
Bug#982950: ssh.service starts sshd before network is online: please switch to After=network-online.target instead of just After=network.target



* Thomas Goirand <zigo@debian.org> [210217 20:38]:
> # cat /etc/systemd/system/ssh.service.d/override.conf 
> [Unit]
> After=network-online.target auditd.service
> 
> But IMO, this is very wrong to mandate doing this, and not having ssh
> connectivity after a reboot is kind of a grave problem.
> 
> So, could you hard-wire this in the openssh-server package directly, so Debian
> users can avoid such an override? Indeed After=network.target doesn't tell you
> that network is ready. After=network-online.target does, and that's IMO what
> the ssh daemon should be using.

But if you do this, you'll end up delaying start of sshd for up to
120 seconds in error cases. And even then, you might not get what you
want (if you read systemd-networkd-wait-online.service(8)
carefully).

Services that use After=network-online.target are generally broken,
please do not introduce that.

As discussed already, IP_FREEBIND is a thing. The system-wide sysctl
is a common workaround, especially for "bgp-on-the-host" setups, for
all sorts of servers/daemons.

Chris

