Bug#863802: systemd unit breaks ferm in some setups in jessie->stretch upgrade

2017-06-06 Thread Moritz Muehlenhoff
On Wed, May 31, 2017 at 02:08:35PM +0200, Alexander Wirt wrote:
> Someone should decide, which is not me. Therefore I don't think this is
> grave.

Feel free to downgrade. I've only marked it RC due to possible jessie->
stretch upgrade problems.

I'm attaching a service unit which waits for name resolution (for people
rebuilding the package or dropping that one into /etc/systemd/system)

Cheers,
Moritz
[Unit]
Description=ferm firewall configuration
After=nss-lookup.target network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/init.d/ferm start
ExecReload=/etc/init.d/ferm reload
ExecStop=/etc/init.d/ferm stop

[Install]
WantedBy=multi-user.target


Bug#863802: systemd unit breaks ferm in some setups in jessie->stretch upgrade

2017-05-31 Thread Alexander Wirt
On Wed, 31 May 2017, Moritz Muehlenhoff wrote:

> Package: ferm
> Version: 2.3-2
> Severity: grave
> 
> Ferm is broken in stretch for any rule set which contains resolve() 
> statements.
> (There might be others relying on network, didn't check). This got introduced
> in 2.3-2, which now uses a Wants:/Before: network-pre.target
> 
> In jessie, no systemd unit was provided and the sysvinit script translated to
> 
> # systemctl cat ferm
> # /run/systemd/generator.late/ferm.service
> # Automatically generated by systemd-sysv-generator
> 
> [Unit]
> SourcePath=/etc/init.d/ferm
> Description=LSB: ferm firewall configuration
> DefaultDependencies=no
> Before=sysinit.target
> After=network-online.target remote-fs.target
> Wants=network-online.target
>  
> But since ferm.service is now executed before the network is up, any rule
> containing a resolve() statement now leads to a ferm startup failure:
> 
> # journalctl -u ferm
> -- Logs begin at Wed 2017-05-31 10:53:35 UTC, end at Wed 2017-05-31 11:40:57 UTC. --
> May 31 10:53:38 ms-be2001 ferm[1038]: Starting Firewall: fermError in /etc/ferm/conf.d/10_example line 4:
> May 31 10:53:38 ms-be2001 ferm[1038]: just.example.org
> May 31 10:53:38 ms-be2001 ferm[1038]: )
> May 31 10:53:38 ms-be2001 ferm[1038]:
> May 31 10:53:38 ms-be2001 ferm[1038]: )
> May 31 10:53:38 ms-be2001 ferm[1038]: <--
> May 31 10:53:38 ms-be2001 ferm[1038]: DNS query for 'just.example.org' failed: query timed out
> May 31 10:53:38 ms-be2001 ferm[1038]:  failed!
> May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Main process exited, code=exited, status=101/n/a
> May 31 10:53:38 ms-be2001 systemd[1]: Failed to start ferm firewall configuration.
> May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Unit entered failed state.
> May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Failed with result 'exit-code'.
>  
> I'm setting severity to "grave" since this breaks existing setups during the
> update from jessie to stretch.
Which is funny. We had a bunch of bugs about ferm starting late where
everyone stated it should be up before the network is up. 

Someone should decide, which is not me. Therefore I don't think this is
grave.

Alex



Bug#863802: systemd unit breaks ferm in some setups in jessie->stretch upgrade

2017-05-31 Thread Moritz Muehlenhoff
Package: ferm
Version: 2.3-2
Severity: grave

Ferm is broken in stretch for any rule set which contains resolve() statements.
(There might be others relying on network, didn't check). This got introduced
in 2.3-2, which now uses a Wants:/Before: network-pre.target

In jessie, no systemd unit was provided and the sysvinit script translated to

# systemctl cat ferm
# /run/systemd/generator.late/ferm.service
# Automatically generated by systemd-sysv-generator

[Unit]
SourcePath=/etc/init.d/ferm
Description=LSB: ferm firewall configuration
DefaultDependencies=no
Before=sysinit.target
After=network-online.target remote-fs.target
Wants=network-online.target
 
But since ferm.service is now executed before the network is up, any rule
containing a resolve() statement now leads to a ferm startup failure:

# journalctl -u ferm
-- Logs begin at Wed 2017-05-31 10:53:35 UTC, end at Wed 2017-05-31 11:40:57 UTC. --
May 31 10:53:38 ms-be2001 ferm[1038]: Starting Firewall: fermError in /etc/ferm/conf.d/10_example line 4:
May 31 10:53:38 ms-be2001 ferm[1038]: just.example.org
May 31 10:53:38 ms-be2001 ferm[1038]: )
May 31 10:53:38 ms-be2001 ferm[1038]:
May 31 10:53:38 ms-be2001 ferm[1038]: )
May 31 10:53:38 ms-be2001 ferm[1038]: <--
May 31 10:53:38 ms-be2001 ferm[1038]: DNS query for 'just.example.org' failed: query timed out
May 31 10:53:38 ms-be2001 ferm[1038]:  failed!
May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Main process exited, code=exited, status=101/n/a
May 31 10:53:38 ms-be2001 systemd[1]: Failed to start ferm firewall configuration.
May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Unit entered failed state.
May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Failed with result 'exit-code'.
 
I'm setting severity to "grave" since this breaks existing setups during the
update from jessie to stretch.

Possible fixes:
- Revert to the status quo from jessie by reverting the changes from 2.3-2 (ugly)
- Split into two services, e.g. ferm-base.service loading a base rule set which
  runs on network-pre.target and ferm-extended.service which runs on
  nss-lookup.target or network.target

Cheers,
Moritz
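An added check, not part of this bug report or the ferm package, that detects the ordering problem the report describes: it parses a unit file's [Unit] section and flags a unit ordered Before=network-pre.target (or lacking any After= on a resolver-ready target) when the ferm rule set calls resolve(). The rule fragment and the two unit snippets are constructed inputs modelled on the report; the set of "resolver-ready" targets is an assumption.

```python
import re

# Constructed sample inputs, not the files from the bug report: a ferm rule using
# resolve(), the 2.3-2 ordering the report describes, and the attached unit's ordering.
FERM_CONF = "chain INPUT { saddr @resolve((just.example.org)) proto tcp dport ssh ACCEPT; }"
UNIT_2_3_2 = "[Unit]\nWants=network-pre.target\nBefore=network-pre.target\n"
UNIT_FIXED = "[Unit]\nAfter=nss-lookup.target network-online.target\n"

# Assumption: targets after which name resolution can reasonably be expected to work.
RESOLVER_READY = {"nss-lookup.target", "network-online.target", "network.target"}


def parse_unit(text):
    """Minimal parser for systemd unit files: {section: {key: [values]}}.
    Repeated keys accumulate and space-separated lists are split, as systemd does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).extend(value.split())
    return sections


def uses_resolve(ferm_conf):
    """True if the rule set calls ferm's resolve() function (with or without '@')."""
    return re.search(r"@?resolve\s*\(", ferm_conf) is not None


def check_ordering(unit_text, ferm_conf):
    """Return findings for a unit/rule-set pair; an empty list means the ordering is safe."""
    findings = []
    if not uses_resolve(ferm_conf):
        return findings  # no DNS lookups at load time, so an early start is fine
    unit = parse_unit(unit_text).get("Unit", {})
    if "network-pre.target" in unit.get("Before", []):
        findings.append("Before=network-pre.target but rule set needs DNS via resolve()")
    if not RESOLVER_READY & set(unit.get("After", [])):
        findings.append("no After= ordering on a resolver-ready target")
    return findings


if __name__ == "__main__":
    for name, unit in (("ferm 2.3-2", UNIT_2_3_2), ("attached unit", UNIT_FIXED)):
        print(name, "->", check_ordering(unit, FERM_CONF) or ["ok"])
```

Running it on the jessie generator unit from the report (After=network-online.target, Before=sysinit.target) also yields no findings, which matches the behaviour the reporter says worked before the upgrade.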