On 09.03.2022 00:59, Michael Biebl wrote: > Hi, > > I need help with firewalld issue, specifically > https://github.com/firewalld/firewalld/issues/414 > > the TLDR: both firewalld.service and cloud-init-local.service hook > into network-pre.target and have a Before=network-pre.target ordering. > > cloud-init-local.service is an early boot service using > DefaultDependencies=no and before sysinit.target. > firewalld.service via DefaultDependencies=yes get's an > After=sysinit.target ordering. > > So we have conflicting requirements and a dependency loop that needs > to be broken by systemd. > Firewalld is red herring here. cloud-init.service has After=networking.service Before=sysinit.target This is a loop which has nothing to do with firewalld. [ 1.643638] systemd[1]: sysinit.target: Found ordering cycle on cloud-init.service/start [ 1.645482] systemd[1]: sysinit.target: Found dependency on networking.service/start [ 1.647274] systemd[1]: sysinit.target: Found dependency on network-pre.target/start [ 1.649010] systemd[1]: sysinit.target: Found dependency on firewalld.service/start [ 1.650718] systemd[1]: sysinit.target: Found dependency on dbus.service/start [ 1.652294] systemd[1]: sysinit.target: Found dependency on basic.target/start [ 1.654033] systemd[1]: sysinit.target: Found dependency on sysinit.target/start [ 1.655528] systemd[1]: sysinit.target: Job cloud-init.service/start deleted to break ordering cycle starting with sysinit.target/start ... > > > I dropped the After=dbus.service polkit.service orderings, as they are > either socket or D-Bus activated services, added an explicit > After=local-fs.target ordering just to be sure and hooked it into > sysinit.target. > > Would you agree that making a firewall service an early boot service > is a good idea? Firewalld cannot be socket activated. The whole reason to have firewall (any firewall) startup service is to instantiate netfilter configuration before networking becomes available. When exactly it is done does not matter - it can well be done as early boot service. But it cannot be delayed until something contacts firewall endpoint. It must be done before network-pre.target. > Does the above make sense or have I missed something? > > Feedback welcome. firewalld requires D-Bus so it must be started after D-Bus. You cannot start it earlier.
Re: making firewalld an early boot service
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: making firewalld an early boot service
- From: Andrei Borzenkov <arvidjaar@xxxxxxxxx>
- Date: Wed, 9 Mar 2022 08:49:26 +0300
- In-reply-to: <CAGWsdOj9_HZm5C5aL6J++iYsO6bR9U3_43aNJU+j2Y9WTCxSgA@mail.gmail.com>
- References: <CAGWsdOj9_HZm5C5aL6J++iYsO6bR9U3_43aNJU+j2Y9WTCxSgA@mail.gmail.com>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
- Follow-Ups:
- Re: making firewalld an early boot service
- From: Lennart Poettering
- Re: making firewalld an early boot service
- From: Michael Biebl
- Re: making firewalld an early boot service
- References:
- making firewalld an early boot service
- From: Michael Biebl
- making firewalld an early boot service
- Prev by Date: making firewalld an early boot service
- Next by Date: Re: making firewalld an early boot service
- Previous by thread: making firewalld an early boot service
- Next by thread: Re: making firewalld an early boot service
- Index(es):
 |