[systemd-devel] script assigned via Unit's ExecStartPre= only partially executes, fails to complete?

jen142 at promessage.com
Sun Dec 1 00:10:36 PST 2013


I'm using an openvpn unit,

	cat openvpn.service
		[Unit]
		Description=OpenVPN
		After=syslog.target network.target
		Before=openvpn.target

		[Service]
		PrivateTmp=true
		Environment=PATH="/usr/local/openvpn-unpriv:$PATH"

		Type=forking
		PIDFile=/var/run/openvpn/openvpn.pid
		ExecStartPre=/usr/local/etc/openvpn/up.script
		ExecStart=/usr/local/sbin/openvpn --daemon --writepid /var/run/openvpn/openvpn.pid --cd /usr/local/etc/openvpn/ --config server.conf
		ExecStopPost=/usr/local/etc/openvpn/down.script

		[Install]
		WantedBy=multi-user.target

with the ExecStartPre= script,

	cat /usr/local/etc/openvpn/up.script

		#!/bin/sh
		/usr/local/sbin/openvpn --rmtun --dev tun1 > /dev/null 2>&1
		/usr/local/sbin/openvpn --mktun --dev tun1 --dev-type tun --user openvpn --group openvpn
		/usr/sbin/iptables -I FORWARD -i eth0 -o tun1 -j ACCEPT
		/usr/sbin/iptables -I FORWARD -i tun1 -o eth0 -j ACCEPT

After boot, checking for the iptables tun1 rules, nothing's been added,

	iptables -L -v -n | grep tun
		(nothing ...)

Testing manually at a shell works,

	/usr/sbin/iptables -I FORWARD -i eth0 -o tun1 -j ACCEPT
	iptables -L -v -n | grep tun
	    0     0 ACCEPT     all  --  eth0   tun1    0.0.0.0/0            0.0.0.0/0

journalctl shows the up.script launched, and the tun1 device is brought up,

	journalctl -xb | egrep -i "up.script|tables"
		Dec 01 00:16:18 test kernel: TCP: Hash tables configured (established 16384 bind 16384)
		Dec 01 00:16:18 test kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
		Dec 01 00:16:18 test kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
		Dec 01 00:16:27 test systemd[1]: About to execute: /usr/local/etc/openvpn/up.script
		Dec 01 00:16:27 test systemd[1]: Forked /usr/local/etc/openvpn/up.script as 1653
		Dec 01 00:16:27 test systemd[1653]: Executing: /usr/local/etc/openvpn/up.script
		Dec 01 00:16:28 test up.script[1653]: Sun Dec  1 00:16:28 2013 TUN/TAP device tun1 opened
		Dec 01 00:16:28 test up.script[1653]: Sun Dec  1 00:16:28 2013 Persist state set to: ON
		Dec 01 00:16:32 test kernel: Ebtables v2.0 registered

but provides no clue why the iptables rules aren't added.

Is there a problem with a dependency here, or with running iptables from a
systemd script? Something else?

JenL
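An instrumented variant of up.script, added here as an example (it is not the poster's file and not from this thread): every step reports its exit status on stderr, which systemd stores in the journal under the ExecStartPre= process name, the script stops at the first failure so the unit fails visibly instead of starting OpenVPN with missing rules, and `iptables -C` is used to confirm a rule is really present before inserting it. The DRY_RUN switch and the IPTABLES/OPENVPN path overrides are assumptions added so the functions can be exercised without root.

```shell
#!/bin/sh
# Instrumented up.script (added example, not the poster's file). Each step logs its
# outcome to stderr (captured by systemd into the journal) and the script aborts on
# the first failure, so a missing iptables rule shows up as a failed ExecStartPre=.
set -eu
IPTABLES=${IPTABLES:-/usr/sbin/iptables}   # overridable paths (assumption, for testing)
OPENVPN=${OPENVPN:-/usr/local/sbin/openvpn}
DRY_RUN=${DRY_RUN:-0}                      # DRY_RUN=1 prints commands instead of running them
log() { printf 'up.script: %s\n' "$*" >&2; }

# run CMD...: execute one step and record its result; a failure returns its exit
# status to the caller, and set -e then turns that into a failed unit start.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    if "$@"; then
        log "ok: $*"
    else
        rc=$?
        log "FAILED (rc=$rc): $*"
        return "$rc"
    fi
}

# ensure_forward_rule IN OUT: insert the FORWARD rule only if iptables -C reports it
# absent, so repeated unit starts do not stack duplicate rules.
ensure_forward_rule() {
    if [ "$DRY_RUN" != 1 ] && "$IPTABLES" -C FORWARD -i "$1" -o "$2" -j ACCEPT 2>/dev/null; then
        log "rule already present: $1 -> $2"
        return 0
    fi
    run "$IPTABLES" -I FORWARD -i "$1" -o "$2" -j ACCEPT
}

# setup_tun DEV: recreate the persistent tun device; no device to remove is not an error.
setup_tun() {
    run "$OPENVPN" --rmtun --dev "$1" || log "no existing $1 to remove"
    run "$OPENVPN" --mktun --dev "$1" --dev-type tun --user openvpn --group openvpn
}

main() {
    setup_tun tun1
    ensure_forward_rule eth0 tun1
    ensure_forward_rule tun1 eth0
    log "all steps completed"
}
# Runs only when installed under the unit's script name; sourcing it just defines the functions.
case "${0##*/}" in up.script) main "$@" ;; esac
```

With this in place, a failing iptables call appears in `journalctl -u openvpn.service` as an `up.script: FAILED (rc=...)` line and the unit does not reach ExecStart=.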
