On Tue, 08.03.22 22:59, Michael Biebl (mbiebl@xxxxxxxxx) wrote:

> I wonder if firewalld should be turned into an early boot service as
> well.

I doubt you can do that. Thing is that firewalld uses D-Bus, and
services that do D-Bus will have a hard time to run during early boot.

In systemd we have some services which do D-Bus and run in early boot,
specifically networkd, resolved and systemd itself. They do that by
simply not doing D-Bus that early, and watching the D-Bus socket so
that they connect the moment it becomes available. It's ugly as fuck,
though, and very hard to get right; it took us quite some time to get
this reasonably right and race-free.

Last time I looked firewalld is a bunch of scripts around iptables/nft
shell outs? I have my doubts it's going to be easy to make that work,
i.e. add the glue it needs to instantly connect to D-Bus once it
becomes available in a race-free fashion.

> Currently it looks like this:
>
> [Unit]
> Description=firewalld - dynamic firewall daemon
> Before=network-pre.target

Network management services such as networkd are early-boot services.
A late boot service ordered before network-pre.target and thus networkd
is hence already an ordering cycle.

> After=dbus.service
> After=polkit.service

These two are late boot services, hence hard to move to early boot if
you keep them.

> I wonder if the following would make sense
>
>
> [Unit]
> Description=firewalld - dynamic firewall daemon
> DefaultDependencies=no
> Before=network-pre.target
> Wants=network-pre.target
> After=local-fs.target
> Conflicts=iptables.service ip6tables.service ebtables.service
> ipset.service nftables.service
> Documentation=man:firewalld(1)
>
> [Service]
> ...
> [Install]
> WantedBy=sysinit.target

It should also have Before=sysinit.target really.

> Alias=dbus-org.fedoraproject.FirewallD1.service

> I dropped the After=dbus.service polkit.service orderings, as they are
> either socket or D-Bus activated services, added an explicit
> After=local-fs.target ordering just to be sure and hooked it into
> sysinit.target.

My educated guess is that they want After=dbus.service mostly for
shutdown ordering, i.e. so that they can still be talked to while the
system goes down or so?

The thing though is: I doubt firewalld is able to handle the case where
the dbus broker isn't connectible yet.

> Would you agree that making a firewall service an early boot service
> is a good idea?

Well, I am not a fan of the firewalld concept tbh. But yes, if you buy
into the idea of firewalld, then you have to make it an early boot
service really, if you intend to be compatible with early boot
networking.

That said, I think NetworkManager is not early-boot either right now,
is it? So you have to move that too. But in that case too, not sure if
it can deal with D-Bus not being around.

Lennart

--
Lennart Poettering, Berlin
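The "watch the socket, then connect" pattern Lennart describes above, as an added illustration that is not systemd's code and not part of this thread. It is Linux-only (inotify); the function names `wait_for_socket`, `try_connect` and `demo_race_free_connect`, the 50 ms re-probe interval and the temp-directory socket that stands in for the broker's socket are all my own assumptions. The ordering is the whole trick: install the watch on the parent directory first, probe with connect(), and only then block on the watch, so a socket that appears between the probe and the wait still produces an event. The one edge case a plain inotify wait gets wrong is also handled: the socket file appears at bind() time, before listen(), so connect() can fail with ECONNREFUSED and no further event will ever arrive for that.

```c
// Added example (not code from systemd or from the mailing-list post):
// connect to a Unix socket that may not exist yet, without a polling loop
// and without the lost-wakeup race. Linux-only (inotify). All names and the
// temp-dir demo below are assumptions made for this illustration.
#define _GNU_SOURCE
#include <errno.h>
#include <libgen.h>
#include <limits.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* One connect() attempt. Returns a connected fd, or -1 with errno preserved. */
static int try_connect(const char *path) {
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    if (strlen(path) >= sizeof sa.sun_path) { errno = ENAMETOOLONG; return -1; }
    strcpy(sa.sun_path, path);
    int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0) return fd;
    int saved = errno; close(fd); errno = saved;
    return -1;
}

static int ms_left(struct timespec deadline) {
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    long ms = (deadline.tv_sec - now.tv_sec) * 1000L
            + (deadline.tv_nsec - now.tv_nsec) / 1000000L;
    return ms < 0 ? 0 : (int)ms;
}

/* Wait up to timeout_ms for a listening socket at `path`. Returns a connected fd or -1. */
int wait_for_socket(const char *path, int timeout_ms) {
    char dirbuf[PATH_MAX];
    if (strlen(path) >= sizeof dirbuf) return -1;
    strcpy(dirbuf, path);
    const char *dir = dirname(dirbuf);          /* dirname() may modify dirbuf */

    int ifd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (ifd < 0) return -1;
    /* Watch BEFORE the first probe: that is what makes the sequence race-free. */
    if (inotify_add_watch(ifd, dir, IN_CREATE | IN_MOVED_TO) < 0) { close(ifd); return -1; }

    struct timespec deadline;
    clock_gettime(CLOCK_MONOTONIC, &deadline);
    deadline.tv_sec  += timeout_ms / 1000;
    deadline.tv_nsec += (timeout_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) { deadline.tv_sec++; deadline.tv_nsec -= 1000000000L; }

    int fd = try_connect(path);                 /* it may already be there */
    while (fd < 0) {
        int err = errno;
        int left = ms_left(deadline);
        if (left == 0) break;
        /* Caveat: ECONNREFUSED means the file exists (bind() done) but nobody
         * listen()s yet. No further inotify event will come for that, so bound
         * the wait and re-probe instead of blocking on the watch alone. */
        int wait = (err == ECONNREFUSED && left > 50) ? 50 : left;
        struct pollfd p = { .fd = ifd, .events = POLLIN };
        int r = poll(&p, 1, wait);
        if (r < 0 && errno != EINTR) break;
        if (r > 0) {                             /* drain events; we only re-probe */
            char buf[4096];
            while (read(ifd, buf, sizeof buf) > 0) {}
        }
        fd = try_connect(path);
    }
    close(ifd);
    return fd;
}

/* Self-contained demo on a constructed temp directory: a child process plays
 * the "broker" and binds the socket 200 ms later; the parent waits for it.
 * Returns 1 on success, 0 otherwise. */
int demo_race_free_connect(void) {
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/sockwait-XXXXXX", tmp);
    if (!mkdtemp(dir)) return 0;
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/system_bus_socket", dir);

    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        usleep(200 * 1000);
        int l = socket(AF_UNIX, SOCK_STREAM, 0);
        struct sockaddr_un sa = { .sun_family = AF_UNIX };
        strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
        if (l < 0 || bind(l, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(l, 1) < 0) _exit(1);
        struct pollfd p = { .fd = l, .events = POLLIN };
        poll(&p, 1, 3000);                      /* stay up until a client arrives (or 3 s) */
        _exit(0);
    }
    int fd = wait_for_socket(path, 3000);
    int ok = fd >= 0;
    if (ok) close(fd);
    int status;
    waitpid(pid, &status, 0);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void) {
    printf("connected: %s\n", demo_race_free_connect() ? "yes" : "no");
    return 0;
}
```

In a real daemon the watch would be driven from the main event loop rather than a blocking poll(), and the connected fd handed to the D-Bus client library; the point here is only the watch-then-probe ordering and the ECONNREFUSED caveat.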