Package: ferm
Version: 2.3-2
Severity: grave
Ferm is broken in stretch for any rule set which contains resolve() statements
(there might be others relying on the network; I didn't check). This got introduced
in 2.3-2, which now uses Wants=/Before= network-pre.target.
In jessie, no systemd unit was provided and the sysvinit script translated to:
# systemctl cat ferm
# /run/systemd/generator.late/ferm.service
# Automatically generated by systemd-sysv-generator
[Unit]
SourcePath=/etc/init.d/ferm
Description=LSB: ferm firewall configuration
DefaultDependencies=no
Before=sysinit.target
After=network-online.target remote-fs.target
Wants=network-online.target
But since ferm.service is now executed before the network is up, any rule
containing a resolve() statement now leads to a ferm startup failure:
# journalctl -u ferm
-- Logs begin at Wed 2017-05-31 10:53:35 UTC, end at Wed 2017-05-31 11:40:57 UTC. --
May 31 10:53:38 ms-be2001 ferm[1038]: Starting Firewall: fermError in /etc/ferm/conf.d/10_example line 4:
May 31 10:53:38 ms-be2001 ferm[1038]: just.example.org
May 31 10:53:38 ms-be2001 ferm[1038]: )
May 31 10:53:38 ms-be2001 ferm[1038]:
May 31 10:53:38 ms-be2001 ferm[1038]: )
May 31 10:53:38 ms-be2001 ferm[1038]: <--
May 31 10:53:38 ms-be2001 ferm[1038]: DNS query for 'just.example.org' failed: query timed out
May 31 10:53:38 ms-be2001 ferm[1038]: failed!
May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Main process exited, code=exited, status=101/n/a
May 31 10:53:38 ms-be2001 systemd[1]: Failed to start ferm firewall configuration.
May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Unit entered failed state.
May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Failed with result 'exit-code'.
I'm setting severity to "grave" since this breaks existing setups during the
update from jessie to stretch.
Possible fixes:
- Revert to the status quo from jessie by reverting the changes from 2.3-2 (ugly)
- Split into two services, e.g. ferm-base.service loading a base rule set which
  runs on network-pre.target and ferm-extended.service which runs on
  nss-lookup.target or network.target
Cheers,
Moritz
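The two-service split proposed in the report, written out as an added example that is not part of the report or of the ferm package: two hypothetical unit files whose names come from the report, while the rule-file paths under /etc/ferm are assumed for illustration.

```ini
# /etc/systemd/system/ferm-base.service
# Hypothetical unit (name from the report): loads a rule set that must not
# contain resolve(), so it is safe to run before any network exists.
[Unit]
Description=ferm firewall configuration (base rule set, no DNS lookups)
# Early-boot unit: drop the implicit After=sysinit.target ordering ...
DefaultDependencies=no
# network-pre.target is a passive target; pulling it in with Wants= is what
# makes the Before= ordering take effect against network setup.
Wants=network-pre.target
Before=network-pre.target
# ... but still be stopped cleanly on shutdown like any other unit.
Conflicts=shutdown.target
Before=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Assumed path of the base rule set (not a path taken from the report).
ExecStart=/usr/sbin/ferm /etc/ferm/base.conf

[Install]
WantedBy=sysinit.target

# /etc/systemd/system/ferm-extended.service
# Hypothetical unit: loads the rules that use resolve(), ordered after name
# resolution and the network are available and after the base set is loaded.
# If DNS is still unreachable this unit fails on its own, while the base
# rules from ferm-base.service stay in place.
[Unit]
Description=ferm firewall configuration (extended rule set, may use resolve())
After=ferm-base.service nss-lookup.target network-online.target
Wants=ferm-base.service network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Assumed path; how the two rule files share tables and chains is left to
# the rule files themselves.
ExecStart=/usr/sbin/ferm /etc/ferm/extended.conf

[Install]
WantedBy=multi-user.target
```

Both units need to be enabled; the base unit is wanted by sysinit.target so it is part of early boot even when the extended one is disabled or fails.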