Bug 1574959 - Set IPAddressDeny= in systemd-logind service file
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nss_nis
Version: 28
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Matej Mužila
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-05-04 12:22 UTC by Ido Schimmel
Modified: 2018-08-17 16:17 UTC
Last Closed: 2018-08-17 16:17:19 UTC


Description Ido Schimmel 2018-05-04 12:22:13 UTC
Description of problem:

We upgraded one of our servers - which uses NSS/NIS - from Fedora 27 to Fedora 28 and faced timeouts in systemd-logind. This causes ssh logins to take 25 seconds to complete.

The problem is further described here [1] and fixed by setting IPAddressDeny= in systemd-logind service file. Also described in systemd 235 release notes [2]:

"
Downstream distributions might want to update their nss-nis packaging to include such a drop-in snippet, accordingly, to hide this incompatibility from the user.
"

Thanks.

1. https://github.com/systemd/systemd/issues/7074
2. https://github.com/systemd/systemd/commit/2bcbffd6db8efe8f0cc2f2b01d407a326247176d

Comment 1 Jussi Eloranta 2018-05-08 21:22:45 UTC
Yes, this is a very annoying bug that hit my 28 servers too. It would be important to have an official fix rather than starting to patch things by hand. This bug affects everyone running NIS, so this should be high priority.

Comment 2 Maurizio Paolini 2018-06-15 06:17:08 UTC
We also experience the same problem.  The proposed solution given above works for us and it seems to suggest a "drop-in" file to be added in the nss_nis package
with

[Service]
IPAddressDeny=

and placed in /lib/systemd/system/systemd-logind.service.d

I think it should be done upstream, but in the meantime an rpm with the fix seems in order...

Comment 3 Edgar Hoch 2018-06-15 09:28:57 UTC
I also got crashes from other systemd services, e.g. systemd-udevd, because they also need to look up hosts, users, groups, netgroups, etc., using nis (if nis is an entry in lines in /etc/nsswitch.conf). So the "workaround" should also be done for (all?) other systemd services that use the same mechanism.

# grep -ri IPAddressDeny  /usr/lib/systemd/system/
/usr/lib/systemd/system/systemd-timedated.service:IPAddressDeny=any
/usr/lib/systemd/system/systemd-logind.service:IPAddressDeny=any
/usr/lib/systemd/system/systemd-machined.service:IPAddressDeny=any
/usr/lib/systemd/system/systemd-journald.service:IPAddressDeny=any
/usr/lib/systemd/system/systemd-udevd.service:IPAddressDeny=any
/usr/lib/systemd/system/systemd-localed.service:IPAddressDeny=any
/usr/lib/systemd/system/systemd-coredump@.service:IPAddressDeny=any
/usr/lib/systemd/system/systemd-hostnamed.service:IPAddressDeny=any


I am currently trying to use nscd instead of allowing networking for these services, but I don't currently know if this solves all problems, because nscd does not cache all nis maps (as far as I know, e.g. ethers.byname, ethers.byaddr, auto.master, auto.home, mail.aliases), but it may be that these systemd services don't need access to these nis maps.
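
Added example, not part of the bug thread or of the nss_nis package: an empty `IPAddressDeny=` in a drop-in clears the `IPAddressDeny=any` filter the unit ships with, so this script reports, per service, which value survives once drop-ins are applied. It assumes a single unit directory, assignments written without spaces around `=`, and a constructed sample tree with a hypothetical drop-in name.

```shell
#!/bin/sh
# Added example (not from the bug thread). Simplifications: one unit directory,
# assignments written without spaces around "=", IPAddressAllow= ignored.

# Print the effective IPAddressDeny= list of one unit file. The main file is
# read first, then <unit>.d/*.conf in name order; an empty assignment resets
# everything set before it, a non-empty one appends to the list.
effective_ip_deny() {
    unit=$1
    eff=""
    for f in "$unit" "$unit".d/*.conf; do
        [ -f "$f" ] || continue          # unmatched glob stays literal: skip
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                IPAddressDeny=*)
                    val=${line#IPAddressDeny=}
                    if [ -z "$val" ]; then eff=""; else eff="${eff:+$eff }$val"; fi ;;
            esac
        done < "$f"
    done
    printf '%s\n' "$eff"
}

# List every service in directory $1 that sets IPAddressDeny= anywhere, with
# the value that survives after drop-ins are applied.
audit_ip_deny() {
    for u in "$1"/*.service; do
        [ -f "$u" ] || continue
        grep -qs '^IPAddressDeny=' "$u" "$u".d/*.conf || continue
        eff=$(effective_ip_deny "$u")
        printf '%s\t%s\n' "${u##*/}" "${eff:-(empty: no deny list)}"
    done
}

# Constructed sample tree: two units shipping IPAddressDeny=any, one of them
# reset by a drop-in (the file name 50-nss_nis.conf is hypothetical).
demo() {
    d=$(mktemp -d)
    mkdir "$d/systemd-logind.service.d"
    printf '[Service]\nIPAddressDeny=any\n' > "$d/systemd-logind.service"
    printf '[Service]\nIPAddressDeny=any\n' > "$d/systemd-udevd.service"
    printf '[Service]\nIPAddressDeny=\n' > "$d/systemd-logind.service.d/50-nss_nis.conf"
    audit_ip_deny "$d"
    rm -rf "$d"
}
demo
```

Pointing `audit_ip_deny` at a real unit directory shows which services no longer carry the IP filter, which is the set to review when deciding between a drop-in and a local cache such as nscd.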

Comment 4 Fedora Update System 2018-08-01 12:32:44 UTC
nss_nis-3.0-6.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-78f95660f9

Comment 5 Fedora Update System 2018-08-01 18:26:38 UTC
nss_nis-3.0-6.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-78f95660f9

Comment 6 Fedora Update System 2018-08-17 16:17:19 UTC
nss_nis-3.0-6.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

