[systemd-devel] tmpfiles chicken-egg problem

Lennart Poettering lennart at poettering.net
Wed Aug 26 13:40:31 UTC 2020


On Wed, 26.08.20 08:37, Ulrich Windl (Ulrich.Windl at rz.uni-regensburg.de) wrote:

> Hi!
>
> I see this problem in SLES12 (systemd-228-157.12.5.x86_64): On boot systemd tries to use LDAP to resolve user names, resulting in an error like this:
> systemd-tmpfiles: nss-ldap: do_open: do_start_tls failed:stat=-1

Files and directories managed by systemd-tmpfiles have to be owned by
*system* users and groups. If you declare files/dirs that are owned by
non-system users, then you are on your own, and things will fall apart.

A system user must be resolvable during the entire runtime of the
system, i.e. managed in /etc/passwd and /etc/group, not in LDAP.

This is extensively documented in tmpfiles.d(5) or here:

https://systemd.io/UIDS-GIDS/#notes-on-resolvability-of-user-and-group-names

Hence, if this happens your setup is borked in some way: some entries
in tmpfiles.d/ drop-ins are owned by users/groups managed by LDAP. Fix
that, and everything should be fine.

> Eventually:
> systemd-tmpfiles: nss_ldap: could not search LDAP server - Server is unavailable
>
> And:
> systemd[1]: systemd-tmpfiles-setup.service: Main process exited, code=exited, status=1/FAILURE
>
>
> About 15 minutes later I see this message:
> systemd[1]: Started Cleanup of Temporary Directories.
>
> So Cleanup succeeds while setup failed?

Yes. During early boot systemd-tmpfiles-setup.service runs and creates
some files and dirs and chown()s them. During regular runtime
systemd-tmpfiles-clean.service runs and cleans up temporary files. The
former needs resolvable users, the latter doesn't really since it
doesn't create stuff, just "ages" out stuff. In addition during early
boot your LDAP will not be available since the network is not up, but
15min later it's likely working.

> OK, basically I have this problem: One of my services implicitly
> requires tmpfiles. So it fails when tmpfiles is unavailable.
> However when I started tmpfiles manually (after network and thus
> LDAP are up), my service did not start automatically.  Should I add
> an explicit dependency for tmpfiles?

No.

Don't serve system users/groups via LDAP. If you do you are on your own.

> Also, can I re-trigger the tmpfiles once network (and LDAP) are up?
> (In a cluster software we had, you would just reset the "failure
> flag", and then the software would try a restart (up to the next
> failure)

You can add a hack around everything you like. But I'd suggest fixing
the actual issue instead of taping over it...

Lennart

--
Lennart Poettering, Berlin
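One way to catch the misconfiguration described above before it breaks boot, as an added example that is neither part of this thread nor systemd's own code: a POSIX shell check that reads a tmpfiles.d drop-in and reports any owner or group (columns 4 and 5) that is not defined in the local /etc/passwd or /etc/group. It deliberately parses those files directly rather than calling getent, because getent would consult NSS and therefore LDAP, which is exactly the lookup that is unavailable at early boot. The passwd and group paths are parameters (an assumption for testability, defaulting to the real files).

```shell
#!/bin/sh
# check_tmpfiles_owners <tmpfiles.d conf> [passwd file] [group file]
# Prints one line per unresolvable user/group and exits non-zero if any
# were found. Numeric ids and "-" (default: root) need no lookup.
# Limitation: quoted paths containing spaces would shift the columns.
check_tmpfiles_owners() {
    conf="$1"
    passwd="${2:-/etc/passwd}"
    group="${3:-/etc/group}"
    awk -v passwd="$passwd" -v group="$group" '
        BEGIN {
            # Load names from the *local* files only (no NSS, no LDAP).
            while ((getline line < passwd) > 0) { split(line, f, ":"); users[f[1]] = 1 }
            while ((getline line < group)  > 0) { split(line, f, ":"); groups[f[1]] = 1 }
            bad = 0
        }
        /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
        {
            user = $4; grp = $5
            if (user != "" && user != "-" && user !~ /^[0-9]+$/ && !(user in users)) {
                printf "%s:%d: user %s not in %s\n", FILENAME, FNR, user, passwd; bad++
            }
            if (grp != "" && grp != "-" && grp !~ /^[0-9]+$/ && !(grp in groups)) {
                printf "%s:%d: group %s not in %s\n", FILENAME, FNR, grp, group; bad++
            }
        }
        END { exit (bad > 0) }
    ' "$conf"
}
# Example invocation against a real drop-in:
#   check_tmpfiles_owners /etc/tmpfiles.d/app.conf
```

Run it over every drop-in in /etc/tmpfiles.d and /usr/lib/tmpfiles.d; any hit names an entry that systemd-tmpfiles-setup.service will fail to chown() when LDAP is unreachable.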

