Hello,

17.02.21 21:42 Chris Hofstaedtler:
> * Thomas Goirand <zigo@debian.org> [210217 20:38]:
> > # cat /etc/systemd/system/ssh.service.d/override.conf
> > [Unit]
> > After=network-online.target auditd.service
> >
> > But IMO, this is very wrong to mandate doing this, and not having ssh
> > connectivity after a reboot, is kind of a grave problem.
> >
> > So, could you hard-wire this in the openssh-server package directly, so
> > Debian users can avoid such an override? Indeed After=network.target
> > doesn't tell you that network is ready. After=network-online.target does,
> > and that's IMO what the ssh daemon should be using.
>
> But if you do this, you'll end up delaying start of sshd for up to
> 120 seconds in error cases. And even then, you might not get what you
> want (if you read systemd-networkd-wait-online.service(8)
> carefully).
>
> Services that use After=network-online.target are generally broken,
> please do not introduce that.

Seconded. Just consider a node where one link is down on boot and you would have to wait such a long time until you can examine the problem via ssh.

> As discussed already, IP_FREEBIND is a thing. The system-wide sysctl
> is a common workaround, especially for "bgp-on-the-host" setups, for
> all sorts of servers/daemons.

That should work; systemd-sysctl.service is ordered before ssh.

Another option is in #965132 (ssh@.socket), but then the fix for #946180 and #934663 (RuntimeDirectoryPreserve=yes for ssh*.service) is also needed.

Regards,
Timo

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965132
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946180
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934663