Brian J. Murrell via FreeIPA-users wrote:
> I see on my EL7 machine with IDM (freeipa) installed that
> named-pkcs11.service is actually set to disabled in systemd, but it is
> started at some point, presumably, directly by the ipa.service unit's
> /usr/sbin/ipactl.
>
> This causes problems with other systemd unit dependencies, in
> particular with nss-lookup.target.
>
> Ultimately we don't want the nss-lookup.target being reached before
> (all of) the lookup services have actually started including DNS which
> is started with named-pkcs11.service.
>
> However in order for that to happen named-pkcs11.service needs to be in
> the same transaction as nss-lookup.target which it normally gets by
> being wanted (Wants) by multi-user.target which usually happens as a
> result of enabling a unit. When enabled (systemctl enable ...) a
> symlink gets created from /usr/lib/systemd/system/named-pkcs11.service
> to /etc/systemd/system/multi-user.target.wants/ providing that Wants
> relationship that is needed and currently missing.
>
> I have managed to work-around this by adding:
>
> [Unit]
> Wants=named-pkcs11.service
>
> to /etc/systemd/system/nss-lookup.target.d/override.conf but according
> to the systemd folks, this is not really the correct relationship
> and that the Wants really belongs to multi-user.target.
>
> Ultimately, I wonder if it's really necessary to have
> named-pkcs11.service disabled and started by ipactl rather than being a
> more natural systemd unit, enabled in systemd, and started on boot by
> systemd.
>
> Surely the complex set of mechanisms that systemd provides to express
> relationships and ordering is sufficient to have systemd start up
> named-pkcs11.service itself, isn't it?
>
> As an aside, I also have:
>
> After=named-pkcs11.service
>
> in the [Unit] section of my
> /etc/systemd/system/nss-lookup.target.d/override.conf but I'm not
> positive that that is still necessary as it was just put there on my
> debugging path to getting to where I am now. I have not yet tried
> removing it and seeing if I get the same correct ordering of
> nss-lookup.target only starting after named-pkcs11.service.

named requires 389-ds to be running. It is easier to manage the order within IPA than systemd.

I'd suggest setting it After=ipa.service

rob