Date: Mon, 13 Apr 2020 18:22:03 +0200
From: Baurzhan Ismagulov
To: isar-users@googlegroups.com
Subject: Re: [PATCH] sshd-regen-keys: fix race condition
Message-ID: <20200413162202.zvkalsae6gxksmn2@yssyq.m.ilbers.de>
In-Reply-To: <20200312164837.20377-1-Quirin.Gylstorff@siemens.com>

Hello Quirin,

On Thu, Mar 12, 2020 at 05:48:37PM +0100, Q. Gylstorff wrote:
> Systemd waits with starting service until a oneshot is finished this leads
> to a race condition if you try to restart a service in a oneshot.
>
> "Behavior of oneshot is similar to simple; however, the service manager will consider
> the unit started after the main process exits. It will then start follow-up units.
> RemainAfterExit= is particularly useful for this type of service. Type=oneshot is the
> implied default if neither Type= nor ExecStart= are specified."[1]
>
> [1]: man systemd.service

Could you please help me understand the race you are facing? I've gone through
a couple of scenarios and couldn't identify one.

Apart from that, systemctl(1) says for enable:

    "Note that this does not have the effect of also starting any of the units
    being enabled. If this is desired, combine this command with the --now
    switch, or invoke start with appropriate arguments later."

Similarly, for disable:

    "Note that this command does not implicitly stop the units that are being
    disabled. If this is desired, either combine this command with the --now
    switch, or invoke the stop command with appropriate arguments later."

Considering the following scenario:

1. systemd starts ssh. It reads e.g. one key file but not others.

2. systemd starts sshd-regen-keys.sh. It disables ssh but doesn't stop it, then
   removes the keys.

3. sshd continues reading the other keys.

Is it possible that sshd finds an inconsistent set of keys or doesn't find the
other keys? Shouldn't we specify --now for both enable and disable?

With kind regards,
Baurzhan.
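
The ordering that the scenario above asks about, with sshd stopped before any key file is removed and started again only once every private key has its public half, written out as an added example that is not the Isar sshd-regen-keys.sh script and not part of this thread. The `regen_host_keys` function, the `SYSTEMCTL` and `KEYGEN` override variables and the two key types are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the Isar script. SYSTEMCTL and KEYGEN are hypothetical
# override hooks so the sequence can be exercised without touching a real host.
SYSTEMCTL=${SYSTEMCTL:-systemctl}
KEYGEN=${KEYGEN:-ssh-keygen}

# regen_host_keys KEYDIR [UNIT]
# Returns 0 on success, 1 if the unit could not be stopped, 2 if key
# generation failed, 3 if the resulting key set is incomplete.
regen_host_keys() {
    keydir=$1
    unit=${2:-ssh.service}

    # "disable" alone leaves a running sshd untouched; --now also stops it,
    # so no sshd from this unit reads key files while they are being replaced.
    "$SYSTEMCTL" disable --now "$unit" || return 1

    rm -f "$keydir"/ssh_host_*_key "$keydir"/ssh_host_*_key.pub

    for ktype in ed25519 rsa; do
        # -q quiet, -t key type, -N '' empty passphrase, -f output file
        "$KEYGEN" -q -t "$ktype" -N '' -f "$keydir/ssh_host_${ktype}_key" || {
            echo "key generation failed for $ktype; $unit left stopped" >&2
            return 2
        }
    done

    # Refuse to start sshd on a partial set: each private key needs its .pub.
    # An unmatched glob stays literal, so "no keys at all" also fails here.
    for key in "$keydir"/ssh_host_*_key; do
        [ -s "$key" ] && [ -s "$key.pub" ] || return 3
    done

    # "enable" alone would not start the unit either; --now does both.
    "$SYSTEMCTL" enable --now "$unit"
}
```

On a real system the function would be called as `regen_host_keys /etc/ssh`; whether the final start can complete from inside a oneshot unit depends on that unit's ordering, which is the point raised in the quoted commit message.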