[systemd-devel] Transaction contains conflicting jobs 'restart' and 'stop'

Colin Guthrie colin at mageia.org
Fri Mar 11 11:17:29 UTC 2016 

Andrei Borzenkov wrote on 11/03/16 03:36:
> 11.03.2016 00:11, Orion Poplawski пишет:
>> Uoti Urpala <uoti.urpala <at> pp1.inet.fi> writes:
>>
>>>
>>> On Thu, 2016-03-10 at 17:51 +0000, Orion Poplawski wrote:
>>>> Orion Poplawski <orion <at> cora.nwra.com> writes:
>>>>>  
>>>>> # systemctl restart firewalld
>>>>> Failed to restart firewalld.service: Transaction contains
>>>>> conflicting jobs
>>>>> 'restart' and 'stop' for fail2ban.service. Probably contradicting
>>>>> requirement dependencies configured.
>>>
>>>> It appears that this is a trigger for this issue.  Removing the
>>>> conflicts=iptables.service removes it.  This seems like a bug to me
>>>> though -
>>>> why is iptables being brought in if the PartOf= is a one-way dep?
>>>
>>> I guess it's because it's because firewalld.service has
>>> "Conflicts=iptables.service", and thus (re)starting firewalld.service
>>> stops iptables.service; fail2ban.service has PartOf to both, thus both
>>> the restart and stop are propagated, and conflict.
>>
>> Can't the stop of iptables be dropped because the service is already stopped
>> (or more likely not even present)?
>>
>>> Claiming a PartOf relationship to both of two conflicting services is
>>> the problem here. I doubt such a use case was what PartOf was designed
>>> to support.
>>
>>
>> The problem is that fail2ban can work with either iptables.service or
>> fail2ban.service, and we don't know which one the use wants to use.  And we
>> need fail2ban to be restarted if either firewalld or iptables is restarted.
>> If there is some other supported way of achieving this, that would be
>> welcome.  Otherwise this strikes be as something that should be able to be
>> handled as is.
> 
> 
> One possible implementation is to have firewall.target and make all
> otehr services (firewalld, iptables and fail2ban) PartOf this target.
> You would then start/stop firewall.target instead of individual services.

That's certainly more the kind of configuration PartOf= was originally
developed to support. I wasn't even aware you could use it with .service
units, thought it was only for .targets if I'm honest.

Col


-- 

Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/

More information about the systemd-devel mailing list