12.03.2016 08:18, Orion Poplawski writes:
> Andrei Borzenkov <arvidjaar <at> gmail.com> writes:
>> 11.03.2016 00:11, Orion Poplawski writes:
>>> Uoti Urpala <uoti.urpala <at> pp1.inet.fi> writes:
>>>> On Thu, 2016-03-10 at 17:51 +0000, Orion Poplawski wrote:
>>>>> It appears that this is a trigger for this issue. Removing the
>>>>> conflicts=iptables.service removes it. This seems like a bug to me
>>>>> though -
>>>>> why is iptables being brought in if the PartOf= is a one-way dep?
>>>>
>>>> I guess it's because firewalld.service has
>>>> "Conflicts=iptables.service", and thus (re)starting firewalld.service
>>>> stops iptables.service; fail2ban.service has PartOf to both, thus both
>>>> the restart and stop are propagated, and conflict.
>>>
>>> Can't the stop of iptables be dropped because the service is already stopped
>>> (or more likely not even present)?
>>
>> One possible implementation is to have firewall.target and make all
>> other services (firewalld, iptables and fail2ban) PartOf this target.
>> You would then start/stop firewall.target instead of individual services.
>
> I tried this, but I get the same problem:
>
> # systemctl restart firewall.target
> Failed to restart firewall.target: Transaction contains conflicting jobs
> 'restart' and 'stop' for iptables.service. Probably contradicting
> requirement dependencies configured.
>

No, you tried something different. You need firewall.target, which then
includes *either* firewalld.service *or* iptables.service. You never
have them both enabled at the same time. I.e.

firewalld.service:

PartOf=firewall.target
Conflicts=iptables.service

iptables.service:

PartOf=firewall.target
Conflicts=firewalld.service

fail2ban.service:

PartOf=firewall.target

And you probably want to have

[Install]
WantedBy=firewall.target

in all of them. Then you enable either firewalld or iptables together
with fail2ban. This works.

> Also, this doesn't solve the issue of restarting fail2ban if firewalld is
> restarted via "systemctl restart fail2ban" (which someone will do I'm sure),
> unless there is some other dependency that needs to be setup between the
> various units that I don't understand. Not very familiar with configuring
> targets.
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
>
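
An added example, not part of the original message and not systemd code: a small Python check for the pattern described in the thread, a unit that is PartOf= both sides of a Conflicts= pair. The unit contents are constructed from the thread and the function names are hypothetical; the check covers only this one pattern and does not model systemd's transaction logic.

```python
# Added example; unit contents are constructed from the thread, not real files.
from itertools import combinations

# Layout described in the quoted discussion: fail2ban is PartOf both services.
ORIGINAL = {
    "firewalld.service": "[Unit]\nConflicts=iptables.service\n",
    "iptables.service": "[Unit]\n",
    "fail2ban.service": "[Unit]\nPartOf=firewalld.service iptables.service\n",
}
# Layout proposed in the reply: everything is PartOf firewall.target only.
TARGET_LAYOUT = {
    "firewalld.service": "[Unit]\nPartOf=firewall.target\nConflicts=iptables.service\n",
    "iptables.service": "[Unit]\nPartOf=firewall.target\nConflicts=firewalld.service\n",
    "fail2ban.service": "[Unit]\nPartOf=firewall.target\n",
}

def parse_unit(text):
    """Collect PartOf= and Conflicts= names (space-separated values) from unit text."""
    deps = {"PartOf": set(), "Conflicts": set()}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() in deps:
            deps[key.strip()].update(value.split())
    return deps

def part_of_conflicting_pair(units):
    """Return sorted (unit, a, b) where unit is PartOf both a and b, and a and b conflict."""
    parsed = {name: parse_unit(text) for name, text in units.items()}

    def conflict(a, b):
        # Conflicts= works in both directions, so one declaration is enough.
        return (b in parsed.get(a, {}).get("Conflicts", ())
                or a in parsed.get(b, {}).get("Conflicts", ()))

    findings = []
    for name, deps in parsed.items():
        for a, b in combinations(sorted(deps["PartOf"]), 2):
            if conflict(a, b):
                findings.append((name, a, b))
    return sorted(findings)

if __name__ == "__main__":
    for label, units in (("original", ORIGINAL), ("target layout", TARGET_LAYOUT)):
        print(label, part_of_conflicting_pair(units))
```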