Bug#982950: ssh.service starts sshd before network is online: please switch to After=network-online.target instead of just After=network.target
Package: openssh-server
Version: 1:8.4p1-4
Severity: grave
Hi there,
On a Sid/Testing system, currently we have in /lib/systemd/system/ssh.service:
After=network.target auditd.service
While this isn't a problem in most installations, it didn't work under our setup,
because we use "bgp-to-the-host" networking. In this setup, we need FRR (the
BGP routing daemon which is a fork of Quagga, if you didn't know) to provide
network connectivity to the server. Our configuration is something like this:
# cat /etc/frr/frr.conf
[...]
!
int lo
ip address 10.56.17.7/32
!
[...]
This means that, until FRR is fully up and running, with the BGP session
established, the server IP (10.x.x.x/32 bound to the loopback interface) isn't
set yet on the server, and the ssh daemon cannot bind on the IP (as it's not
there yet).
Our fix was pretty simple:
# cat /etc/systemd/system/ssh.service.d/override.conf
[Unit]
After=network-online.target auditd.service
But IMO, it is very wrong to mandate doing this, and not having ssh
connectivity after a reboot is kind of a grave problem.
So, could you hard-wire this in the openssh-server package directly, so Debian
users can avoid such an override? Indeed After=network.target doesn't tell you
that network is ready. After=network-online.target does, and that's IMO what
the ssh daemon should be using.
Thanks for maintaining openssh in Debian,
Cheers,
Thomas Goirand (zigo)
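
An added example, not part of the original report or of the openssh-server package: a shell check that computes the effective [Unit] dependency lists from unit text in the form `systemctl cat ssh.service` prints, and reports whether network-online.target is both ordered against and pulled in. The function names and the WITH_WANTS drop-in are assumptions; systemd's documentation pairs After=network-online.target with Wants=network-online.target, because After= only orders units and does not start the target.

```shell
# Added example, not from the bug report. Input is unit text as printed by
# `systemctl cat ssh.service`: the packaged unit first, drop-ins after it.
# unit_deps KEY: print the effective [Unit] list for KEY. systemd appends list
# settings across drop-ins; an empty assignment ("After=") resets the list.
unit_deps() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/   { in_unit = ($0 ~ /\[Unit\]/); next }
        !in_unit      { next }
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (v == "") { n = 0; next }            # reset the list
            c = split(v, p, /[ \t]+/)
            for (i = 1; i <= c; i++) list[++n] = p[i]
        }
        END { for (i = 1; i <= n; i++) printf "%s ", list[i] }
    '
}

# ordering_status: read unit text on stdin and print one of
#   not-ordered            no After=network-online.target
#   ordered-not-pulled-in  After= only; another unit must want the target
#   ok                     After= plus Wants=/Requires= on the target
ordering_status() {
    text=$(cat)
    after=$(printf '%s\n' "$text" | unit_deps After)
    pulls="$(printf '%s\n' "$text" | unit_deps Wants)$(printf '%s\n' "$text" | unit_deps Requires)"
    case " $after" in
        *" network-online.target "*) ;;
        *) echo not-ordered; return 0 ;;
    esac
    case " $pulls" in
        *" network-online.target "*) echo ok ;;
        *) echo ordered-not-pulled-in ;;
    esac
}

# Constructed input: the first two are the snippets quoted in the report,
# WITH_WANTS is a hypothetical drop-in that also pulls the target in.
PACKAGED='[Unit]\nAfter=network.target auditd.service'
OVERRIDE='[Unit]\nAfter=network-online.target auditd.service'
WITH_WANTS='[Unit]\nWants=network-online.target\nAfter=network-online.target'
printf '%b\n' "$PACKAGED" | ordering_status
printf '%b\n' "$PACKAGED" "$OVERRIDE" | ordering_status
printf '%b\n' "$PACKAGED" "$WITH_WANTS" | ordering_status
```

On a live host, `systemctl cat ssh.service | ordering_status` applies the same check to the installed unit and its drop-ins.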