1934291 – wpa_supplicant.service stops with systemctl isolate mulit-user.target runlevel change

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1934291 - wpa_supplicant.service stops with systemctl isolate mulit-user.target runlevel change

Summary: wpa_supplicant.service stops with systemctl isolate mulit-user.target runleve...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	NetworkManager
Sub Component:
Version:	8.3
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	NetworkManager Development Team
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1935910
TreeView+	depends on / blocked

Reported:	2021-03-02 20:59 UTC by Curtis Taylor
Modified:	2021-11-10 06:51 UTC (History)
CC List:	15 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-11-09 19:29:43 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:4361	0	None	None	None	2021-11-09 19:30:19 UTC
freedesktop.org Gitlab	NetworkManager NetworkManager-ci merge_requests 750	0	None	None	None	2021-04-15 13:06:08 UTC

Description Curtis Taylor 2021-03-02 20:59:46 UTC

Description of problem:
Going from graphical.target to multi-user.target results in wpa_supplicant.service being stopped.

Version-Release number of selected component (if applicable):
wpa_supplicant-2.9-2.el8.x86_64

How reproducible:
Reproduces in VM easily with fresh RHEL8.3 installation.

Steps to Reproduce:
1. From graphical.target with wpa_supplicant running
# systemctl status wpa_supplicant.service 
wpa_supplicant.service - WPA supplicant
   Loaded: loaded (/usr/lib/systemd/system/wpa_supplicant.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-02-09 13:22:59 CET; 59s ago
 Main PID: 1578 (wpa_supplicant)
    Tasks: 1 (limit: 49320)
   Memory: 5.8M
   CGroup: /system.slice/wpa_supplicant.service
           ??1578 /usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -s -O /var/run/wpa_supplicant

2. systemctl isolate mulit-user.target

3. witness wpa_supplicant stopped

Actual results:
# systemctl status wpa_supplicant.service 
wpa_supplicant.service - WPA supplicant
   Loaded: loaded (/usr/lib/systemd/system/wpa_supplicant.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Expected results:
# systemctl status wpa_supplicant.service 
wpa_supplicant.service - WPA supplicant
   Loaded: loaded (/usr/lib/systemd/system/wpa_supplicant.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-02-09 13:22:59 CET; 59s ago
 Main PID: 1578 (wpa_supplicant)
    Tasks: 1 (limit: 49320)
   Memory: 5.8M
   CGroup: /system.slice/wpa_supplicant.service
           ??1578 /usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -s -O /var/run/wpa_supplicant

Additional info:
Enabling IgnoreOnIsolate, with a wpa_supplicant.service override, solves the issue and seems like it should be the default in wpa_supplicant.service.

  # systemctl edit wpa_supplicant.service  
  [Unit]
  IgnoreOnIsolate=true

  # systemctl show wpa_supplicant.service | grep OnIsolate
  IgnoreOnIsolate=yes

Comment 1 Beniamino Galvani 2021-03-03 09:04:15 UTC

The current behavior seems correct because wpa_supplicant is disabled:

 $ systemctl status wpa_supplicant
 ● wpa_supplicant.service - WPA supplicant
    Loaded: loaded (/usr/lib/systemd/system/wpa_supplicant.service; disabled; vendor preset: disabled)

wpa_supplicant is started in the graphical target only because another
program activates it via D-Bus:

 dbus-daemon[947]: [system] Activating via systemd: service name='fi.w1.wpa_supplicant1' unit='wpa_supplicant.service' requested by ':1.115' (uid=997 pid=2330 comm="/usr/libexec/geoclue " label="system_u:system_r:geoclue_t:s0")

GeoClue is started when GNOME is running to provide geographical
awareness and for some reasons it needs wpa_supplicant. If you are
relying on this implicit dependency to have wpa_supplicant started
automatically, this seems wrong.

Another program that might activate wpa_supplicant is NetworkManager,
but only when a Wi-Fi device is found. So, if you isolate the
multi-user target and there is a Wi-Fi device managed by NM,
wpa_supplicant will be active.

To have wpa_supplicant always running even if not requested by another
program (like NM), you need to enable the service explicitly:

 # systemctl enable wpa_supplicant

Comment 2 Beniamino Galvani 2021-03-03 09:32:58 UTC

Okay, I think the root issue is that an ethernet 802.1X connection active in graphical.target breaks when switching to multi-user.target because wpa_supplicant gets stopped. I'm not sure if this is a systemd bug (which should not stop wpa_supplicant because it was started by a unit that is still active in the new target) or NM's (as it should restart wpa_supplicant when it gets killed externally).

Also enabling IgnoreOnIsolate could be a solution, but I'm worried that perhaps this would lead to situations where wpa_supplicant is running when it's not expected to.

Comment 3 Curtis Taylor 2021-03-04 01:30:10 UTC

(In reply to Beniamino Galvani from comment #2)
> Also enabling IgnoreOnIsolate could be a solution, but I'm worried that
> perhaps this would lead to situations where wpa_supplicant is running when
> it's not expected to.

Would not IgnoreOnIsolate just rely upon the application which started wpa_supplicant to handle stopping it when necessary and not actually result in wpa_supplicant running when not expected?

My thinking is:

service A1 starts wpa_supplicant
systemd target is changed but service A1 remains destination target
  wpa_supplicant is still required but stops if IgnoreOnIsolate is not set.
systemd target is changed to a target where A1 is stopped
  wpa_supplicant is stopped by A1 when A1 stops or else it's a bug in A1 for not stopping what it started

Therefore I believe the fix is for wpa_supplicant to enable IgnoreOnIsolate in the wpa_supplicant.service it provides.

Comment 4 Curtis Taylor 2021-03-04 01:34:34 UTC

... or else if we are thinking about "what if something else starts wpa_supplicant", then in that case A1 is not NetworkManager and the same argument, of the bug being that A1 does not stop what it started,still applies.   

The way to keep wpa_supplicant running if it is supplying a service that is not enabled by default is to have it provide a service with IgnoreOnIsolate.

Comment 5 Beniamino Galvani 2021-03-09 07:46:41 UTC

> Would not IgnoreOnIsolate just rely upon the application which
> started wpa_supplicant to handle stopping it when necessary and not
> actually result in wpa_supplicant running when not expected?

wpa_supplicant is D-Bus activatable, which means that an application
doesn't explicitly have to start it. The calling application (e.g. NM)
just needs to send a D-Bus request (ignoring whether wpa_supplicant is
actually running or not), and systemd will take care of starting the
service if needed.

Therefore, the calling application doesn't need to care about stopping
wpa_supplicant (and it wouldn't have a way to do it even if it
wanted).

> My thinking is:
>
> service A1 starts wpa_supplicant
> systemd target is changed but service A1 remains destination target
>   wpa_supplicant is still required but stops if IgnoreOnIsolate is not set.

Normally, if there is a 802.1X connection active and wpa_supplicant
stops, NM would restart it. This didn't happen for connections with
the property 802-1x.optional set to 'yes' (as in the attached case)
due to a bug. The fix for this bug is:

 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/776

With this commit, wpa_supplicant would still be stopped on isolate
(when it's not explicitly enabled), the connection profile would
reconnect and NM would start wpa_supplicant again.

> systemd target is changed to a target where A1 is stopped
>   wpa_supplicant is stopped by A1 when A1 stops or else it's a bug in A1 for not stopping what it started

> Therefore I believe the fix is for wpa_supplicant to enable
> IgnoreOnIsolate in the wpa_supplicant.service it provides.

I am not totally sure about this. If IgnoreOnIsolate is the right
solution, then every D-Bus activatable service should have it, so that
the service survives a 'systemctl isolate'.

Comment 6 Beniamino Galvani 2021-03-09 07:48:14 UTC

I'm reassigning this bz to the systemd team to know what is their
opinion about this topic. The question is the following:

We have service A enabled and service B disabled. Service A activates
service B via D-Bus in graphical.target. Then the user does a
'systemctl isolate multi-user.target'. The result is that service B
gets stopped (because it is disabled), while service A is kept
running.

Shouldn't systemd somehow know that B was started by A and keep it
running in the new target? If not, how do you suggest to fix this
situation?

Should service B have IgnoreOnIsolate=yes? Or instead service A should
notice that B is gone and it should restart it?

Comment 7 David Tardon 2021-03-11 10:05:23 UTC

(In reply to Beniamino Galvani from comment #6)
> We have service A enabled and service B disabled. Service A activates
> service B via D-Bus in graphical.target. Then the user does a
> 'systemctl isolate multi-user.target'. The result is that service B
> gets stopped (because it is disabled), while service A is kept
> running.

Well, it works as expected. The best way to avoid this problem is to not use isolate. It's a dangerous command.

> 
> Shouldn't systemd somehow know that B was started by A and keep it
> running in the new target? If not, how do you suggest to fix this
> situation?

No, it shouldn't. systemd doesn't track any runtime relations between services, like a service starting another service via D-Bus or using "systemctl start". All it cares about are specified dependencies between units (which may be added at runtime, btw).

> Should service B have IgnoreOnIsolate=yes?

I'm not sure that's appropriate here. IgnoreOnIsolate=yes should be used for units that provide basic system functionality (to ensure that the system doesn't break after isolate).

> Or instead service A should
> notice that B is gone and it should restart it?

This looks like a reasonable solution to me.

Comment 8 Beniamino Galvani 2021-03-15 14:13:01 UTC

(In reply to David Tardon from comment #7)
> > Should service B have IgnoreOnIsolate=yes?
> 
> I'm not sure that's appropriate here. IgnoreOnIsolate=yes should be used for
> units that provide basic system functionality (to ensure that the system
> doesn't break after isolate).
> 
> > Or instead service A should
> > notice that B is gone and it should restart it?
> 
> This looks like a reasonable solution to me.

Okay, thanks. This is implemented by [1].

[1] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/776

Comment 14 errata-xmlrpc 2021-11-09 19:29:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: NetworkManager security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4361

Note You need to log in before you can comment on or make changes to this bug.