Bug 315747 - net-firewall/shorewall-common-4.2.11-r1: rc-status not shown as "started"
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal with 1 vote
Assignee: Tony Vroon (RETIRED)
Duplicates: 316327
Reported: 2010-04-17 15:02 UTC by Boney McCracker
Modified: 2011-02-12 16:46 UTC


Attachments
bootchart (svg) (bootchart.svgz,18.72 KB, image/svgz)
2010-04-22 08:38 UTC, Boney McCracker
Description Boney McCracker 2010-04-17 15:02:59 UTC
Following the implementation of the change described in bug 288992, shorewall shows up as not having started when it really has (using baselayout 1 rc system).

This is entered as a separate bug because Tony Vroon says so.

Observed behavior: shorewall has actually started:
------------------------------------------------------------------------------
twister ~ # shorewall status
Shorewall-4.2.11 Status at twister - Thu Apr 15 22:16:00 EDT 2010

Shorewall is running
State:Started (Thu Apr 15 22:11:11 EDT 2010)
------------------------------------------------------------------------------
(I have also verified that it actually started and is running by seeing startup
entries in logs, new blacklist hits in logs, etc.)


However, the rc system says it has not started:
------------------------------------------------------------------------------
twister ~ # /etc/init.d/shorewall status
 * status:  stopped
------------------------------------------------------------------------------

I've reviewed the dependencies of my init scripts and don't see anything amiss
there.  What would cause this?

Reproducible: Always

-----------------------------------------------------------------------------
twister ~ # emerge --info
Portage 2.1.8.3 (hardened/linux/x86, gcc-4.3.4, glibc-2.10.1-r1, 2.6.28-hardened-r9 i686)
=================================================================
System uname: Linux-2.6.28-hardened-r9-i686-Pentium_III_-Coppermine-with-gentoo-1.12.13
Timestamp of tree: Sat, 17 Apr 2010 13:45:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.0_p37
dev-lang/python:     2.6.4-r1
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.11.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc:       4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ ftp://ftp.gtlib.gatech.edu/pub/gentoo http://open-systems.ufl.edu/mirrors/gentoo"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1,--hash-style=gnu"
LINGUAS="en_US en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="acpi berkdb bzip2 caps cli cracklib crypt cxx dri gpm hardened iconv mmx modules mudflap ncurses nls nptl nptlonly openmp pam pcre perl pic python readline reflection samba session spl sse ssl sysfs unicode urandom userlocales x86 xorg zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en_US en" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="i810" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

Contents of /etc/portage/package.keywords
----------------------------------------------------------------------------
=net-firewall/iptables-1.4* ~x86
=net-firewall/ipset-4.2* ~x86
=net-firewall/shorewall-perl-4.2* ~x86
=net-firewall/shorewall-common-4.2* ~x86
Comment 1 Boney McCracker 2010-04-17 20:49:57 UTC
twister ~ # rc-status
Runlevel: default
 dnsmasq                                  [ started  ]
 ez-ipupdate                              [ started  ]
 hydrophone                               [ started  ]
 ipset                                    [ started  ]
 local                                    [ started  ]
 net.eth0                                 [ started  ]
 net.eth1                                 [ started  ]
 net.eth2                                 [ started  ]
 ntpd                                     [ started  ]
 samba                                    [ started  ]
 shorewall                                [ stopped  ]        <---- Note
 sshd                                     [ started  ]
 syslog-ng                                [ started  ]
 udev-postmount                           [ started  ]
 uptimed                                  [ started  ]
 vixie-cron                               [ started  ]

Comment 2 Hugo Mildenberger 2010-04-21 11:32:59 UTC
John, from what I see now, somebody had managed to include a "use logger" dependency in net-firewall/shorewall-common-4.2.11-r1. Since you are using syslog-ng, could you manually comment out "need net" from within the depend() function in /etc/init.d/syslog-ng and see if the inconsistency persists? Also, which openrc version are you using, and are you using the "rc_parallel" or the "rc_depend_strict" option in /etc/rc.conf?
Comment 3 Boney McCracker 2010-04-22 01:56:40 UTC
(In reply to comment #2)

The "net" dependency of syslog-ng is conditional upon the presence of "net" or "udp" in one or more uncommented syslog-ng.conf "source" or "destination" statements.  I have two such statements, but they are commented-out.

The relevant portion of /etc/init.d/syslog-ng:
------------------------------------------------------------------------------
        # Make networking dependency conditional on configuration
        case $(sed 's/#.*//' /etc/syslog-ng/syslog-ng.conf) in
                *source*tcp*|*source*udp*|*destination*tcp*|*destination*udp*)
                        need net
                        use stunnel ;;
        esac
-------------------------------------------------------------------------------

So, to implement your suggestion, I have commented out the entire block of code shown above and rebooted the machine.

Unfortunately, it seems to have had no effect:
-------------------------------------------------------------------------------
twister ~ # rc-status
Runlevel: default
 dnsmasq                                  [ started  ]
 ez-ipupdate                              [ started  ]
 hydrophone                               [ started  ]
 ipset                                    [ started  ]
 local                                    [ started  ]
 net.eth0                                 [ started  ]
 net.eth1                                 [ started  ]
 net.eth2                                 [ started  ]
 ntpd                                     [ started  ]
 samba                                    [ started  ]
 shorewall                                [ stopped  ]   <---- :( 
 sshd                                     [ started  ]
 syslog-ng                                [ started  ]
 udev-postmount                           [ started  ]
 uptimed                                  [ started  ]
 vixie-cron                               [ started  ]
-------------------------------------------------------------------------------

I have the uneasy feeling this is due to some configuration error of my own (i.e. PEBKAC), so I will keep looking at it.  If no one else has reported this, it must be me.

Thanks for the suggestion, though.
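
The conditional quoted in comment 3, run against constructed configuration files. This is an added example, not part of the original comment; the `needs_net` function name and the three sample configs are assumptions made for illustration. It goes one step beyond the comment by showing that the glob is evaluated over the whole comment-stripped file, so unrelated text can also trigger the dependency.

```shell
# Returns 0 if the quoted syslog-ng init script test would declare
# "need net" for the config file given as $1 (hypothetical helper name).
needs_net() {
    case $(sed 's/#.*//' "$1") in
        *source*tcp*|*source*udp*|*destination*tcp*|*destination*udp*)
            return 0 ;;
    esac
    return 1
}

# Constructed sample configs, written to a temporary directory.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# 1. Network statements present but commented out (the reporter's situation):
#    sed strips everything after '#', so no tcp/udp text survives.
cat > "$SAMPLES/commented.conf" <<'EOF'
source s_local { unix-stream("/dev/log"); internal(); };
#source s_remote { udp(ip(0.0.0.0) port(514)); };
destination d_messages { file("/var/log/messages"); };
#destination d_loghost { tcp("192.0.2.10" port(514)); };
EOF

# 2. An active network source: the dependency is declared.
cat > "$SAMPLES/active.conf" <<'EOF'
source s_remote { udp(ip(0.0.0.0) port(514)); };
destination d_messages { file("/var/log/messages"); };
EOF

# 3. No network statement, but "tcp" appears in a file name somewhere after
#    a "source" keyword. The pattern spans line breaks, so it still matches.
cat > "$SAMPLES/spurious.conf" <<'EOF'
source s_local { unix-stream("/dev/log"); };
destination d_fw { file("/var/log/tcp-drops.log"); };
EOF

for f in commented active spurious; do
    if needs_net "$SAMPLES/$f.conf"; then
        echo "$f.conf: need net"
    else
        echo "$f.conf: no net dependency"
    fi
done
```
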
Comment 4 Boney McCracker 2010-04-22 02:11:56 UTC
(In reply to comment #2)
> Also, which openrc version are you using, and are you using the "rc_parallel"
> or the "rc_depend_strict" option in /etc/rc.conf?

As noted above, I am not using openrc on this machine.  This is a baselayout1 machine.  It is ACCEPT_KEYWORDS="x86" (not "~x86"), except for those keyworded packages noted above.

However, in /etc/conf.d/rc (which roughly corresponds to /etc/rc.conf on an openrc machine), potentially relevant variables are:

  RC_PARALLEL_STARTUP="no"
  RC_HOTPLUG="no"
  RC_COLDPLUG="no"
  RC_PLUG_SERVICES="!*"
  RC_NET_STRICT_CHECKING="yes"

Comment 5 Boney McCracker 2010-04-22 08:38:27 UTC
Created attachment 228705
bootchart (svg)

Here is a bootchart for the system (a firewall/router running on a Pentium III).

As you can see, syslog is starting before shorewall, but it is not causing the net.* services to do so.  It all seems to be starting in the proper sequence.

ipset
shorewall
network interfaces
network-dependent services

The mystery is why the rc system says shorewall is "stopped" when it's not.
Comment 6 Massimo Burcheri 2010-05-03 08:25:07 UTC
*** Bug 316327 has been marked as a duplicate of this bug. ***
Comment 7 Massimo Burcheri 2010-05-05 06:40:03 UTC
Tom Eastep said he is going to consider implementing a two-stage startup approach similar to SuSEFirewall for 4.4.10, in order to conform to the Gentoo police.
I hope for this reason that this version is going into Portage soon, given that Portage is still on 4.2.
Comment 8 Constanze Hausner (RETIRED) gentoo-dev 2011-02-12 16:46:43 UTC
Seems to be fixed from version 4.4.10+