Bug#997852: Should dh_systemd_enable --no-enable create a systemd.preset? (fix ssh.socket)

2021-10-25 Thread Trent W. Buck
I noticed some other things being unexpectedly enabled by preset-all, e.g.
msmtpd.service, systemd-networkd.socket, reboot.target.

I think this shows relevant packages:


https://codesearch.debian.net/search?q=dh_.*systemd.*--no-enable=0=29=1

$ curl -s https://codesearch.debian.net/results/460eb7b7b3635bc8/packages.txt | sort | fmt
2ping 389-ds-base acmetool acpid amavisd-new anope aprx argonaut
argus-clients balboa bdii beanstalkd bind9 bit-babbler bitlbee
booth btrfsmaintenance buildbot burp burrow canid chasquid
conserver consul corosync-qdevice csync2 davmail ddclient debhelper
dhcpy6d direwolf dogtag-pki dovecot drbd-utils fetch-crl fever fio
freeipa fwknop game-data-packager gamemode gfarm globus-gatekeeper
globus-gridftp-server globus-scheduler-event-generator glusterfs
golang-github-containernetworking-plugins gpsd graphite-carbon hdapsd
hylafax ifupdown init-system-helpers interimap ipmitool ipmiutil iwd
jupyter-notebook knockd libcircle-be-perl libosmo-sccp linux lirc
lizardfs logdata-anomaly-miner mailavenger mailgraph mariadb-10.5
mediawiki minissdpd miniupnpd moosefs mopidy mpd msmtp myproxy natlog
netscript-2.4 nextepc nftables nomad nordugrid-arc onak open-iscsi
openbgpd openssh osmo-bsc osmo-bts osmo-ggsn osmo-hlr osmo-iuh
osmo-mgw osmo-msc osmo-pcu osmo-sgsn osmo-trx packagekit pagure pgcluu
phosh pmacct postfwd powertop pptpd prelude-correlator prelude-lml
prelude-manager proftpd-dfsg public-inbox puppet qemu radicale rauc rsync
rtkit rygel sane-backends sanlock sbws slinkwatch sniproxy spamassassin
speech-dispatcher speech-dispatcher-contrib srslte stenographer syncplay
systemd-bootchart tcpcrypt teeworlds thinkfan trojan tryton-server
umtp-responder upower vanguards vdirsyncer voms w1retap wesnoth-1.14
xpra xscreensaver ypbind-mt ypserv zeroc-ice znc zoneminder

That suggests mariadb@.service would be affected, but
testing indicates otherwise:

$ mmdebstrap sid /dev/null --include=init,mariadb-server --customize-hook='systemctl --root=$1 preset-all' --logfile=tmp.log
$ grep mariadb tmp.log
[no matches]

So I dunno!



Bug#997852: Should dh_systemd_enable --no-enable create a systemd.preset? (fix ssh.socket)

2021-10-25 Thread Trent W. Buck
Package: debhelper
Version: 13.3.4
Severity: wishlist
File: /usr/bin/dh_systemd_enable

This is an obscure edge-case for systemd.
I am not an expert.  What I'm proposing might be very silly.
Probably the appropriate debian-systemd ML should be CC'd.


Background: what is systemd.preset?
===
You know how when you install a new .service,
you typically do "systemctl enable frobozzd.service",
which runs [Install] WantedBy=multi-user.target?

Well historically,
Debian policy was "if you install frobozzd, it starts right away with sensible defaults", but
RHEL policy was "if you install frobozzd, it doesn't start until YOU configure & enable it".

To avoid fights over defaults,
systemd has a layer of middleware to opt in/out of "enable frobozzd".
See https://manpages.debian.org/systemd.preset
But for various reasons it isn't really used much.

It is used automatically by systemd "first boot" mode, i.e. when you boot with no /etc/machine-id.
It is used manually by calling "systemctl --root=/path/to/chroot preset-all".


Specific issue: openssh
===
The openssh rules file does this:

override_dh_systemd_enable:
	dh_systemd_enable -popenssh-server --name ssh ssh.service
	dh_systemd_enable -popenssh-server --name ssh --no-enable ssh.socket

But systemd preset doesn't "see" this, so BOTH units are enabled,
which causes boot-time failures (both bind to *:22 by default).
Here's a minimum recipe to reproduce:

bash5$ mmdebstrap sid /dev/null --include=init,openssh-server --customize-hook='systemctl --root=$1 preset-all'
⋮
I: running --customize-hook in shell: sh -c 'systemctl --root=$1 preset-all' exec /tmp/mmdebstrap.E3rs3TFVsO
⋮
Created symlink /tmp/mmdebstrap.E3rs3TFVsO/etc/systemd/system/sockets.target.wants/ssh.socket → /usr/lib/systemd/system/ssh.socket.
⋮
I: success in 24.9741 seconds

I think the easy workaround is that "dh_enable_systemd --no-enable" should create something like this:

/lib/systemd/system-preset/50-.preset:

# auto-generated by debhelper
disable 

A sysadmin can still override this in /etc/, as is normal for systemd config files.

There may be other implications I haven't considered, though!



-- System Information:
Debian Release: 11.0
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'stable'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debhelper depends on:
ii  autotools-dev            20180224.1+nmu1
ii  dh-autoreconf            20
ii  dh-strip-nondeterminism  1.12.0-1
ii  dpkg                     1.20.9
ii  dpkg-dev                 1.20.9
ii  dwz                      0.13+20210201-1
ii  file                     1:5.39-3
ii  libdebhelper-perl        13.3.4
ii  libdpkg-perl             1.20.9
ii  man-db                   2.9.4-2
ii  perl                     5.32.1-4+deb11u1
ii  po-debconf               1.0.21+nmu1

debhelper recommends no packages.

Versions of packages debhelper suggests:
pn  dh-make  

-- no debconf information
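
The preset lookup discussed in this report, as an added example (not part of the original message, and not debhelper or systemd code): a simplified resolver showing why a unit with no matching rule ends up enabled by preset-all, how a vendor "disable" rule changes that, and how a same-named file in /etc overrides it. It handles only enable/disable lines, approximates systemd's glob matching with fnmatch, and the file name 50-example.preset is constructed for the demo.

```python
import fnmatch
import tempfile
from pathlib import Path

# Highest priority first; a file here masks a same-named file further down.
PRESET_DIRS = [
    "etc/systemd/system-preset",
    "run/systemd/system-preset",
    "usr/local/lib/systemd/system-preset",
    "usr/lib/systemd/system-preset",
    "lib/systemd/system-preset",  # path used in the report (non-merged /usr)
]

def load_rules(root):
    """Return (action, pattern, file) rules in the order they are applied."""
    chosen = {}
    for d in PRESET_DIRS:
        for p in Path(root, d).glob("*.preset"):
            chosen.setdefault(p.name, p)
    rules = []
    for name in sorted(chosen):  # files are ordered by name, not by directory
        for line in chosen[name].read_text().splitlines():
            words = line.split()  # comment and blank lines fall through
            if len(words) >= 2 and words[0] in ("enable", "disable"):
                rules.append((words[0], words[1], chosen[name]))
    return rules

def preset_action(root, unit):
    """First matching rule wins; with no match the default is enable."""
    for action, pattern, _src in load_rules(root):
        if fnmatch.fnmatchcase(unit, pattern):
            return action
    return "enable"

def write(root, rel, text):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)

def demo():
    """Constructed tree: no preset, then a vendor preset, then an /etc override."""
    with tempfile.TemporaryDirectory() as root:
        before = preset_action(root, "ssh.socket")
        write(root, "lib/systemd/system-preset/50-example.preset",
              "# auto-generated by debhelper\ndisable ssh.socket\n")
        vendor = preset_action(root, "ssh.socket")
        write(root, "etc/systemd/system-preset/50-example.preset",
              "enable ssh.socket\n")
        return before, vendor, preset_action(root, "ssh.socket")
```

Running preset_action against an unpacked image root before shipping it gives a quick check for listeners that preset-all would turn on even though the package asked for --no-enable.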