On Tue, 27 Mar 2018, Brian J. Murrell via FreeIPA-users wrote:
> On Mon, 2018-03-26 at 14:44 -0400, Rob Crittenden via FreeIPA-users
> wrote:
> >
> > named requires 389-ds to be running. It is easier to manage the order
> > within IPA than systemd.
> >
> > I'd suggest setting it After=ipa.service
>
> I don't think this can work. ipa.service starts httpd.service (also,
> instead of letting systemd manage its startup ordering/dependencies)
> and httpd.service depends on nss-lookup:
>
> After=network.target remote-fs.target nss-lookup.target
>
> I think that creates a circular dependency, doesn't it? When I tried
> that on my system the ipa.service unit (and its ipactl) seemed to get
> stuck on "systemctl start httpd.service".
>
> Not to mention how much longer ipa.service takes to complete:
>
> ● ipa.service - Identity, Policy, Audit
>    Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
>    Active: active (exited) since Tue 2018-03-27 11:01:03 EDT; 7min ago
>
> vs named-pkcs11.service:
>
> ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
>    Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
>    Active: active (running) since Tue 2018-03-27 10:54:57 EDT; 13min ago
>
> which is actually the service that nss-lookup.target needs, not the
> entire ipa.service (stack). That's a 6 minute difference in many
> services being able to start.
>
> Yes, this is not at all a big beefy machine with blazing fast disks or
> SSDs. But indeed, it is exactly representative of why waiting for
> named-pkcs11.service is sufficient, optimal and effective at describing
> the actual dependencies more accurately.
>
> So, if the start-up order of the units really cannot be specified in
> systemd natively, and as such ipactl really is needed, then perhaps
> FreeIPA should be dropping an ipa.conf file into
> /etc/systemd/system/nss-lookup.target with:
>
> [Unit]
> Wants=named-pkcs11.service
>
> in it?

If you want to add that, you can also check
ipaserver/install/service.py, where we have an ordering table for IPA
services.
'DNS' service is starting at level 30 and we launch all services in
order, waiting for the previous to complete its start up. However, in
some cases a service is unable to properly report to systemd that it is
able to serve its clients, only that it started. I know dogtag is one
such exception, maybe named as well?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
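The thread argues about two drop-ins for nss-lookup.target: Rob's After=ipa.service, which Brian reports deadlocks because ipactl (run from ipa.service) blocks on starting httpd.service while httpd.service itself waits on nss-lookup.target, and Brian's Wants=named-pkcs11.service. The following is an added example, not code from FreeIPA or from anyone in the thread: it parses constructed [Unit] fragments modelling both variants, builds the systemd ordering graph from After=/Before=, adds one extra edge for the ipactl behaviour Brian describes, and reports whether an ordering cycle exists. The unit texts, the assumption that named-pkcs11.service carries Before=nss-lookup.target, and the hypothetical ipactl edge are all constructed for the example.

```python
"""Added example: detect systemd ordering cycles in constructed unit fragments."""
import re
from collections import defaultdict

# Constructed [Unit] fragments modelling the thread; they are assumptions,
# not copied from a real FreeIPA host.
UNITS_WITH_AFTER_IPA = {
    "ipa.service": "[Unit]\nDescription=Identity, Policy, Audit\nAfter=network.target\n",
    "httpd.service": "[Unit]\nAfter=network.target remote-fs.target nss-lookup.target\n",
    # the drop-in Rob suggested
    "nss-lookup.target": "[Unit]\nAfter=ipa.service\n",
    # assumption: the stock named unit orders itself before nss-lookup.target
    "named-pkcs11.service": "[Unit]\nBefore=nss-lookup.target\nWants=nss-lookup.target\n",
}
# Brian's proposal: pull named in, leave the ordering to named's own Before=
UNITS_WITH_WANTS_NAMED = dict(
    UNITS_WITH_AFTER_IPA, **{"nss-lookup.target": "[Unit]\nWants=named-pkcs11.service\n"}
)

# ipactl (run by ipa.service) blocks on "systemctl start httpd.service",
# so httpd.service must become active before ipa.service can finish starting.
# Hypothetical edge for this example; it is not a unit-file directive.
IPACTL_EDGE = ("httpd.service", "ipa.service")


def parse_unit(text):
    """Return {directive: [values]} for the [Unit] section of one unit file."""
    deps = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(\w[\w-]*)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "Unit" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        deps[key.strip()].extend(value.split())
    return deps


def ordering_graph(units, extra_edges=()):
    """Edges u -> v mean 'u must be active before v may finish starting'."""
    graph = defaultdict(set)
    for name, text in units.items():
        deps = parse_unit(text)
        for dep in deps.get("After", []):
            graph[dep].add(name)
        for dep in deps.get("Before", []):
            graph[name].add(dep)
    for u, v in extra_edges:
        graph[u].add(v)
    return graph


def find_cycle(graph):
    """Depth-first search; return one cycle as a list of unit names, or None."""
    white, grey, black = 0, 1, 2
    colour = defaultdict(int)
    stack = []

    def visit(node):
        colour[node] = grey
        stack.append(node)
        for nxt in sorted(graph.get(node, ())):
            if colour[nxt] == grey:
                return stack[stack.index(nxt):] + [nxt]
            if colour[nxt] == white:
                found = visit(nxt)
                if found:
                    return found
        stack.pop()
        colour[node] = black
        return None

    for node in sorted(graph):
        if colour[node] == white:
            found = visit(node)
            if found:
                return found
    return None


def check(units):
    """Cycle in the ordering graph (including the ipactl edge), or None."""
    return find_cycle(ordering_graph(units, [IPACTL_EDGE]))


def pull_in_deps(units, name):
    """Units that 'name' starts via Wants=/Requires= (no ordering implied)."""
    deps = parse_unit(units[name])
    return sorted(set(deps.get("Wants", [])) | set(deps.get("Requires", [])))


if __name__ == "__main__":
    print("After=ipa.service:", check(UNITS_WITH_AFTER_IPA))
    print("Wants=named-pkcs11.service:", check(UNITS_WITH_WANTS_NAMED))
    print("nss-lookup.target pulls in:", pull_in_deps(UNITS_WITH_WANTS_NAMED, "nss-lookup.target"))
```

With the After=ipa.service drop-in the search reports the loop httpd.service -> ipa.service -> nss-lookup.target -> httpd.service, which is the stall Brian observed; with Wants=named-pkcs11.service there is no cycle, and the target merely pulls named in while named's own Before= supplies the ordering. Note that Wants= alone never orders two units, so the proposal only works if the named unit already declares Before=nss-lookup.target.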