On Mi, 26.08.20 08:37, Ulrich Windl (Ulrich.Windl@xxxxxxxxxxxxxxxxxxxx) wrote:

> Hi!
>
> I see this problem in SLES12 (systemd-228-157.12.5.x86_64): On boot systemd tries to use LDAP to resolve user names, resulting in an error like this:
> systemd-tmpfiles: nss-ldap: do_open: do_start_tls failed:stat=-1

Files and directories managed by systemd-tmpfiles have to be owned by *system* users and groups. If you declare files/dirs that are owned by non-system users, then you are on your own, and things will fall apart. A system user must be resolvable during the entire runtime of the system, i.e. managed in /etc/passwd and /etc/group, not in LDAP. This is extensively documented in tmpfiles.d(5) or here:

https://systemd.io/UIDS-GIDS/#notes-on-resolvability-of-user-and-group-names

Hence, if this happens your setup is borked in some way: some entries in tmpfiles.d/ drop-ins are owned by users/groups managed by LDAP. Fix that, and everything should be fine.

> Eventually:
> systemd-tmpfiles: nss_ldap: could not search LDAP server - Server is unavailable
>
> And:
> systemd[1]: systemd-tmpfiles-setup.service: Main process exited, code=exited, status=1/FAILURE
>
> About 15 minutes later I see this message:
> systemd[1]: Started Cleanup of Temporary Directories.
>
> So Cleanup succeeds while setup failed?

Yes. During early boot systemd-tmpfiles-setup.service runs and creates some files and dirs and chown()s them. During regular runtime systemd-tmpfiles-clean.service runs and cleans up temporary files. The former needs resolvable users, the latter doesn't really since it doesn't create stuff, just "ages" out stuff. In addition during early boot your LDAP will not be available since the network is not up, but 15min later it's likely working.

> OK, basically I have this problem: One of my services implicitly
> requires tmpfiles. So it fails when tmpfiles is unavailable.
> However when I started tmpfiles manually (after network and thus
> LDAP are up), my service did not start automatically. Should I add
> an explicit dependency for tmpfiles?

No. Don't serve system users/groups via LDAP. If you do, you are on your own.

> Also, can I re-trigger the tmpfiles once network (and LDAP) are up?
> (In a cluster software we had, you would just reset the "failure
> flag", and then the software would try a restart (up to the next
> failure)

You can add a hack around everything you like. But I'd suggest fixing the actual issue instead of taping over it...

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
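A check for the root cause Lennart points at, added here as an example and not part of systemd or of this thread: it scans a tmpfiles.d drop-in for User/Group columns that are not defined in the local passwd and group files and so would need an NSS (here LDAP) lookup during early boot. The sample drop-in and passwd/group files below are constructed; the `check_tmpfiles_owners` and `resolves_locally` helper names are this example's own.

```shell
#!/bin/sh
# Flag tmpfiles.d owners that are not local system accounts. Example code,
# not systemd's; tmpfiles.d columns are Type Path Mode User Group Age Argument.

# Return 0 if NAME needs no NSS name lookup or is listed in field 1 of FILE.
resolves_locally() {
    case $1 in
        ''|-) return 0 ;;                          # default owner (root)
        *[!0-9]*) cut -d: -f1 "$2" | grep -qxF -- "$1" ;;  # a name: must be local
        *) return 0 ;;                             # numeric ID, no name lookup
    esac
}

# Print "user:NAME" / "group:NAME" for every owner in CONF ($1) that is
# missing from PASSWD ($2) / GROUP ($3). Comment and blank lines are skipped.
check_tmpfiles_owners() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    while read -r _type _path _mode user grp _rest; do
        resolves_locally "$user" "$2" || echo "user:$user"
        resolves_locally "$grp" "$3" || echo "group:$grp"
    done
}

# Constructed sample input: one drop-in plus minimal local passwd/group files.
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/tmpfiles.conf" <<'EOF'
# Type Path             Mode User     Group Age Argument
d     /run/ok           0755 root     root  -
f     /run/ok/pid       0644 -        -     -
d     /run/myapp        0750 myapp    myapp -
z     /var/lib/ldapapp  0700 ldapuser 1000  -
EOF
printf 'root:x:0:0:root:/root:/bin/sh\nmessagebus:x:499:499::/run/dbus:/bin/false\n' >"$SAMPLE_DIR/passwd"
printf 'root:x:0:\nmessagebus:x:499:\n' >"$SAMPLE_DIR/group"

# Owners tmpfiles-setup would have to resolve through NSS at boot.
unresolved() {
    check_tmpfiles_owners "$SAMPLE_DIR/tmpfiles.conf" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
}
unresolved
```

On a live system, point `check_tmpfiles_owners` at each file under /etc/tmpfiles.d, /run/tmpfiles.d and /usr/lib/tmpfiles.d together with the real /etc/passwd and /etc/group; any line it prints is an entry that has to move to a local system account.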