Subject: Re: [PATCH] sshd-regen-keys: fix race condition
To: isar-users@googlegroups.com, Quirin Gylstorff, Baurzhan Ismagulov
References: <20200312164837.20377-1-Quirin.Gylstorff@siemens.com> <20200413162202.zvkalsae6gxksmn2@yssyq.m.ilbers.de>
From: Jan Kiszka
Message-ID: <82ef1e5c-42c6-8a53-b3d3-cbb3fa6a977b@siemens.com>
Date: Tue, 28 Apr 2020 08:22:53 +0200
In-Reply-To: <20200413162202.zvkalsae6gxksmn2@yssyq.m.ilbers.de>

On 13.04.20 18:22, Baurzhan Ismagulov wrote:
> Hello Quirin,
>
> On Thu, Mar 12, 2020 at 05:48:37PM +0100, Q. Gylstorff wrote:
>> Systemd waits with starting a service until a oneshot is finished; this leads
>> to a race condition if you try to restart a service in a oneshot.
>>
>> "Behavior of oneshot is similar to simple; however, the service manager will consider
>> the unit started after the main process exits. It will then start follow-up units.
>> RemainAfterExit= is particularly useful for this type of service. Type=oneshot is the
>> implied default if neither Type= nor ExecStart= are specified."[1]
>>
>> [1]: man systemd.service
>
> Could you please help me understand the race you are facing? I've gone through
> a couple of scenarios and couldn't identify one.
>
>
> Apart from that, systemctl(1) says for enable:
>
> "Note that this does not have the effect of also starting any of the units
> being enabled. If this is desired, combine this command with the --now switch,
> or invoke start with appropriate arguments later."
>
> Similarly, for disable:
>
> "Note that this command does not implicitly stop the units that are being
> disabled. If this is desired, either combine this command with the --now
> switch, or invoke the stop command with appropriate arguments later."
>
> Considering the following scenario:
>
> 1. systemd starts ssh. It reads e.g. one key file but not others.
>
> 2. systemd starts sshd-regen-keys.sh. It disables ssh but doesn't stop it, then
> removes the keys.
>
> 3. sshd continues reading the other keys.
>
> Is it possible that sshd finds an inconsistent set of keys or doesn't find the
> other keys? Shouldn't we specify --now for both enable and disable?
>
>
> With kind regards,
> Baurzhan.
>

Quirin, I think this is still open, and - being about to create another
one-shot service - I was wondering whether we need to fix more services.

Baurzhan, please fix your client settings so that you always preserve CC
lists when replying.

Thanks,
Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
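The sequence Baurzhan describes, as an added example rather than the Isar sshd-regen-keys script itself: regenerate the host keys only while sshd is stopped (disable --now / enable --now) and refuse to bring sshd back if the new key set is incomplete. The SYSTEMCTL, SSH_KEYGEN, SSH_DIR and SSH_UNIT variables and the key-type list are assumptions made for illustration and testing.

```shell
#!/bin/sh
# Added example, not the Isar sshd-regen-keys script: regenerate sshd host
# keys only while sshd is stopped, so the daemon can never read a partially
# replaced key set.  The variables are overridable so the logic can be
# exercised without root or a real systemd (assumed names, not from the patch).
set -eu

SYSTEMCTL="${SYSTEMCTL:-systemctl}"
SSH_KEYGEN="${SSH_KEYGEN:-ssh-keygen}"
SSH_DIR="${SSH_DIR:-/etc/ssh}"        # where ssh-keygen -A writes by default
SSH_UNIT="${SSH_UNIT:-ssh.service}"

# Succeeds only if every default host key type has both its private and
# public half in $1 (the types ssh-keygen -A generates on current OpenSSH).
host_keys_complete() {
    dir="$1"
    for t in rsa ecdsa ed25519; do
        [ -s "$dir/ssh_host_${t}_key" ] || return 1
        [ -s "$dir/ssh_host_${t}_key.pub" ] || return 1
    done
    return 0
}

regen_host_keys() {
    # 1. disable AND stop: a plain "disable" leaves a running sshd that may
    #    still be loading keys while they are deleted below.
    "$SYSTEMCTL" disable --now "$SSH_UNIT"
    # 2. Remove the old keys; ssh-keygen -A only generates missing ones.
    rm -f "$SSH_DIR"/ssh_host_*_key "$SSH_DIR"/ssh_host_*_key.pub
    # 3. Generate a fresh set of all default key types.
    "$SSH_KEYGEN" -A
    # 4. Never bring sshd back on top of an incomplete key set.
    if ! host_keys_complete "$SSH_DIR"; then
        echo "host key regeneration incomplete; leaving $SSH_UNIT stopped" >&2
        return 1
    fi
    "$SYSTEMCTL" enable --now "$SSH_UNIT"
}
```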