linux – Why does this systemd service not run at the right time (loading encryption keys from a network drive which are required for lxc containers)?

In Debian with systemd, I use zfs and lxc. My zfs datasets are encrypted and their keys can be loaded from a network host via my /etc/zfs/zfs-load-key.sh script. My LXC containers are started by lxc.service.

Loading the keys requires the network up and running (otherwise I get the error “no route to host”) but lxc.service requires the keys to be loaded.

Sounds trivial, but isn’t. I created this file /etc/systemd/system/zfs-load-keyfile@.service:

(Unit)
Description=Load %I encryption keys from network host
DefaultDependencies=no
Before=zfs-mount.service lxc.service
After=zfs-import.target network-online.target
Requires=zfs-import.target
Wants=network-online.target

(Service)
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/zfs/zfs-load-key.sh %I

(Install)
WantedBy=zfs-mount.service lxc.service

and enabled them via:

systemctl enable zfs-load-keyfile@tank-dataset1.service
systemctl enable zfs-load-keyfile@tank-dataset2.service

For for some reason, my LXC containers do not start because the keys were not yet loaded, ALTHOUGH I have Before=... lxc.service!

Why does this service not run at the right time, i.e. after the network is up and before lxc?

How to fix it?

linux – Why does this systemd service not run at the right time?

In Debian with systemd, I use zfs and lxc. My zfs datasets are encrypted and their keys can be loaded from a network host via my /etc/zfs/zfs-load-key.sh script. My LXC containers are started by lxc.service.

Loading the keys requires the network up and running (otherwise I get the error “no route to host”) but lxc.service requires the keys to be loaded.

Sounds trivial, but isn’t. I created this file /etc/systemd/system/zfs-load-keyfile@.service:

(Unit)
Description=Load %I encryption keys from network host
DefaultDependencies=no
Before=zfs-mount.service lxc.service
After=zfs-import.target network-online.target
Requires=zfs-import.target
Wants=network-online.target

(Service)
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/zfs/zfs-load-key.sh %I

(Install)
WantedBy=zfs-mount.service lxc.service

and enabled them via:

systemctl enable zfs-load-keyfile@tank-dataset1.service
systemctl enable zfs-load-keyfile@tank-dataset2.service

For for some reason, my LXC containers do not start because the keys were not yet loaded, ALTHOUGH I have Before=... lxc.service!

Why does this service not run at the right time, i.e. after the network is up and before lxc?

How to fix it?

boot – How do I enable a service in recovery mode using systemd

I have this custom service and I need it to run in recovery mode as well as the multi-user mode of ubuntu.

I’ve added a .service file for this in the /etc/systemd/system/ folder with the following content hoping WantedBy=multi-user.target rescue.target emergency.target friendly-recovery.target will solve my problem but it didn’t.
Do I need to configure anything else to enable this service in the recovery mode by default?

Description=service name
StartLimitIntervalSec=0
[Service]
Type=forking
User=root
Restart=always
RestartSec=1
ExecStart=/usr/bin/executable

[Install]
WantedBy=multi-user.target rescue.target emergency.target friendly-recovery.target

Start the gui program as non-root in systemd

Run ps -ef to find that the process number of upstart is 1566. When the parent process id of my gui program is 1566, it can be displayed normally. Now there are several problems that cause my gui program to not run normally.

  1. I have a systemd program, its name is terui. I want to start my gui program in terui. This is my startup code: system("su sunxy -c 'DISPLAY=:0 XAUTHORITY=/home/sunxy/.Xauthority /etc/opt/kpki/mw/KCliBaseService/start_tray.sh'");

  2. I found that after starting in this way, the parent process id of the gui program was 1, not 1566, which caused my gui program to fail to display normally. When I enter su sunxy -c’DISPLAY=:0 XAUTHORITY=/home/sunxy/.Xauthority /etc/opt/kpki/mw/KCliBaseService/start_tray.sh’ as a root user in bash, my gui program can be displayed normally, and its parent process id is 1566.

  3. This is my terui.service:

(Unit)
Description=terui Daemon
Requires=network-online.target
After=network-online.target

(Service)
Environment="DISPLAY=:0"
Environment="XAUTHORITY=/home/sunxy/.Xauthority"
ExecStart=/home/testui/build/terui
User=root
Type=simple
Restart=always
RestartSec=3s
(Install)
WantedBy=graphical.target

So, my question is, what should I do to display the gui program normally

systemctl – Migrate custom upstart script to systemd

I have a custom service (I did not create it) that stops multiple services. The server currently uses upstart, and I need to migrate to systemd.

Upstart:

description "Stop all custom services on this server"

console log

start on custom-stop-all <--- Definitely not sure on this one

script
    declare -a events=("fax-stop" "voice-stop" "file-stop" "text-stop" "delayed-stop" "email-stop" "push-stop" "image-stop" "dns-stop" "ssl-cert-stop" )

    for type in "${events(@)}"
    do
        initctl emit $type
    done
end script

If I understand correctly, I cannot use script and end script, and would have to use ExecStart=/path/to/bash/script. So, I am unsure on how to use the systemd version of custom-stop-all.

systemd – Find system service by conf file

Setup:
The task is to remove all proxy settings. Now I came across a proxy.conf file at /root/http-proxy.conf that contains this (with different IP ):

(Service)
Environment="HTTPS_PROXY=https://10.10.10.10:1234"

Question:
How can I figure out the corresponding service given the conf file? Assuming there is a service running that uses this conf file.

Notes:
Because if there is a service using this file, there might be no need for that service anymore and I would like to remove both the service and the conf file.

redhat – Create selinux context for systemd script?

I’m trying to create a systemd service that executes a custom script I wrote. It is just a backup script that I am using with a systemd timer. When I try to execute something simple in the systemd file like “/usr/bin/free” or something like that, it works perfectly. However when I try to execute my script “/root/scripts/mybackupscript.sh”, it fails with:

Main process exited, code=exited, status=203/EXEC

If I set selinux to permissive, it will start my script with no problem.

So I know that selinux is restricting systemd from executing my script. But I don’t know how to use selinux. How do I create an selinux context to allow systemd to execute my script?

Example:
This systemd file runs no problem:

(Unit)
Description=Logs system statistics to the systemd journal
Wants=myMonitor.timer

(Service)
Type=oneshot
ExecStart=/usr/bin/free

(Install)
WantedBy=multi-user.target

But this script fails (unless if I set selinux to permissive, in which case it executes fine):

(Unit)
Description=Logs system statistics to the systemd journal
Wants=myMonitor.timer

(Service)
Type=oneshot
ExecStart=/root/scripts/mybackupscript.sh

(Install)
WantedBy=multi-user.target

Any ideas would be appreciated. Thanks!

systemd – Mount ZFS pool before snapd starts

I have a zpool that has a mountpoint at /var. When I start my server up, the snapd service always throws a bunch of errors and fails to start because it attempts to mount a bunch of things from /var to /snap but it attempts the mounts before the zpool has been mounted so there’s nothing in /var yet.

How can I get snapd to attempt these mounts after the zpool has been mounted?

debian – How to make systemd network-online.target wait for multiple networks?

We have an ESXi virtual machine running Debian 10 and are encountering a problem with postfix starting too early. This is causing issues with resolv.conf not being populated before the postfix chroot. I’ve ensured that both

  • /lib/systemd/system/postfix.service
  • /lib/systemd/system/postfix@.service

files have the line

After=network-online.target nss-lookup.target

However we have multiple nics installed in this VM, with the /etc/network/interfaces file containing

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens192
iface ens192 inet static
        address 10.1.0.29/21
        dns-nameservers 10.1.0.20 10.1.0.23 

# The secondary network interface
allow-hotplug ens224
iface ens224 inet static
        address 192.168.1.8/24
        gateway 192.168.1.240

When I run

grep -E "(Postfix Mail Transport Agent|e1000|Link is Up|link is not ready|link becomes ready|resolv.conf differ|target)" /var/log/syslog

I see that network-online.target only waits for one of the nics to be online.

Jan 12 18:46:54 assp0 kernel: (    1.738897) e1000e: Intel(R) PRO/1000 Network Driver - 3.2.6-k
Jan 12 18:46:54 assp0 kernel: (    1.738897) e1000e: Copyright(c) 1999 - 2015 Intel Corporation.
Jan 12 18:46:54 assp0 kernel: (    1.739922) e1000e 0000:0b:00.0: Interrupt Throttling Rate (ints/sec) set to dynamic conservative mode
Jan 12 18:46:54 assp0 kernel: (    1.795419) e1000e 0000:0b:00.0 0000:0b:00.0 (uninitialized): registered PHC clock
Jan 12 18:46:54 assp0 kernel: (    1.859484) e1000e 0000:0b:00.0 eth0: (PCI Express:2.5GT/s:Width x1)
Jan 12 18:46:54 assp0 kernel: (    1.859486) e1000e 0000:0b:00.0 eth0: Intel(R) PRO/1000 Network Connection
Jan 12 18:46:54 assp0 kernel: (    1.859558) e1000e 0000:0b:00.0 eth0: MAC: 3, PHY: 8, PBA No: 000000-000
Jan 12 18:46:54 assp0 kernel: (    1.860245) e1000e 0000:13:00.0: Interrupt Throttling Rate (ints/sec) set to dynamic conservative mode
Jan 12 18:46:54 assp0 kernel: (    1.915403) e1000e 0000:13:00.0 0000:13:00.0 (uninitialized): registered PHC clock
Jan 12 18:46:54 assp0 kernel: (    1.979239) e1000e 0000:13:00.0 eth1: (PCI Express:2.5GT/s:Width x1)
Jan 12 18:46:54 assp0 kernel: (    1.979240) e1000e 0000:13:00.0 eth1: Intel(R) PRO/1000 Network Connection
Jan 12 18:46:54 assp0 kernel: (    1.979290) e1000e 0000:13:00.0 eth1: MAC: 3, PHY: 8, PBA No: 000000-000
Jan 12 18:46:54 assp0 kernel: (    1.981312) e1000e 0000:0b:00.0 ens192: renamed from eth0
Jan 12 18:46:54 assp0 kernel: (    1.994070) e1000e 0000:13:00.0 ens224: renamed from eth1
Jan 12 18:46:54 assp0 kernel: (    4.577652) IPv6: ADDRCONF(NETDEV_UP): ens224: link is not ready
Jan 12 18:46:54 assp0 kernel: (    4.583595) e1000e: ens224 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
Jan 12 18:46:54 assp0 systemd(1): Reached target Swap.
Jan 12 18:46:54 assp0 systemd(1): Reached target System Initialization.
Jan 12 18:46:54 assp0 systemd(1): Reached target Sockets.
Jan 12 18:46:54 assp0 systemd(1): Reached target Basic System.
Jan 12 18:46:54 assp0 systemd(1): Reached target Timers.
Jan 12 18:46:54 assp0 systemd(1): Reached target Network.
Jan 12 18:46:54 assp0 systemd(1): Reached target Network is Online.
Jan 12 18:46:54 assp0 systemd(1): Starting Postfix Mail Transport Agent (instance -)...
Jan 12 18:46:54 assp0 systemd(1): Reached target Login Prompts.
Jan 12 18:46:54 assp0 kernel: (    4.671007) IPv6: ADDRCONF(NETDEV_UP): ens192: link is not ready
Jan 12 18:46:54 assp0 kernel: (    4.671206) IPv6: ADDRCONF(NETDEV_CHANGE): ens224: link becomes ready
Jan 12 18:46:54 assp0 kernel: (    4.675749) e1000e: ens192 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
Jan 12 18:46:54 assp0 kernel: (    4.676553) IPv6: ADDRCONF(NETDEV_CHANGE): ens192: link becomes ready
Jan 12 18:46:55 assp0 postfix/postfix-script(750): warning: /var/spool/postfix/etc/resolv.conf and /etc/resolv.conf differ

I thought there was something you could write in the network config to indicate that connection was required before the OS would consider the network to be up, but I can’t seem to find that info.

Before I cludge together something that works enough for us, I would like to know how to make network-online.target wait for either all nics, or preferably, the ones I specify.