Bug 2338429 - After=network-online.target is not usable in initram image
Summary: After=network-online.target is not usable in initram image
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: unbound
Version: rawhide
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-01-16 14:13 UTC by Petr Menšík
Modified: 2025-01-20 14:58 UTC (History)

Fixed In Version: unbound-1.22.0-9.fc42
Clone Of:
Environment:
Last Closed: 2025-01-20 14:58:58 UTC
Type: ---
Embargoed:
pemensik: mirror+


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FC-1402 0 None None None 2025-01-16 14:14:25 UTC
Red Hat Issue Tracker FC-1403 0 None None None 2025-01-16 14:46:22 UTC
Red Hat Issue Tracker RHEL-74273 0 None None None 2025-01-16 14:53:41 UTC

Description Petr Menšík 2025-01-16 14:13:15 UTC
As part of DNS over TLS enabling for RHEL, we have discovered unbound starts After=network-online.target. That is not desired in the default configuration, where it listens only on localhost.

Unbound has to start Before=nss-lookup.target, effectively it may provide basic name resolution for the system. At least we want it with dnsconfd that way.

Because of integration with Network Manager, we may enter a deadlock from NM. It wants to set network-online.target only after DNS was successfully configured. Therefore it has to start only After=network.target, because network-online.target may depend on unbound.service being activated. Therefore we cannot wait for it.

Reproducible: Always

Steps to Reproduce:
1. systemctl enable unbound.service
2. change unbound.service to have only After=network.target
3. reboot
4. verify it started correctly
Actual Results:  
It starts only after network-online.target is reached

Expected Results:  
It starts before network-online.target is reached

Changed by commit https://src.fedoraproject.org/forks/pemensik/rpms/unbound/c/2b640c85f833618e67f3b412d3a5b88f4518c34b.

This needs to be reverted back.

Comment 1 Petr Menšík 2025-01-16 14:43:29 UTC
After a specific IP address is used in interface: or a similar configuration, it might be required to change it to After=network-online.target.

That could be done, for example, with the command:

systemctl edit unbound.service

Then in the editor, type the following:

[Unit]
After=network-online.target

#before
### Edits below this comment will be discarded

That would make an additional change to the default unbound.service, making it start later.

Maybe an even more preferred way would be setting ip-freebind: yes in the server: section. That allows binding to addresses not yet present on the system. It should be used as soon as that address becomes present on the system.
The disadvantage is it won't watch for typos of your addresses. If you listen on an address that never appears, it won't tell you the address is wrong.
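
Added example (not part of the comment above and not code from the unbound package): a small Python check that reads an unbound.conf and the unit's ordering and reports the two situations discussed in comment 1, a non-loopback interface: address with neither ip-freebind: yes nor After=network-online.target, and an address that ip-freebind would accept although it is not assigned to the host. The function names, the sample configuration and the address set are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample inputs (not taken from the bug report).
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1
    interface: 192.0.2.53
    interface: 192.0.2.35@5353   # constructed typo
    ip-freebind: yes
"""
SAMPLE_UNIT = "[Unit]\nAfter=network.target\nBefore=nss-lookup.target\n"
SAMPLE_LOCAL = {"127.0.0.1", "::1", "192.0.2.53"}


def _values(conf, key):
    """Return values of `key:` lines, ignoring comments and quotes."""
    out = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(rf"{re.escape(key)}:\s*(\S+)", line)
        if m:
            out.append(m.group(1).strip('"'))
    return out


def check(conf, unit, local_addrs):
    """Return (address, finding) pairs for the interface/ordering combination."""
    freebind = "yes" in _values(conf, "ip-freebind")
    local = {ipaddress.ip_address(a) for a in local_addrs}
    ordered = set()
    for line in unit.splitlines():
        if line.startswith("After="):
            ordered.update(line.split("=", 1)[1].split())
    waits_online = "network-online.target" in ordered
    findings = []
    for value in _values(conf, "interface"):
        host = value.split("@", 1)[0]  # unbound allows addr@port
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # interface name, not an address: out of scope here
        if addr.is_loopback or addr.is_unspecified:
            continue  # bindable before the network is up
        if not (freebind or waits_online):
            findings.append((host, "may fail to bind at early start"))
        if freebind and addr not in local:
            findings.append((host, "not assigned locally; freebind hides typos"))
    return findings
```

In practice the address set would be collected from the running host after the network is up; here it is passed in so the check runs offline.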

Comment 2 Fedora Update System 2025-01-16 18:27:25 UTC
FEDORA-2025-0504e17592 (unbound-1.22.0-9.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-0504e17592

Comment 3 Fedora Update System 2025-01-20 14:58:58 UTC
FEDORA-2025-0504e17592 (unbound-1.22.0-9.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.

