Brian J. Murrell via FreeIPA-users wrote:
I see on my EL7 machine with IDM (freeipa) installed that named-pkcs11.service is actually set to disabled in systemd, but it is
started at some point, presumably, directly by the ipa.service unit's
/usr/sbin/ipactl.
This causes problems with other systemd unit dependencies, in
particular with nss-lookup.target.
Ultimately we don't want the nss-lookup.target being reached before
(all of) the lookup services have actually started including DNS which
is started with named-pkcs11.service.
However in order for that to happen named-pkcs11.service needs to be in
the same transaction as nss-lookup.target which it normally gets by
being wanted (Wants) by multi-user.target which usually happens as a
result of enabling a unit. When enabled (systemctl enable ...) a
symlink gets created from /usr/lib/systemd/system/named-pkcs11.service
to /etc/systemd/system/multi-user.target.wants/ providing that Wants
relationship that is needed and currently missing.
I have managed to work-around this by adding:
[Unit]
Wants=named-pkcs11.service
to /etc/systemd/system/nss-lookup.target.d/override.conf but according
to the systemd folks, this is not really the correct relationship
and that the Wants really belongs to multi-user.target.
Ultimately, I wonder if it's really necessary to have named-pkcs11.service disabled and started by ipactl rather than being a more
natural systemd unit, enabled in systemd, and started on boot by
systemd.
Surely the complex set of mechanisms that systemd provides to express
relationships and ordering is sufficient to have systemd start up
named-pkcs11.service itself, isn't it?
As an aside, I also have:
After=named-pkcs11.service
in the [Unit] section of my /etc/systemd/system/nss-lookup.target.d/override.conf but I'm not positive that that is still
necessary as it was just put there on my debugging path to getting to
where I am now. I have yet to try removing it and seeing if I get the same correct ordering of nss-lookup.target only starting after named-pkcs11.service.
named requires 389-ds to be running. It is easier to manage the order
within IPA than systemd.
I'd suggest setting it After=ipa.service
rob
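For readers following this thread, here is the drop-in that Rob's suggestion amounts to, written out as an added example (it is not from either message, nor from the FreeIPA project). It assumes Rob means the same nss-lookup.target drop-in Brian describes, and it replaces the Wants=named-pkcs11.service line the systemd folks objected to with an ordering on ipa.service, which is the unit that actually starts 389-ds and then named-pkcs11 through ipactl:

```ini
# /etc/systemd/system/nss-lookup.target.d/override.conf  (added example, not from the thread)
#
# Ordering only: nss-lookup.target is reached after ipa.service has finished
# starting. ipa.service is already enabled and pulled in by multi-user.target,
# so no Wants= is needed here; ipactl starts 389-ds and named-pkcs11 in the
# order IPA requires. After= without Wants= does not pull ipa.service into the
# transaction on hosts where it is disabled, so it is harmless there.
[Unit]
After=ipa.service
```

After writing the file, run systemctl daemon-reload, then systemd-analyze verify nss-lookup.target to catch syntax or dependency errors, and on the next boot confirm with systemctl list-dependencies --after nss-lookup.target that ipa.service appears among the units ordered before the target. Because DNS is the lookup service at stake, the check that matters operationally is that units which need name resolution (those declaring After=nss-lookup.target) no longer start while named-pkcs11 is still coming up.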