[systemd-devel] Transaction contains conflicting jobs 'restart' and 'stop'
Andrei Borzenkov
arvidjaar at gmail.com
Fri Mar 11 03:36:45 UTC 2016
11.03.2016 00:11, Orion Poplawski пишет:
> Uoti Urpala <uoti.urpala <at> pp1.inet.fi> writes:
>
>>
>> On Thu, 2016-03-10 at 17:51 +0000, Orion Poplawski wrote:
>>> Orion Poplawski <orion <at> cora.nwra.com> writes:
>>>>
>>>> # systemctl restart firewalld
>>>> Failed to restart firewalld.service: Transaction contains
>>>> conflicting jobs
>>>> 'restart' and 'stop' for fail2ban.service. Probably contradicting
>>>> requirement dependencies configured.
>>
>>> It appears that this is a trigger for this issue. Removing the
>>> conflicts=iptables.service removes it. This seems like a bug to me
>>> though -
>>> why is iptables being brought in if the PartOf= is a one-way dep?
>>
>> I guess it's because it's because firewalld.service has
>> "Conflicts=iptables.service", and thus (re)starting firewalld.service
>> stops iptables.service; fail2ban.service has PartOf to both, thus both
>> the restart and stop are propagated, and conflict.
>
> Can't the stop of iptables be dropped because the service is already stopped
> (or more likely not even present)?
>
>> Claiming a PartOf relationship to both of two conflicting services is
>> the problem here. I doubt such a use case was what PartOf was designed
>> to support.
>
>
> The problem is that fail2ban can work with either iptables.service or
> fail2ban.service, and we don't know which one the use wants to use. And we
> need fail2ban to be restarted if either firewalld or iptables is restarted.
> If there is some other supported way of achieving this, that would be
> welcome. Otherwise this strikes be as something that should be able to be
> handled as is.
One possible implementation is to have firewall.target and make all
otehr services (firewalld, iptables and fail2ban) PartOf this target.
You would then start/stop firewall.target instead of individual services.
More information about the systemd-devel
mailing list