Andrei Borzenkov wrote on 11/03/16 03:36:
> 11.03.2016 00:11, Orion Poplawski wrote:
>> Uoti Urpala <uoti.urpala <at> pp1.inet.fi> writes:
>>
>>>
>>> On Thu, 2016-03-10 at 17:51 +0000, Orion Poplawski wrote:
>>>> Orion Poplawski <orion <at> cora.nwra.com> writes:
>>>>>
>>>>> # systemctl restart firewalld
>>>>> Failed to restart firewalld.service: Transaction contains
>>>>> conflicting jobs
>>>>> 'restart' and 'stop' for fail2ban.service. Probably contradicting
>>>>> requirement dependencies configured.
>>>
>>>> It appears that this is a trigger for this issue. Removing the
>>>> conflicts=iptables.service removes it. This seems like a bug to me
>>>> though -
>>>> why is iptables being brought in if the PartOf= is a one-way dep?
>>>
>>> I guess it's because firewalld.service has
>>> "Conflicts=iptables.service", and thus (re)starting firewalld.service
>>> stops iptables.service; fail2ban.service has PartOf to both, thus both
>>> the restart and stop are propagated, and conflict.
>>
>> Can't the stop of iptables be dropped because the service is already stopped
>> (or more likely not even present)?
>>
>>> Claiming a PartOf relationship to both of two conflicting services is
>>> the problem here. I doubt such a use case was what PartOf was designed
>>> to support.
>>
>>
>> The problem is that fail2ban can work with either iptables.service or
>> fail2ban.service, and we don't know which one the user wants to use. And we
>> need fail2ban to be restarted if either firewalld or iptables is restarted.
>> If there is some other supported way of achieving this, that would be
>> welcome. Otherwise this strikes me as something that should be able to be
>> handled as is.
>
>
> One possible implementation is to have firewall.target and make all
> other services (firewalld, iptables and fail2ban) PartOf this target.
> You would then start/stop firewall.target instead of individual services.

That's certainly more the kind of configuration PartOf= was originally
developed to support. I wasn't even aware you could use it with .service
units, thought it was only for .targets if I'm honest.

Col

--

Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/