Re: [systemd-devel] systemd-socket-proxyd slapd
I have changed proxy-to-directory-400.service as

    # cat proxy-to-directory-400.service
    [Unit]
    Requires=vgp.master-ldap-400.service
    After=vgp.master-ldap-400.service
    JoinsNamespaceOf=vgp.master-ldap-400.service

    [Service]
    ExecStart=/usr/lib/systemd/systemd-socket-proxyd ${HOSTNAME}:400
    PrivateTmp=yes
    PrivateNetwork=yes

But ldapsearch is still not working with ${HOSTNAME}:401. Some useful info

    # systemctl status proxy-to-directory-400.service
    ● proxy-to-directory-400.service
       Loaded: loaded (/usr/lib/systemd/system/proxy-to-directory-400.service; static)
       Active: active (running) since Thu 2014-07-17 09:37:36 EEST; 5min ago
     Main PID: 32744 (systemd-socket-)
       CGroup: /system.slice/proxy-to-directory-400.service
               └─32744 /usr/lib/systemd/systemd-socket-proxyd CLA-0:400
    --
    # ss -anp | egrep -wi 400|401|402|403|49502|haproxy
    tcp LISTEN 0 128 169.254.0.4:400 *:* users:((slapd,32743,7))
    tcp LISTEN 0 128 :::401 :::* users:((systemd-socket-,32744,3),(systemd,1,26))

Any further help?

On Thu, Jul 17, 2014 at 12:53 AM, David Timothy Strauss da...@davidstrauss.net wrote:
> On Wed, Jul 16, 2014 at 7:29 AM, Zbigniew Jędrzejewski-Szmek zbys...@in.waw.pl wrote:
> > This won't work, since proxyd now cannot connect to port 400.
>
> There is now a way to make that work with JoinsNamespaceOf=

--
Suvendu Mitra
GSM - +358504821066
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH 2/3] nspawn: use Barrier API instead of eventfd-util
Hi

On Mon, Jul 14, 2014 at 3:28 AM, Djalal Harouni tix...@opendz.org wrote:
> ppoll is atomic and it is handled by the kernel, so perhaps setting/restoring sigmask can be done easily! and for nspawn: IMO we need to receive SIGCHLD which implies EINTR. I say EINTR since not only for blocking read or infinite poll, but perhaps for all the other functions that the parent may do to setup the environment of the container, currently nspawn will set network interfaces before moving them into the container, it will also register the machine, and perhaps other operations... So having EINTR errors is useful here not only for direct reads, but for all the other calls that might block! IOW I think that nspawn should have an empty sig handler for SIGCHLD.
>
> Barrier reads already use poll and pipe to handle remote abortion since it can *not* be done by eventfd, yes this is perfect but for nspawn we can also achieve the same by combining eventfd and SIGCHLD! What do you think if we make Barrier use: eventfd+pipe and/or eventfd+SIGCHLD ?
>
> Most complex fork/clone code should receive SIGCHLD, and think about nspawn! we do want it to be as lightweight as possible, having 4 fds by default (2 eventfd + heavy pipe) may hit some resource limits quickly! compared to: 2 eventfd + empty sig handler!

My first attempt was to use a signalfd on SIGCHLD + edge-triggered. If I don't read from the signalfd and only use it to wake up and call waitid(WNOWAIT), I won't interfere with other signalfds. However, this wasn't really more lightweight than the pipe-method so I ditched it.

Regarding dropping the pipe: pipe2() is _really_ fast. I mean, we're fork()ing and running like thousands of syscalls just during container setup. I cannot see how dropping one light pipe2 call is beneficial here? We also destroy the pipe before running the real container. So it's really just during setup.

> And it seems from the patch you are not checking barrier_place() return code, if the remote aborted ?

That's fine. Abortions are remembered and the later barrier_sync() call will return immediately.

> Thanks for the patches, sure the API is really nice, I'll try to comment on #1

Thanks!
David
[systemd-devel] Unit to test if a domain is reachable
Hi all!

Since (from my understanding) systemd devel team did not want to interpret nor force its interpretation of network availability on systemd consumers, we have to use some other services and cross fingers (network.target, systemd-networkd-wait-online.service and so on).

However, everything I tried proved an utter failure: target says reached even though it doesn't even have an IP on any link; wait-online obviously didn't even check if I had a DNS whatsoever.

In the end, I had to write my own (ugly) service to test if a domain is reachable:

/etc/systemd/system/reachable-retry@.service

    [Unit]
    Description=Test if %i is reachable
    # I'm not even sure it's useful, because it doesn't do its job
    After=systemd-networkd-wait-online.service

    [Service]
    Type=forking
    ExecStart=/usr/bin/ping -c1 %i
    Restart=on-failure
    # Needed, else the unit just goes crazy
    # if there are no links and systemd stops it
    RestartSec=2

    # I don't know if the [Install] part is needed
    [Install]
    WantedBy=multi-user.target

This works but using the Type=forking is an ugly hack: the result I'm waiting for would be:

o Call reachable-retry@ in a unit (Requires and After);
o If it fails, try again (seems OK with the Restart directive);
o If it succeeds, the unit that needs to reach %i gets launched and my reachable-retry@ *does not* enter SUCCESS or whatever good state you can think of: it just stays asleep until someone else wants to recheck later if the domain is still reachable (e.g. domain goes down, my ISP goes crazy, I suspend my computer...).

Another unit I could use would be reachable@ that would simply test whether or not a domain is reachable and:

o In case it isn't, prevent a unit from being launched, period.
o In case it is, launch the unit and don't enter any SUCCESS or good state.
o If another unit needs to test afterwards, launch the test again.

Would Type=oneshot do that?

Any input would be greatly appreciated.

The issue was also a bit discussed here: https://bbs.archlinux.org/viewtopic.php?id=182717
And here too (in French): https://forums.archlinux.fr/topic15485.html

Cheers,
--
Moviuro
Re: [systemd-devel] Unit to test if a domain is reachable
On Thursday 17 July 2014 12:12:22 you wrote:
> Why not just use network-online.target?
> http://www.freedesktop.org/software/systemd/man/systemd.special.html#network-online.target
>
> > o If it succeeds, the unit that needs to reach %i gets launched and my reachable-retry@ *does not* enter SUCCESS or whatever good state you can think of: it just stays asleep until someone else wants to recheck later if the domain is still reachable (e.g. domain goes down, my ISP goes crazy, I suspend my computer...).

network-online.target does not fulfill these requirements. It stays in SUCCESS across suspend/resume cycles. Therefore, it is *not* a correct indicator.

--
Moviuro
Re: [systemd-devel] Socket activated SSHD service showing up as a failure when the client connection f
On Thu, Jul 17, 2014 at 01:37:12PM +1000, Roger Qiu wrote:
> You mean something like this:
>
> ```
> $ cat /nix/store/wr8r8jrj204q3i0v4vfav8m63ssnv8w1-unit/sshd@.service
> [Unit]
> Description=SSH Daemon
>
> [Service]
> Environment=LD_LIBRARY_PATH=/nix/store/sk3017fxx2vhj69saizk5634y3w6hqhn-systemd-212/lib
> Environment=LOCALE_ARCHIVE=/nix/store/5jxnz56h6ya1wy0dvcll65vkkx9679g4-glibc-locales-2.19/lib/locale/locale-archive
> Environment=PATH=/nix/store/2wc50fcn54axkg2kk71jm2r5h0w5rbh6-openssh-6.6p1/bin:/nix/store/qlg0baw29r7fj4isc2x47c05d8q7br2j-gawk-4.1.0/bin:/nix/store/xdswdgz11w9lm9n9bzb6spl7dj45s2x2-coreutils-8.21/bin:/nix/store/sls52f6fkpqfs0kj4w0k525v57zrsz9x-findutils-4.4.2/bin:/nix/store/937i66g191shz0hwzll61vmi0zvy3gwy-gnugrep-2.14/bin:/nix/store/93wabgii15q4d74fqgcpfka1qy42igr4-gnused-4.2.2/bin:/nix/store/sk3017fxx2vhj69saizk5634y3w6hqhn-systemd-212/bin:/nix/store/2wc50fcn54axkg2kk71jm2r5h0w5rbh6-openssh-6.6p1/sbin:/nix/store/qlg0baw29r7fj4isc2x47c05d8q7br2j-gawk-4.1.0/sbin:/nix/store/xdswdgz11w9lm9n9bzb6spl7dj45s2x2-coreutils-8.21/sbin:/nix/store/sls52f6fkpqfs0kj4w0k525v57zrsz9x-findutils-4.4.2/sbin:/nix/store/937i66g191shz0hwzll61vmi0zvy3gwy-gnugrep-2.14/sbin:/nix/store/93wabgii15q4d74fqgcpfka1qy42igr4-gnused-4.2.2/sbin:/nix/store/sk3017fxx2vhj69saizk5634y3w6hqhn-systemd-212/sbin
> X-StopIfChanged=false
> ExecStart=/nix/store/2wc50fcn54axkg2kk71jm2r5h0w5rbh6-openssh-6.6p1/sbin/sshd -i -f /nix/store/ai2a554az21b5zhd1kamcznbim4gd924-sshd_config
> ExecStartPre=/nix/store/i5wnidc4707k3pgcbhyjq3qb4ajgyx5n-unit-script/bin/sshd@-pre-start
> KillMode=process
> StandardInput=socket
> SuccessExitStatus=255
> ```

Yes.

> If I add that in, what about the normal exit status of 0? Would that override the successful exit code of 0?

No, it's always in addition to code 0 and signals SIGHUP, SIGINT, SIGTERM, and SIGPIPE.

Zbyszek
Re: [systemd-devel] systemd-socket-proxyd slapd
On Thu, Jul 17, 2014 at 09:43:48AM +0300, Suvendu Mitra wrote:
> I have changed proxy-to-directory-400.service as
>
> # cat proxy-to-directory-400.service
> [Unit]
> Requires=vgp.master-ldap-400.service
> After=vgp.master-ldap-400.service
> JoinsNamespaceOf=vgp.master-ldap-400.service
>
> [Service]
> ExecStart=/usr/lib/systemd/systemd-socket-proxyd ${HOSTNAME}:400
> PrivateTmp=yes
> PrivateNetwork=yes

I'd try without Private* settings. Also, replace /usr/lib/systemd/systemd-socket-proxyd with '/bin/strace -o /tmp/log /usr/lib/systemd/systemd-socket-proxyd' and look at the log file.

Zbyszek
[systemd-devel] Warnings from recent commits
From recent commits I have noticed the following new issues from static analysis with scan-build and with clang. I am not sure how they should be fixed (or even if) but I just thought I would let you know.

1) src/shared/barrier.c in barrier_read starting at line 274

    if (pfd[1].revents) {
            len = read(b->them, &buf, sizeof(buf));
            ...
    } else if (pfd[0].revents & (POLLHUP | POLLERR | POLLNVAL)) {
            ...
            buf = BARRIER_ABORTION;
    }

If neither if/else if are true then buf will be used unset.

2) src/resolve/resolved-dns-scope.c in dns_scope_tcp_socket

if s->link is null then ifindex will not be set but will be used later in:

    } else if (srv->family == AF_INET6) {
            sa.in6.sin6_port = htobe16(53);
            sa.in6.sin6_addr = srv->address.in6;
            sa.in6.sin6_scope_id = ifindex;
            salen = sizeof(sa.in6);

3) I see a couple of these:

    In file included from src/resolve/resolved-gperf.c:8:
    In file included from ./src/resolve/resolved.h:34:
    In file included from ./src/resolve/resolved-dns-query.h:33:
    In file included from ./src/resolve/resolved-dns-scope.h:33:
    ./src/resolve/resolved-dns-cache.h:45:3: warning: redefinition of typedef 'DnsCacheItem' is a C11 feature [-Wtypedef-redefinition]
    } DnsCacheItem;
      ^
    ./src/resolve/resolved-dns-cache.h:31:29: note: previous definition is here
    typedef struct DnsCacheItem DnsCacheItem;
                                ^
    1 warning generated.
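The first warning above, modelled as an added example that is not part of the original message and is not systemd's code: a wait on two descriptors in which the result is written only on paths that report success, and the case where neither branch matches returns an error instead of an unset value. `wait_peer`, `PEER_ABORTED` and the two-pipe setup in `main` are hypothetical names and constructed input.

```c
#include <errno.h>
#include <poll.h>
#include <stdint.h>
#include <unistd.h>

/* Hypothetical names: a model of the two-descriptor wait in the report,
 * not the code from src/shared/barrier.c. */
#define PEER_ABORTED UINT64_MAX

/* Wait for an 8-byte value on data_fd or a hang-up on alive_fd.
 * Returns 1 with *out written, 0 on timeout, -errno on error.
 * *out is written only on the paths that return 1. */
static int wait_peer(int alive_fd, int data_fd, int timeout_ms, uint64_t *out) {
        struct pollfd pfd[2] = {
                { .fd = alive_fd, .events = 0 },  /* HUP/ERR/NVAL are always reported */
                { .fd = data_fd, .events = POLLIN },
        };
        uint64_t buf;
        int r;

        do
                r = poll(pfd, 2, timeout_ms);
        while (r < 0 && errno == EINTR);
        if (r <= 0)
                return r < 0 ? -errno : 0;

        if (pfd[1].revents) {
                ssize_t len = read(data_fd, &buf, sizeof(buf));
                if (len < 0)
                        return -errno;
                if (len != (ssize_t) sizeof(buf))
                        return -EIO;  /* EOF or short read: no value to report */
        } else if (pfd[0].revents & (POLLHUP | POLLERR | POLLNVAL))
                buf = PEER_ABORTED;
        else
                return -EIO;          /* neither branch matched: never use buf unset */

        *out = buf;
        return 1;
}

int main(void) {
        int alive[2], data[2];
        uint64_t v = 0;
        if (pipe(alive) < 0 || pipe(data) < 0)
                return 1;
        close(alive[1]);  /* constructed input: the peer's end is closed */
        return !(wait_peer(alive[0], data[0], 100, &v) == 1 && v == PEER_ABORTED);
}
```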
Re: [systemd-devel] [PATCH 2/3] nspawn: use Barrier API instead of eventfd-util
On Thu, Jul 17, 2014 at 11:30:26AM +0200, David Herrmann wrote:
> Hi
>
> On Mon, Jul 14, 2014 at 3:28 AM, Djalal Harouni tix...@opendz.org wrote:
> > ppoll is atomic and it is handled by the kernel, so perhaps setting/restoring sigmask can be done easily! and for nspawn: IMO we need to receive SIGCHLD which implies EINTR. I say EINTR since not only for blocking read or infinite poll, but perhaps for all the other functions that the parent may do to setup the environment of the container, currently nspawn will set network interfaces before moving them into the container, it will also register the machine, and perhaps other operations... So having EINTR errors is useful here not only for direct reads, but for all the other calls that might block! IOW I think that nspawn should have an empty sig handler for SIGCHLD.
> >
> > Barrier reads already use poll and pipe to handle remote abortion since it can *not* be done by eventfd, yes this is perfect but for nspawn we can also achieve the same by combining eventfd and SIGCHLD! What do you think if we make Barrier use: eventfd+pipe and/or eventfd+SIGCHLD ?
> >
> > Most complex fork/clone code should receive SIGCHLD, and think about nspawn! we do want it to be as lightweight as possible, having 4 fds by default (2 eventfd + heavy pipe) may hit some resource limits quickly! compared to: 2 eventfd + empty sig handler!
>
> My first attempt was to use a signalfd on SIGCHLD + edge-triggered. If I don't read from the signalfd and only use it to wake up and call waitid(WNOWAIT), I won't interfere with other signalfds. However, this wasn't really more lightweight than the pipe-method so I ditched it.

Ok.

> Regarding dropping the pipe: pipe2() is _really_ fast. I mean, we're fork()ing and running like thousands of syscalls just during container setup. I cannot see how dropping one light pipe2 call is beneficial here? We also destroy the pipe before running the real container. So it's really just during setup.

Yes, compared to fork() and all the other stuff, pipe2() is fast. My concern was about the other resources that pipe needs and the fd limit. Of course, it depends on nspawn future and plans, 2 or 4 fds sure it will affect systems that will run multiple nspawn instances... but perhaps this is not an issue for nspawn!

Otherwise I'm ok with having a pipe as a mechanism to detect container failure, and a good point for general cases: it does not interfere with signal handlers.

Thanks!

--
Djalal Harouni
http://opendz.org
[systemd-devel] Forcing default route as the one provided by one interface
Newbie question: if I have two interfaces (in separate networks) with each of them using DHCP, how can I specify that I want the default route to be the one being obtained by, say, interface A? I read through http://www.freedesktop.org/software/systemd/man/systemd.network.html and did not see any option to specify that a given interface is providing the default gateway. Am I missing something? If such an option does not exist, would it be possible to have a, say, SetDefaultGateway/UseDefaultGateway (boolean) option to do so?