On Mon, 2018-03-26 at 14:44 -0400, Rob Crittenden via FreeIPA-users
wrote:
> named requires 389-ds to be running. It is easier to manage the order
> within IPA than systemd.
> I'd suggest setting it After=ipa.service
I don't think this can work. ipa.service starts httpd.service (also,
instead of letting systemd manage its startup ordering/dependencies)
and httpd.service depends on nss-lookup:
After=network.target remote-fs.target nss-lookup.target
I think that creates a circular dependency, doesn't it? When I tried
that on my system the ipa.service unit (and its ipactl) seemed to get
stuck on "systemctl start httpd.service".
Not to mention how much longer ipa.service takes to complete:
● ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
Active: active (exited) since Tue 2018-03-27 11:01:03 EDT; 7min ago
vs named-pkcs11.service:
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2018-03-27 10:54:57 EDT; 13min ago
which is actually the service that nss-lookup.target needs, not the
entire ipa.service (stack). That's a 6 minute difference in many
services being able to start.
Yes, this is not at all a big beefy machine with blazing fast disks or
SSDs. But indeed, it is exactly representative of why waiting for
named-pkcs11.service is sufficient, optimal and effective at describing
the actual dependencies more accurately.
So, if the start-up order of the units really cannot be specified in
systemd natively, and as such ipactl really is needed, then perhaps
FreeIPA should be dropping an ipa.conf file into
/etc/systemd/system/nss-lookup.target with:
[Unit]
Wants=named-pkcs11.service
in it?
Cheers,
b.
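
The circular wait described in the message above, modelled as a waits-for graph. This is an added example, not part of the original post or FreeIPA's code. It assumes the unit being ordered is nss-lookup.target and treats ipactl's blocking "systemctl start httpd.service" as an edge; `parse_after`, `find_cycle` and `build_graph` are hypothetical helper names.

```python
# Edges are constructed from the thread, not read from a live system.
HTTPD_UNIT = "[Unit]\nAfter=network.target remote-fs.target nss-lookup.target\n"

def parse_after(unit_text):
    """Return the unit names listed on After= lines of a unit file's text."""
    deps = []
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("After="):
            deps.extend(line[len("After="):].split())
    return deps

def find_cycle(waits_for):
    """Depth-first search; return one cycle as a list of units, or None."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour, stack = {}, []

    def visit(unit):
        colour[unit] = GREY
        stack.append(unit)
        for dep in waits_for.get(unit, ()):
            state = colour.get(dep, WHITE)
            if state == GREY:          # back edge: dep is already on the path
                return stack[stack.index(dep):] + [dep]
            if state == WHITE:
                found = visit(dep)
                if found:
                    return found
        stack.pop()
        colour[unit] = BLACK
        return None

    for unit in list(waits_for):
        if colour.get(unit, WHITE) == WHITE:
            found = visit(unit)
            if found:
                return found
    return None

def build_graph(nss_lookup_after):
    """Waits-for graph; nss_lookup_after is the assumed After= of nss-lookup.target."""
    return {
        "httpd.service": parse_after(HTTPD_UNIT),
        # ipactl blocks on "systemctl start httpd.service" (per the message)
        "ipa.service": ["httpd.service"],
        "nss-lookup.target": [nss_lookup_after],
    }

if __name__ == "__main__":
    for choice in ("ipa.service", "named-pkcs11.service"):
        print(choice, "->", find_cycle(build_graph(choice)))
```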