[systemd-devel] Transaction contains conflicting jobs 'restart' and 'stop'

Andrei Borzenkov arvidjaar at gmail.com
Sat Mar 12 12:51:35 UTC 2016


12.03.2016 08:18, Orion Poplawski wrote:
> Andrei Borzenkov <arvidjaar <at> gmail.com> writes:
>> 11.03.2016 00:11, Orion Poplawski wrote:
>>> Uoti Urpala <uoti.urpala <at> pp1.inet.fi> writes:
>>>> On Thu, 2016-03-10 at 17:51 +0000, Orion Poplawski wrote:
>>>>> It appears that this is a trigger for this issue.  Removing the
>>>>> conflicts=iptables.service removes it.  This seems like a bug to me
>>>>> though -
>>>>> why is iptables being brought in if the PartOf= is a one-way dep?
>>>>
>>>> I guess it's because firewalld.service has
>>>> "Conflicts=iptables.service", and thus (re)starting firewalld.service
>>>> stops iptables.service; fail2ban.service has PartOf to both, thus both
>>>> the restart and stop are propagated, and conflict.
>>>
>>> Can't the stop of iptables be dropped because the service is already stopped
>>> (or more likely not even present)?
>>
>> One possible implementation is to have firewall.target and make all
>> other services (firewalld, iptables and fail2ban) PartOf this target.
>> You would then start/stop firewall.target instead of individual services.
> 
> I tried this, but I get the same problem:
> 
> # systemctl restart firewall.target
> Failed to restart firewall.target: Transaction contains conflicting jobs
> 'restart' and 'stop' for iptables.service. Probably contradicting
> requirement dependencies configured.
> 

No, you tried something different.

You need firewall.target, which then includes *either* firewalld.service
*or* iptables.service. You never have them both enabled at the same
time. I.e.

firewalld.service:

PartOf=firewall.target
Conflicts=iptables.service

iptables.service:

PartOf=firewall.target
Conflicts=firewalld.service

fail2ban.service:

PartOf=firewall.target

And you probably want to have

[Install]
WantedBy=firewall.target

in all of them. Then you enable either firewalld or iptables together
with fail2ban.

This works.

> Also, this doesn't solve the issue of restarting fail2ban if firewalld is
> restarted via "systemctl restart fail2ban" (which someone will do I'm sure),
> unless there is some other dependency that needs to be set up between the
> various units that I don't understand.  Not very familiar with configuring
> targets.