Hello,

On Saturday, 17 January 2015, Tomáš Chvátal wrote:
On Fri, 16 January 2015 15:23:34, Tomáš Chvátal wrote:
There are still a few leaf packages using regular old initscripts instead of unit files. I guess it is due to the simple fact that nobody bothered nor had a reason as it still kinda works.
What do you think? Should I do the rpmlint check?
* There was a promise that inits will keep working - there was a promise that systemd will run initscripts for external stuff so you keep compatibility and can in that case still run your software. That compat is not going away and actually we really really really want it to be around for a long time.
Oh really?

https://bugzilla.opensuse.org/show_bug.cgi?id=853019 (non-public, sorry) is about a compatibility problem that is even security-relevant. I reported it a year ago, and nobody did anything to fix it :-( (Well, besides the work I did myself for the workaround in the rpm %post script.)

Short summary of the bug report: always use "rcapparmor reload" to reload your profiles. NEVER use "rcapparmor restart" because that will remove AppArmor protection from currently running programs (until you restart them).

Background: the systemd wrapper maps "restart" to "stop, then start", and this causes a totally different handling in the initscript - "stop" unloads all profiles and removes protection from running programs, and "start" can't apply a profile to an already running program. (The initscript itself maps "restart" to the "reload" behaviour and therefore keeps running programs protected.)

Needless to say that I only found this by luck. I wouldn't be surprised if this bug has existed since the first version of the systemd initscript wrapper.

I could even TL;DR this to "the systemd wrapper for initscripts causes security issues, and nobody cares to fix it" :-(

I know this sounds like a rant, and actually I have to admit that it is one ;-) (at least with a real problem in mind)

Nevertheless, I'll happily test a fixed wrapper.

I'll also happily test an apparmor.service file if someone writes it. However the precondition to accept it is that it's also accepted upstream - *.service files are (also) meant to avoid distro-specific stuff, right? ;-) (hint: it might be a good idea to send it directly to the upstream mailing list)

Bonus points if you make "rcapparmor status" as useful as it is today with the initscript. Hint: ExecStatus is still not implemented AFAIK, and the systemd answer "I started it, so it's probably still running" is anything but useful :-(
Overall you didn't present any really valid reason for not doing it
Did I already mention that ExecStatus is still missing? Note that this would also be useful for the firewall and similar stuff that doesn't include a running process - again, the current behaviour "I started it, so it must still be running" is not a good answer. [1]
- basically my rpmlint update won't get to factory before we fix the core packages anyway, where I can even promise to find the time and fix most
Oh, was this a promise to write apparmor.service and to implement ExecStatus? ;-)

Regards,

Christian Boltz

[1] just to avoid confusion: this "only" affects things that don't have a running process, like AppArmor or a firewall

--
Exactly, Office and M$ programs mostly all have the same style. Right, they usually manage comb quoting especially well. *g,d&r* [> Andre Heine and Florian Gross in suse-linux]
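A check for the state described in the message above, as an added example that is not part of the original mail or of AppArmor's own tooling: it lists processes that run unconfined although a profile named after their executable is loaded, which is what "stop, then start" leaves behind. The function names and the sample tree are constructed for this example, and it assumes profiles are named after the executable path.

```shell
#!/bin/sh
# Added example, not from the original mail.
# Assumption: profiles are named after the executable path (globs and
# named profiles are not handled).

# find_unprotected PROC_ROOT PROFILES_FILE
#   PROC_ROOT      normally /proc
#   PROFILES_FILE  normally /sys/kernel/security/apparmor/profiles,
#                  one "name (mode)" entry per line
# Prints "PID EXECUTABLE" for every unconfined process that has a loaded profile.
find_unprotected() {
    proc_root=$1
    profiles=$2
    for attr in "$proc_root"/[0-9]*/attr/current; do
        [ -r "$attr" ] || continue
        pid_dir=${attr%/attr/current}
        label=$(cat "$attr" 2>/dev/null) || continue
        [ "$label" = "unconfined" ] || continue   # confined: nothing to report
        exe=$(readlink "$pid_dir/exe" 2>/dev/null) || continue
        if grep -q -F -x -e "$exe (enforce)" -e "$exe (complain)" "$profiles"; then
            echo "${pid_dir##*/} $exe"
        fi
    done
}

# add_proc ROOT PID LABEL EXE: build one entry of a constructed /proc tree
add_proc() {
    mkdir -p "$1/$2/attr"
    printf '%s\n' "$3" > "$1/$2/attr/current"
    ln -s "$4" "$1/$2/exe"
}

# Constructed sample data, so the check runs without AppArmor or root.
demo_dir=$(mktemp -d)
add_proc "$demo_dir" 101 "unconfined" /usr/sbin/ntpd                # running since before the restart
add_proc "$demo_dir" 102 "/usr/sbin/nscd (enforce)" /usr/sbin/nscd  # started afterwards, confined
add_proc "$demo_dir" 103 "unconfined" /usr/bin/vim                  # no profile exists for it
printf '%s\n' "/usr/sbin/ntpd (enforce)" "/usr/sbin/nscd (enforce)" > "$demo_dir/profiles"
find_unprotected "$demo_dir" "$demo_dir/profiles"
rm -rf "$demo_dir"
```

On a real system the call is `find_unprotected /proc /sys/kernel/security/apparmor/profiles`, run as root so that other users' `exe` links and the profile list are readable.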