Bug#1098708: ifupdown: systemd kills child processes (pppd/hostapd) if ifup -a in networking.service returns failure code

Sun, 23 Feb 2025 02:00:12 -0800 

Hi Frank,

Thanks for the insightful report.

On Sat, Feb 22, 2025 at 10:07:12PM -0500, Frank Bormann wrote:
> [...if] the call from networking.service to ifup -a --read-environment
> returns an error code, ifup will still have brought both the pppoe as
> well as the wlan ap interfaces up, however systemd now considers
> networking.service failed and therefore stopped and terminates any
> processes spawned by ifup for other network interfaces that were
> successfully configured, such as pppd and hostapd processes.

This is concerning indeed. I suppose what systemd wants us to do is to have
individual services instead of spawning long-running processes directly.

I can see two ways to satisfy systemd's lust for control:

 1) Arrange for networking.service to start individual ifup@$IFACE services
    using systemd-run(1) instead of bringing everything up in one go. This
    would contain systemd's blast radius to one iface.

 2) Change ifupdown scripts of things like ppp/hostapd to use systemd-run.

The former seems preferable since it's a change that's contained to
ifupdown and doesn't need us to bring other maintainers on board with this.

One caveat to the whole thing: I belive ifupdown is used outside of a
systemd context aswell so we'd have to figure out how to detect if systemd
is in use and forgoe the systemd-run wrapper in that case. Is that
something you could look into?

> [...] if I change the above to
> 
> ExecStart=-/sbin/ifup -a --read-environment
> ExecStart=-/bin/sh -c 'if [ -f /run/network/restart-hotplug ]; then 
> /sbin/ifup -a --read-environment --allow=hotplug; fi'

While I can't think of a truly really good reason networking.service should
ever have to inidcate a failure under normal circumstances I'm not
comfortable doing this. Think of the case where /etc/network/interfaces
simply has a syntax error. Shouldn't it be able to indicate failure then?

We could ofc. cover that case by adding an ExecCondition to check the
syntax, but unexpected failures (crashes and whatnot) do happen and hiding
them is bad.

--Daniel

Attachment: signature.asc
Description: PGP signature

Reply via email to