[systemd-bugs] [Bug 80169] RFE: please introduce more special targets for facilities like entropy, or netfilter rules

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Fri Jun 20 12:43:11 PDT 2014


https://bugs.freedesktop.org/show_bug.cgi?id=80169

--- Comment #7 from Christoph Anton Mitterer <calestyo at scientia.net> ---
>please make very specific, concise requests about
>additional targets and we will consider them.
Well, I've explained most of the reasons and workings already in my previous
post, so here are the short action points:


1) possibly drop network-pre.target again,... it seems to be largely motivated
by the same thing I want here, but has a much too generic name and definition
which will just lead to what you try to prevent ("We really have to strike the
balance here between being generic and being to complex. And complexity starts
already with dumping too many unused and weakly defined unit names on them.")


2) Introduce a new target e.g. called "network-secured.target", with the
meaning, that anything that needs networking to be secured, must depend on it.
And anything that actually secures the network must be depended on by it.
Give examples of what this typically involves:
- Things that depend on secured network:
  - user sessions (since any networking programs may run in there)
  - daemons
- Things that secure the network:
  - programs that load netfilter rules (netfilter-persistent, ferm, shorewall)
  - fail2ban
  - Things that are usually not counted here:
    - strongswan, openvpn, other things that set up secured connections
      Why? Cause people should rather secure this via netfilter.

3) Make it "softly" started by early boot process (literally ANY system that
has any such facilities that secure the network, will want to have it started
anyway always):
I'd suggest something like WantedBy=sysinit.target + Before=sysinit.target.
=> things providing network-secured.target are started early and everything
benefits from it.
=> If it fails, the system still continues to boot (since it's only a
WantedBy).
=> If there is nothing that depends on network-secured.target... fine...
nothing happens


4) Teach people to GENERALLY always add Requires=network-secured.target +
After=network-secured.target ... to any service/unit which does any networking.


5) Providers of network-security (fail2ban, netfilter-persistent)... should
give either a RequiredBy=network-secured.target (suggested default) or
WantedBy=network-secured.target + Before=network-secured.target.
=> admins can easily switch, whether they want their daemons to be started or
not, when any such provider (fail2ban, netfilter-persistent) failed to load.
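As an added illustration of the scheme proposed in this comment (these unit files are written for this page, they are not part of the bug report nor shipped by systemd or netfilter-persistent; the unit names, the drop-in path and the netfilter-persistent command paths are assumptions), here are the three pieces side by side: the target, one provider, and one consumer.

```ini
# --- /etc/systemd/system/network-secured.target (assumed name, point 2/3) ---
[Unit]
Description=Network secured (netfilter rules, fail2ban etc. are in place)
Documentation=https://bugs.freedesktop.org/show_bug.cgi?id=80169
# Point 3: reached before sysinit.target so every later unit benefits.
Before=sysinit.target

[Install]
# Only WantedBy: if a provider fails, the boot still continues.
WantedBy=sysinit.target

# --- /etc/systemd/system/netfilter-persistent.service (provider, point 5) ---
[Unit]
Description=Load netfilter rules before anything uses the network
# Needed because this runs before sysinit.target; the implicit
# After=sysinit.target of DefaultDependencies=yes would create a cycle.
DefaultDependencies=no
# Rules must be active before the target counts as reached.
Before=network-secured.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Command paths are assumptions for this example.
ExecStart=/usr/sbin/netfilter-persistent start
ExecStop=/usr/sbin/netfilter-persistent stop

[Install]
# Suggested default: a failed rule load fails the target, so consumers
# that Require the target are not started with an unprotected network.
RequiredBy=network-secured.target
# Softer alternative an admin can switch to: consumers start even when
# rule loading failed.
# WantedBy=network-secured.target

# --- /etc/systemd/system/sshd.service.d/network-secured.conf (consumer, point 4) ---
# Drop-in for any networking daemon: both a requirement and an ordering.
[Unit]
Requires=network-secured.target
After=network-secured.target
```

The RequiredBy/WantedBy choice in the provider's [Install] section is what gives the admin the switch described in point 5; After= alone would only order the daemon, not stop it from starting when rule loading failed.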
