[systemd-devel] Request for clarification of use & implementation of new (systemd >= v214) "network-pre.target"

Andrei Borzenkov arvidjaar at gmail.com
Fri Oct 10 10:54:04 PDT 2014


On Fri, 10 Oct 2014 10:14:47 -0700
PGNd <dev at pgnd.us> writes:

> systemd v214 introduced the new network-related target, "network-pre.target".
> 
> It cleanly provides a convenient and timely pre-network state trigger for Before= use in unit ordering.
> 
> As originally conceived, and currently implemented, it's of particular use for secure, early init of firewalls,
> 
> 	http://lists.freedesktop.org/archives/systemd-commits/2014-June/006332.html
> 		commit a4a878d04045b46fa9783664e3643a890b356790
> 		Author: Lennart Poettering <lennart at poettering.net>
> 		Date:   Wed Jun 11 11:33:02 2014 +0200
> 
> 		    units: introduce network-pre.target as place to hook in firewalls
> 		...
> 
> This target, specifically, started interest/discussion in its correct use for shorewall
> 
> 	SW 4.6.4+' systemd service files' Before=/After= dependency on 'network.target' -- should that be 'network-pre.target' and 'network-online.target'?
> 	http://comments.gmane.org/gmane.comp.security.shorewall/31879
> 
> It was pointed out later in that same thread,
> 
> 	http://permalink.gmane.org/gmane.comp.security.shorewall/31885
> 
> that not all distros have currently, nor in the immediate future, plans for up-to-date systemd.
> 
> openSUSE, e.g., has available, &/or will use, v210 for openSUSE versions 13.1, 13.2 & Factory.
> 
> Reviewing the commit implementing network-pre.target, above, it looks relatively simple, and was suggested in #systemd to apply the change as a patch to existing systemd implementation.
> 
> To that end, I raised a request at the distro to do so,
> 
> 	https://bugzilla.suse.com/show_bug.cgi?id=900505
> 	Bug 900505 - Base:System/systemd: Bug Request to add upstream's patch to include v214's new 'network-pre.target' for early/secure pre-network dependency activation of firewall services
> 
> Atm in that discussion, there's some confusion.  If there's any possibility of participation from here at/about that bug to help clarify what can/should be done, it'd be appreciated.
> 
> At the very least, it'd be helpful to get some specific clarification here re:
> 
> (1) Can the aforementioned patch be safely/cleanly applied to a v210 tree?

I'd say yes; all it does is add a couple of dependencies to
existing targets. Actually, for openSUSE the only relevant one is
network.target.

Note that the commit has some seemingly unrelated changes.

> (2) Is systemd-networkd service required to be active to correctly support/detect network state on system startup, and properly trigger network-pre.target at the right time?  It does not appear to be required for either network.target, or network-online.target ...

No. As explained in the accompanying documentation patch,
network-pre.target must be pulled in by the consumer - if a service wants to
be started before the network, it is expected to say so by using
Wants=network-pre.target, Before=network-pre.target.

Of course, any actual implementation of networking (like
systemd-networkd.service) must also be ordered *after*
network-pre.target. The above commit alone does not do this for openSUSE
specific services (like wicked).

> (3) This
> 
> 	https://wiki.archlinux.org/index.php/systemd-networkd
> 
> but not these
> 
> 	http://www.freedesktop.org/software/systemd/man/systemd-networkd.service.html 
> 	http://www.freedesktop.org/software/systemd/man/systemd.network.html
> 
> explicitly states that 
> 
> 	" ...
> 	This service (systemd-networkd) can run alongside your usual network management tool
> 	... "
> 
> IIUC, that suggests that systemd-networkd can be started in a detect-only mode, e.g., if no .network or .netdev are specified, leaving network & interface startup to other mechanisms (not that I see the benefit in doing so; nonetheless ...).  Is that correct?
> 

Maybe, but this is irrelevant.

> Thanks.
> 
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
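As an added example, not taken from this thread nor from the systemd or shorewall projects, the unit ordering the reply describes, written out: a firewall service that pulls in network-pre.target itself (Wants= plus Before=), shown next to the network.target-only ordering the shorewall thread asks about, and a drop-in that orders a distro networking implementation after network-pre.target. The unit name firewall-example.service, the ExecStart/ExecStop paths and the wicked.service drop-in are assumptions for illustration.

```ini
# --- /etc/systemd/system/firewall-example.service (hypothetical unit) ---
# Ordering only against network.target: nothing guarantees the ruleset is
# loaded before interfaces come up, because network.target is reached by
# the networking implementation, not before it starts.
#
#   [Unit]
#   Before=network.target
#
# Ordering against network-pre.target: the unit must both *pull in* the
# target (Wants=) and be *ordered before* it (Before=).  Wants= is needed
# because, as the reply explains, network-pre.target is not started by
# anything on its own; the consumer has to request it.

[Unit]
Description=Example firewall loaded before any network interface is configured
Documentation=man:systemd.special(7)
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target
# Only needs local filesystems for its rule files, not the network.
After=local-fs.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Placeholder paths; a real unit points at the firewall's own start/stop tool.
ExecStart=/usr/local/sbin/firewall-load
ExecStop=/usr/local/sbin/firewall-unload

[Install]
WantedBy=multi-user.target

# --- /etc/systemd/system/wicked.service.d/network-pre.conf (assumed drop-in) ---
# The upstream commit orders systemd-networkd.service after network-pre.target
# but, per the reply, does nothing for distro-specific networking services.
# A drop-in adds the missing ordering without editing the packaged unit;
# the wicked.service unit name is assumed here.
#
#   [Unit]
#   After=network-pre.target
```

After installing the units, `systemctl daemon-reload` and then `systemctl list-dependencies --reverse network-pre.target` should list the firewall unit, and `systemctl list-dependencies --after wicked.service` (substituting the actual networking unit) should show network-pre.target; if the target does not exist at all on a v210 system, the Wants= line is silently ignored rather than failing, which is exactly why the bug report asks for the target to be backported.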
