Mageia 7 RC systemd doesn't run SYSV service properly

This forum is dedicated to testing early releases and cauldron : Howtos, tips, tricks and user global feedback and thoughts...

Helpful tip :
For bugs tracking we use : https://bugs.mageia.org = The Mageia Bug Tracker
In this bug tracker you'll find already reported bugs and you'll be able to report those you have found....

Mageia 7 RC systemd doesn't run SYSV service properly

Postby griffin2 » Jun 14th, '19, 02:07

Under Mageia 7 RC it appears that systemd doesn't run services defined in old style init.d scripts, whereas it did under Mageia 6. I have a bash script that defines an iptables firewall. Systemd used to run it during startup under Mageia 6, but no longer does so under Mageia 7 RC. This leaves my system unable to connect to the internet, so I do notice this.
Last edited by griffin2 on Jun 18th, '19, 21:36, edited 3 times in total.
griffin2
 
Posts: 21
Joined: Nov 27th, '18, 11:51

Re: Mageia 7 RC systemd doesn't run init.d service anymore

Postby martinw » Jun 14th, '19, 20:43

What is the output of
Code: Select all
systemctl status name-of-your-service

(substituting the name of your script for name-of-your-service)
martinw
 
Posts: 563
Joined: May 14th, '11, 10:59

Re: Mageia 7 RC systemd doesn't run init.d service anymore

Postby griffin2 » Jun 14th, '19, 21:52

Thanks, here is the output of that command:
Code: Select all
[root@eris ram]# systemctl status bastille
● bastille.service - SYSV: iptables packet filtering firewall
   Loaded: loaded (/etc/rc.d/init.d/bastille; generated)
   Active: active (exited) since Fri 2019-06-14 07:54:05 PDT; 4h 13min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1264 ExecStart=/etc/rc.d/init.d/bastille start (code=exited, status=0/SUCCESS)

Jun 14 07:54:05 eris bastille[1264]: Bad argument `DROP'
Jun 14 07:54:05 eris bastille[1264]: Try `iptables -h' or 'iptables --help' for more information.
Jun 14 07:54:05 eris bastille[1264]:  done.
Jun 14 07:54:05 eris bastille[1264]: Setting up services audit rules... done.
Jun 14 07:54:05 eris bastille[1264]: Setting up ICMP rules... done.
Jun 14 07:54:05 eris bastille[1264]: Allowing traffic for established connections... done.
Jun 14 07:54:05 eris bastille[1264]: Setting up general rules... done.
Jun 14 07:54:05 eris bastille[1264]: Setting up outbound rules... done.
Jun 14 07:54:05 eris bastille[1264]: Enabling IP forwarding... done.
Jun 14 07:54:05 eris systemd[1]: Started SYSV: iptables packet filtering firewall.

That indicates that the system did run the bastille script with the command "/sbin/bastille-netfilter start", but there was a hidden error, as subsequent poking with "/sbin/bastille-netfilter status" revealed, in that the configuration file /etc/sysconfig/bastille-firewall.cfg wasn't sourced when the script was run by systemd.
(Thus the iptables rules were truncated, as hinted by the "Bad argument" error in the output above, as well as the fact that a SNAT rule for an internal network wasn't added to Postrouting section of the NAT table.)
Unless there's some way to get systemd to source that configuration file when it runs the netfilter script, it looks like I might have to move the configuration file into the top of the script, in order to let the script source those variables. At present, the workaround for this problem under Mageia 7 RC is to rerun the netfilter script from a terminal session. And I will add the word "properly" to the title of this thread.
griffin2
 
Posts: 21
Joined: Nov 27th, '18, 11:51

Re: Mageia 7 RC systemd doesn't run init.d service properly

Postby griffin2 » Jun 15th, '19, 05:27

In my initial post in this thread I stated that systemd ran this init.d service properly under Mageia 6, but I just now saw that fail after a reboot of Mageia 6 with the same symptoms, and I worked around the problem in the exact same way. Poking around a bit more, it occurs to me that permissions might have something to do with this issue. I'm pondering it.
griffin2
 
Posts: 21
Joined: Nov 27th, '18, 11:51

Re: Mageia 7 RC systemd doesn't run init.d service properly

Postby doktor5000 » Jun 15th, '19, 14:59

FWIW. why run it as a legacy init script when you could also just write a systemd service unit for that ?
You could make sure your configuration file exists and gets sourced as well ... For some more information see https://serverfault.com/a/413408/241255 or https://coreos.com/os/docs/latest/using ... units.html
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 15670
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Mageia 7 RC systemd doesn't run init.d service properly

Postby griffin2 » Jun 15th, '19, 15:06

doktor5000 wrote:FWIW. why run it as a legacy init script when you could also just write a systemd service unit for that ?

Well, you're right. I'll do that if the alternative is to move the configuration file into the iptables script. Thanks.
griffin2
 
Posts: 21
Joined: Nov 27th, '18, 11:51

Re: Mageia 7 RC systemd doesn't run init.d service properly

Postby griffin2 » Jun 16th, '19, 11:30

doktor5000 wrote:FWIW. why run it as a legacy init script when you could also just write a systemd service unit for that ?
You could make sure your configuration file exists and gets sourced as well ... For some more information see https://serverfault.com/a/413408/241255 or https://coreos.com/os/docs/latest/using ... units.html

I tried setting up my bastille firewall as a systemd service as you suggested, and initially it appeared to work just fine, but ultimately it turned out that systemd still couldn't start the firewall properly after reboot, and had the same issue. Here is the systemd service that I created.
I put the iptables script in /etc/systemd/system/bastille.service:
Code: Select all
[Unit]
Description=bastille.service - SYSV: iptables packet filtering firewall
[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=/etc/systemd/system/bastille.service.d/bastille-firewall.conf
ExecStart=/sbin/bastille-netfilter.service start
ExecStop=/sbin/bastille-netfilter.service stop
[Install]
WantedBy=multi-user.target

And I copied the very large and crufty configuration file from /etc/sysconfig/bastille-firewall.cfg to /etc/systemd/system/bastille.service.d/bastille-firewall.conf. That all seemed to work when I tested it, as shown below:
Code: Select all
[root@eris ram]# systemctl status bastille.service 
● bastille.service - bastille.service - SYSV: iptables packet filtering firewall
   Loaded: loaded (/etc/systemd/system/bastille.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/bastille.service.d
           └─bastille-firewall.conf
   Active: active (exited) since Sun 2019-06-16 01:15:11 PDT; 3min 12s ago
  Process: 837 ExecStart=/sbin/bastille-netfilter.service start (code=exited, status=0/SUCCESS)
 Main PID: 837 (code=exited, status=0/SUCCESS)

Jun 16 01:15:10 eris bastille-netfilter.service[837]: Bad argument `DROP'
Jun 16 01:15:10 eris bastille-netfilter.service[837]: Try `iptables -h' or 'iptables --help' for more information.
Jun 16 01:15:10 eris bastille-netfilter.service[837]:  done.
Jun 16 01:15:10 eris bastille-netfilter.service[837]: Setting up services audit rules... done.
Jun 16 01:15:10 eris bastille-netfilter.service[837]: Setting up ICMP rules... done.
Jun 16 01:15:11 eris bastille-netfilter.service[837]: Allowing traffic for established connections... done.
Jun 16 01:15:11 eris bastille-netfilter.service[837]: Setting up general rules... done.
Jun 16 01:15:11 eris bastille-netfilter.service[837]: Setting up outbound rules... done.
Jun 16 01:15:11 eris bastille-netfilter.service[837]: Enabling IP forwarding... done.
Jun 16 01:15:11 eris systemd[1]: Started bastille.service - SYSV: iptables packet filtering firewall.

But it still failed to set the SNAT POSTROUTING rule when it ran in reboot. I'd thought that the configuration file wasn't getting sourced, but that wasn't the problem because everything else in the script worked, which wouldn't have happened if the configuration file wasn't present. So I'm in a veritable quandary here, frustrated by the utterly mysterious SNAT POSTROUTING rule glitch at this point.
griffin2
 
Posts: 21
Joined: Nov 27th, '18, 11:51

Re: Mageia 7 RC systemd doesn't run init.d service properly

Postby doktor5000 » Jun 16th, '19, 15:08

What did systemctl status bastille.service -al -n50 look like after a reboot ? Also what does systemctl is-enabled bastille.service say ?
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 15670
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Mageia 7 RC systemd doesn't run init.d service properly

Postby griffin2 » Jun 16th, '19, 17:01

doktor5000 wrote:What did systemctl status bastille.service -al -n50 look like after a reboot ? Also what does systemctl is-enabled bastille.service say ?

I'd put the SYSV style firewall script back in place, so I wasn't able to see the results of native systemd bastille.service execution. But I did get output about how systemd tried to execute the firewall code found in the SYSV style script:
Code: Select all
[root@eris ram]# systemctl status bastille.service -al -n50
● bastille.service - SYSV: iptables packet filtering firewall
   Loaded: loaded (/etc/rc.d/init.d/bastille; generated)
   Active: active (exited) since Sun 2019-06-16 06:50:30 PDT; 5min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1278 ExecStart=/etc/rc.d/init.d/bastille start (code=exited, status=0/SUCCESS)

Jun 16 06:50:29 eris systemd[1]: Starting SYSV: iptables packet filtering firewall...
Jun 16 06:50:29 eris bastille[1278]: Our local addresses are...
Jun 16 06:50:29 eris bastille[1278]: 127.0.0.1/8
Jun 16 06:50:29 eris bastille[1278]: : error fetching interface information: Device not found
Jun 16 06:50:29 eris bastille[1278]: Our trusted interface is lo
Jun 16 06:50:29 eris bastille[1278]: Our internal interface is enp0s17
Jun 16 06:50:29 eris bastille[1278]: Our internal network is
Jun 16 06:50:29 eris bastille[1278]: Kernel IP routing table
Jun 16 06:50:29 eris bastille[1278]: Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
Jun 16 06:50:29 eris bastille[1278]: Setting up IP spoofing protection... done.
Jun 16 06:50:29 eris bastille[1278]: Setting up broadcast echo protection... done.
Jun 16 06:50:29 eris bastille[1278]: Setting up bad error message protection... done.
Jun 16 06:50:29 eris bastille[1278]: Setting up denial of service protection... done.
Jun 16 06:50:29 eris bastille[1278]: Disabling ICMP accept redirects... done.
Jun 16 06:50:29 eris bastille[1278]: Disabling ICMP send redirects... done.
Jun 16 06:50:29 eris bastille[1278]: Disabling source routed packets... done.
Jun 16 06:50:29 eris bastille[1278]: Setting up log-martians... done.
Jun 16 06:50:29 eris bastille[1278]: Allowing traffic from trusted interfaces... done.
Jun 16 06:50:29 eris bastille[1278]: Loading NAT modules... done.
Jun 16 06:50:29 eris bastille[1278]: Setting up DNAT and SNAT rules...iptables v1.8.2 (legacy): option "--to" requires an argument
Jun 16 06:50:29 eris bastille[1278]: Try `iptables -h' or 'iptables --help' for more information.
Jun 16 06:50:29 eris bastille[1278]:  done.
Jun 16 06:50:29 eris bastille[1278]: Setting up chains for internal interface traffic... done.
Jun 16 06:50:29 eris bastille[1278]: Directing traffic to public interfaces... done.
Jun 16 06:50:30 eris bastille[1278]: Excluding private network traffic on public interfacess...Bad argument `limit'
Jun 16 06:50:30 eris bastille[1278]: Try `iptables -h' or 'iptables --help' for more information.
Jun 16 06:50:30 eris bastille[1278]: Bad argument `DROP'
Jun 16 06:50:30 eris bastille[1278]: Try `iptables -h' or 'iptables --help' for more information.
Jun 16 06:50:30 eris bastille[1278]:  done.
Jun 16 06:50:30 eris bastille[1278]: Setting up services audit rules... done.
Jun 16 06:50:30 eris bastille[1278]: Setting up ICMP rules... done.
Jun 16 06:50:30 eris bastille[1278]: Allowing traffic for established connections... done.
Jun 16 06:50:30 eris bastille[1278]: Setting up general rules... done.
Jun 16 06:50:30 eris bastille[1278]: Setting up outbound rules... done.
Jun 16 06:50:30 eris bastille[1278]: Enabling IP forwarding... done.
Jun 16 06:50:30 eris systemd[1]: Started SYSV: iptables packet filtering firewall.

The script didn't get very far, obviously. Compare that output to the results of running bastille-netfilter in a terminal:
Code: Select all
[root@eris ram]# /sbin/bastille-netfilter start
Our local addresses are...
68.167.251.142/32
10.0.0.1/32
127.0.0.1/8

Our gateway interface is enp0s16
Our trusted interface is lo
Our internal interface is enp0s17

Our default internet address is 68.167.251.142

Our gateway interface address is 68.167.251.141
Our internal network is 10.0.0.0/255.255.255.0

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         h-68-167-251-14 0.0.0.0         UG        0 0          0 enp0s16
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 enp0s17
68.167.251.140  0.0.0.0         255.255.255.252 U         0 0          0 enp0s16

Setting up IP spoofing protection... done.
Setting up broadcast echo protection... done.
Setting up bad error message protection... done.
Setting up denial of service protection... done.
Disabling ICMP accept redirects... done.
Disabling ICMP send redirects... done.
Disabling source routed packets... done.
Setting up log-martians... done.
Allowing traffic from trusted interfaces... done.
Loading NAT modules... done.
Setting up DNAT and SNAT rules... done.
Setting up chains for internal interface traffic... done.
Directing traffic to public interfaces... done.
Excluding private network traffic on public interfacess... done.
Setting up services audit rules... done.
Setting up ICMP rules... done.
Allowing traffic for established connections... done.
Setting up general rules... done.
Setting up outbound rules... done.
Enabling IP forwarding... done.

I'll go back to working on the native systemd version of this firewall service.
griffin2
 
Posts: 21
Joined: Nov 27th, '18, 11:51

Re: Mageia 7 RC systemd doesn't run init.d service properly

Postby griffin2 » Jun 17th, '19, 12:21

On second thought, I want to fix systemd exection of my SYSV init style iptables firewall as defined in /etc/rc.d/init.d, because that is also failing now, with the same symptoms, under Mageia 6. I must have broken this, so I want to fix it. This iptables firewall has been working for me for years, up until just a couple of days ago, so it's necessary to fix this, rather than run off to convert it into a native systemd service, because it's likely that will still have the same problem.
Code: Select all
[root@eris ram]# systemctl is-enabled bastille.service
bastille.service is not a native service, redirecting to systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install is-enabled bastille
enabled

Code: Select all
[root@eris ram]# systemctl status bastille.service -al -n50
● bastille.service - SYSV: iptables packet filtering firewall
   Loaded: loaded (/etc/rc.d/init.d/bastille; generated; vendor preset: enabled)
   Active: active (exited) since Sun 2019-06-16 23:32:40 PDT; 3h 15min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1194 ExecStart=/etc/rc.d/init.d/bastille start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/bastille.service

Jun 16 23:32:35 eris systemd[1]: Starting SYSV: iptables packet filtering firewall...
Jun 16 23:32:36 eris bastille[1194]: Our local-addresses are...
Jun 16 23:32:36 eris bastille[1194]: 127.0.0.1/8
Jun 16 23:32:36 eris bastille[1194]: : error fetching interface information: Device not found
Jun 16 23:32:36 eris bastille[1194]: Our trusted interface is lo
Jun 16 23:32:36 eris bastille[1194]: Our internal interface is enp0s17
Jun 16 23:32:36 eris bastille[1194]: Our internal network is
Jun 16 23:32:38 eris bastille[1194]: Setting up IP spoofing protection... done.
Jun 16 23:32:38 eris bastille[1194]: Setting up broadcast echo protection... done.
Jun 16 23:32:38 eris bastille[1194]: Setting up bad error message protection... done.
Jun 16 23:32:38 eris bastille[1194]: Setting up denial of service protection... done.
Jun 16 23:32:38 eris bastille[1194]: Disabling ICMP accept redirects... done.
Jun 16 23:32:38 eris bastille[1194]: Disabling ICMP send redirects... done.
Jun 16 23:32:38 eris bastille[1194]: Disabling source routed packets... done.
Jun 16 23:32:38 eris bastille[1194]: Setting up log-martians... done.
Jun 16 23:32:39 eris bastille[1194]: Allowing traffic from trusted interfaces... done.
Jun 16 23:32:39 eris bastille[1194]: Loading NAT modules... done.
Jun 16 23:32:39 eris bastille[1194]: Setting up DNAT and SNAT rules...iptables v1.6.1: option "--to" requires an argument
Jun 16 23:32:39 eris bastille[1194]: Try `iptables -h' or 'iptables --help' for more information.
Jun 16 23:32:39 eris bastille[1194]:  done.
Jun 16 23:32:39 eris bastille[1194]: Setting up chains for internal interface traffic... done.
Jun 16 23:32:39 eris bastille[1194]: Directing traffic to public interfaces... done.
Jun 16 23:32:39 eris bastille[1194]: Excluding private network traffic on public interfacess...Bad argument `limit'
Jun 16 23:32:39 eris bastille[1194]: Try `iptables -h' or 'iptables --help' for more information.
Jun 16 23:32:39 eris bastille[1194]: Bad argument `DROP'
Jun 16 23:32:39 eris bastille[1194]: Try `iptables -h' or 'iptables --help' for more information.
Jun 16 23:32:39 eris bastille[1194]:  done.
Jun 16 23:32:39 eris bastille[1194]: Setting up services audit rules... done.
Jun 16 23:32:39 eris bastille[1194]: Setting up ICMP rules... done.
Jun 16 23:32:39 eris bastille[1194]: Allowing traffic for established connections... done.
Jun 16 23:32:40 eris bastille[1194]: Setting up general rules... done.
Jun 16 23:32:40 eris bastille[1194]: Setting up outbound rules... done.
Jun 16 23:32:40 eris bastille[1194]: Enabling IP forwarding... done.
Jun 16 23:32:40 eris systemd[1]: Started SYSV: iptables packet filtering firewall.

Here is the code in bastille-netfilter that encounters the first error above:
Code: Select all
PATH=/bin:/sbin:/usr/bin:/usr/sbin
IPTABLES=/sbin/iptables
CONFIG=/etc/sysconfig/bastille-firewall.cfg
#
if [ ! -x ${IPTABLES} ]; then
        echo "ERROR: \"${IPTABLES}\" does not exist!"
        exit 1
fi ;
#
if [ ! -f ${CONFIG} ]; then
        echo "ERROR: Unable to read configuration file \"${CONFIG}\"!"
        exit 1
fi ;
#
# Source the configuration file, which will set environment variables.
. ${CONFIG}
#
if [ -z "${REJECT_METHOD}" ]; then
        echo "ERROR: No reject method specified!"
        exit 1
fi ;
#
# Computed values
#
# These things should be queried/computed at run time
#
# LOCAL_ADDRESSES
#
# LOCAL_ADDRESSES lists all IP addresses for this server
#  (for the INTERNAL_SERVICES rules); if you have virtual
#  network devices, you may want to hand-code this, e.g.
# LOCAL_ADDRESSES="127.0.0.0/8"
#
# The following makes a list of all current IP addresses
LOCAL_ADDRESSES=`ifconfig | grep "inet " | awk '{print $2}' | awk -F: '{print $1"/32"}' | sed s:127\.0\.0\.1/32:127.0.0.1/8:`
#
# Echo our local addresses...
echo -n "Our local-addresses are..."
echo
echo "${LOCAL_ADDRESSES}"
echo
#
# DEFAULT_GW_IFACE
#
# The name of the address that is the default gateway
DEFAULT_GW_IFACE=`netstat -nr | awk '$1 == "0.0.0.0" {print $8}'`

The question is, what's broken in this system environment that causes this script to fail when it's run by systemd, while the same script runs properly when run from a terminal?
griffin2
 
Posts: 21
Joined: Nov 27th, '18, 11:51

Re: Mageia 7 RC systemd doesn't run init.d service properly

Postby doktor5000 » Jun 17th, '19, 14:02

The script seems to fail during boot right where DEFAULT_GW_IFACE gets used first, so a bit further down the line ...

I see several problems there. For one, how do you ensure that this service only runs once the network is already up? When you manually run it, you're usually in multi-user mode and network is already up and running, so you don't encounter the problem.
Also, for either LOCAL_ADDRESSES and DEFAULT_GW_IFACE, there's no error handling at all. You query something, and then echo it out or use it further down the line without checking if you actually got something sane back.
You should at the very least add something like
Code: Select all
if [ -n "${LOCAL_ADDRESSES}" ]; then echo "LOCAL_ADDRESSES is empty"; fi
and the same for DEFAULT_GW_IFACE

Also, for many commands you simply rely on PATH being set. Either check PATH, your command or use absolute commands.

Apart from that, an easier way to query the interface where default gateway is defined use
Code: Select all
/sbin/ip route|awk '/default/ {print $5}'
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 15670
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Mageia 7 RC systemd doesn't run init.d service properly

Postby griffin2 » Jun 17th, '19, 17:55

I have fixed this problem under Mageia 6, but it's still a problem under Mageia 7. See below. However, thank you for suggesting that maybe the network wasn't up yet. That was the problem here under Mageia 6, and it's still the issue under Mageia 7. I suppose I'm lucky this firewall worked for about 15 years until software development led to a race condition that caused it to fail.
Here is the systemd status output for Mageia 6:
Code: Select all
[root@eris ram]# systemctl status bastille.service -al -n50
● bastille.service - SYSV: iptables packet filtering firewall
   Loaded: loaded (/etc/rc.d/init.d/bastille; generated; vendor preset: enabled)
   Active: active (exited) since Mon 2019-06-17 08:27:07 PDT; 21min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1588 ExecStart=/etc/rc.d/init.d/bastille start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/bastille.service

Jun 17 08:27:02 eris systemd[1]: Starting SYSV: iptables packet filtering firewall...
Jun 17 08:27:03 eris bastille[1588]: Our local-addresses are...
Jun 17 08:27:03 eris bastille[1588]: 68.167.251.142/32
Jun 17 08:27:03 eris bastille[1588]: 10.0.0.1/32
Jun 17 08:27:03 eris bastille[1588]: 127.0.0.1/8
Jun 17 08:27:03 eris bastille[1588]: Our gateway interface is enp0s16
Jun 17 08:27:03 eris bastille[1588]: Our trusted interface is lo
Jun 17 08:27:03 eris bastille[1588]: Our internal interface is enp0s17
Jun 17 08:27:03 eris bastille[1588]: Our gateway address is 68.167.251.141
Jun 17 08:27:03 eris bastille[1588]: Our internal network is 10.0.0.0/255.255.255.0
Jun 17 08:27:05 eris bastille[1588]: Setting up IP spoofing protection... done.
Jun 17 08:27:05 eris bastille[1588]: Setting up broadcast echo protection... done.
Jun 17 08:27:05 eris bastille[1588]: Setting up bad error message protection... done.
Jun 17 08:27:05 eris bastille[1588]: Setting up denial of service protection... done.
Jun 17 08:27:05 eris bastille[1588]: Disabling ICMP accept redirects... done.
Jun 17 08:27:05 eris bastille[1588]: Disabling ICMP send redirects... done.
Jun 17 08:27:05 eris bastille[1588]: Disabling source routed packets... done.
Jun 17 08:27:05 eris bastille[1588]: Setting up log-martians... done.
Jun 17 08:27:05 eris bastille[1588]: Allowing traffic from trusted interfaces... done.
Jun 17 08:27:05 eris bastille[1588]: Loading NAT modules... done.
Jun 17 08:27:06 eris bastille[1588]: Setting up DNAT and SNAT rules... done.
Jun 17 08:27:06 eris bastille[1588]: Setting up chains for internal interface traffic... done.
Jun 17 08:27:06 eris bastille[1588]: Directing traffic to public interfaces... done.
Jun 17 08:27:07 eris bastille[1588]: Excluding private network traffic on public interfacess... done.
Jun 17 08:27:07 eris bastille[1588]: Setting up services audit rules... done.
Jun 17 08:27:07 eris bastille[1588]: Setting up ICMP rules... done.
Jun 17 08:27:07 eris bastille[1588]: Allowing traffic for established connections... done.
Jun 17 08:27:07 eris bastille[1588]: Setting up general rules... done.
Jun 17 08:27:07 eris bastille[1588]: Setting up outbound rules... done.
Jun 17 08:27:07 eris bastille[1588]: Enabling IP forwarding... done.
Jun 17 08:27:07 eris systemd[1]: Started SYSV: iptables packet filtering firewall.

And here is listing displaying the firewall rules set up by this rather simple Bastille personal firewall:
Code: Select all
[root@eris ram]# /sbin/bastille-netfilter status
Our local-addresses are...
68.167.251.142/32
10.0.0.1/32
127.0.0.1/8

Our gateway interface is enp0s16
Our trusted interface is lo
Our internal interface is enp0s17

Our gateway address is 68.167.251.141
Our internal network is 10.0.0.0/255.255.255.0

FILTER Table
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "INPUT DROP 0 "
    0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  !lo    *       0.0.0.0/0            127.0.0.0/8          limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "INPUT DROP 1 "
    0     0 DROP       all  --  !lo    *       0.0.0.0/0            127.0.0.0/8         
    0     0 LOG        all  --  !lo    *       127.0.0.0/8          0.0.0.0/0            limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "INPUT DROP 2 "
    0     0 DROP       all  --  !lo    *       127.0.0.0/8          0.0.0.0/0           
 1791  208K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  141 12032 INT_IN     all  --  enp0s17 *       0.0.0.0/0            0.0.0.0/0           
 1685 1736K PUB_IN     all  --  enp0s16 *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      enp0s16  10.0.0.0/24          0.0.0.0/0           
    0     0 ACCEPT     all  --  *      enp0s17  0.0.0.0/0            10.0.0.0/24         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1791  208K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
  148 17654 INT_OUT    all  --  *      enp0s17  0.0.0.0/0            0.0.0.0/0           
 1531  145K PUB_OUT    all  --  *      enp0s16  0.0.0.0/0            0.0.0.0/0           

Chain INT_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  131  7860 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,113,123,631,873,5222,5353,5900,6000:6063,18741
   10  4172 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,113,123,631,873,5222,5353,5900,6000:6063,18741
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  131  7860 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   10  4172 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain PUB_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/8            0.0.0.0/0            limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 3 "
    0     0 DROP       all  --  *      *       0.0.0.0/8            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/8            limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 4 "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/8           
    0     0 LOG        all  --  *      *       10.0.0.0/8           0.0.0.0/0            limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 5 "
    0     0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            10.0.0.0/8           limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 6 "
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.0.0.0/8         
    0     0 LOG        all  --  *      *       169.254.0.0/16       0.0.0.0/0            limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 7 "
    0     0 DROP       all  --  *      *       169.254.0.0/16       0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            169.254.0.0/16       limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 8 "
    0     0 DROP       all  --  *      *       0.0.0.0/0            169.254.0.0/16     
    0     0 LOG        all  --  *      *       172.16.0.0/12        0.0.0.0/0            limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 9 "
    0     0 DROP       all  --  *      *       172.16.0.0/12        0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            172.16.0.0/12        limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 10 "
    0     0 DROP       all  --  *      *       0.0.0.0/0            172.16.0.0/12       
    0     0 LOG        all  --  *      *       192.168.0.0/16       0.0.0.0/0            limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 11 "
    0     0 DROP       all  --  *      *       192.168.0.0/16       0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            192.168.0.0/16       limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 12 "
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.0.0/16     
    0     0 LOG        all  --  *      *       224.0.0.0/4          0.0.0.0/0            limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 13 "
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0           
    8  1778 LOG        all  --  *      *       0.0.0.0/0            224.0.0.0/4          limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 14 "
   11  3245 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4         
    0     0 LOG        all  --  *      *       240.0.0.0/5          0.0.0.0/0            limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 15 "
    0     0 DROP       all  --  *      *       240.0.0.0/5          0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            240.0.0.0/5          limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 16 "
    0     0 DROP       all  --  *      *       0.0.0.0/0            240.0.0.0/5         
    0     0 LOG        all  --  *      *       68.167.251.142       0.0.0.0/0            limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 17 "
    0     0 DROP       all  --  *      *       68.167.251.142       0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            255.255.255.255      limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB-IN DROP 18 "
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255     
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "audit "
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB_IN DROP 20 "
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
 1662 1731K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 5222,18741
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 137:139,631,1026:1028,5353
    4   160 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1:1023,3418,5900,6000:6063 limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB_IN DROP 21 "
    4   160 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1:1023,3418,5900,6000:6063
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 5222,18741
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 137:139,631,1026:1028,5353
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1:1023,3418,5900,6000:6063 limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB_IN DROP 22 "
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1:1023,3418,5900,6000:6063
    8  1300 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain PUB_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 1 LOG flags 0 level 4 prefix "PUB_OUT DROP 23 "
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
 1524  140K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

NAT Table
Chain PREROUTING (policy ACCEPT 141 packets, 9240 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 137 packets, 9080 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 125 packets, 23153 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 109 packets, 7658 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      enp0s16  10.0.0.0/24          0.0.0.0/0            to:68.167.251.142
griffin2
 
Posts: 21
Joined: Nov 27th, '18, 11:51

Re: Mageia 7 RC systemd doesn't run SYSV service properly

Postby griffin2 » Jun 18th, '19, 22:08

I have reopened this thread because the problem is still an issue under Mageia 7 RC, although it has been resolved under Mageia 6. I discovered this after rebuilding an identical clone of my Mageia 6 system and upgrading it to Mageia 7 RC.
The SYSV init scripts involved are structured by soft links under /etc/rc.d/ in /etc/rc.d/rc2.d, rc3.d, rc4.d and rc5.d, as follows: S10network points to /etc/rc.d/init.d/network, S11network-up points to /etc/rc.d/init.d/network-up, and S12bastille points to /etc/rc.d/init.d/bastille. That is the SYSV style init script that starts the bastille iptables firewall. Here are the systemd systemctl status outputs for these three scripts under Mageia 7 RC:
Code: Select all
[root@eris ram]# systemctl status network -al -n50
● network.service - LSB: Bring up/down networking
   Loaded: loaded (/etc/rc.d/init.d/network; generated)
   Active: active (running) since Tue 2019-06-18 08:30:24 PDT; 3h 48min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 941 ExecStart=/etc/rc.d/init.d/network start (code=exited, status=0/SUCCESS)
   Memory: 2.8M
   CGroup: /system.slice/network.service
           ├─1128 /sbin/ifplugd -I -b -i enp0s16
           └─1175 /sbin/ifplugd -I -b -i enp0s17

Jun 18 08:30:22 eris systemd[1]: Starting LSB: Bring up/down networking...
Jun 18 08:30:23 eris network[941]: Bringing up loopback interface:  [  OK  ]
Jun 18 08:30:24 eris ifplugd(enp0s16)[1128]: ifplugd 0.28 initializing.
Jun 18 08:30:24 eris ifplugd(enp0s16)[1128]: Using interface enp0s16/00:1B:FC:E2:E2:1B with driver <forcedeth> (version: 0.64)
Jun 18 08:30:24 eris ifplugd(enp0s16)[1128]: Using detection mode: SIOCETHTOOL
Jun 18 08:30:24 eris ifplugd(enp0s16)[1128]: Initialization complete, link beat detected.
Jun 18 08:30:24 eris ifplugd(enp0s16)[1128]: Executing '/etc/ifplugd/ifplugd.action enp0s16 up'.
Jun 18 08:30:24 eris network[941]: Bringing up interface enp0s16:  [  OK  ]
Jun 18 08:30:24 eris ifplugd(enp0s17)[1175]: ifplugd 0.28 initializing.
Jun 18 08:30:24 eris ifplugd(enp0s17)[1175]: Using interface enp0s17/00:1B:FC:D8:A4:EF with driver <forcedeth> (version: 0.64)
Jun 18 08:30:24 eris ifplugd(enp0s17)[1175]: Using detection mode: SIOCETHTOOL
Jun 18 08:30:24 eris ifplugd(enp0s17)[1175]: Initialization complete, link beat detected.
Jun 18 08:30:24 eris ifplugd(enp0s17)[1175]: Executing '/etc/ifplugd/ifplugd.action enp0s17 up'.
Jun 18 08:30:24 eris network[941]: Bringing up interface enp0s17:  [  OK  ]
Jun 18 08:30:24 eris systemd[1]: Started LSB: Bring up/down networking.
Jun 18 08:30:28 eris ifplugd(enp0s17)[1175]: Program executed successfully.
Jun 18 08:30:28 eris ifplugd(enp0s16)[1128]: Program executed successfully.

Code: Select all
[root@eris ram]# systemctl status network-up -al -n50
● network-up.service - LSB: Wait for the hotplugged network to be up
   Loaded: loaded (/etc/rc.d/init.d/network-up; generated)
   Active: active (exited) since Tue 2019-06-18 08:30:29 PDT; 3h 51min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1456 ExecStart=/etc/rc.d/init.d/network-up start (code=exited, status=0/SUCCESS)

Jun 18 08:30:25 eris systemd[1]: Starting LSB: Wait for the hotplugged network to be up...
Jun 18 08:30:29 eris network-up[1456]: Waiting for network to be up[  OK  ]
Jun 18 08:30:29 eris systemd[1]: Started LSB: Wait for the hotplugged network to be up.

Code: Select all
[root@eris ram]# systemctl status bastille -al -n50
● bastille.service - SYSV: iptables packet filtering firewall
   Loaded: loaded (/etc/rc.d/init.d/bastille; generated)
   Active: active (exited) since Tue 2019-06-18 08:30:25 PDT; 3h 44min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1264 ExecStart=/etc/rc.d/init.d/bastille start (code=exited, status=0/SUCCESS)

Jun 18 08:30:24 eris systemd[1]: Starting SYSV: iptables packet filtering firewall...
Jun 18 08:30:24 eris bastille[1264]: Our local addresses are...
Jun 18 08:30:24 eris bastille[1264]: 127.0.0.1/8
Jun 18 08:30:24 eris bastille[1264]: : error fetching interface information: Device not found
Jun 18 08:30:24 eris bastille[1264]: Our trusted interface is lo
Jun 18 08:30:24 eris bastille[1264]: Our internal interface is enp0s17
Jun 18 08:30:24 eris bastille[1264]: Our internal network is
Jun 18 08:30:24 eris bastille[1264]: Our kernel routing table is...
Jun 18 08:30:24 eris bastille[1264]: Setting up IP spoofing protection... done.
Jun 18 08:30:24 eris bastille[1264]: Setting up broadcast echo protection... done.
Jun 18 08:30:24 eris bastille[1264]: Setting up bad error message protection... done.
Jun 18 08:30:24 eris bastille[1264]: Setting up denial of service protection... done.
Jun 18 08:30:24 eris bastille[1264]: Disabling ICMP accept redirects... done.
Jun 18 08:30:24 eris bastille[1264]: Disabling ICMP send redirects... done.
Jun 18 08:30:24 eris bastille[1264]: Disabling source routed packets... done.
Jun 18 08:30:24 eris bastille[1264]: Setting up log-martians... done.
Jun 18 08:30:24 eris bastille[1264]: Allowing traffic from trusted interfaces... done.
Jun 18 08:30:24 eris bastille[1264]: Loading NAT modules... done.
Jun 18 08:30:25 eris bastille[1264]: Setting up DNAT and SNAT rules...iptables v1.8.2 (legacy): option "--to" requires an argument
Jun 18 08:30:25 eris bastille[1264]: Try `iptables -h' or 'iptables --help' for more information.
Jun 18 08:30:25 eris bastille[1264]:  done.
Jun 18 08:30:25 eris bastille[1264]: Setting up chains for internal interface traffic... done.
Jun 18 08:30:25 eris bastille[1264]: Directing traffic to public interfaces... done.
Jun 18 08:30:25 eris bastille[1264]: Excluding private network traffic on public interfacess...Bad argument `limit'
Jun 18 08:30:25 eris bastille[1264]: Try `iptables -h' or 'iptables --help' for more information.
Jun 18 08:30:25 eris bastille[1264]: Bad argument `DROP'
Jun 18 08:30:25 eris bastille[1264]: Try `iptables -h' or 'iptables --help' for more information.
Jun 18 08:30:25 eris bastille[1264]:  done.
Jun 18 08:30:25 eris bastille[1264]: Setting up services audit rules... done.
Jun 18 08:30:25 eris bastille[1264]: Setting up ICMP rules... done.
Jun 18 08:30:25 eris bastille[1264]: Allowing traffic for established connections... done.
Jun 18 08:30:25 eris bastille[1264]: Setting up general rules... done.
Jun 18 08:30:25 eris bastille[1264]: Setting up outbound rules... done.
Jun 18 08:30:25 eris bastille[1264]: Enabling IP forwarding... done.
Jun 18 08:30:25 eris systemd[1]: Started SYSV: iptables packet filtering firewall.

The starting and ending times reveal the problem. There's a race condition that results in the bastille iptables firewall script starting before the network script has ended, as well as before the network-up script even starts! That makes it clear that systemd breaks the serialization directed by the explicit sequence numbering of the SYSV style init scripts. The completion of the network script should probably be sufficient to trigger successful release of the bastille script.
griffin2
 
Posts: 21
Joined: Nov 27th, '18, 11:51

Re: Mageia 7 RC systemd doesn't run SYSV service properly

Postby ITA84 » Jun 19th, '19, 16:26

Judging from what I've read on the topic, systemd ignores the ordering given by the script names (I don't know if this was a recent change, I've found issues about it dated 2015, not sure why it works fine for you in Mageia 6) and instead relies on LSB headers; for example, a Red Hat article here describes an issue similar to yours and gives LSB headers as a solution
ITA84
 
Posts: 195
Joined: Mar 5th, '13, 18:15

Re: Mageia 7 RC systemd doesn't run SYSV service properly

Postby griffin2 » Jun 19th, '19, 17:11

Thanks for the advice and link. However, the bastille SYSV init script in question does have the LSB header information. Indeed, systemd appears to wait for the network script to end, then starts the bastille script. Unfortunately it's apparent that the network isn't actually fully up at that point, so the bastille script fails.
Code: Select all
[root@eris ram]# cat /disk3/etc/rc.d/init.d/bastille
#!/bin/sh
RCDLINKS="0,K91 1,K91 2,S12 3,S12 5,S12 6,K91"
#
#     The Bastille Firewall Packet Filtering Firewall - V0.99 beta 1
#
#     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
#     (c) 2005 - Robert A Munro (ramunro@speakeasy.net)
#
#       On most distributions, this file should be called:
#       /etc/rc.d/init.d/bastille or /etc/init.d/bastille
#
#       This init script is self-documenting.  See /sbin/bastille-netfilter.
#
#       This program is free software; you can redistribute it and/or modify
#       it under the terms of Version 2 of the GNU General Public License
#       as published by the Free Software Foundation.
#
#       This program is distributed in the hope that it will be useful,
#       but WITHOUT ANY WARRANTY; without even the implied warranty of
#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#       GNU General Public License for more details.
#
#       You should have received a copy of the GNU General Public License
#       along with this program; if not, write to the Free Software
#       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
#       Commands are:
#
#          bastille start                         Starts the firewall
#          bastille stop                          Stops the firewall
#          bastille status                        Displays firewall status
#
#### BEGIN INIT INFO
# Provides:       bastille-netfilter
# Required-Start: $network $network-up
# Required-Stop:
# Default-Start:  2 3 5
# Default-Stop:   0 1 6
# Description:    starts and stops the bastille-netfilter iptables firewall
### END INIT INFO

# chkconfig: 2345 12 91
# description: iptables packet filtering firewall
#

################################################################################
# Give Usage Information                                                       #
################################################################################
usage() {
    echo "Usage: $0 start|stop|status"
    exit 1
}

################################################################################
# E X E C U T I O N    B E G I N S   H E R E                                   #
################################################################################
command="$1"

case "$1" in

        start)
                /sbin/bastille-netfilter start
        ;;
        status)
                /sbin/bastille-netfilter status
        ;;
        stop)
                /sbin/bastille-netfilter stop
        ;;
    *)

        usage
        ;;

esac
griffin2
 
Posts: 21
Joined: Nov 27th, '18, 11:51

Re: Mageia 7 RC systemd doesn't run SYSV service properly

Postby ITA84 » Jun 19th, '19, 19:52

Having had a closer look at your service logs, it seems your service starts right after network is considered 'finished' by systemd (active (running) since Tue 2019-06-18 08:30:24 PDT), and evidently at that point there's still something missing. Unfortunately I have no idea what that is (or why the dependency on network-up is ignored, but I think it'd be better to bring the firewall up before that anyway, it'd be more secure)
ITA84
 
Posts: 195
Joined: Mar 5th, '13, 18:15

Re: Mageia 7 RC systemd doesn't run SYSV service properly

Postby griffin2 » Jun 19th, '19, 21:02

The way systemd works has changed in Mageia 7 compared to Mageia 6, and that is why the bastille netfilter script that works under Mageia 6 fails under Mageia 7. Here are the status logs for the network and bastille scripts under Mageia 6.
Code: Select all
[root@eris ram]# systemctl status network -al -n50
● network.service - LSB: Bring up/down networking
   Loaded: loaded (/etc/rc.d/init.d/network; generated; vendor preset: enabled)
   Active: active (running) since Wed 2019-06-19 06:21:51 PDT; 5h 17min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 975 ExecStart=/etc/rc.d/init.d/network start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/network.service
           ├─1192 /sbin/ifplugd -I -b -i enp0s16
           └─1228 /sbin/ifplugd -I -b -i enp0s17

Jun 19 06:21:48 eris systemd[1]: Starting LSB: Bring up/down networking...
Jun 19 06:21:50 eris network[975]: Bringing up loopback interface:  [  OK  ]
Jun 19 06:21:51 eris ifplugd(enp0s16)[1192]: ifplugd 0.28 initializing.
Jun 19 06:21:51 eris ifplugd(enp0s16)[1192]: Using interface enp0s16/00:1B:FC:E2:E2:1B with driver <forcedeth> (version: 0.64)
Jun 19 06:21:51 eris ifplugd(enp0s16)[1192]: Using detection mode: SIOCETHTOOL
Jun 19 06:21:51 eris ifplugd(enp0s16)[1192]: Initialization complete, link beat detected.
Jun 19 06:21:51 eris ifplugd(enp0s16)[1192]: Executing '/etc/ifplugd/ifplugd.action enp0s16 up'.
Jun 19 06:21:51 eris network[975]: Bringing up interface enp0s16:  [  OK  ]
Jun 19 06:21:51 eris ifplugd(enp0s17)[1228]: ifplugd 0.28 initializing.
Jun 19 06:21:51 eris ifplugd(enp0s17)[1228]: Using interface enp0s17/00:1B:FC:D8:A4:EF with driver <forcedeth> (version: 0.64)
Jun 19 06:21:51 eris ifplugd(enp0s17)[1228]: Using detection mode: SIOCETHTOOL
Jun 19 06:21:51 eris ifplugd(enp0s17)[1228]: Initialization complete, link beat detected.
Jun 19 06:21:51 eris ifplugd(enp0s17)[1228]: Executing '/etc/ifplugd/ifplugd.action enp0s17 up'.
Jun 19 06:21:51 eris network[975]: Bringing up interface enp0s17:  [  OK  ]
Jun 19 06:21:51 eris systemd[1]: Started LSB: Bring up/down networking.
Jun 19 06:21:56 eris ifplugd(enp0s17)[1228]: Program executed successfully.
Jun 19 06:21:56 eris ifplugd(enp0s16)[1192]: Program executed successfully.

Code: Select all
[root@eris ram]# systemctl status bastille -al -n50
● bastille.service - SYSV: iptables packet filtering firewall
   Loaded: loaded (/etc/rc.d/init.d/bastille; generated; vendor preset: enabled)
   Active: active (exited) since Wed 2019-06-19 06:22:11 PDT; 5h 16min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1657 ExecStart=/etc/rc.d/init.d/bastille start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/bastille.service

Jun 19 06:21:56 eris systemd[1]: Starting SYSV: iptables packet filtering firewall...
Jun 19 06:21:58 eris bastille[1657]: Our local addresses are...
Jun 19 06:21:58 eris bastille[1657]: 68.167.251.142/32
Jun 19 06:21:58 eris bastille[1657]: 10.0.0.1/32
Jun 19 06:21:58 eris bastille[1657]: 127.0.0.1/8
Jun 19 06:21:58 eris bastille[1657]: 127.0.0.1/8
Jun 19 06:21:58 eris bastille[1657]: Our gateway interface is enp0s16
Jun 19 06:21:58 eris bastille[1657]: Our trusted interface is lo
Jun 19 06:21:58 eris bastille[1657]: Our internal interface is enp0s17
Jun 19 06:21:58 eris bastille[1657]: Our default internet address is 68.167.251.142
Jun 19 06:21:58 eris bastille[1657]: Our gateway interface address is 68.167.251.141
Jun 19 06:21:58 eris bastille[1657]: Our internal network is  10.0.0.0/255.255.255.0
Jun 19 06:21:58 eris bastille[1657]: Our kernel routing table is...
Jun 19 06:21:58 eris bastille[1657]: default via 68.167.251.141 dev enp0s16 metric 10
Jun 19 06:21:58 eris bastille[1657]: 10.0.0.0/24 dev enp0s17 proto kernel scope link src 10.0.0.1 metric 10
Jun 19 06:21:58 eris bastille[1657]: 68.167.251.140/30 dev enp0s16 proto kernel scope link src 68.167.251.142 metric 10
Jun 19 06:22:03 eris bastille[1657]: Setting up IP spoofing protection... done.
Jun 19 06:22:03 eris bastille[1657]: Setting up broadcast echo protection... done.
Jun 19 06:22:03 eris bastille[1657]: Setting up bad error message protection... done.
Jun 19 06:22:03 eris bastille[1657]: Setting up denial of service protection... done.
Jun 19 06:22:03 eris bastille[1657]: Disabling ICMP accept redirects... done.
Jun 19 06:22:03 eris bastille[1657]: Disabling ICMP send redirects... done.
Jun 19 06:22:03 eris bastille[1657]: Disabling source routed packets... done.
Jun 19 06:22:03 eris bastille[1657]: Setting up log-martians... done.
Jun 19 06:22:32 eris bastille[1657]: Allowing traffic from trusted interfaces... done.
Jun 19 06:22:32 eris bastille[1657]: Loading NAT modules... done.
Jun 19 06:22:32 eris bastille[1657]: Setting up DNAT and SNAT rules... done.
Jun 19 06:22:32 eris bastille[1657]: Setting up chains for internal interface traffic... done.
Jun 19 06:22:32 eris bastille[1657]: Directing traffic to public interfaces... done.
Jun 19 06:22:32 eris bastille[1657]: Excluding private network traffic on public interfacess... done.
Jun 19 06:22:32 eris bastille[1657]: Setting up services audit rules... done.
Jun 19 06:22:32 eris bastille[1657]: Setting up ICMP rules... done.
Jun 19 06:22:32 eris bastille[1657]: Allowing traffic for established connections... done.
Jun 19 06:22:32 eris bastille[1657]: Setting up general rules... done.
Jun 19 06:22:32 eris bastille[1657]: Setting up outbound rules... done.
Jun 19 06:22:32 eris bastille[1657]: Enabling IP forwarding... done.
Jun 19 06:22:11 eris systemd[1]: Started SYSV: iptables packet filtering firewall.

Note that under Mageia 6 the bastille script doesn't start until the last network script command ends. In Mageia 7 the bastille script is started four seconds earlier.
griffin2
 
Posts: 21
Joined: Nov 27th, '18, 11:51

Re: Mageia 7 RC systemd doesn't run SYSV service properly

Postby ITA84 » Jun 20th, '19, 12:33

Looking at the systemd changelog (230 -> 241) I couldn't find anything that seemed related to this issue, so I'm looking at the changes in the network init script; I can't spot anything that's obviously related here either, but these are the differences that stand out:

  • the deprecated ipv4 ip_forward setting was removed in mga7
  • there are some additions which take NetworkManager into account
  • a sleep was added in mga7 after starting the network to compensate for network delay
  • a different way to detect network mounts
If the issue doesn't originate from here, then it could be somewhere deep inside systemd code
ITA84
 
Posts: 195
Joined: Mar 5th, '13, 18:15

Re: Mageia 7 RC systemd doesn't run SYSV service properly

Postby griffin2 » Jun 20th, '19, 14:34

To be clear, Mageia 6 doesn't start the bastille script until after the command subtasks issued by the network script end, but Mageia 7 starts the bastille script four seconds earlier, after the network script reports it has completed execution, but before the command subtasks end. Thus under Mageia 7 the network is not really up when the bastille script starts, which causes the bastille iptables netfilter firewall script to fail. Does this suggest that a change must have been made upstream in systemd code? Will Mageia issue a bug report on this?
griffin2
 
Posts: 21
Joined: Nov 27th, '18, 11:51

Re: Mageia 7 RC systemd doesn't run SYSV service properly

Postby griffin2 » Jun 25th, '19, 02:03

I have added a patch to my bastille firewall script as a workaround for the "network not really up" bug in Mageia 7 RC. The bastille script detects that the network is not available, but ignores that to set the iptables netfilter firewall rules it needs to establish. This works because I have a static internet address rather than leasing dhcp address assignments.
Code: Select all
[root@eris ram]# systemctl status network -al -n50       
● network.service - LSB: Bring up/down networking
   Loaded: loaded (/etc/rc.d/init.d/network; generated)
   Active: active (running) since Sun 2019-06-23 18:57:07 PDT; 4min 40s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 939 ExecStart=/etc/rc.d/init.d/network start (code=exited, status=0/SUCCESS)
   Memory: 3.1M
   CGroup: /system.slice/network.service
           ├─1126 /sbin/ifplugd -I -b -i enp0s16
           └─1191 /sbin/ifplugd -I -b -i enp0s17

Jun 23 18:57:06 eris systemd[1]: Starting LSB: Bring up/down networking...
Jun 23 18:57:07 eris network[939]: Bringing up loopback interface:  [  OK  ]
Jun 23 18:57:07 eris ifplugd(enp0s16)[1126]: ifplugd 0.28 initializing.
Jun 23 18:57:07 eris ifplugd(enp0s16)[1126]: Using interface enp0s16/00:1B:FC:E2:E2:1B with driver <forcedeth> (version: 0.64)
Jun 23 18:57:07 eris ifplugd(enp0s16)[1126]: Using detection mode: SIOCETHTOOL
Jun 23 18:57:07 eris ifplugd(enp0s16)[1126]: Initialization complete, link beat detected.
Jun 23 18:57:07 eris ifplugd(enp0s16)[1126]: Executing '/etc/ifplugd/ifplugd.action enp0s16 up'.
Jun 23 18:57:07 eris network[939]: Bringing up interface enp0s16:  [  OK  ]
Jun 23 18:57:07 eris ifplugd(enp0s17)[1191]: ifplugd 0.28 initializing.
Jun 23 18:57:07 eris ifplugd(enp0s17)[1191]: Using interface enp0s17/00:1B:FC:D8:A4:EF with driver <forcedeth> (version: 0.64)
Jun 23 18:57:07 eris ifplugd(enp0s17)[1191]: Using detection mode: SIOCETHTOOL
Jun 23 18:57:07 eris ifplugd(enp0s17)[1191]: Initialization complete, link beat detected.
Jun 23 18:57:07 eris ifplugd(enp0s17)[1191]: Executing '/etc/ifplugd/ifplugd.action enp0s17 up'.
Jun 23 18:57:07 eris network[939]: Bringing up interface enp0s17:  [  OK  ]
Jun 23 18:57:07 eris systemd[1]: Started LSB: Bring up/down networking.
Jun 23 18:57:12 eris ifplugd(enp0s17)[1191]: Program executed successfully.
Jun 23 18:57:12 eris ifplugd(enp0s16)[1126]: Program executed successfully.

Code: Select all
[root@eris ram]# systemctl status network-up -al -n50
● network-up.service - LSB: Wait for the hotplugged network to be up
   Loaded: loaded (/etc/rc.d/init.d/network-up; generated)
   Active: active (exited) since Sun 2019-06-23 18:57:13 PDT; 4min 49s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1456 ExecStart=/etc/rc.d/init.d/network-up start (code=exited, status=0/SUCCESS)

Jun 23 18:57:08 eris systemd[1]: Starting LSB: Wait for the hotplugged network to be up...
Jun 23 18:57:13 eris network-up[1456]: Waiting for network to be up[  OK  ]
Jun 23 18:57:13 eris systemd[1]: Started LSB: Wait for the hotplugged network to be up.

Code: Select all
[root@eris ram]# systemctl status bastille -al -n50
● bastille.service - SYSV: iptables packet filtering firewall
   Loaded: loaded (/etc/rc.d/init.d/bastille; generated)
   Active: active (exited) since Sun 2019-06-23 18:57:08 PDT; 2min 56s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1247 ExecStart=/etc/rc.d/init.d/bastille start (code=exited, status=0/SUCCESS)

Jun 23 18:57:07 eris systemd[1]: Starting SYSV: iptables packet filtering firewall...
Jun 23 18:57:07 eris bastille[1247]: Our local addresses are...
Jun 23 18:57:07 eris bastille[1247]: 127.0.0.1/8
Jun 23 18:57:08 eris bastille[1247]: Warning: The network is not available yet
Jun 23 18:57:08 eris bastille[1247]: Our gateway interface is enp0s16
Jun 23 18:57:08 eris bastille[1247]: Our trusted interface is lo
Jun 23 18:57:08 eris bastille[1247]: Our internal interface is enp0s17
Jun 23 18:57:08 eris bastille[1247]: Our default internet address is 68.167.251.142
Jun 23 18:57:08 eris bastille[1247]: Our internal network is
Jun 23 18:57:08 eris bastille[1247]: Our kernel routing table is...
Jun 23 18:57:08 eris bastille[1247]: Setting up IP spoofing protection... done.
Jun 23 18:57:08 eris bastille[1247]: Setting up broadcast echo protection... done.
Jun 23 18:57:08 eris bastille[1247]: Setting up bad error message protection... done.
Jun 23 18:57:08 eris bastille[1247]: Setting up denial of service protection... done.
Jun 23 18:57:08 eris bastille[1247]: Disabling ICMP accept redirects... done.
Jun 23 18:57:08 eris bastille[1247]: Disabling ICMP send redirects... done.
Jun 23 18:57:08 eris bastille[1247]: Disabling source routed packets... done.
Jun 23 18:57:08 eris bastille[1247]: Setting up log-martians... done.
Jun 23 18:57:08 eris bastille[1247]: Allowing traffic from trusted interfaces... done.
Jun 23 18:57:08 eris bastille[1247]: Loading NAT modules... done.
Jun 23 18:57:08 eris bastille[1247]: Setting up DNAT and SNAT rules... done.
Jun 23 18:57:08 eris bastille[1247]: Setting up chains for internal interface traffic... done.
Jun 23 18:57:08 eris bastille[1247]: Directing traffic to public interfaces... done.
Jun 23 18:57:08 eris bastille[1247]: Excluding private network traffic on public interfacess... done.
Jun 23 18:57:08 eris bastille[1247]: Setting up services audit rules... done.
Jun 23 18:57:08 eris bastille[1247]: Setting up ICMP rules... done.
Jun 23 18:57:08 eris bastille[1247]: Allowing traffic for established connections... done.
Jun 23 18:57:08 eris bastille[1247]: Setting up general rules... done.
Jun 23 18:57:08 eris bastille[1247]: Setting up outbound rules... done.
Jun 23 18:57:08 eris bastille[1247]: Enabling IP forwarding... done.
Jun 23 18:57:08 eris systemd[1]: Started SYSV: iptables packet filtering firewall.

In addition, I have opened bug report #25000 about this problem in bugzilla.
griffin2
 
Posts: 21
Joined: Nov 27th, '18, 11:51

Re: Mageia 7 RC systemd doesn't run SYSV service properly

Postby doktor5000 » Jun 25th, '19, 18:32

griffin2 wrote:"network not really up" bug in Mageia 7 RC

Which would that be in particular? Your script relying on legacy pseudo-targets like $network and $network-up ? That just creates all sorts of race conditions, like you noticed already.

The only targets that should achieve what you want are either network-auth.service which you have to enable first or networkmanager-wait-online.service in case you're using networkmanager, or systemd-networkd-wait-online.service if you use native systemd-networkd to manage your network connectivity.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 15670
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany


Return to Testing : Alpha, Beta, RC and Cauldron

Who is online

Users browsing this forum: No registered users and 1 guest