service iptables save, systemctl, and unhelpful error messages

Reindl Harald h.reindl at thelounge.net
Wed Feb 15 23:12:44 UTC 2012


this will not work since if a systemd-unit is present
systemd no longer is interested in anything from
/etc/init.d/

so there is no solution except to patch systemd if iptables.service is
called, which will not happen because it would be unmaintainable
over the long run, and doing it for iptables would bring a lot of
other people complaining "but why not XXX whateverservice" too

On 16.02.2012 00:09, Emanuel Rietveld wrote:
> On 02/15/2012 03:45 PM, "Jóhann B. Guðmundsson" wrote:
>>> <snip>
>>>
>>> The service iptables save command is documented in a number of places and has been recommended to users for
>>> years. See, for example, the security guide:
>>> http://docs.fedoraproject.org/en-US/Fedora/16/html/Security_Guide/sect-Security_Guide-Using_IPTables-Saving_and_Restoring_IPTables_Rules.html
>>>
>>> This breaking with the systemctl move is expected, but the unhelpful error message is a usability bug. Executing
>>> service iptables save should print "This is no longer supported. Please execute /usr/libexec/iptables.init
>>> save" (See: https://bugzilla.redhat.com/show_bug.cgi?id=748134 )
>>
>> <snip>
>>
>> Somehow I doubt that any bugs will be fixed for this in either systemd ( since this is not systemd bug ) or
>> iptables ( since Thomas is working on the new stuff and this does probably not climb high enough in his priority
>> list anyway he probably would not fix this until all the bits for that are in place).
>>
>> So if you or others want this fixed I'm pretty sure either side ( most notably iptables )  would gladly review
>> and accept patches should they be submitted.
>>
>> JBG
> 
> I propose the following script in /etc/init.d/iptables
> 
> #!/bin/sh
> # Please use systemctl to manage the iptables service
> # The old initscript is in /usr/libexec/iptables.init
> 
> case "$1" in
>     panic|save)
>         [ -c /dev/stderr ] && \
>         echo "This is no longer supported with systemd. \
> Please use /usr/libexec/iptables.init $1" >/dev/stderr
>         exit 2
>         ;;
>     *)
>         [ -c /dev/stderr ] && echo $"Redirecting to \
> /bin/systemctl $@ iptables.service" >/dev/stderr
>         exec /bin/systemctl "$@" iptables.service
>         ;;
> esac
> 
> The behavior of this script is exactly the same as the current situation, except that the error message is much
> more user-friendly.
> 
> The packaging guidelines say this: "If present, the SysV initscript(s) must go into an optional subpackage, so as
> not to confuse sysadmins" at http://fedoraproject.org/wiki/Packaging:Systemd
> 
> Can wrapper scripts such as the above be made into an exception for this rule? I am happy Fedora can move forward
> as fast as it does, but the users have to move forward with us. Providing helpful error messages for deprecated
> behavior, that point in the right direction, could be a big help to make the transitions as easy as possible for
> our users.
> 
> 
> 

-- 

Mit besten Grüßen, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/

http://www.thelounge.net/signature.asc.what.htm
