On Thu, 15.07.10 11:52, Simo Sorce (ssorce@xxxxxxxxxx) wrote:

> > > How are the SSH host keys supposed to be generated with systemd?
> > > Currently the initscript creates them, if they do not exist.
> >
> > Well, I believe the right place to create them would be in sshd
> > itself. I don't think the current approach to do this manually in the
> > shell is a good idea.
>
> What you believe conflicts with reality, I think reality wins for now.
> Try to not get in too many battles at once. Whether you like it or not
> there are still a lot of programs that *assume* init scripts are
> available and things can be done there, and not just setting
> environment variables.

Well, I already mentioned that this isn't realistic for now. Don't bash me for something I relativized right away.

> We have a bug open with CUPS trying to generate SSL certs on the first
> connections, being too slow and causing the client to timeout.
> So no, you can't make assumptions here.

Well, Apple as CUPS upstream manages to pull this off, and so should we.

Maybe another option is to create those certs and keys at install time instead of first boot/use. Should we one day go for a read-only root dir, doing key generation on first boot/use won't fly anyway.

I am aware that doing things during package installation instead of first-boot is problematic for system images that are distributed and booted from multiple machines. Maybe for those cases (where r/o root isn't doable) we should provide some easy infrastructure to generate all keys on boot, controlled by some central switch.

> So you are just re-invented sysconfig ?
> sysconfig was added exactly so that admins could change configurations
> without touching init scripts so that rpm updates would be able to
> deploy new init scripts without blowing away customizations.
>
> Why re-inventing the wheel here ?

It's not "reinventing". It's just simpler.

I mean, my reading of this is that historically init scripts were considered configuration, that's why they are in /etc. Then people noticed that they are actually more code than configuration and hence created sysconfig, to separate both things. But since native systemd unit files removed all the "code" part from the startup files it should be fine to edit them directly and consider that configuration.

But anyway, I have no strong opinions on this. As mentioned we have a bit of support for sysconfig. All I am asking for is that people think twice before making everything configurable, because often enough it is smarter to make things non-configurable. For example, there is no reason to configure the uid/gid of the ntpd daemon. Hence there doesn't have to be an option in sysconfig for it.

Lennart

--
Lennart Poettering - Red Hat, Inc.