Re: [Touch-packages] [Bug 1991592] Re: openssh-server should ship a systemd generator to generate ssh socket port configuration from sshd_config

2022-10-06 Thread Steve Langasek
On Thu, Oct 06, 2022 at 07:32:54AM -, msaxl wrote:
> I think the biggest issue is the automatic upgrade from "classic" to
> systemd.socket

> It is very hard to consistently migrate every configuration.

> I was hit by this issue because I had set
> /proc/sys/net/ipv6/bindv6only=1, so ipv4 was disabled

Please file a separate bug explaining exactly what problem you encountered
on upgrade.  Setting /proc/sys/net/ipv6/bindv6only=1 (which is not something
I consider a sensible deviation from the Ubuntu defaults) should not have
caused you to experience upgrade issues, and is independent from the
question of using a generator.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1991592

Title:
  openssh-server should ship a systemd generator to generate ssh socket
  port configuration from sshd_config

Status in openssh package in Ubuntu:
  Triaged

Bug description:
  A criticism of the existing sshd socket activation implementation is
  that Port/ListenAddress options are migrated on a one-time basis at
  package upgrade time, and afterwards users get the surprising behavior
  that Port/ListenAddress settings added to sshd_config are ignored.

  A systemd generator could be used to change the ssh socket unit
  configuration on boot, and on each change of /etc/ssh/sshd_config.
  Sample implementation from Dimitri:

  ssh.socket:
  [Unit]
  Wants=sshd-config.path

  #
  # Note the below defaults are cleared and overridden by
  # /lib/systemd/system-generators/sshd-generator
  # based on the sshd config from the sshd -T output
  #
  ListenStream=[::]:22
  ListenStream=0.0.0.0:22

  diff --git a/systemd/sshd-config.path b/systemd/sshd-config.path
  new file mode 100644
  index 0..cfa9674a3
  --- /dev/null
  +++ b/systemd/sshd-config.path
  @@ -0,0 +1,4 @@
  +[Unit]
  +ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
  +[Path]
  +PathChanged=/etc/ssh/sshd_config
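Review bot: PathChanged= watches only the single file /etc/ssh/sshd_config, but the generator consumes `sshd -T`, which also reads any files pulled in through Include directives, so edits to included configuration files will not trigger regeneration of the drop-in; either add a second `PathChanged=` for the include directory or document the limitation next to the line. The unit also lacks a Description= and carries no comment explaining why `ConditionPathExists=!/etc/ssh/sshd_not_to_be_run` disables the watch, which a reader of the unit file will want.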
  diff --git a/systemd/sshd-config.service b/systemd/sshd-config.service
  new file mode 100644
  index 0..b009ea52c
  --- /dev/null
  +++ b/systemd/sshd-config.service
  @@ -0,0 +1,5 @@
  +[Unit]
  +Description=Regenerate ssh.socket.d/ssh-listen.conf drop-in
  +
  +[Service]
  +ExecStart=/bin/systemctl daemon-reload
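Review bot: the service has no `Type=oneshot`, so under the default Type=simple systemd treats it as active as soon as `/bin/systemctl daemon-reload` is forked rather than when the reload has completed; add `Type=oneshot`. Also, daemon-reload re-runs the generator and rewrites ssh-listen.conf, but an already listening socket only picks up new ListenStream= values when ssh.socket is restarted, so a changed Port or ListenAddress in sshd_config still takes no effect until `systemctl restart ssh.socket`; either restart the socket here or state in the Description that a socket restart remains necessary.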
  diff --git a/systemd/sshd-generator b/systemd/sshd-generator
  new file mode 100755
  index 0..72c6aac04
  --- /dev/null
  +++ b/systemd/sshd-generator
  @@ -0,0 +1,10 @@
  +#!/bin/sh
  +set -eu
  +mkdir -p /run/sshd
  +sshd -t
  +mkdir -p $1/ssh.socket.d
  +target="$1/ssh.socket.d/ssh-listen.conf"
  +echo '[Socket]' > $target
  +echo 'ListenStream=' >> $target
  +sshd -T | sed -n 's/^listenaddress /ListenStream=/p' >> $target
  +rmdir --ignore-fail-on-non-empty /run/sshd
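Review bot: `$1` and `$target` are expanded unquoted in `mkdir -p $1/ssh.socket.d`, `> $target` and `>> $target`; quote them as `"$1"` and `"$target"`, consistent with the `target=` assignment, since `set -u` only catches unset variables and not word splitting. Under `set -e`, a failing `sshd -t` aborts the script before any drop-in is written, so a broken sshd_config silently leaves the built-in `ListenStream=[::]:22` and `ListenStream=0.0.0.0:22` defaults from ssh.socket in force and skips the trailing `rmdir`; print a diagnostic to stderr before exiting so the reason is visible in the generator's log output.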

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1991592/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


Re: [Touch-packages] [Bug 1991592] Re: openssh-server should ship a systemd generator to generate ssh socket port configuration from sshd_config

2022-10-06 Thread Steve Langasek
On Thu, Oct 06, 2022 at 02:34:40PM -, Corey Reichle wrote:
> Nowhere was it documented that sshd now needs two configuration files,
> just to tell it to listen on a port, and address it was already told to
> do.

False.  It is documented in the manpage, in the default sshd_config file
shipped in the package, and in the kinetic release notes.


Re: [Touch-packages] [Bug 1991592] Re: openssh-server should ship a systemd generator to generate ssh socket port configuration from sshd_config

2022-10-06 Thread Robie Basak
On Thu, Oct 06, 2022 at 02:34:40PM -, Corey Reichle wrote:
> > Socket activation provides a smoother (runtime) UX for users
> 
> SSHD configuration is not a user issue, but a systems administration
> issue.

Maybe, but more important is the UX for users of ssh clients who aren't
trying to deviate from default configuration, and for users who want
density by default and don't need sshd running on every instance. Socket
activation provides a smoother UX for these user stories.

It sounds like your objections relate to the use of socket activation
and how it is implemented in configuration files in general, rather than
ssh specifically. The same goes for your ideas about moving daemon
configuration into systemd unit files. I think your views on both of
these issues contradict the general direction that our entire ecosystem
is taking. Essentially you seem to be asking for a complete reversal in
direction of how socket activation is used and configured in Debian and
Ubuntu.

You're entitled to your opinions and I wouldn't want to rule anything
out, but this is the wrong venue for these discussions as they are far
wider reaching than just ssh. I suggest you use
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss instead.


Re: [Touch-packages] [Bug 1991592] Re: openssh-server should ship a systemd generator to generate ssh socket port configuration from sshd_config

2022-10-06 Thread Robie Basak
On Thu, Oct 06, 2022 at 01:04:05PM -, Corey Reichle wrote:
> If the point is to increase density, then sshd should just be off, and
> not automatically started, unless it's required for work.

Socket activation provides a smoother (runtime) UX for users, and is
well established as a mechanism to reduce runtime footprint without any
impact to users who want to use the service. Why do you think it's
preferable to have the daemon not started and without socket activation?

> If ssh is selected at install time, to be installed, and listening, then
> the user expectation is that it is installed, and listening.  Not just
> "listening as needed".

Why? What user story is broken by socket activation here?

> Or, conversely, as I proposed in the original ticket (That somehow got
> marked as a duplicate of this ticket, that was created later):  Migrate
> all configuration for openssh-server out of /etc/ssh/sshd_config, and
> into its unit file.

I'm pretty sure this would result in far more pushback from the
community than merely enabling socket activation. We'd end up with an
order of magnitude more upgrade path issues in doing this, and we'd be
diverging from the entire rest of the community.

> No, there isn't generally an expectation that you will require two
> wholly unconnected places to be configured for something that is only
> configured in one place for every other distro, and every other OS that
> openssh-server runs on.

It's increasingly common to use socket activation on systemd-based
distros. Ubuntu may be pushing ahead on the sshd side, but socket
activation in general is already in place in various other packages.

I accept that the "two different places" configuration issue arises as a
consequence of socket activation, and this is poor UX. But the general
concept already exists in other areas (e.g. After=network-online.service,
and AppArmor), and doing otherwise in the general case would require a
reversal, or even a "ban", on the use of socket activation across all
packages in Ubuntu. I don't think that makes sense, but even if it did,
it'd have to be a bigger discussion than just in this bug. As long as
socket activation is a generally acceptable pattern in Ubuntu, I see no
reason why sshd would be expected to be special and not use it.
