The initscript for iptables has a line
  USE logger
When the syslog initscript has a line
  NEED net
this causes problems in the order of initscript execution because openrc tries to start the syslog service before all network services are up and then will not start syslog. Removing that dependence causes the scripts to be executed in the proper order.

Reproducible: Always

michelin ~ # cat /var/log/rc.log
 * Bringing up interface eth1
 * 128.226.130.161 ... [ ok ]
 * Adding routes
 * default via 128.226.130.1 ... [ ok ]
 * ERROR: cannot start syslog-ng as net.eth0 would not start
 * Loading iptables state and starting firewall ... [ ok ]
 * Bringing up interface eth0
 * 192.168.0.1 ... [ ok ]
 * Adding routes
 * 192.168.0.0/24 via 192.168.0.1 ... [ ok ]
 * Starting dnsmasq ... [ ok ]

michelin ~ # /etc/init.d/syslog-ng depend
need net
use stunnel
config /etc/syslog-ng/syslog-ng.conf
use clock
need hostname localmount
provide logger

michelin ~ # /etc/init.d/iptables depend
before net
use logger
Could you add your emerge --info output please? as well as whether or not you're using parallel startup?
michelin ~ # emerge --info
portage 2.1.10.11 (default/linux/amd64/10.0, gcc-4.5.3, glibc-2.12.2-r0, 2.6.39-gentoo-r3 x86_64)
=================================================================
System uname: Linux-2.6.39-gentoo-r3-x86_64-AMD_Phenom-tm-_II_X6_1090T_Processor-with-gentoo-2.0.3
Timestamp of tree: Sat, 15 Oct 2011 19:30:01 +0000
app-shells/bash: 4.1_p9
dev-lang/python: 2.7.1-r1, 3.1.3-r1
dev-util/pkgconfig: 0.26
sys-apps/baselayout: 2.0.3
sys-apps/openrc: 0.8.3-r1
sys-apps/sandbox: 2.4
sys-devel/autoconf: 2.68
sys-devel/automake: 1.11.1
sys-devel/binutils: 2.21.1-r1
sys-devel/gcc: 4.5.3-r1
sys-devel/gcc-config: 1.4.1-r1
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82-r1
sys-kernel/linux-headers: 2.6.39 (virtual/os-headers)
sys-libs/glibc: 2.12.2
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=barcelona -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/yp/Makefile"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=barcelona -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="ftp://mirrors.rit.edu/gentoo/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync5.us.gentoo.org/gentoo-portage"
USE="acl amd64 berkdb bzip2 cli cracklib crypt cups cxx dri fortran gdbm gpm iconv mmx modules mudflap multilib ncurses nfsv3 nis nls nptl nptlonly openmp pam pcre pppd readline session sse sse2 ssl sysfs unicode xorg zlib"
RSYNC_EXTRA_OPTS
(In reply to comment #1)
> Could you add your emerge --info output please? as well as whether or not
> you're using parallel startup?

michelin ~ # cat /etc/rc.conf
...
rc_parallel="NO"
...
rc_depend_strict="YES"
...
Thomas, please show output of: rc-config show --all
The system has gone into production use, so I cannot now take it down or make modifications easily. Line 23 in /etc/init.d/iptables has been modified to read
  # use logger

ta@michelin ~ $ rc-config show --all
Status of init scripts in runlevel "boot"
  bootmisc [started]
  fsck [started]
  hostname [started]
  hwclock [started]
  keymaps [started]
  localmount [started]
  modules [started]
  mtab [started]
  net.lo [started]
  procfs [started]
  root [started]
  swap [started]
  sysctl [started]
  termencoding [started]
  urandom [started]
Status of init scripts in runlevel "default"
  dnsmasq [started]
  iptables [started]
  local [started]
  net.eth0 [started]
  net.eth1 [started]
  nfs [started]
  ntpd [started]
  opensm [started]
  sshd [started]
  syslog-ng [started]
  udev-postmount [started]
  vixie-cron [started]
  vsftpd [started]
  webfs [started]
  ypserv [started]
Status of init scripts in runlevel "shutdown"
  killprocs [stopped]
  mount-ro [stopped]
  savecache [stopped]
Status of init scripts in runlevel "sysinit"
  devfs [started]
  dmesg [started]
  udev [started]
To make it clearer, the syslog-ng initscript adds the dependence NEED net when the daemon is configured to read or write from a tcp or udp socket (lines 10-12 in /etc/init.d/syslog-ng).
I just got nailed by this. Trying to set up a load balancer with haproxy/stunnel, and haproxy also requires udp syslog functionality. The machine is not quite in production yet, so if you need some info/testing I'd be happy to help if it's soon.
base-system/pva:
I propose we drop the 'use logger' from the init.d/iptables and instead convert it to a commented block in conf.d/iptables as follows:
===
# If you need to log iptables messages as soon as iptables starts,
# AND your logger does NOT depend on the network, then you may wish
# to uncomment the next line.
# If your logger depends on the network, and you uncomment this line
# you will create an unresolvable circular dependency during startup.
# After commenting or uncommenting this line, you must run 'rc-update -u'.
#rc_use="logger"
===
We would need to also apply the same changes to /etc/init.d/ip6tables and /etc/conf.d/ip6tables.
*** Bug 408753 has been marked as a duplicate of this bug. ***
This has been fixed in iptables-1.4.13-r1.
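
The ordering conflict reported in this thread can be checked mechanically. The following is an added example, not part of the original bug report and not OpenRC's own resolver: it treats need, use and after as "starts after" and before as "starts before", resolves provide names, and searches for a cycle. The input is constructed from the depend output quoted in the first comment, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: the `depend` output quoted in the report, one string per script.
DEPEND_OUTPUT = {
    "syslog-ng": "need net\nuse stunnel\nconfig /etc/syslog-ng/syslog-ng.conf\n"
                 "use clock\nneed hostname localmount\nprovide logger",
    "iptables": "before net\nuse logger",
}

def build_order_graph(depend_output):
    """Return {service: services that must start after it} (simplified model)."""
    provides, rules = {}, []           # provides: virtual name -> real service
    for svc, text in depend_output.items():
        for line in text.splitlines():
            kind, *targets = line.split() or [""]
            if kind == "provide":
                provides.update({t: svc for t in targets})
            elif kind in ("need", "use", "after", "before"):
                rules += [(svc, kind, t) for t in targets]
    graph = defaultdict(set)
    for svc, kind, target in rules:
        target = provides.get(target, target)   # e.g. logger -> syslog-ng
        if kind == "before":
            graph[svc].add(target)     # svc starts first
        else:
            graph[target].add(svc)     # target starts first
    return graph

def find_cycle(graph):
    """Depth-first search; return one cycle as a list of services, or None."""
    state = {}                         # 1 = on the current path, 2 = finished
    def visit(node, path):
        state[node] = 1
        path.append(node)
        for nxt in sorted(graph.get(node, ())):
            if state.get(nxt) == 1:    # back edge closes a loop
                return path[path.index(nxt):] + [nxt]
            if nxt not in state:
                found = visit(nxt, path)
                if found:
                    return found
        path.pop()
        state[node] = 2
        return None
    for start in sorted(graph):
        if start not in state:
            found = visit(start, [])
            if found:
                return found
    return None
```

The returned list reads as "each entry must start before the next", so a list that begins and ends with the same service is an ordering that cannot be satisfied.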