
List:       systemd-devel
Subject:    Re: [systemd-devel] Ordering dependency on device unit not working
From:       Andrei Borzenkov <arvidjaar () gmail ! com>
Date:       2023-08-14 6:21:39
Message-ID: acb1ae4a-07b9-f983-b016-7855e45268c2 () gmail ! com

On 13.08.2023 22:37, Ian Pilcher wrote:
> I am attempting to create a service that will load device-specific
> netfilter rules after the corresponding device has been created (bonds,
> VLANs, etc.).
> 
> Here is my current attempt.
> 
>    [Unit]
>    Description=Apply device-specific nftables rules for %I
>    Wants=sys-devices-virtual-net-%I.device nftables.service
>    After=sys-devices-virtual-net-%I.device
> 
>    [Service]
>    Type=oneshot
>    ProtectSystem=full
>    ProtectHome=true
>    ExecStart=/sbin/nft -f /etc/sysconfig/nftables-%I.conf
>    RemainAfterExit=yes
> 
>    [Install]
>    WantedBy=multi-user.target
> 
> 
> But the service is still being started too early, despite its ordering
> dependency on the device unit.
> 
>    # systemctl status late-nftables@bond0.256.service
>    × late-nftables@bond0.256.service - Apply device-specific nftables
> rules for bond0.256
>         Loaded: loaded (/etc/systemd/system/late-nftables@.service;
> enabled; preset: disabled)
>         Active: failed (Result: exit-code) since Sun 2023-08-13 13:52:49
> CDT; 29min ago
>        Process: 525 ExecStart=/sbin/nft -f
> /etc/sysconfig/nftables-bond0.256.conf (code=exited, status=1/FAILURE)
>       Main PID: 525 (code=exited, status=1/FAILURE)
>            CPU: 45ms
> 
>    Aug 13 13:52:49 firewall.penurio.us nft[525]: In file included from
> /etc/sysconfig/nftables-bond0.256.conf:1:1-37:
>    Aug 13 13:52:49 firewall.penurio.us nft[525]:
> /etc/nftables/fail2ban.nft:12:8-15: Error: Could not process rule: No
> such file or directory
>    Aug 13 13:52:49 firewall.penurio.us nft[525]:         chain FAIL2BAN {
>    Aug 13 13:52:49 firewall.penurio.us nft[525]:               ^^^^^^^^
>    Aug 13 13:52:49 firewall.penurio.us systemd[1]:
> late-nftables@bond0.256.service: Main process exited, code=exited,
> status=1/FAILURE
>    Aug 13 13:52:49 firewall.penurio.us systemd[1]:
> late-nftables@bond0.256.service: Failed with result 'exit-code'.
>    Aug 13 13:52:49 firewall.penurio.us systemd[1]: Failed to start Apply
> device-specific nftables rules for bond0.256.
> 
>    # systemctl status late-nftables@bond0.256.service
>    ● sys-devices-virtual-net-bond0.256.device -
> /sys/devices/virtual/net/bond0.256

I suspect a name escaping issue. bond0.256 contains a dot, so the unit name
must be escaped. Try %i instead.

>         Loaded: loaded
>         Active: active (plugged) since Sun 2023-08-13 13:52:51 CDT; 31min ago
>          Until: Sun 2023-08-13 13:52:51 CDT; 31min ago
>         Device: /sys/devices/virtual/net/bond0.256
> 
> The device unit has been "active (plugged) since Sun 2023-08-13 13:52:51
> CDT", but the service failed at 13:52:49, 2 seconds earlier.
> 
> What am I missing?
> 

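The escaping the reply refers to (the rules systemd applies to %i, as opposed to the raw %I, and to device unit names derived from sysfs paths), as an added shell example that is not part of this thread. It re-implements systemd's documented unit-name escaping rules rather than calling systemd-escape, and the interface names other than bond0.256 are constructed inputs.

```shell
#!/bin/sh
# Re-implementation of systemd's unit-name escaping (what systemd-escape and
# the %i specifier do). Rules assumed from systemd's documentation:
#   "/" becomes "-"; "-", "\" and any byte outside [A-Za-z0-9:_.] become \xNN;
#   a leading "." is escaped so no unit name starts with a dot.
# ASCII input is assumed; the C locale keeps bracket ranges predictable.
LC_ALL=C
export LC_ALL

escape_char() {
    # Print one character as \xNN using its byte value.
    printf '\\x%02x' "'$1"
}

systemd_escape() {
    # Equivalent of: systemd-escape "$1"   (this is how %i is derived from %I)
    s=$1
    out=''
    first=1
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}     # first character of the remaining string
        s=${s#?}            # the rest
        if [ "$first" = 1 ] && [ "$c" = '.' ]; then
            out="$out$(escape_char "$c")"
        else
            case $c in
                /)              out="$out-" ;;
                [A-Za-z0-9:_.]) out="$out$c" ;;
                *)              out="$out$(escape_char "$c")" ;;
            esac
        fi
        first=0
    done
    printf '%s\n' "$out"
}

systemd_escape_path() {
    # Equivalent of: systemd-escape --path "$1"   (device/mount unit names)
    # Collapse repeated slashes, strip leading and trailing ones, then escape.
    p=$(printf '%s' "$1" | tr -s '/')
    while [ "${p#/}" != "$p" ]; do p=${p#/}; done
    while [ "${p%/}" != "$p" ]; do p=${p%/}; done
    if [ -z "$p" ]; then printf -- '-\n'; return; fi   # the root path is "-"
    systemd_escape "$p"
}

# Demo: the device unit for the sysfs path in the thread, and an escaped
# instance name for a constructed interface name containing a dash.
printf 'device unit: %s.device\n' "$(systemd_escape_path /sys/devices/virtual/net/bond0.256)"
printf 'escaped %%i for eth0-vlan: %s\n' "$(systemd_escape eth0-vlan)"
```

Compare the output of systemd_escape with the unescaped instance string to see which interface names actually differ between %i and %I.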