[systemd-devel] making firewalld an early boot service
Michael Biebl
mbiebl at gmail.com
Wed Mar 9 07:17:35 UTC 2022
Am Mi., 9. März 2022 um 06:49 Uhr schrieb Andrei Borzenkov
<arvidjaar at gmail.com>:
>
> On 09.03.2022 00:59, Michael Biebl wrote:
> > Hi,
> >
> > I need help with firewalld issue, specifically
> > https://github.com/firewalld/firewalld/issues/414
> >
> > the TLDR: both firewalld.service and cloud-init-local.service hook
> > into network-pre.target and have a Before=network-pre.target ordering.
> >
> > cloud-init-local.service is an early boot service using
> > DefaultDependencies=no and before sysinit.target.
> > firewalld.service via DefaultDependencies=yes get's an
> > After=sysinit.target ordering.
> >
> > So we have conflicting requirements and a dependency loop that needs
> > to be broken by systemd.
> >
>
> Firewalld is red herring here. cloud-init.service has
>
> After=networking.service
> Before=sysinit.target
>
> This is a loop which has nothing to do with firewalld.
Afaics firewalld.service is involved here.
For one, without it installed, there is no such ordering cycle.
To me it looks like cloud-init.service and firewalld.service are tied
together via this cloud-init-local.service
> [ 1.643638] systemd[1]: sysinit.target: Found ordering cycle on
> cloud-init.service/start
> [ 1.645482] systemd[1]: sysinit.target: Found dependency on
> networking.service/start
> [ 1.647274] systemd[1]: sysinit.target: Found dependency on
> network-pre.target/start
> [ 1.649010] systemd[1]: sysinit.target: Found dependency on
> firewalld.service/start
> [ 1.650718] systemd[1]: sysinit.target: Found dependency on
> dbus.service/start
> [ 1.652294] systemd[1]: sysinit.target: Found dependency on
> basic.target/start
> [ 1.654033] systemd[1]: sysinit.target: Found dependency on
> sysinit.target/start
> [ 1.655528] systemd[1]: sysinit.target: Job cloud-init.service/start
> deleted to break ordering cycle starting with sysinit.target/start
>
>
> ...
>
> >
> >
> > I dropped the After=dbus.service polkit.service orderings, as they are
> > either socket or D-Bus activated services, added an explicit
> > After=local-fs.target ordering just to be sure and hooked it into
> > sysinit.target.
> >
> > Would you agree that making a firewall service an early boot service
> > is a good idea?
>
> Firewalld cannot be socket activated. The whole reason to have firewall
> (any firewall) startup service is to instantiate netfilter configuration
> before networking becomes available. When exactly it is done does not
> matter - it can well be done as early boot service. But it cannot be
> delayed until something contacts firewall endpoint. It must be done
> before network-pre.target.
I don't think i said I want firewalld to become socket activated?
What I did was drop After=dbus.service and After=polkit.service.
firewald.service is a Type=dbus service, so already get's an explicit
After=dbus.socket, Requires=dbus.socket which I think should satisfy
firewalld's D-Bus requirements, no?
> > Does the above make sense or have I missed something?
> >
> > Feedback welcome.
>
> firewalld requires D-Bus so it must be started after D-Bus. You cannot
> start it earlier.
See above, being Type=dbus, it has an explicit Requires/After=dbus.socket.
More information about the systemd-devel
mailing list