Debian Bug report logs - #832802
usage of network-pre.target results in systemd ordering cycle

Package: systemd; Maintainer for systemd is Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>; Source for systemd is src:systemd.

Reported by: Patrick Schleizer <adrelanos@whonix.org>

Date: Thu, 28 Jul 2016 23:45:02 UTC

Severity: grave

Tags: security

Done: Michael Biebl <biebl@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, whonix-devel@whonix.org, Jonathan Wiltshire <jmw@debian.org>:
Bug#832802; Package netfilter-persistent. (Thu, 28 Jul 2016 23:45:05 GMT)


Acknowledgement sent to Patrick Schleizer <adrelanos@whonix.org>:
New Bug report received and forwarded. Copy sent to whonix-devel@whonix.org, Jonathan Wiltshire <jmw@debian.org>. (Thu, 28 Jul 2016 23:45:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Patrick Schleizer <adrelanos@whonix.org>
To: submit@bugs.debian.org
Subject: usage of network-pre.target results in systemd ordering cycle
Date: Thu, 28 Jul 2016 23:40:00 +0000
Package: netfilter-persistent
Severity: grave
X-Debbugs-CC: whonix-devel@whonix.org
Tags: security

Dear maintainer,

I am using the following minimal systemd unit file for testing purposes.

###
/lib/systemd/system/my-test.service

[Unit]
Description=my-test-firewall-service

Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
StandardOutput=syslog

[Install]
WantedBy=multi-user.target
###

Enabled it using "sudo systemctl enable my-test.service". It results in
a systemd ordering cycle.

Jul 29 01:23:59 localhost systemd[1]: Found ordering cycle on basic.target/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on sysinit.target/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on networking.service/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on network-pre.target/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on my-test.service/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on basic.target/start
Jul 29 01:23:59 localhost systemd[1]: Breaking ordering cycle by deleting job networking.service/start
Jul 29 01:23:59 localhost systemd[1]: Job networking.service/start deleted to break ordering cycle starting with basic.target/start

Alternatively I tried "WantedBy=network-pre.target", but that resulted
in the systemd unit not being automatically activated after boot at all.
It stays in a loaded, enabled, inactive status. (Manual systemctl start
my-test worked.)

I think this is security relevant since to learn that there is a systemd
ordering cycle one has to look at the syslog. And systemd's automatic
breaking of the chain might result in the firewall not being loaded early
enough?

Cheers,
Patrick
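
Added example, not part of the original report or of systemd: a small scanner that pulls ordering cycles and the job systemd deleted out of journal text, so a boot check can flag when a firewall unit is involved instead of relying on someone reading syslog. The function names are hypothetical, and the message formats are assumed to match the log lines quoted in the report.

```python
import re

# Constructed sample: the journal lines from the report, with the mail
# client's line wrapping undone.
SAMPLE = """\
Jul 29 01:23:59 localhost systemd[1]: Found ordering cycle on basic.target/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on sysinit.target/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on networking.service/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on network-pre.target/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on my-test.service/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on basic.target/start
Jul 29 01:23:59 localhost systemd[1]: Breaking ordering cycle by deleting job networking.service/start
Jul 29 01:23:59 localhost systemd[1]: Job networking.service/start deleted to break ordering cycle starting with basic.target/start
"""

# Message formats as they appear in the report's log (assumed, not guaranteed).
START = re.compile(r"Found ordering cycle on (\S+)/\w+")
DEP = re.compile(r"Found dependency on (\S+)/\w+")
BREAK = re.compile(r"Breaking ordering cycle by deleting job (\S+)/\w+")

def find_cycles(lines):
    """Return one dict per cycle: the unit chain and the unit whose job was deleted."""
    cycles, cur = [], None
    for line in lines:
        if "systemd[" not in line:
            continue
        if (m := START.search(line)):
            cur = {"chain": [m.group(1)], "deleted": None}
            cycles.append(cur)
        elif cur and (m := DEP.search(line)):
            cur["chain"].append(m.group(1))
        elif cur and (m := BREAK.search(line)):
            cur["deleted"] = m.group(1)
            cur = None  # cycle record is complete
    return cycles

def watched_units_hit(cycles, watched):
    """Units from `watched` that sit in a cycle or had their start job deleted."""
    hit = set()
    for c in cycles:
        hit |= set(watched) & (set(c["chain"]) | {c["deleted"]})
    return sorted(hit)

if __name__ == "__main__":
    for c in find_cycles(SAMPLE.splitlines()):
        print(" -> ".join(c["chain"]), "| deleted:", c["deleted"])
```

Feeding it the current boot's journal text and a watch list containing the firewall unit gives a non-empty result whenever that unit's ordering was altered by cycle breaking.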



Bug reassigned from package 'netfilter-persistent' to 'systemd'. Request was from Patrick Schleizer <adrelanos@riseup.net> to control@bugs.debian.org. (Fri, 29 Jul 2016 01:12:09 GMT)


Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Fri, 29 Jul 2016 07:21:12 GMT)


Notification sent to Patrick Schleizer <adrelanos@whonix.org>:
Bug acknowledged by developer. (Fri, 29 Jul 2016 07:21:12 GMT)


Message #12 received at 832802-done@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 832802-done@bugs.debian.org, Patrick Schleizer <adrelanos@whonix.org>
Subject: Re: usage of network-pre.target results in systemd ordering cycle
Date: Fri, 29 Jul 2016 09:17:28 +0200
On Thu, 28 Jul 2016 23:40:00 +0000 Patrick Schleizer
<adrelanos@whonix.org> wrote:
> Package: netfilter-persistent
> Severity: grave
> X-Debbugs-CC: whonix-devel@whonix.org
> Tags: security
> 
> Dear maintainer,
> 
> I am using the following minimal systemd unit file for testing purposes.
> 
> ###
> /lib/systemd/system/my-test.service
> 
> [Unit]
> Description=my-test-firewall-service
> 
> Before=network-pre.target
> Wants=network-pre.target
> 
> [Service]
> Type=oneshot
> RemainAfterExit=yes
> ExecStart=/bin/true
> StandardOutput=syslog
> 
> [Install]
> WantedBy=multi-user.target
> ###
> 
> Enabled it using "sudo systemctl enable my-test.service". It results in
> a systemd ordering cycle.


That's not a bug in systemd but in your service file.
If you want to run in early boot, you'll need to use
DefaultDependencies=yes and specify your dependencies/orderings carefully.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?


Information forwarded to debian-bugs-dist@lists.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#832802; Package systemd. (Fri, 29 Jul 2016 08:00:03 GMT)


Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>. (Fri, 29 Jul 2016 08:00:03 GMT)


Message #17 received at 832802@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 832802@bugs.debian.org, Patrick Schleizer <adrelanos@whonix.org>
Subject: Re: usage of network-pre.target results in systemd ordering cycle
Date: Fri, 29 Jul 2016 09:57:15 +0200
On 29.07.2016 at 09:17, Michael Biebl wrote:
> That's not a bug in systemd but in your service file.
> If you want to run in early boot, you'll need to use
> DefaultDependencies=yes and specify your dependencies/orderings carefully.

I've filed an upstream RFE bug at [1]. Maybe they have an idea how
dependency cycles can be made more discoverable by the user.
It's best if you follow up there, if you have any contributions

Michael

[1] https://github.com/systemd/systemd/issues/3829
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?


Message #18 received at 832802-done@bugs.debian.org:

From: Patrick Schleizer <adrelanos@whonix.org>
To: 832802-done@bugs.debian.org
Subject: Re: usage of network-pre.target results in systemd ordering cycle
Date: Sat, 30 Jul 2016 14:52:00 +0000
Michael Biebl:
> If you want to run in early boot, you'll need to use
> DefaultDependencies=yes and specify your dependencies/orderings carefully.

I guess you meant DefaultDependencies=no, because
DefaultDependencies=yes is the default anyhow?

Cheers,
Patrick




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Aug 2016 07:25:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jul 27 05:25:03 2018; Machine Name: beach
