Bug#759001: Bug#758992: krb5-kdc-ldap: please add systemd integration to ensure reliable startup
Hello Mike,

On Sun, 24 Aug 2014 00:31:09 +0200 Michael Biebl bi...@debian.org wrote:
> As far as insserv overrides go in systemd (#759001): Apparently there are only two packages using that mechanism: krb5-kdc-ldap and debian-edu-config (and the latter is very special in any case). So I'm not convinced spending time on teaching systemd about insserv overrides with the limited resources we have, is a good idea when we can just as well write one (or two service files). Therefore I'm inclined to tag #759001 as wontfix as far as myself goes.

Except that insserv overrides are also useful for a local admin. At my work, we use them for two specific purposes:

- for vendor-provided scripts without LSB headers, or with wrong LSB headers (this way we don't touch their garbage)
- for clustering. When a service is started by ctdb or corosync/pacemaker. This is needed because invoke-rc.d disable * doesn't edit the headers, and then insserv complains.

Point 2 is probably gone with systemd, but I don't know how to fix #1 in a systemd way.

Thanks for your hard work

Mathieu

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#758992: Bug#759001: Bug#758992: krb5-kdc-ldap: please add systemd integration to ensure reliable startup
Hi Sam

On 24.08.2014 01:53, Sam Hartman wrote:
> Well, I'll definitely be fixing the krb5-kdc-ldap issue by including units.

Thanks! If you need help with writing service units for krb5 or want review/feedback regarding systemd support, feel free to poke us at pkg-systemd-maintain...@lists.alioth.debian.org

Michael

--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Bug#758992: krb5-kdc-ldap: please add systemd integration to ensure reliable startup
Michael == Michael Biebl bi...@debian.org writes:

Michael> b/ make krb5-kdc-ship a drop-in snippet as
Michael> /lib/systemd/system/krb5-kcd.service.d/foo.conf which
Michael> augments the krb5-kcd.service with the necessary
Michael> dependencies/orderings.

Hmm. How will this work if an administrator overrides /lib/systemd/system/krb5-kdc.service with /etc/systemd/system/krb5-kdc.service? Will /lib/systemd/system/krb5-kdc.service.d be looked at in this case?

If so, that seems to violate policy's requirements regarding configuration files, because a user might well want to override whatever we put in foo.conf and possibly override it with nothing.

If krb5-kdc.service.d will be ignored from /lib/systemd/system if we have it in /etc/systemd/system then I think all will be fine.
Bug#758992: Bug#759001: Bug#758992: krb5-kdc-ldap: please add systemd integration to ensure reliable startup
On 24.08.2014 19:44, Sam Hartman wrote:
> Michael == Michael Biebl bi...@debian.org writes:
>
> Michael> b/ make krb5-kdc-ship a drop-in snippet as
> Michael> /lib/systemd/system/krb5-kcd.service.d/foo.conf which
> Michael> augments the krb5-kcd.service with the necessary
> Michael> dependencies/orderings.
>
> Hmm. How will this work if an administrator overrides /lib/systemd/system/krb5-kdc.service with /etc/systemd/system/krb5-kdc.service? will /lib/systemd/system/krb5-kdc.service.d be looked at in this case?

I think so, yes. Haven't tested this though. The override mechanism afaik only works on objects of the same name.

> If so, that seems to violate policy's requirements regarding configuration files, because a user might well want to override whatever we put in foo.conf and possibly override it with nothing.

Well, one could argue that the user also needs to override the drop-in snippet via a file in /etc/systemd/system/krb5-kdc.service.d in this case. This can be an empty file.

The extension mechanism via foo.service.d drop-ins is usually used for local modifications. So yeah, maybe this is the wrong tool for this particular case.

Michael
Bug#758992: krb5-kdc-ldap: please add systemd integration to ensure reliable startup
Package: krb5-kdc-ldap
Version: 1.12.1+dfsg-7
Severity: important

Dear Maintainer,

when testing the current jessie installation (with systemd) in a debian-lan setup, the kerberos kdc fails to start because slapd is not ready yet. This problem has happened before in wheezy from time to time, but seems to be reproducible now with systemd as init system.

Taking a closer look shows that slapd is started after the kdc (because of the identical time stamps I checked this in the syslog):

root@mainserver:~# systemctl status -l krb5-kdc krb5-admin-server slapd
krb5-kdc.service - LSB: MIT Kerberos KDC
   Loaded: loaded (/etc/init.d/krb5-kdc)
   Active: active (exited) since Sat 2014-08-23 16:43:21 CEST; 11min ago
  Process: 866 ExecStart=/etc/init.d/krb5-kdc start (code=exited, status=0/SUCCESS)

Aug 23 16:43:21 mainserver systemd[1]: Starting LSB: MIT Kerberos KDC...
Aug 23 16:43:21 mainserver krb5-kdc[866]: Starting Kerberos KDC: krb5kdckrb5kdc: cannot initialize realm INTERN - see log file for details
Aug 23 16:43:21 mainserver krb5-kdc[866]: failed!
Aug 23 16:43:21 mainserver systemd[1]: Started LSB: MIT Kerberos KDC.

krb5-admin-server.service - LSB: MIT Kerberos KDC administrative daemon
   Loaded: loaded (/etc/init.d/krb5-admin-server)
   Active: active (exited) since Sat 2014-08-23 16:43:21 CEST; 11min ago
  Process: 980 ExecStart=/etc/init.d/krb5-admin-server start (code=exited, status=0/SUCCESS)

Aug 23 16:43:21 mainserver systemd[1]: Starting LSB: MIT Kerberos KDC administrative daemon...
Aug 23 16:43:21 mainserver systemd[1]: Started LSB: MIT Kerberos KDC administrative daemon.
Aug 23 16:43:22 mainserver krb5-admin-server[980]: Starting Kerberos administrative servers: kadmindkadmind: Cannot bind to LDAP server 'ldapi://' as 'cn=kadmin,cn=kerberos,dc=intern': Can't contact LDAP server while initializing, aborting
Aug 23 16:43:22 mainserver krb5-admin-server[980]: failed!

slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
   Loaded: loaded (/etc/init.d/slapd)
   Active: active (running) since Sat 2014-08-23 16:43:22 CEST; 11min ago
  Process: 854 ExecStart=/etc/init.d/slapd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/slapd.service
           └─1104 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d

Aug 23 16:43:21 mainserver systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Aug 23 16:43:21 mainserver slapd[954]: @(#) $OpenLDAP: slapd (Mar 17 2014 22:34:49) @borges:/home/devel/openldap/build-area/openldap-2.4.39/debian/build/servers/slapd
Aug 23 16:43:22 mainserver slapd[1104]: slapd starting
Aug 23 16:43:22 mainserver slapd[854]: Starting OpenLDAP: slapd.
Aug 23 16:43:22 mainserver systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).

With systemV in place, '/etc/insserv/overrides/krb5-kdc' was used to make sure slapd is running before the kdc is started, this seems to fail with systemd. (This did not work in all cases, as slapd sometimes wasn't ready although started ...).

However, it would be nice to solve this problem reliably with systemd by providing a proper integration making sure the dependent services are available when needed.

Best regards,

Andi
Bug#758992: krb5-kdc-ldap: please add systemd integration to ensure reliable startup
Russ, thoughts on what is the right way to manage the dependency between krb5-kdc-ldap and slapd in systemd?
Bug#758992: krb5-kdc-ldap: please add systemd integration to ensure reliable startup
control: clone -1 -2
control: retitle -2 Systemd needs to respect /etc/innserv/overrides
control: reassign -2 systemd
control: severity -2 important
control: found -2 systemd/208-6

justification: Breaks unrelated packages at boot. That should be RC except that I think insserv overrides are probably uncommon enough that that would be excessive. However this definitely will create situations where upgrading to systemd breaks working systems.

If you are using Kerberos and LDAP together, it is important (generally) for Kerberos to start after ldap. However, if you are not, you probably want Kerberos to start before LDAP.

The plugin that performs the integration installs an insserv override to accomplish this. However, systemd does not respect that and gets the wrong lsb dependency information.

I suspect we'll be installing systemd units prior to Jessie release, but the current behavior is a regression.

--Sam
Bug#758992: krb5-kdc-ldap: please add systemd integration to ensure reliable startup
Sam Hartman hartm...@debian.org writes:

> Russ, thoughts on what is the right way to manage the dependency between krb5-kdc-ldap and slapd in systemd?

Well, socket activation for slapd would probably make this problem go away completely, so I think that would be the ideal solution.

Failing that, could krb5-kdc-ldap introduce a somewhat artificial service that exists solely to be Before krb5-kdc and After slapd, thus forcing the ordering constraint? I think that would be the native systemd equivalent of an insserv override.

--
Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/
Bug#758992: krb5-kdc-ldap: please add systemd integration to ensure reliable startup
Russ == Russ Allbery r...@debian.org writes:

Russ> Failing that, could krb5-kdc-ldap introduce a somewhat
Russ> artificial service that exists solely to be Before krb5-kdc
Russ> and After slapd, thus forcing the ordering constraint? I
Russ> think that would be the native systemd equivalent of an
Russ> insserv override.

Can we have a service without ExecStart?
Bug#758992: krb5-kdc-ldap: please add systemd integration to ensure reliable startup
On Sat, Aug 23, 2014 at 11:19:44AM -0700, Russ Allbery wrote:
> Sam Hartman hartm...@debian.org writes:
>
>> Russ, thoughts on what is the right way to manage the dependency between krb5-kdc-ldap and slapd in systemd?
>
> Well, socket activation for slapd would probably make this problem go away completely, so I think that would be the ideal solution.

Nod

> Failing that, could krb5-kdc-ldap introduce a somewhat artificial service that exists solely to be Before krb5-kdc and After slapd, thus forcing the ordering constraint? I think that would be the native systemd equivalent of an insserv override.

Two more suggestions:

a/ let krb5-kdc-ldap ship a service file (with the proper dependencies and orderings) which conflicts with the krb5-kdc service. This will remove krb5-kdc from the start sequence.

b/ make krb5-kdc-ship a drop-in snippet as /lib/systemd/system/krb5-kcd.service.d/foo.conf which augments the krb5-kcd.service with the necessary dependencies/orderings.

As far as insserv overrides go in systemd (#759001): Apparently there are only two packages using that mechanism: krb5-kdc-ldap and debian-edu-config (and the latter is very special in any case). So I'm not convinced spending time on teaching systemd about insserv overrides with the limited resources we have, is a good idea when we can just as well write one (or two service files). Therefore I'm inclined to tag #759001 as wontfix as far as myself goes.
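Option b/ above, applied to the local-admin case of an insserv override, as an added example that is not part of the thread or of any Debian package: a POSIX shell function that reads the LSB header of an override file and prints the matching ordering drop-in. The helper names, the sample header and the facility-to-target mapping are assumptions of this example, and only ordering (After=) is emitted.

```shell
# Added example: turn the LSB header of an insserv override into a systemd
# ordering drop-in. Helper names and the sample header are constructed.

# Map one LSB token to a systemd unit; prints nothing when there is no match.
lsb_unit() {
    case "$1" in
        '$local_fs')  echo local-fs.target ;;
        '$remote_fs') echo remote-fs.target ;;
        '$network')   echo network-online.target ;;
        '$named')     echo nss-lookup.target ;;
        '$time')      echo time-sync.target ;;
        '$portmap')   echo rpcbind.target ;;
        '$'*)         ;;   # $syslog, $all, unknown facilities: skipped
        *)            echo "$1.service" ;;
    esac
}

# Read an LSB header on stdin and print a [Unit] drop-in on stdout.
lsb_to_dropin() {
    after=""
    while IFS= read -r line; do
        case "$line" in
            '# Required-Start:'*|'# Should-Start:'*) ;;
            *) continue ;;
        esac
        for tok in ${line#*:}; do
            unit=$(lsb_unit "$tok")
            [ -n "$unit" ] || continue
            # Keep each unit once, in first-seen order.
            case " $after " in *" $unit "*) ;; *) after="$after $unit" ;; esac
        done
    done
    printf '[Unit]\n'
    [ -z "$after" ] || printf 'After=%s\n' "${after# }"
}

# Constructed sample override that orders the KDC after slapd.
sample_override() {
    cat <<'EOF'
### BEGIN INIT INFO
# Provides:          krb5-kdc
# Required-Start:    $local_fs $remote_fs $network $syslog slapd
# Required-Stop:     $local_fs $remote_fs $network $syslog slapd
### END INIT INFO
EOF
}

sample_override | lsb_to_dropin
```

Saved as a `.conf` file under /etc/systemd/system/krb5-kdc.service.d/, the output is picked up after `systemctl daemon-reload`.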
Bug#758992: Bug#759001: Bug#758992: krb5-kdc-ldap: please add systemd integration to ensure reliable startup
On 24.08.2014 00:31, Michael Biebl wrote:
> b/ make krb5-kdc-ship a drop-in snippet as
          ^ meant krb5-kdc-ldap here
Bug#758992: Bug#759001: Bug#758992: krb5-kdc-ldap: please add systemd integration to ensure reliable startup
Well, I'll definitely be fixing the krb5-kdc-ldap issue by including units. I had no idea that insserv-overrides were quite that unused.