On Tue, Nov 11, 2014 at 04:37:32PM +0100, Stanislav Brabec wrote:
I would like to open a discussion about use of systemd presets while packaging.
Systemd preset files are the preferred way for packages to set the default state of services. Preset files are located in the /usr/lib/systemd/system-preset directory. %service_add_post is aware of presets, and if the package adds a systemd service together with presets, %service_add_post performs a one-time set to the preset default state.
Current policy is simple: all presets belong to systemd-presets-branding-{product}:
  /usr/lib/systemd/system-preset/90-default-openSUSE.preset
and the default is to disable all others:
  /usr/lib/systemd/system-preset/99-default-disable.preset
It makes a lot of sense for packages with optional services that should be always on, like apache, network servers etc.
But I think that makes less sense for packages that are optional to install, but if they are installed and not active, they are broken. Especially if they are socket activated, the standby state means no more than one socket opened by systemd.
I have two examples from the last weeks:
  uuidd: optional socket-activated util-linux daemon providing support for UUIDs.
  pcsc-lite pcscd: Smart Card daemon that is socket activated whenever an application attempts to use the Smart Card PC/SC API. If it is not enabled, Smart Card access does not work.
Note that it has a security implication: each package that installs a default-on preset should be audited by the security team. The security team would need to watch the whole directory, not only a branding file.
As you noticed, security likes tight control over presets on systemd services/sockets/etc. The security team (well, basically me) is maintaining the systemd-presets-branding-openSUSE (and -SLE) packages. And these are the system defaults. In general we take all requests and also usually allow them, so it's not needed to have packages do it separately. You mention apache etc., but these are usually enabled either by the admin or someone else. So I would like not to have specific presets in packages, but track them all in the branding-presets-.

Ciao, Marcus
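To make the policy question concrete, here is an added example (not from either mail or from the openSUSE packages) that resolves a unit's effective preset state the way systemd does for a single preset directory: files are read in sorted filename order and the first directive whose pattern matches the unit wins, with "enable" as the fallback when nothing matches. It then lists every "enable" directive found outside the branding file, which is exactly what a reviewer would have to track if packages shipped their own presets. The preset directory, the 50-pcsc-lite.preset file and the unit lists in it are constructed for this example; the real lookup also consults /etc/systemd/system-preset and /run/systemd/system-preset, where a same-named file overrides the /usr/lib copy, which is left out here.

```shell
#!/bin/sh
# Added example: evaluate systemd preset files for a unit and audit which
# non-branding files turn units on. Directory layout and file contents are
# constructed for the example; only one preset directory is modelled.
set -eu

# Use a scratch directory unless the caller points PRESET_DIR elsewhere.
if [ -z "${PRESET_DIR:-}" ]; then
    PRESET_DIR=$(mktemp -d)
    trap 'rm -rf "$PRESET_DIR"' EXIT
fi
BRANDING_FILE=90-default-openSUSE.preset

# Build a sample preset directory: the branding file, the catch-all
# "disable *" file, and one package (hypothetical) shipping its own preset.
make_sample_presets() {
    mkdir -p "$PRESET_DIR"
    cat > "$PRESET_DIR/$BRANDING_FILE" <<'EOF'
# branding defaults (sample content)
enable uuidd.socket
enable sshd.service
EOF
    cat > "$PRESET_DIR/50-pcsc-lite.preset" <<'EOF'
# shipped by a package (sample content)
enable pcscd.socket
EOF
    cat > "$PRESET_DIR/99-default-disable.preset" <<'EOF'
disable *
EOF
}

# preset_state UNIT -> prints "enable" or "disable".
# Files are visited in sorted filename order (the shell glob sorts them);
# the first directive whose glob pattern matches UNIT decides.
preset_state() {
    unit=$1
    for f in "$PRESET_DIR"/*.preset; do
        while read -r action pattern _; do
            case $action in ''|'#'*) continue ;; esac
            # Unquoted $pattern is deliberately matched as a glob, so "*" works.
            case $unit in
                $pattern) printf '%s\n' "$action"; return 0 ;;
            esac
        done < "$f"
    done
    # systemd's default when no preset file mentions the unit.
    printf 'enable\n'
}

# audit_non_branding_enables -> prints "FILE UNIT" for every "enable"
# directive that lives outside the branding file.
audit_non_branding_enables() {
    for f in "$PRESET_DIR"/*.preset; do
        name=${f##*/}
        [ "$name" = "$BRANDING_FILE" ] && continue
        while read -r action pattern _; do
            if [ "$action" = enable ]; then
                printf '%s %s\n' "$name" "$pattern"
            fi
        done < "$f"
    done
}

main() {
    make_sample_presets
    for u in pcscd.socket uuidd.socket cups.service; do
        printf '%-14s %s\n' "$u" "$(preset_state "$u")"
    done
    echo "enable directives outside $BRANDING_FILE:"
    audit_non_branding_enables
}
main
```

Because 50-pcsc-lite.preset sorts before both branding files, its "enable pcscd.socket" line wins over the catch-all "disable *", which is the effect Stanislav is asking for and the reason Marcus wants such lines reviewed in one place. Running the audit function over the real /usr/lib/systemd/system-preset directory (PRESET_DIR=/usr/lib/systemd/system-preset) shows whether any installed package already carries a default-on preset of its own.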