't see how to do this.

Alternatively it seems like one should be able to delay all VM startup until
all volumes in /etc/crypttab were unlocked, rather than having to specify each
one.  But I don't see a target for that.

Thank you for your consideration,
  Orion

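As an added example (not code from the thread, from systemd or from libvirt), the script below parses crypttab the way these machines use it, derives the systemd-cryptsetup@ and blockdev@ unit names for each volume with the systemd.unit(5) escaping rules, records how crypttab(5) says each volume is tied to its target (_netdev selects remote-cryptsetup.target instead of cryptsetup.target, nofail makes it a soft dependency that the system does not wait for, noauto leaves it out of the target), and generates the virtqemud.service drop-in from that instead of listing each target by hand. The crypttab lines are constructed from the volume names in the thread; the device path of the second volume is assumed.

```python
# Added example, not code from the thread: derive the unit names systemd's
# cryptsetup generator produces for each /etc/crypttab volume, state how the
# volume is tied to its target per crypttab(5), and emit the virtqemud drop-in
# that orders the daemon after every volume's blockdev@ target. The dependency
# rules are the documented ones (_netdev, nofail, noauto); the generator's
# own code is not reproduced.
from dataclasses import dataclass

_KEEP = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789:_."
)


def unit_name_escape(s: str) -> str:
    """systemd.unit(5) escaping: '/' -> '-', other chars outside [A-Za-z0-9:_.]
    become \\xNN, so the '-' in a volume name becomes '\\x2d'."""
    return "".join(
        "-" if c == "/" else c if c in _KEEP else "\\x%02x" % ord(c) for c in s
    )


@dataclass
class CryptVolume:
    name: str        # first crypttab field; the unlocked device is /dev/mapper/<name>
    device: str      # second field: backing device or UUID=...
    options: frozenset = frozenset()

    @property
    def service(self) -> str:
        return "systemd-cryptsetup@%s.service" % unit_name_escape(self.name)

    @property
    def blockdev_target(self) -> str:
        # instance is the --path escape of /dev/mapper/<name>: no leading '-'
        return "blockdev@%s.target" % unit_name_escape("dev/mapper/" + self.name)

    @property
    def target(self) -> str:
        # crypttab(5): _netdev volumes belong to remote-cryptsetup.target
        return "remote-cryptsetup.target" if "_netdev" in self.options else "cryptsetup.target"

    @property
    def dependency(self) -> str:
        """How the target pulls the volume in: 'Requires', 'Wants', or '' for noauto."""
        if "noauto" in self.options:
            return ""
        return "Wants" if "nofail" in self.options else "Requires"

    @property
    def target_waits(self) -> bool:
        """crypttab(5): with nofail the system does not wait for the unlock, so
        'Reached target ...' can be logged while the unlock is still running."""
        return self.dependency == "Requires"


def parse_crypttab(text: str) -> list:
    """Parse crypttab lines: name device [keyfile [options]]; '#' starts a comment."""
    volumes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("crypttab line needs at least name and device: %r" % raw)
        opts = fields[3].split(",") if len(fields) > 3 else []
        volumes.append(CryptVolume(fields[0], fields[1], frozenset(o for o in opts if o)))
    return volumes


def virtqemud_dropin(volumes: list) -> str:
    """Content for /etc/systemd/system/virtqemud.service.d/override.conf:
    one After= naming the blockdev@ target of every volume pulled in at boot."""
    targets = [v.blockdev_target for v in volumes if v.dependency]
    return "[Unit]\nAfter=%s\n" % " ".join(targets)


# Constructed sample: the volume names are the ones from the thread, the
# second device path is assumed.
SAMPLE_CRYPTTAB = """\
# <name>           <device>                  <key> <options>
luks-backup        /dev/vg_root/backup-raw   none  discard,_netdev,nofail
luks-vm-01-disk0   /dev/vg_root/vm-01-disk0  none  discard,_netdev,nofail
luks-16f5b686-8669-407b-920d-427fa8b81328 UUID=16f5b686-8669-407b-920d-427fa8b81328 none _netdev
"""

if __name__ == "__main__":
    vols = parse_crypttab(SAMPLE_CRYPTTAB)
    for v in vols:
        print("%s\n  %s %s= ; target waits: %s\n  %s" % (
            v.service, v.target, v.dependency or "(noauto)", v.target_waits, v.blockdev_target))
    print(virtqemud_dropin(vols))
```

For the two nofail volumes the output shows Wants= with "target waits: False", which is the case where the target can be reached before the unlock finishes and an explicit After= on the blockdev@ target is what actually holds virtqemud back; the generated drop-in matches the hand-written override.conf above, and re-running the script after editing crypttab keeps the two in step.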


Re: [systemd-devel] Transaction contains conflicting jobs 'restart' and 'stop'

2016-03-11 Thread Orion Poplawski
Andrei Borzenkov  gmail.com> writes:
> 11.03.2016 00:11, Orion Poplawski writes:
> > Uoti Urpala  pp1.inet.fi> writes:
> >> On Thu, 2016-03-10 at 17:51 +, Orion Poplawski wrote:
> >>> It appears that this is a trigger for this issue.  Removing the
> >>> conflicts=iptables.service removes it.  This seems like a bug to me
> >>> though -
> >>> why is iptables being brought in if the PartOf= is a one-way dep?
> >>
> >> I guess it's because firewalld.service has
> >> "Conflicts=iptables.service", and thus (re)starting firewalld.service
> >> stops iptables.service; fail2ban.service has PartOf to both, thus both
> >> the restart and stop are propagated, and conflict.
> > 
> > Can't the stop of iptables be dropped because the service is already stopped
> > (or more likely not even present)?
> 
> One possible implementation is to have firewall.target and make all
> other services (firewalld, iptables and fail2ban) PartOf this target.
> You would then start/stop firewall.target instead of individual services.

I tried this, but I get the same problem:

# systemctl restart firewall.target
Failed to restart firewall.target: Transaction contains conflicting jobs
'restart' and 'stop' for iptables.service. Probably contradicting
requirement dependencies configured.

Also, this doesn't solve the issue of restarting fail2ban if firewalld is
restarted via "systemctl restart fail2ban" (which someone will do I'm sure),
unless there is some other dependency that needs to be setup between the
various units that I don't understand.  Not very familiar with configuring
targets.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] Transaction contains conflicting jobs 'restart' and 'stop'

2016-03-10 Thread Orion Poplawski
Orion Poplawski  cora.nwra.com> writes:
> 
> Can someone please explain this to me?
> 
> # systemctl restart firewalld
> Failed to restart firewalld.service: Transaction contains conflicting jobs
> 'restart' and 'stop' for fail2ban.service. Probably contradicting
> requirement dependencies configured.
>
> # cat /usr/lib/systemd/system/fail2ban.service
> [Unit]
> PartOf=iptables.service firewalld.service
> 
> # cat /usr/lib/systemd/system/firewalld.service
> [Unit]
> Conflicts=iptables.service ip6tables.service ebtables.service

It appears that this is a trigger for this issue.  Removing the
conflicts=iptables.service removes it.  This seems like a bug to me though -
why is iptables being brought in if the PartOf= is a one-way dep?

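The transaction failure reported in this thread can be reproduced with a small model of job propagation. This is an added example, not the thread's or systemd's code: it follows only the systemd.unit(5) descriptions of Conflicts= (starting, and so restarting, a unit stops each unit it conflicts with) and PartOf= (a stop or restart of the named unit is propagated to every unit declaring PartOf= on it), without the real engine's redundant-job removal or job merging, and it uses the unit names and dependency lines quoted above.

```python
# Added example, not code from the thread: a simplified model of how one
# requested job is expanded into a transaction, enough to reproduce the
# "conflicting jobs 'restart' and 'stop'" failure and to check which
# dependency change removes it. Only Conflicts= and PartOf= are modelled;
# the real engine's job merging and redundant-job removal are not.
from collections import defaultdict


class Units:
    def __init__(self):
        self.conflicts = defaultdict(set)  # unit -> units named in its Conflicts=
        self.part_of = defaultdict(set)    # unit -> units named in its PartOf=

    def add(self, name, conflicts=(), part_of=()):
        self.conflicts[name].update(conflicts)
        self.part_of[name].update(part_of)

    def consists_of(self, name):
        """Reverse of PartOf=: the units that declared PartOf=<name>."""
        return sorted(u for u, targets in self.part_of.items() if name in targets)

    def transaction(self, unit, job):
        """Jobs that `systemctl <job> <unit>` would put into one transaction,
        as {unit: set of job types}. Propagation follows systemd.unit(5)."""
        jobs = defaultdict(set)
        pending = [(unit, job)]
        while pending:
            u, j = pending.pop()
            if j in jobs[u]:
                continue
            jobs[u].add(j)
            if j in ("start", "restart"):      # Conflicts=: stop the other side
                pending.extend((c, "stop") for c in self.conflicts[u])
            if j in ("stop", "restart"):       # PartOf=: propagate to dependents
                pending.extend((d, j) for d in self.consists_of(u))
        return dict(jobs)


def conflicting_units(jobs):
    """Units that ended up with both a restart and a stop job, the condition
    systemd reports as 'Transaction contains conflicting jobs'."""
    return sorted(u for u, js in jobs.items() if {"restart", "stop"} <= js)


def thread_units(firewalld_conflicts_iptables=True):
    """firewalld.service, iptables.service and fail2ban.service as quoted in
    the thread; the flag drops iptables.service from firewalld's Conflicts=."""
    u = Units()
    conflicts = ["ip6tables.service", "ebtables.service"]
    if firewalld_conflicts_iptables:
        conflicts.insert(0, "iptables.service")
    u.add("firewalld.service", conflicts=conflicts)
    u.add("iptables.service")
    u.add("fail2ban.service", part_of=["iptables.service", "firewalld.service"])
    return u


def firewall_target_units():
    """The firewall.target layout suggested in the thread: every service is
    PartOf=firewall.target and only the target is restarted."""
    u = Units()
    u.add("firewalld.service",
          conflicts=["iptables.service", "ip6tables.service", "ebtables.service"],
          part_of=["firewall.target"])
    u.add("iptables.service", part_of=["firewall.target"])
    u.add("fail2ban.service", part_of=["firewall.target"])
    return u


if __name__ == "__main__":
    for label, units, unit in (
        ("restart firewalld, Conflicts=iptables present", thread_units(), "firewalld.service"),
        ("restart firewalld, Conflicts=iptables removed", thread_units(False), "firewalld.service"),
        ("restart firewall.target", firewall_target_units(), "firewall.target"),
    ):
        jobs = units.transaction(unit, "restart")
        print("%s\n  jobs: %s\n  conflicting: %s" % (label, jobs, conflicting_units(jobs)))
```

The first case yields a restart job for fail2ban.service (propagated from firewalld through PartOf=) and a stop job for it (propagated from the iptables.service stop that Conflicts= queued), which is the conflict the first message reports; dropping iptables.service from Conflicts= leaves only the restart. The firewall.target layout moves the clash rather than removing it: the target propagates restart to iptables.service while firewalld's Conflicts= queues a stop for it, matching the "conflicting jobs 'restart' and 'stop' for iptables.service" message in the reply. Note that the model propagates the iptables stop even though iptables is not running, which is the observed behaviour the thread asks about.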