[opensuse] Need help with systemd
Hi Folks,

On a fresh install of 64-bit 12.1 I decided to try sshguard instead of the block-hosts package I've been using for years. sshguard was installed from the security repository.

After fiddling with /etc/init.d/sshguard and /etc/sysconfig/sshguard I managed to get it working. The big problem was the iptables entry to allow ssh appeared before the sshguard entry.

But now it doesn't work on bootup. The changes sshguard makes to iptables are overwritten by a subsequent process. If I run "/etc/init.d/sshguard restart" after the system is up in runlevel 5 everything is fine.

So I need to figure out how to delay sshguard so that it appears later in the boot sequence. Would it be as simple as changing the order of the entries in /etc/init.d?

Does anyone know how to do this right in a default systemd system? I don't want to experiment too much because the system is remote (Vancouver) and the KVM/IP thing doesn't work with SuSE. (That's a matter for a later date.)

Thanks, Lew

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sunday, 2012-02-26 at 19:53 -0800, Lew Wolfgang wrote:
So I need to figure out how to delay sshguard so that it appears later in the boot sequence. Would it be as simple as changing the order of the entries in /etc/init.d?
No, never. Not with systemv, even less with systemd.
Does anyone know how to do this right in a default systemd system?
Nope. systemd is a big unknown. I have seen some people doing things and posting them, so look in the mail archive, here and factory.

-- Cheers, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 02/28/2012 11:34 AM, Carlos E. R. wrote:
On Sunday, 2012-02-26 at 19:53 -0800, Lew Wolfgang wrote:
So I need to figure out how to delay sshguard so that it appears later in the boot sequence. Would it be as simple as changing the order of the entries in /etc/init.d?
No, never. Not with systemv, even less with systemd.
???? The start-up scripts for systemV were actually executed based on the order in /etc/rc5.d (if going into graphical mode) or /etc/rc3.d (if going into multi-user mode). The names of the processes started with SXX or KXX. S was for start-up while K was for shutdown. The XX are numerical, thus you could order them as needed. You'd find that S99local would always be the last to run. So, while it isn't the order in /etc/init.d there is a way to control the order.....
On 2012-02-28 05:14, Ed Greshko wrote:
On 02/28/2012 11:34 AM, Carlos E. R. wrote:
No, never. Not with systemv, even less with systemd.
????
The start-up scripts for systemV were actually executed based on the order in /etc/rc5.d (if going into graphical mode) or /etc/rc3.d (if going into multi-user mode).
Not in recent openSUSE versions, the links are basically ignored. Instead, what is used are makefiles in /etc/init.d/. It is documented. Or was, the manual page has disappeared recently from doc.opensuse.org.
So, while it isn't the order in /etc/init.d there is a way to control the order.....
Yes, but creating manually the symlinks or changing the numbers in the name will not work by default.

-- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 02/28/2012 01:02 PM, Carlos E. R. wrote:
On 2012-02-28 05:14, Ed Greshko wrote:
On 02/28/2012 11:34 AM, Carlos E. R. wrote:
No, never. Not with systemv, even less with systemd.
????
The start-up scripts for systemV were actually executed based on the order in /etc/rc5.d (if going into graphical mode) or /etc/rc3.d (if going into multi-user mode).
Not in recent openSUSE versions, the links are basically ignored. Instead, what is used are makefiles in /etc/init.d/. It is documented. Or was, the manual page has disappeared recently from doc.opensuse.org.
You said "No, *never*". Which is clearly not the case...as I was talking about "SystemV" systems and I used the word "were" which just happens to be past tense. When you say "recent openSUSE" versions are you speaking of those which use a combination of systemd and init scripts? I don't know why you call the scripts in /etc/init.d makefiles.... I haven't had the time or the need to determine how to influence start-up order on systemd with or without a combination of init scripts. But, clearly it is possible since you'd generally need to start the network prior to starting services which require that the network be up. For example, the network needs to be up prior to mounting NFS shares. Clearly, systemd would need to account for that.
So, while it isn't the order in /etc/init.d there is a way to control the order.....
Yes, but creating manually the symlinks or changing the numbers in the name will not work by default.
Yes, it did with systemV systems.... I'd been doing it for *years*.
Ed Greshko wrote:
On 02/28/2012 01:02 PM, Carlos E. R. wrote:
Yes, but creating manually the symlinks or changing the numbers in the name will not work by default.
Yes, it did with systemV systems.... I'd been doing it for *years*.
Ditto.

-- Per Jessen, Zürich (1.6°C)
On 2012-02-28 06:16, Ed Greshko wrote:
On 02/28/2012 01:02 PM, Carlos E. R. wrote:
When you say "recent openSUSE" versions are you speaking of those which use a combination of systemd and init scripts? I don't know why you call the scripts in /etc/init.d makefiles....
I'm referring to systemV exclusively, in distros like 11.0, 11.1, 11.2, 11.3, 11.4. And I talk of makefiles, not init scripts. Look for yourself: cer@Telcontar:~> ls /etc/init.d/.[tab][tab] ./ ../ .depend.boot .depend.halt .depend.start .depend.stop Those files follow a makefile syntax. See startpar(8): "The -M option switches startpar into a make(1) like behaviour."
Yes, it did with systemV systems.... I'd been doing it for *years*.
Then review the posts of people here complaining that it did not work for them, that the order they wrote was not respected. Of course, if you disable the parallel feature, then the symlinks are followed classic style. But it is not the default.

-- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Tuesday 28 February 2012, Carlos E. R. wrote:
On 2012-02-28 06:16, Ed Greshko wrote:
On 02/28/2012 01:02 PM, Carlos E. R. wrote:
When you say "recent openSUSE" versions are you speaking of those which use a combination of systemd and init scripts? I don't know why you call the scripts in /etc/init.d makefiles....
I'm referring to systemV exclusively, in distros like 11.0, 11.1, 11.2, 11.3, 11.4. And I talk of makefiles, not init scripts. Look for yourself:
cer@Telcontar:~> ls /etc/init.d/.[tab][tab] ./ ../ .depend.boot .depend.halt .depend.start .depend.stop
Those files follow a makefile syntax. See startpar(8): "The -M option switches startpar into a make(1) like behaviour."
Yes, it did with systemV systems.... I'd been doing it for *years*.
Then review the posts of people here complaining that it did not work for them, that the order they wrote was not respected.
Of course, if you disable the parallel feature, then the symlinks are followed classic style. But is not the default.
Yep, unfortunately the default is RUN_PARALLEL="yes", which always caused me non-deterministic failures until I noticed how to get rid of that useless startpar.

cu, Rudi
On 02/28/2012 08:33 PM, Carlos E. R. wrote:
Then review the posts of people here complaining that it did not work for them, that the order they wrote was not respected.
Of course, if you disable the parallel feature, then the symlinks are followed classic style. But is not the default.
Please note that I was talking about systemV systems in general and not openSUSE's borked implementation. I totally agree with Ruediger Meier's sentiment.
On Tuesday 28 February 2012, Ed Greshko wrote:
On 02/28/2012 08:33 PM, Carlos E. R. wrote:
Then review the posts of people here complaining that it did not work for them, that the order they wrote was not respected.
Of course, if you disable the parallel feature, then the symlinks are followed classic style. But is not the default.
Please note that I was talking about systemV systems in general and not openSUSE's borked implementation.
I totally agree with Ruediger Meier's sentiment.
Yup, really don't need any possible issues when doing a reboot. My users often say to me "WTF, you force me to log off all the time just because you find it funny to reboot". I say "I do it as seldom as possible, only on kernel updates and when you're idle anyway". Can't say whether me or the user is right, but the least thing I need in this situation is that the reboot does any subtle other things than it did on the last reboot some months ago.

That's why I hate systemd as well as sysvinit/startpar (which is BTW not only a "borked suse thing" but applied by upstream).

The good thing about systemd being default now is that we could make sysvinit's default config stable again without disappointing grandma and grandpa who want to reboot 10 times per day while seeing funny plymouth animations and who would not care if the one or the other reboot fails.

cu, Rudi
On 02/27/2012 11:53 AM, Lew Wolfgang wrote:
Hi Folks,
On a fresh install of 64-bit 12.1 I decided to try sshguard instead of the block-hosts package I've been using for years. sshguard was installed from the security repository.
After fiddling with /etc/init.d/sshguard and /etc/sysconfig/sshguard I managed to get it working. The big problem was the iptables entry to allow ssh appeared before the sshguard entry.
But now it doesn't work on bootup. The changes sshguard makes to iptables are overwritten by a subsequent process. If I run "/etc/init.d/sshguard restart' after the system is up in runlevel 5 everything is fine.
So I need to figure out how to delay sshguard so that it appears later in the boot sequence. Would it be as simple as changing the order of the entries in /etc/init.d?
Does anyone know how to do this right in a default systemd system? I don't want to experiment too much because the system is remote (Vancover) and the KVM/IP thing doesn't work with SuSE. (that's a matter for a later date)
You can consult http://fedoraproject.org/wiki/Systemd and when you get there, search for the word "ordering". You'll find it to be non-trivial.
On 27/02/12 00:53, Lew Wolfgang wrote:
So I need to figure out how to delay sshguard so that it appears later in the boot sequence.
Later is quite vague, do you want it after Susefirewall I presume?
On 02/27/2012 09:54 PM, Cristian Rodríguez wrote:
On 27/02/12 00:53, Lew Wolfgang wrote:
So I need to figure out how to delay sshguard so that it appears later in the boot sequence.
Later is quite vague, do you want it after Susefirewall I presume ?
Right. sshguard needs to start after SuSEfirewall2_setup.

The sshguard rpm created /etc/init.d/sshguard and the symlink /etc/init.d/rc3.d/S08sshguard. The firewall setup link is S15SuSEfirewall2_setup. So I moved S08sshguard to S16sshguard and rebooted. But it still doesn't work, S15SuSEfirewall2_setup is being run after S16sshguard.

But "systemctl list-units | grep guard" shows:

    sshguard.service loaded active running LSB: SSHGUARD provides automatic attack blocking

So systemd knows about sshguard, but I don't know how it found out about it. Maybe the install rpm? If it found it by scanning the init.d scripts it must be ignoring the "ls" order.

My default runlevel is 3.

Regards, Lew
Hi, On 02/28/2012 01:33 AM, Lew Wolfgang wrote:
On 02/27/2012 09:54 PM, Cristian Rodríguez wrote:
On 27/02/12 00:53, Lew Wolfgang wrote:
So I need to figure out how to delay sshguard so that it appears later in the boot sequence.
Later is quite vague, do you want it after Susefirewall I presume ?
Right. sshguard needs to start after SuSEfirewall2_setup.
The sshguard rpm created /etc/init.d/sshguard and the symlink /etc/init.d/rc3.d/S08sshguard. The firewall setup link is S15SuSEfirewall2_setup. So I moved S08sshguard to S16sshguard and rebooted. But it still doesn't work, S15SuSEfirewall2_setup is being run after S16sshguard.
But "systemctl list-units |grep guard" shows:
sshguard.service loaded active running LSB: SSHGUARD provides automatic attack blocking
So systemd knows about sshguard, but I don't know how it found out about it. Maybe the install rpm? If it found it by scanning the init.d scripts it must be ignoring the "ls" order.
My default runlevel is 3.
For sysV init the order is determined by the LSB header in the init script; yes, I know that comments being significant is not very nice, but that's the way it has been for a long time.

Thus, for sshguard to start after SuSEfirewall in a sysV init environment you'd need to add

    SuSEfirewall2_setup

at the end of the

    Required-Start:

line within the ### BEGIN INIT INFO and ### END INIT INFO block in the init script for sshguard.

After you are done with your modification run "insserv sshguard" and the order will be correct and things will work.

For the systemd init process the order is set with key words:

    After
    Before
    Requires
    Wants

see http://0pointer.de/public/systemd-man/systemd.unit.html

Files for systemd are located in /lib/systemd/system/

If sshguard already has a .service file it should be in the /lib/systemd/system directory. You can edit this file and add an

    After=SuSEfirewall2_setup.service

This should work even though SuSEfirewall2_setup does not yet have a .service file. We have "magic" in various places that ties sysV init and systemd together such that during the transition phase (until all services have .service files) services are started properly.

HTH, Robert

-- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
On 02/28/2012 02:51 AM, Robert Schweikert wrote:
Hi,
On 02/28/2012 01:33 AM, Lew Wolfgang wrote:
On 02/27/2012 09:54 PM, Cristian Rodríguez wrote:
On 27/02/12 00:53, Lew Wolfgang wrote:
So I need to figure out how to delay sshguard so that it appears later in the boot sequence.
Later is quite vague, do you want it after Susefirewall I presume ?
Right. sshguard needs to start after SuSEfirewall2_setup.
The sshguard rpm created /etc/init.d/sshguard and the symlink /etc/init.d/rc3.d/S08sshguard. The firewall setup link is S15SuSEfirewall2_setup. So I moved S08sshguard to S16sshguard and rebooted. But it still doesn't work, S15SuSEfirewall2_setup is being run after S16sshguard.
But "systemctl list-units |grep guard" shows:
sshguard.service loaded active running LSB: SSHGUARD provides automatic attack blocking
So systemd knows about sshguard, but I don't know how it found out about it. Maybe the install rpm? If it found it by scanning the init.d scripts it must be ignoring the "ls" order.
My default runlevel is 3.
For sysV init the order is determined by the LSB header in the init script, yes I know comments that are significant is not very nice, but that's the way it has been for a long time.
Thus, for sshguard to start after SuSEfirewall in a sysV init environment you'd need to add
SuSEfirewall2_setup
at the end of the
Required-Start:
line within the ### BEGIN INIT INFO and ### END INIT INFO block in the init script for sshguard.
After you are done with your modification run insserv sshguard and the order will be correct and things will work.
Hi Robert, This didn't work, insserv came up with dependency issues. I had to remove the "$ALL" entry in SuSEfirewall2's Required-Start, as well as adding SuSEfirewall2_setup to sshguard's. I think that SuSEfirewall2_setup may be starting earlier in the boot sequence now, but it doesn't seem to hurt anything. It works now!
For the systemd init process the order is set with key words:
After Before Requires Wants
see http://0pointer.de/public/systemd-man/systemd.unit.html
Files for systemd are located in /lib/systemd/system/
If sshguard already has a .service file it should be in the /lib/systemd/system directory. You can edit this file and add an
sshguard doesn't have a .service file.
After=SuSEfirewall2_setup.service
This should work even though SuSEfirewall2_setup does not yet have a .service file. We have "magic" in various places that ties sysV init and systemd together such that during the transitions phase (until all services have .service files) services are started properly.
Thanks for the help, I learned a bit too.

Regards, Lew
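Added example (mine, not Robert's, Lew's, or anything shipped in the sshguard package): a small POSIX sh helper that performs the edit Robert describes above, appending SuSEfirewall2_setup to the Required-Start: line of an LSB header, and that first checks for the trap Lew reports in his reply, a target script whose own Required-Start contains $ALL, which insserv rejects as a dependency cycle. All file paths and header contents are constructed for the demonstration; nothing under /etc/init.d is touched unless you pass those paths in.

```shell
#!/bin/sh
# Added example, not the sshguard init script or SUSE tooling: edit the LSB
# "Required-Start:" header of an init script and detect the "$ALL" cycle that
# makes insserv refuse the new dependency. Sample files are constructed.

# Print the value of the Required-Start: line inside the LSB header block
# (empty output if the script has none).
lsb_required_start() {
    # $1 = path to init script
    sed -n '/^### BEGIN INIT INFO/,/^### END INIT INFO/{s/^# *Required-Start: *//p;}' "$1"
}

# Append a facility or service name to Required-Start: unless it is already
# listed. Edits the file in place via a temp file, keeping the original's mode.
lsb_add_required_start() {
    # $1 = path to init script, $2 = dependency to add (e.g. SuSEfirewall2_setup)
    script=$1; dep=$2
    case " $(lsb_required_start "$script") " in
        *" $dep "*) return 0 ;;   # already present: nothing to do (idempotent)
    esac
    tmp=$(mktemp) || return 1
    awk -v dep="$dep" '
        /^### BEGIN INIT INFO/ { inhdr = 1 }
        /^### END INIT INFO/   { inhdr = 0 }
        inhdr && /^# *Required-Start:/ { sub(/[ \t]+$/, ""); $0 = $0 " " dep }
        { print }
    ' "$script" > "$tmp" && cat "$tmp" > "$script"
    rm -f "$tmp"
}

# Return 0 (true) if making $1 depend on $2 would create the cycle insserv
# rejects: $2 itself requires "$ALL" (start after everything), which cannot be
# satisfied if $1 must start after $2. This is the situation Lew hit with
# SuSEfirewall2_setup; the fix he used was to drop $ALL from the target.
lsb_would_cycle_on_all() {
    # $1 = dependent init script, $2 = init script it is to depend on
    case " $(lsb_required_start "$2") " in
        *' $ALL '*) return 0 ;;
    esac
    return 1
}
```

Run lsb_would_cycle_on_all /etc/init.d/sshguard /etc/init.d/SuSEfirewall2_setup before editing; if it reports a cycle, the $ALL entry in the target has to go first, as in Lew's reply, and only then lsb_add_required_start followed by "insserv sshguard" gives a consistent order.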
On 28/02/12 03:33, Lew Wolfgang wrote:
On 02/27/2012 09:54 PM, Cristian Rodríguez wrote:
On 27/02/12 00:53, Lew Wolfgang wrote:
So I need to figure out how to delay sshguard so that it appears later in the boot sequence.
Later is quite vague, do you want it after Susefirewall I presume ?
Right. sshguard needs to start after SuSEfirewall2_setup.
The init script does not look very promising, i.e.

    iptables_start() {
        /usr/sbin/iptables -N sshguard
        /usr/sbin/iptables -A INPUT -p tcp --dport $PORTS -j sshguard
    }

    iptables_stop() {
        /usr/sbin/iptables -F sshguard
        /usr/sbin/iptables -D INPUT -p tcp --dport $PORTS -j sshguard
        /usr/sbin/iptables -X sshguard
    }

Does not belong there; this has to be done somehow with the SUSE firewall configuration scripts.

Also it appears this tool does not have a configuration file or is not making use of it, so it still needs to use sysconfig. *ARGHHHH..*

I will add native systemd units to the package once I figure out how to get rid of the iptables setup section properly ...
On 02/28/2012 12:23 PM, Cristian Rodríguez wrote:
On 28/02/12 03:33, Lew Wolfgang wrote:
On 02/27/2012 09:54 PM, Cristian Rodríguez wrote:
On 27/02/12 00:53, Lew Wolfgang wrote:
So I need to figure out how to delay sshguard so that it appears later in the boot sequence.
Later is quite vague, do you want it after Susefirewall I presume ?
Right. sshguard needs to start after SuSEfirewall2_setup.
The init script does not look very promising.
i.e
    iptables_start() {
        /usr/sbin/iptables -N sshguard
        /usr/sbin/iptables -A INPUT -p tcp --dport $PORTS -j sshguard
    }

    iptables_stop() {
        /usr/sbin/iptables -F sshguard
        /usr/sbin/iptables -D INPUT -p tcp --dport $PORTS -j sshguard
        /usr/sbin/iptables -X sshguard
    }
Does not belong there, this has to be done somewhat with SUSE firewall configuration scripts.
also it appear this tool does not have a configuration file or is not making use of it.. so still needs to use sysconfig *ARGHHHH..*
I will add native systemd units to the package once I figure out how to get rid of iptables setup section properly ...
Hi Cristian,

Here's what I did to /etc/init.d/sshguard to get it working:

    iptables_start() {
        /usr/sbin/iptables -N sshguard
        /usr/sbin/iptables -I INPUT 4 -p tcp --dport $PORTS -j sshguard
    }

The "-A INPUT" was adding the sshguard entry at the end of the INPUT chain, which meant that having sshd enabled in the input_ext section would prevent sshguard from ever being reached. The "-I INPUT 4" inserts sshguard in front of input_ext. I have no idea if this is the right way to do it, but it works.

Also, this needs changing in /etc/sysconfig/sshguard:

    ## Type: integer
    ## Default: 4
    # Number of attacks before IP gets blocked
    ATTACK_ATTEMPTS="4"

The "4" should be "40". With it set to 4 it blocks on the first mistyped password!

Regards, Lew
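Added example, not Lew's patch and not the sshguard init script: the same idea as Lew's "-I INPUT 4", but with the insert position computed from the live chain instead of hard-coded, because position 4 only stays correct while SuSEfirewall2 keeps the rules above its input_ext jump unchanged (a changed zone setup or an extra rule silently puts sshguard after input_ext again, and the sshd ACCEPT there wins). rule_position_of_target parses the column layout of "iptables -L INPUT -n --line-numbers"; SAMPLE_LISTING is a constructed chain for the demonstration, and iptables_start at the bottom is the replacement for the init script's function (it needs root and the real iptables, and the sample does not run it).

```shell
#!/bin/sh
# Added example (not the sshguard package's code): insert the sshguard jump
# directly in front of SuSEfirewall2's input_ext jump, wherever that currently
# is, rather than at a fixed position. Sample chain listing is constructed.

# Constructed listing in the format of "iptables -L INPUT -n --line-numbers".
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
4    input_ext  all  --  0.0.0.0/0            0.0.0.0/0
5    LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4
6    DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Print the line number of the first rule whose target column equals $1.
# Reads a chain listing on stdin; prints nothing and returns 1 if not found.
rule_position_of_target() {
    awk -v t="$1" '
        $1 ~ /^[0-9]+$/ && $2 == t { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Where to insert the sshguard jump: the slot of the first input_ext jump, so
# the new rule is evaluated before it. If there is no input_ext jump (firewall
# not configured), fall back to 1, the head of the chain; the sshguard chain only
# ever holds DROPs for blocked addresses, so evaluating it first is harmless.
sshguard_insert_position() {
    pos=$(rule_position_of_target input_ext) || pos=1
    echo "$pos"
}

# Drop-in replacement for the init script's iptables_start. Requires root.
# Assumes $PORTS is set from /etc/sysconfig/sshguard as in the original script;
# note that --dport takes a single port, so a list would need -m multiport.
iptables_start() {
    /usr/sbin/iptables -N sshguard 2>/dev/null || /usr/sbin/iptables -F sshguard
    pos=$(/usr/sbin/iptables -L INPUT -n --line-numbers | sshguard_insert_position)
    /usr/sbin/iptables -I INPUT "$pos" -p tcp --dport "$PORTS" -j sshguard
}
```

Against the sample chain this yields position 4, the number Lew found by hand; the difference is that the value is re-derived every time the service starts, and iptables_stop can keep using "-D INPUT ... -j sshguard" unchanged, since deletion by rule specification does not depend on position.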