Package: fail2ban
Version: 0.8.13-1
Severity: normal

Hello,

Having just experienced the delightful "feature" described in #771549 for
myself, I noticed that systemd gets confused in the presence of either a
failed start, or a force-start (two things that often occur in close
succession):

    root@sebastian:/var/log# pgrep -l fail
    4369 fail2ban-server
    root@sebastian:/var/log# service fail2ban stop
    root@sebastian:/var/log# service fail2ban status
    ● fail2ban.service - LSB: Start/stop fail2ban
       Loaded: loaded (/etc/init.d/fail2ban)
       Active: inactive (dead) since Mon 2016-01-25 10:41:54 AWST; 7s ago
      Process: 5729 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
      Process: 4359 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)

So far so good. Now let's make it fail to start:

    root@sebastian:/var/log# service fail2ban status
    ● fail2ban.service - LSB: Start/stop fail2ban
       Loaded: loaded (/etc/init.d/fail2ban)
       Active: active (exited) since Mon 2016-01-25 10:43:01 AWST; 3s ago
      Process: 5729 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
      Process: 5769 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)
    root@sebastian:/var/log# /etc/init.d/fail2ban start;echo $?
    Starting fail2ban (via systemctl): fail2ban.service.
    0
    root@sebastian:/var/log# pgrep -l fail
    root@sebastian:/var/log#

Active? I disagree. :P

My guess is that the init script exiting with zero status (despite failure)
has convinced systemd that there is no problem. This is the first issue.

Let's try to fix the service:

    root@sebastian:/var/log# service fail2ban force-start
    Starting authentication failure monitor: fail2banSocket file /var/run/fail2ban/fail2ban.sock is present ... failed!
    Starting anyway as requested.
    .
    root@sebastian:/var/log# pgrep -l fail
    5840 fail2ban-server
    root@sebastian:/var/log# service fail2ban status
    ● fail2ban.service - LSB: Start/stop fail2ban
       Loaded: loaded (/etc/init.d/fail2ban)
       Active: active (exited) since Mon 2016-01-25 10:43:01 AWST; 3min 55s ago
      Process: 5729 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
      Process: 5769 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)

The service is now running, but systemd thinks it's still exited! It's as if 
the force-start was a no-op.

    root@sebastian:/var/log# service fail2ban restart
    root@sebastian:/var/log# service fail2ban status
    ● fail2ban.service - LSB: Start/stop fail2ban
       Loaded: loaded (/etc/init.d/fail2ban)
       Active: active (running) since Mon 2016-01-25 10:48:20 AWST; 2s ago
      Process: 5858 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
      Process: 5871 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)
       CGroup: /system.slice/fail2ban.service
               └─5882 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid

Only now is everything as it should be.

The second issue is that force-start doesn't actually convince systemd that the 
service has started:

    root@sebastian:/var/log# service fail2ban stop
    root@sebastian:/var/log# service fail2ban status
    ● fail2ban.service - LSB: Start/stop fail2ban
       Loaded: loaded (/etc/init.d/fail2ban)
       Active: inactive (dead) since Mon 2016-01-25 11:04:03 AWST; 4min 13s ago
      Process: 7029 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
      Process: 7002 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)
    root@sebastian:/var/log# service fail2ban force-start
    Starting authentication failure monitor: fail2ban.
    root@sebastian:/var/log# service fail2ban status
    ● fail2ban.service - LSB: Start/stop fail2ban
       Loaded: loaded (/etc/init.d/fail2ban)
       Active: inactive (dead) since Mon 2016-01-25 11:04:03 AWST; 4min 26s ago
      Process: 7029 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
      Process: 7002 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)
    root@sebastian:/var/log# pgrep -l fail
    7080 fail2ban-server

I'm unsure whether this bit is also the init script's fault, or because
systemd unavoidably considers a 'force-start' to not count as a 'start'.

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 'stable'), (500, 'oldstable'), (487, 'testing-updates'), (487, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fail2ban depends on:
ii  lsb-base    4.1+Debian13+nmu1
pn  python:any  <none>

Versions of packages fail2ban recommends:
ii  iptables          1.4.21-2+b1
pn  python-pyinotify  <none>
pn  whois             <none>

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20141216cvs-2
pn  python-gamin                 <none>
ii  rsyslog [system-log-daemon]  8.4.2-1+deb8u1

-- no debconf information
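
Added example, not part of the original report: a check that compares systemd's recorded state for the unit with the process table, so that a fail2ban that is down while the unit reads "active (exited)" is caught by monitoring. The function names classify and live_check are hypothetical; the unit and process names are the ones shown in the transcripts above, and the sample states are constructed to mirror them.

```shell
#!/bin/sh
# Added example, not from the original report.
# Names classify/live_check are hypothetical; unit and process names are the
# ones visible in the transcripts above.

# classify STATE PIDS
#   STATE: output of `systemctl show -p ActiveState -p SubState UNIT`
#   PIDS:  output of `pgrep -x fail2ban-server` (empty when nothing runs)
classify() {
    active=$(printf '%s\n' "$1" | sed -n 's/^ActiveState=//p')
    sub=$(printf '%s\n' "$1" | sed -n 's/^SubState=//p')
    if [ -n "$2" ]; then running=yes; else running=no; fi
    case "$active/$sub/$running" in
        active/running/yes) echo "OK" ;;
        active/*/yes)   echo "UNTRACKED: process running, systemd says $active ($sub)" ;;
        active/*/no)    echo "MISMATCH: systemd says $active ($sub), no process" ;;
        inactive/*/yes|failed/*/yes)
                        echo "MISMATCH: systemd says $active ($sub), process running" ;;
        inactive/*/no|failed/*/no) echo "STOPPED" ;;
        *)              echo "UNKNOWN: $active ($sub), running=$running" ;;
    esac
}

# Live check for a cron job or monitoring probe; non-zero unless verdict is OK.
live_check() {
    state=$(systemctl show -p ActiveState -p SubState fail2ban.service)
    pids=$(pgrep -x fail2ban-server || true)
    verdict=$(classify "$state" "$pids")
    echo "$verdict"
    [ "$verdict" = "OK" ]
}

# Constructed samples mirroring the status outputs in the report.
S_EXITED='ActiveState=active
SubState=exited'
S_DEAD='ActiveState=inactive
SubState=dead'
S_RUNNING='ActiveState=active
SubState=running'

classify "$S_EXITED" ""        # failed start that systemd shows as active
classify "$S_EXITED" "5840"    # force-start after the failed start
classify "$S_DEAD" "7080"      # force-start from a stopped unit
classify "$S_RUNNING" "5882"   # after a clean restart
```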
