
Bug#1001320: needrestart misdetects socket activated ssh and restarts service instead of socket



Hello Marc Haber,

19.12.21 16:15 Marc Haber:
> On Wed, Dec 08, 2021 at 04:01:30PM +0100, Timo Weingärtner wrote:
> > 08.12.21 13:31 Marc Haber:
> > > I am running a number of test systems with ssh as socket activated
> > > service. Sometimes, after an update, I find myself without ssh access to
> > > those systems (connection refused). After a console login and systemctl
> > > restart ssh.socket, things are fine again.
> > > 
> > > I THINK this might be connected to needrestart. Today, a libc6 update
> > > marked the running ssh daemon (that I was using for the update) as using
> > > obsolete libraries, which resulted in the following console output:
> > 
> > To me it looks like a problem in needrestart. The (forked off) sshd process
> > handling your client connection belongs to cgroup session-NN.scope, no
> > matter if it was started by systemd socket activation or regular sshd.
> 
> I concur with your analysis. So we need a bug report against needrestart
> with the title "misdetects ssh as started from ssh.service if it's
> actually ssh.socket or ssh@.service"?

ssh.socket doesn't contain processes.
ssh@<connected_socket>.service would AFAIR be detected if libpam-systemd is 
not installed or if the connection is not yet complete. At least I remember 
(some years back) needrestart showing me ssh@<connected_socket>.service ticked 
by default, sawing off the branch I was sitting on when blindly nodded through.

We should be more specific here: it's about the per-client process which 
should not get restarted by default.
Even when ssh.service is running it misdetects per-client processes, but in 
that case it is usually quite harmless.

> > A workaround might be masking ssh.service.
> 
> That seems to do it for me, this hasn't happened on my test systems
> since I masked ssh.service. I do consider this a valid workaround (but
> not a solution) for the time being.
> 
> ssh maintainer, I think this warrants at least some documentation, for
> example in /usr/share/doc/openssh-server/README.Debian.gz, as the way
> documented there just suggests disabling ssh.service and not masking it.

Masking ssh.service also helps with people (possibly even including yourself) 
doing "systemctl restart ssh" after editing sshd_config.


Regards
Timo

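The distinction drawn in the message above, as an added example that is not part of the original mail and is not needrestart's code: it classifies an sshd process by the unit named in its cgroup path and leaves per-client processes out of the default restart selection. The function names, the sample cgroup lines (constructed) and the skip/restart policy are assumptions for illustration.

```shell
#!/bin/sh
# Added example: decide what to do with an sshd process that uses obsolete
# libraries, based on one line in the format of /proc/<pid>/cgroup.

classify_sshd_cgroup() {
    # Drop the "hierarchy:controllers:" prefix (shortest match), keep the path.
    path=${1#*:*:}
    # The last path component is the unit that owns the process.
    unit=${path##*/}
    case "$unit" in
        session-*.scope) echo "client-session" ;;   # per-client sshd inside a login session
        ssh@*.service)   echo "client-instance" ;;  # per-connection instance spawned via ssh.socket
        ssh.service)     echo "daemon" ;;           # regular listening sshd
        *)               echo "unknown" ;;
    esac
}

restart_action() {
    # Assumed policy: never select a per-client process by default, because
    # restarting it cuts the administrator's own connection.
    case "$(classify_sshd_cgroup "$1")" in
        client-session|client-instance) echo "skip" ;;
        daemon)                         echo "restart ssh.service" ;;
        *)                              echo "ask" ;;
    esac
}

# Constructed sample lines (cgroup v2 layout), not taken from the bug report.
for line in \
    '0::/user.slice/user-1000.slice/session-42.scope' \
    '0::/system.slice/system-ssh.slice/ssh@0-192.0.2.10:22-192.0.2.20:51234.service' \
    '0::/system.slice/ssh.service'
do
    printf '%-85s -> %s\n' "$line" "$(restart_action "$line")"
done
```
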