On Wed, 31 May 2017, Moritz Muehlenhoff wrote:

> Package: ferm
> Version: 2.3-2
> Severity: grave
>
> Ferm is broken in stretch for any rule set which contains resolve()
> statements.
> (There might be others relying on network, didn't check). This got introduced
> in 2.3-2, which now uses a Wants:/Before: network-pre.target
>
> In jessie, no systemd unit was provided and the sysvinit script translated to
>
> # systemctl cat ferm
> # /run/systemd/generator.late/ferm.service
> # Automatically generated by systemd-sysv-generator
>
> [Unit]
> SourcePath=/etc/init.d/ferm
> Description=LSB: ferm firewall configuration
> DefaultDependencies=no
> Before=sysinit.target
> After=network-online.target remote-fs.target
> Wants=network-online.target
>
> But since ferm.service is now executed before the network is up, any rule
> containing a resolve() statement now leads to a ferm startup failure:
>
> # journalctl -u ferm
> -- Logs begin at Wed 2017-05-31 10:53:35 UTC, end at Wed 2017-05-31 11:40:57
> UTC. --
> May 31 10:53:38 ms-be2001 ferm[1038]: Starting Firewall: fermError in
> /etc/ferm/conf.d/10_example line 4:
> May 31 10:53:38 ms-be2001 ferm[1038]: just.example.org
> May 31 10:53:38 ms-be2001 ferm[1038]: )
> May 31 10:53:38 ms-be2001 ferm[1038]:
> May 31 10:53:38 ms-be2001 ferm[1038]: )
> May 31 10:53:38 ms-be2001 ferm[1038]: <--
> May 31 10:53:38 ms-be2001 ferm[1038]: DNS query for 'just.example.org'
> failed: query timed out
> May 31 10:53:38 ms-be2001 ferm[1038]: failed!
> May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Main process exited,
> code=exited, status=101/n/a
> May 31 10:53:38 ms-be2001 systemd[1]: Failed to start ferm firewall
> configuration.
> May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Unit entered failed state.
> May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Failed with result
> 'exit-code'.
>
> I'm setting severity to "grave" since this breaks existing setups during the
> update
> from jessie to stretch.

Which is funny.
We had a bunch of bugs about ferm starting late where everyone stated it should be up before the network is up.
Someone should decide, which is not me. Therefore I don't think this is grave.

Alex
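The conflict in the quoted report can be checked before an upgrade. The following is an added example, not code from this thread or from ferm: it reads a unit's ordering and a ferm rule file and lists the hostnames that would be looked up before the network is up. The unit texts, the rule file and the `@resolve((...))` spelling are constructed or assumed for illustration.

```python
import re

# Constructed inputs. UNIT_STRETCH is an assumed shape for the 2.3-2 unit;
# the report only states that it uses Wants=/Before= network-pre.target.
UNIT_STRETCH = """[Unit]
Wants=network-pre.target
Before=network-pre.target
"""
UNIT_JESSIE = """[Unit]
Before=sysinit.target
After=network-online.target remote-fs.target
Wants=network-online.target
"""
FERM_CONF = """chain INPUT {
    saddr @resolve((
        just.example.org
    )) ACCEPT;
    # saddr @resolve(old.example.org) ACCEPT;
}
"""

def unit_ordering(unit_text):
    """Collect Before=/After= targets from the [Unit] section."""
    order, section = {"Before": set(), "After": set()}, None
    for line in map(str.strip, unit_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line
        elif section == "[Unit]" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() in order:
                order[key.strip()].update(value.split())
    return order

def resolve_hosts(ferm_text):
    """Hostnames passed to @resolve(), with # comments stripped first."""
    text = re.sub(r"#[^\n]*", "", ferm_text)
    hosts = []
    for args in re.findall(r"@resolve\(\s*\(?([^()]*)", text):
        # Drop an optional record-type argument after the comma.
        hosts += [h.strip("\"'") for h in args.split(",")[0].split()]
    return hosts

def boot_dns_risk(unit_text, ferm_text):
    """Hostnames whose lookup would run before any interface is configured."""
    order = unit_ordering(unit_text)
    pre_network = ("network-pre.target" in order["Before"]
                   and "network-online.target" not in order["After"])
    return resolve_hosts(ferm_text) if pre_network else []
```

A non-empty result means the firewall unit is ordered ahead of the network while its rules still depend on DNS, which is the combination that ends in the `status=101` startup failure shown in the log.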