Re: when the sshd hits the fan
On Wed, Sep 23, 2015, at 10:35, Glenn English wrote:
> Mildly OT from a profound BSD noob:
>
> Why is it necessary to have SSH working before the system has finished
> booting? That 'Welcome' menu times out, so I can't think of a reason, or
> find one from Goggle, for needing console access after a power failure
> reboot. What am I unaware of?
>

My favorite example is when an NFS issue delays boot indefinitely and you can't even SSH in to whack it with a hammer.

--
Mark Felder
ports-secteam member
f...@freebsd.org

___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"

Re: when the sshd hits the fan
On Sep 23, 2015, at 1:13 PM, Lowell Gilbert wrote:

> Yes; that's done with rcorder(8). The startup order isn't completely
> defined, just the dependencies that require being started before (or,
> occasionally, after) some other service.

Well, that's all that matters, except for getting SSH going before something gets stuck.

--
Glenn English

Re: when the sshd hits the fan
Glenn English writes:

> On Sep 23, 2015, at 10:00 AM, Michael Loftis wrote:
>
>> That's the most common thing, RC scripts hanging waiting on external
>> resources while you're locked out simply because sshd starts
>> ridiculously late. Very common problem.
>
> If properly configed, shouldn't things come up in order, with their
> dependencies already running? Or is specifying boot order not possible
> on FBSD?

Yes; that's done with rcorder(8). The startup order isn't completely defined, just the dependencies that require being started before (or, occasionally, after) some other service.

> I can certainly understand the possible need for SSH, just for incase,
> but I'd think things could be set to do stuff in the proper
> order. Except for cyclic dependencies, of course -- a significant bug
> for the maintainers.

The discussion here is whether the "proper order" should be changed from the current default. As for cycles in the graph, rcorder already detects that.

Re: when the sshd hits the fan
> On 23 September 2015, at 03:44, Kurt Jaeger wrote:
>
> Hi!
>
>>> I'm trying to understand why the sshd still starts after local daemons,
>>> out-of-the-box, and what it takes to make this extremely vital service
>>> to start before non-system (local) ones. I bet I'm not the first one to
>>> ask, so why isn't this already done ? Seems quite easy for me.
>>
>> The fix is quite simple: Add
>>
>> # BEFORE: mail
>>
>> to /etc/rc.d/sshd
>>
>> I tried to submit a PR on that about a year ago, but it never
>> seemed to make it into the PR system.
>
> It did enter the PR system.
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190447
>
> I'll have a look at it, it annoys me as well 8-}

Thanks. I never could find that PR in the database. Guess I don’t quite understand how to successfully search it ;-)

Re: when the sshd hits the fan
On Sep 23, 2015, at 10:00 AM, Michael Loftis wrote:

> Sendmail for one can hang for stupidly long times waiting in dead resolvers
> before allowing the system to continue booting.

So replace it with Postfix? I've been using it (on Debian Linux) for decades without any problems. AFAIK, it doesn't do anything pathological like that. It just reads its config and starts waiting for email.

> That's the most common thing, RC scripts hanging waiting on external
> resources while you're locked out simply because sshd starts ridiculously
> late. Very common problem.

If properly configed, shouldn't things come up in order, with their dependencies already running? Or is specifying boot order not possible on FBSD?

I can certainly understand the possible need for SSH, just for incase, but I'd think things could be set to do stuff in the proper order. Except for cyclic dependencies, of course -- a significant bug for the maintainers.

--
Glenn English

Re: when the sshd hits the fan
Hi.

On 23.09.2015 20:35, Glenn English wrote:
> Mildly OT from a profound BSD noob:
>
> Why is it necessary to have SSH working before the system has finished
> booting? That 'Welcome' menu times out, so I can't think of a reason, or
> find one from Goggle, for needing console access after a power failure
> reboot. What am I unaware of?

Because in the case of a remote server the absence of sshd can prevent you from logging in for several minutes, even dozens of minutes, and this can be pretty harmful in a production environment.

Eugene.

Re: when the sshd hits the fan
On Wed, Sep 23, 2015 at 09:35:09AM -0600, Glenn English wrote:
> Mildly OT from a profound BSD noob:
>
> Why is it necessary to have SSH working before the system has
> finished booting? That 'Welcome' menu times out, so I can't think of
> a reason, or find one from Goggle, for needing console access after
> a power failure reboot. What am I unaware of?

For fixing configuration issues, blocking some services (ordering before sshd).

Re: when the sshd hits the fan
Sendmail for one can hang for stupidly long times waiting in dead resolvers before allowing the system to continue booting.

That's the most common thing, RC scripts hanging waiting on external resources while you're locked out simply because sshd starts ridiculously late. Very common problem.

On Wednesday, September 23, 2015, Glenn English wrote:

> Mildly OT from a profound BSD noob:
>
> Why is it necessary to have SSH working before the system has finished
> booting? That 'Welcome' menu times out, so I can't think of a reason, or
> find one from Goggle, for needing console access after a power failure
> reboot. What am I unaware of?
>
> --
> Glenn English

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds."
-- Samuel Butler

Re: when the sshd hits the fan
Mildly OT from a profound BSD noob:

Why is it necessary to have SSH working before the system has finished booting? That 'Welcome' menu times out, so I can't think of a reason, or find one from Goggle, for needing console access after a power failure reboot. What am I unaware of?

--
Glenn English

Re: when the sshd hits the fan
On Wed, Sep 23, 2015 at 3:57 AM, Doug Hardie wrote:
>
>> On 23 September 2015, at 01:44, Eugene M. Zheganin
>> wrote:
>>
>> Hi.
>>
>> I'm trying to understand why the sshd still starts after local daemons,
>> out-of-the-box, and what it takes to make this extremely vital service
>> to start before non-system (local) ones. I bet I'm not the first one to
>> ask, so why isn't this already done ? Seems quite easy for me.
>
> The fix is quite simple: Add
>
> # BEFORE: mail
>
> to /etc/rc.d/sshd
>
> I tried to submit a PR on that about a year ago, but it never seemed to make
> it into the PR system. Many of my servers are remote and if there is an
> issue with a port, I still need a way into the system other than driving for
> hours. This works. Sshd is started early in the sequence and I can at least
> ssh into the server. It won’t help though if there is a syntax error in
> /etc/rc.conf. Those are pretty much fatal.
>

This technique works. But if you use it, then before you reboot, remember to run "rcorder /etc/rc.d/* /usr/local/etc/rc.d/*" and make sure there aren't any errors about "Circular dependency". If there are, then the service startup order is almost guaranteed to be something you don't want.

-Alan

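The pre-reboot check described in the message above, as an added example that is not part of the original thread: a POSIX sh function that inspects saved rcorder output for a "Circular dependency" report and for services ordered ahead of sshd. The function names, the file arguments and the sample ordering are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). On the FreeBSD host, capture:
#   rcorder /etc/rc.d/* /usr/local/etc/rc.d/* >order.txt 2>err.txt
# then run: check_rc_order order.txt err.txt <service>...

# check_rc_order ORDER_FILE ERR_FILE [SERVICE...]
# Returns 0 when the order is usable, 1 when rcorder reported a circular
# dependency, 2 when sshd is absent or a named service precedes it.
check_rc_order() {
    order_file=$1; err_file=$2; shift 2

    # Show any cycle report and stop: the resulting order is unreliable.
    if grep -i 'circular dependency' "$err_file" >&2; then
        echo "FAIL: fix the cycle before rebooting" >&2
        return 1
    fi

    # Position of the script whose basename is exactly "sshd".
    sshd_pos=$(awk -F/ '$NF == "sshd" { print NR; exit }' "$order_file")
    if [ -z "$sshd_pos" ]; then
        echo "FAIL: sshd not present in the ordering" >&2
        return 2
    fi

    rc=0
    for svc in "$@"; do
        pos=$(awk -F/ -v s="$svc" '$NF == s { print NR; exit }' "$order_file")
        [ -n "$pos" ] || continue          # script not installed here
        if [ "$pos" -lt "$sshd_pos" ]; then
            echo "WARN: $svc (#$pos) starts before sshd (#$sshd_pos)" >&2
            rc=2
        fi
    done
    return "$rc"
}

# Constructed sample: an ordering where sendmail precedes sshd and no
# cycle is reported. Returns the status of the check on that sample.
demo_constructed() {
    d=$(mktemp -d) || return 99
    printf '%s\n' /etc/rc.d/netif /etc/rc.d/sendmail /etc/rc.d/sshd \
        /usr/local/etc/rc.d/apache24 >"$d/order.txt"
    : >"$d/err.txt"
    check_rc_order "$d/order.txt" "$d/err.txt" sendmail apache24
    status=$?
    rm -rf "$d"
    return "$status"
}
```
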
Re: when the sshd hits the fan
Hi.

On 23.09.2015 18:32, Dag-Erling Smørgrav wrote:
> "Eugene M. Zheganin" writes:
>> I'm trying to understand why the sshd still starts after local daemons,
>> out-of-the-box, and what it takes to make this extremely vital service
>> to start before non-system (local) ones. I bet I'm not the first one to
>> ask, so why isn't this already done ? Seems quite easy for me.
>
> "non-system (local)" services can also be extremely vital: quagga, for
> instance. In practice, it is probably fine to move sshd before LOGIN.

I have spoken with some local FreeBSD gurus and some of the FreeBSD developers. There's two opinions on that:

- conservative one: no rcorder modification is required, however, LOGIN target should be split in two, for maintaining a working securitylevel feature, LOGIN1 and LOGIN2. And sshd should require LOGIN1. And all the non-base services should require LOGIN2. And this requires modification of all the ports, thus making this way unusable.

- modern one: rcorder coding is required, to start base system services before the non-base. I have spoken with one of the pkgng authors, he's able to help, but this requires some funding, because he's currently working on pkg and cannot provide more resources on fee-free basis.

So, the question is, can we fund this from FreeBSD Foundation or some other sources ? Reading this thread I understand that this question arises quite often, and it seems like no one is willing to code on his own.

Eugene.

Re: when the sshd hits the fan
On Wed, Sep 23, 2015 at 01:37:30PM +0100, Matt Smith wrote:
> If this type of thing is being done on the base system sshd it would
> also be useful to look at the port version of ssh as well? I use the
> port and it has always annoyed me that I get constant "connection
> refused" whilst I'm waiting for the server to fully boot up!

Tangential, but in case it's useful to anyone else:

    until ssh -o ConnectTimeout=2 $host; do sleep 1; done

I do this all the time for hosts where I'm waiting on boot. The timeouts and connection refused messages serve as counters so I can do other things while waiting and have an objective measure of whether or not I've waited too long for a host to come up. Also handy is that it will automatically reconnect on anything other than a deliberate log out.

-Snow

Re: when the sshd hits the fan
"Eugene M. Zheganin" writes:
> I'm trying to understand why the sshd still starts after local daemons,
> out-of-the-box, and what it takes to make this extremely vital service
> to start before non-system (local) ones. I bet I'm not the first one to
> ask, so why isn't this already done ? Seems quite easy for me.

"non-system (local)" services can also be extremely vital: quagga, for instance. In practice, it is probably fine to move sshd before LOGIN.

DES
--
Dag-Erling Smørgrav - d...@des.no

Re: when the sshd hits the fan
On Sep 23 12:44, Kurt Jaeger wrote:
> It did enter the PR system.
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190447
>
> I'll have a look at it, it annoys me as well 8-}

If this type of thing is being done on the base system sshd it would also be useful to look at the port version of ssh as well? I use the port and it has always annoyed me that I get constant "connection refused" whilst I'm waiting for the server to fully boot up!

--
Matt

Re: when the sshd hits the fan
Eugene M. Zheganin wrote on 09/23/2015 12:38:

>> I was thinking about this a long time ago and instead of trying to
>> change FreeBSD,
>
> But why ?

I tried it before with some other changes (e-mails / PRs can be found) without much success so I gave up. I rather keep my changes local without modification of FreeBSD sources.

Miroslav Lachman

Re: when the sshd hits the fan
Hi!

> > I'm trying to understand why the sshd still starts after local daemons,
> > out-of-the-box, and what it takes to make this extremely vital service
> > to start before non-system (local) ones. I bet I'm not the first one to
> > ask, so why isn't this already done ? Seems quite easy for me.
>
> The fix is quite simple: Add
>
> # BEFORE: mail
>
> to /etc/rc.d/sshd
>
> I tried to submit a PR on that about a year ago, but it never
> seemed to make it into the PR system.

It did enter the PR system.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190447

I'll have a look at it, it annoys me as well 8-}

--
p...@opsec.eu +49 171 3101372 5 years to go !

Re: when the sshd hits the fan
Hi.

On 23.09.2015 15:11, Miroslav Lachman wrote:
> Eugene M. Zheganin wrote on 09/23/2015 10:44:
>> Hi.
>>
>> I'm trying to understand why the sshd still starts after local daemons,
>> out-of-the-box, and what it takes to make this extremely vital service
>> to start before non-system (local) ones. I bet I'm not the first one to
>> ask, so why isn't this already done ? Seems quite easy for me.
>
> I was thinking about this a long time ago and instead of trying to
> change FreeBSD,

But why ?

> I just added one simple file on each of our servers:
>
>
> ~/> cat /usr/local/etc/rc.d/sshd_reorder
> #!/bin/sh
>
> # PROVIDE: sshd_reorder
> # REQUIRE: LOGIN sshd
>
> ## this file is just to start sshd earlier on the boot
> ## mainly before long starting processes like jails, mysql, apache etc.
> ##
> ## place this file in to /usr/local/etc/rc.d/sshd_reorder
> ## and make it executable chmod 0555 /usr/local/etc/rc.d/sshd_reorder
>
>
> It is not perfect, because some services are still started before sshd.
>

Yeah, as I said, workaround is quite simple. But I don't see a single reason to avoid committing this (or similar) workaround to the official source tree. This would rid lots of people to reapply this fix during each upgrade cycle, thus making the life easier.

Eugene.

Re: when the sshd hits the fan
Eugene M. Zheganin wrote on 09/23/2015 10:44:
> Hi.
>
> I'm trying to understand why the sshd still starts after local daemons,
> out-of-the-box, and what it takes to make this extremely vital service
> to start before non-system (local) ones. I bet I'm not the first one to
> ask, so why isn't this already done ? Seems quite easy for me.

I was thinking about this a long time ago and instead of trying to change FreeBSD, I just added one simple file on each of our servers:

    ~/> cat /usr/local/etc/rc.d/sshd_reorder
    #!/bin/sh

    # PROVIDE: sshd_reorder
    # REQUIRE: LOGIN sshd

    ## this file is just to start sshd earlier on the boot
    ## mainly before long starting processes like jails, mysql, apache etc.
    ##
    ## place this file in to /usr/local/etc/rc.d/sshd_reorder
    ## and make it executable chmod 0555 /usr/local/etc/rc.d/sshd_reorder

It is not perfect, because some services are still started before sshd.

Miroslav Lachman

Re: when the sshd hits the fan
> On 23 September 2015, at 01:44, Eugene M. Zheganin wrote:
>
> Hi.
>
> I'm trying to understand why the sshd still starts after local daemons,
> out-of-the-box, and what it takes to make this extremely vital service
> to start before non-system (local) ones. I bet I'm not the first one to
> ask, so why isn't this already done ? Seems quite easy for me.

The fix is quite simple: Add

    # BEFORE: mail

to /etc/rc.d/sshd

I tried to submit a PR on that about a year ago, but it never seemed to make it into the PR system. Many of my servers are remote and if there is an issue with a port, I still need a way into the system other than driving for hours. This works. Sshd is started early in the sequence and I can at least ssh into the server. It won’t help though if there is a syntax error in /etc/rc.conf. Those are pretty much fatal.