11.03.2016 00:11, Orion Poplawski wrote:
> Uoti Urpala <uoti.urpala <at> pp1.inet.fi> writes:
>
>>
>> On Thu, 2016-03-10 at 17:51 +0000, Orion Poplawski wrote:
>>> Orion Poplawski <orion <at> cora.nwra.com> writes:
>>>>
>>>> # systemctl restart firewalld
>>>> Failed to restart firewalld.service: Transaction contains
>>>> conflicting jobs
>>>> 'restart' and 'stop' for fail2ban.service. Probably contradicting
>>>> requirement dependencies configured.
>>
>>> It appears that this is a trigger for this issue. Removing the
>>> conflicts=iptables.service removes it. This seems like a bug to me
>>> though -
>>> why is iptables being brought in if the PartOf= is a one-way dep?
>>
>> I guess it's because firewalld.service has
>> "Conflicts=iptables.service", and thus (re)starting firewalld.service
>> stops iptables.service; fail2ban.service has PartOf to both, thus both
>> the restart and stop are propagated, and conflict.
>
> Can't the stop of iptables be dropped because the service is already stopped
> (or more likely not even present)?
>
>> Claiming a PartOf relationship to both of two conflicting services is
>> the problem here. I doubt such a use case was what PartOf was designed
>> to support.
>
>
> The problem is that fail2ban can work with either iptables.service or
> fail2ban.service, and we don't know which one the user wants to use. And we
> need fail2ban to be restarted if either firewalld or iptables is restarted.
> If there is some other supported way of achieving this, that would be
> welcome. Otherwise this strikes me as something that should be able to be
> handled as is.

One possible implementation is to have firewall.target and make all other services (firewalld, iptables and fail2ban) PartOf this target. You would then start/stop firewall.target instead of individual services.

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
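
A small check for the configuration discussed in this thread, as an added example that is not part of the original messages: it flags any unit whose PartOf= names both sides of a Conflicts= pair. The unit fragments are constructed samples modelled on the thread, not the packaged unit files, and the function names are hypothetical.

```python
# Constructed sample fragments modelled on the thread (not the real packaged units).
UNITS = {
    "firewalld.service": "[Unit]\nDescription=firewalld\nConflicts=iptables.service\n",
    "iptables.service": "[Unit]\nDescription=IPv4 firewall with iptables\n",
    "fail2ban.service": "[Unit]\nPartOf=firewalld.service iptables.service\n",
}


def parse_deps(text):
    """Collect PartOf= and Conflicts= values from the [Unit] section of a unit file."""
    deps = {"PartOf": set(), "Conflicts": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Unit" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in deps:
            # Both settings take a space-separated list and may be repeated.
            deps[key.strip()].update(value.split())
    return deps


def find_partof_conflicts(units):
    """Return (unit, (a, b)) for every unit that is PartOf= both a and b
    while a and b are tied together by Conflicts=."""
    parsed = {name: parse_deps(text) for name, text in units.items()}
    # Conflicts= works in both directions, so store each pair unordered.
    pairs = {frozenset((name, other))
             for name, deps in parsed.items() for other in deps["Conflicts"]}
    findings = []
    for name, deps in sorted(parsed.items()):
        for pair in sorted(pairs, key=sorted):
            if len(pair) == 2 and pair <= deps["PartOf"]:
                findings.append((name, tuple(sorted(pair))))
    return findings


if __name__ == "__main__":
    for unit, (a, b) in find_partof_conflicts(UNITS):
        print(f"{unit}: PartOf= lists both {a} and {b}, which conflict")
```
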