[systemd-devel] Transaction contains conflicting jobs 'restart' and 'stop'

[Marcos Mello]

Orion Poplawski <orion <at> cora.nwra.com> writes:

> 
> Andrei Borzenkov <arvidjaar <at> gmail.com> writes:
> > 11.03.2016 00:11, Orion Poplawski пишет:
> > > Uoti Urpala <uoti.urpala <at> pp1.inet.fi> writes:
> > >> On Thu, 2016-03-10 at 17:51 +0000, Orion Poplawski wrote:
> > >>> It appears that this is a trigger for this issue.  Removing the
> > >>> conflicts=iptables.service removes it.  This seems like a bug to me
> > >>> though -
> > >>> why is iptables being brought in if the PartOf= is a one-way dep?
> > >>
> > >> I guess it's because it's because firewalld.service has
> > >> "Conflicts=iptables.service", and thus (re)starting firewalld.service
> > >> stops iptables.service; fail2ban.service has PartOf to both, thus both
> > >> the restart and stop are propagated, and conflict.
> > > 
> > > Can't the stop of iptables be dropped because the service is already
stopped
> > > (or more likely not even present)?
> > 
> > One possible implementation is to have firewall.target and make all
> > other services (firewalld, iptables and fail2ban) PartOf this target.
> > You would then start/stop firewall.target instead of individual services.
> 
> I tried this, but I get the same problem:
> 
> # systemctl restart firewall.target
> Failed to restart firewall.target: Transaction contains conflicting jobs
> 'restart' and 'stop' for iptables.service. Probably contradicting
> requirement dependencies configured.
> 
> Also, this doesn't solve the issue of restarting fail2ban if firewalld is
> restarted via "systemctl restart fail2ban" (which someone will do I'm sure),
> unless there is some other dependency that needs to be setup between the
> various units that I don't understand.  Not very familiar with configuring
> targets.


# /usr/lib/systemd/system/firewall.target
[Unit]
Description=Firewall
StopWhenUnneeded=yes

[Install]
WantedBy=basic.target


# /usr/lib/systemd/system/firewalld.service
[Unit]
Description=firewalld - dynamic firewall daemon
Before=network.target
Before=libvirtd.service
Before=NetworkManager.service
After=dbus.service
After=polkit.service
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
PartOf=firewall.target

[Service]
EnvironmentFile=-/etc/sysconfig/firewalld
ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS
ExecReload=/bin/kill -HUP $MAINPID
# supress to log debug and error output also to /var/log/messages
StandardOutput=null
StandardError=null
Type=dbus
BusName=org.fedoraproject.FirewallD1

[Install]
WantedBy=firewall.target
Alias=dbus-org.fedoraproject.FirewallD1.service


# /usr/lib/systemd/system/fail2ban.service
[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service firewalld.service
PartOf=firewall.target

[Service]
Type=forking
ExecStart=/usr/bin/fail2ban-client -x start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
PIDFile=/var/run/fail2ban/fail2ban.pid
Restart=always

[Install]
WantedBy=multi-user.target


Then enable firewall.target and make all firewall services be
WantedBy=firewall.target instead of basic.target.

However it is troublesome, because users will not restart firewall.target.
They will restart firewalld.service, or iptables.service, or whatever.

Each firewall package could drop a snippet adding a reverse PartOf=
dependency in firewall.target:

# /usr/lib/systemd/system/firewall.target.d/firewalld.conf
[Unit]
PartOf=firewalld.service

This works, as firewalld.service restart will trigger firewall.target
restart and finally fail2ban.service restart. But do not you think it is too
much?

Cannot the restart job for the conflict units be dropped? IMO this is a
valid use case and would make things a lot easier for packagers.