[systemd-devel] making firewalld an early boot service

Andrei Borzenkov arvidjaar at gmail.com
Wed Mar 9 05:49:26 UTC 2022


On 09.03.2022 00:59, Michael Biebl wrote:
> Hi,
> 
> I need help with firewalld issue, specifically
> https://github.com/firewalld/firewalld/issues/414
> 
> the TLDR: both firewalld.service and cloud-init-local.service hook
> into network-pre.target and have a Before=network-pre.target ordering.
> 
> cloud-init-local.service is an early boot service using
> DefaultDependencies=no and before sysinit.target.
> firewalld.service via DefaultDependencies=yes gets an
> After=sysinit.target ordering.
> 
> So we have conflicting requirements and a dependency loop that needs
> to be broken by systemd.
> 

Firewalld is a red herring here. cloud-init.service has

After=networking.service
Before=sysinit.target

This is a loop which has nothing to do with firewalld.

[    1.643638] systemd[1]: sysinit.target: Found ordering cycle on
cloud-init.service/start
[    1.645482] systemd[1]: sysinit.target: Found dependency on
networking.service/start
[    1.647274] systemd[1]: sysinit.target: Found dependency on
network-pre.target/start
[    1.649010] systemd[1]: sysinit.target: Found dependency on
firewalld.service/start
[    1.650718] systemd[1]: sysinit.target: Found dependency on
dbus.service/start
[    1.652294] systemd[1]: sysinit.target: Found dependency on
basic.target/start
[    1.654033] systemd[1]: sysinit.target: Found dependency on
sysinit.target/start
[    1.655528] systemd[1]: sysinit.target: Job cloud-init.service/start
deleted to break ordering cycle starting with sysinit.target/start


...

> 
> 
> I dropped the After=dbus.service polkit.service orderings, as they are
> either socket or D-Bus activated services, added an explicit
> After=local-fs.target ordering just to be sure and hooked it into
> sysinit.target.
> 
> Would you agree that making a firewall service an early boot service
> is a good idea?

Firewalld cannot be socket activated. The whole reason to have a firewall
(any firewall) startup service is to instantiate the netfilter configuration
before networking becomes available. When exactly it is done does not
matter - it can well be done as an early boot service. But it cannot be
delayed until something contacts the firewall endpoint. It must be done
before network-pre.target.

> Does the above make sense or have I missed something?
> 
> Feedback welcome.

firewalld requires D-Bus so it must be started after D-Bus. You cannot
start it earlier.
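To make the ordering cycle in the quoted journal excerpt concrete, here is a small model of how systemd turns After=, Before= and DefaultDependencies= into a start-up ordering graph, followed by a depth-first search that reports the cycle together with the setting responsible for each edge. This is an added example written for this thread; it is not code from systemd, firewalld or cloud-init, and the unit definitions in it are constructed to reproduce only the orderings named in the log above (the implicit After=basic.target that DefaultDependencies=yes gives a service, and basic.target being after sysinit.target, are the only implicit edges modelled; Requires=/Wants= are omitted because they are not ordering dependencies). The second unit set applies the change described in the message being replied to (firewalld with DefaultDependencies=no, After=local-fs.target, no After=dbus.service) so that both variants can be compared in the same model.

```python
"""Model systemd's ordering graph and find ordering cycles in it.

Added example for this thread, not code from systemd, firewalld or cloud-init.
The unit tables are constructed to mirror the cycle in the quoted journal
excerpt; they are not the projects' real unit files.
"""
import copy

# Constructed units: only the ordering-relevant keys are modelled.
# default_deps stands for DefaultDependencies= (True unless the unit says no).
UNITS_AS_LOGGED = {
    "sysinit.target":     {"default_deps": False, "after": [], "before": []},
    "basic.target":       {"default_deps": False, "after": ["sysinit.target"], "before": []},
    "network-pre.target": {"default_deps": False, "after": [], "before": []},
    "local-fs.target":    {"default_deps": False, "after": [], "before": ["sysinit.target"]},
    "cloud-init.service": {"default_deps": False, "after": ["networking.service"],
                           "before": ["sysinit.target"]},
    "networking.service": {"default_deps": False, "after": ["network-pre.target"], "before": []},
    "firewalld.service":  {"default_deps": True, "after": ["dbus.service"],
                           "before": ["network-pre.target"]},
    "dbus.service":       {"default_deps": True, "after": [], "before": []},
}


def early_boot_variant(units):
    """Apply the change proposed in the quoted message: firewalld becomes an
    early boot service (DefaultDependencies=no, After=local-fs.target) and the
    After=dbus.service ordering is dropped. Everything else is unchanged."""
    variant = copy.deepcopy(units)
    variant["firewalld.service"] = {"default_deps": False, "after": ["local-fs.target"],
                                    "before": ["network-pre.target"]}
    return variant


def build_graph(units):
    """Return {unit: [(dependency, reason), ...]}: unit must start after dependency.

    Before=X on unit U is the same edge as After=U on X.  A service with
    DefaultDependencies=yes implicitly gets After=basic.target, and basic.target
    is itself ordered after sysinit.target (see UNITS_AS_LOGGED)."""
    after = {name: [] for name in units}

    def add(unit, dep, reason):
        edges = after.setdefault(unit, [])
        if dep not in [d for d, _ in edges]:
            edges.append((dep, reason))

    for name, u in units.items():
        for dep in u["after"]:
            add(name, dep, f"{name}: After={dep}")
        for dep in u["before"]:
            add(dep, name, f"{name}: Before={dep}")
        if u["default_deps"] and name.endswith(".service"):
            add(name, "basic.target", f"{name}: DefaultDependencies=yes")
    return after


def find_cycle(after, start):
    """Depth-first walk from `start`.

    Returns the first ordering cycle found as a list of (unit, reason) pairs,
    where `reason` is the setting that creates the edge from `unit` to the next
    entry (the last entry's edge leads back to the first), or None if no cycle
    is reachable from `start`."""
    nodes, reasons = [], []   # current path; reasons[i] explains nodes[i] -> nodes[i+1]

    def dfs(node):
        if node in nodes:
            i = nodes.index(node)
            return list(zip(nodes[i:], reasons[i:]))
        nodes.append(node)
        for dep, reason in after.get(node, []):
            reasons.append(reason)
            cycle = dfs(dep)
            if cycle:
                return cycle
            reasons.pop()
        nodes.pop()
        return None

    return dfs(start)


def cycle_units(units, start="sysinit.target"):
    """Convenience wrapper: the unit names around the cycle, or [] if none."""
    cycle = find_cycle(build_graph(units), start)
    return [unit for unit, _ in cycle] if cycle else []


if __name__ == "__main__":
    for label, units in (("as logged", UNITS_AS_LOGGED),
                         ("early-boot firewalld", early_boot_variant(UNITS_AS_LOGGED))):
        cycle = find_cycle(build_graph(units), "sysinit.target")
        print(f"== {label}: {'ordering cycle' if cycle else 'no cycle from sysinit.target'}")
        for unit, reason in cycle or []:
            print(f"  {unit:22s} <- {reason}")
```

Run as a script, the first variant prints the same seven units, in the same order, that the journal excerpt walks through, each annotated with the After=/Before=/DefaultDependencies= setting that contributes the edge; the second variant reports no cycle reachable from sysinit.target. The model deliberately stops at detection: systemd's own behaviour on a cycle is to delete one job, as the last quoted journal line shows, and which job it picks is not modelled here.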

