Servers fail to bind to addresses at boot
up vote
7
down vote
favorite
I'm dealing with a known issue in RHEL 7 whereby services that specify an address to bind to will not start correctly. I've found a number of similar reports, many say they have been resolved with updates to systemd but I still face this problem. This affects all the services on my box (sshd, sshd, vsftpd, nginx) that don't just bind to 0.0.0.0.
I've found all sorts of supposed workarounds but none of them work for me consistently. Taking sshd as an example, config looks like this:
Port 22
ListenAddress 192.168.242.225
...
Here's what I've tried, alone and in combinations:
From https://bugzilla.redhat.com/show_bug.cgi?id=1352214#c4 (I've also tried sys-subsystem-net-devices-eth1.device in place of network-online.target but I suspect this doesn't wait for addressing to happen.)
mkdir /etc/systemd/system/sshd.service.d
tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
After=network-online.target
EOF
From https://bugzilla.redhat.com/show_bug.cgi?id=1352214#c11
mkdir /etc/systemd/system/sshd.service.d
tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF
From https://bugzilla.redhat.com/show_bug.cgi?id=1438749#c0
systemctl add-wants multi-user.target network.target
From somewhere
mkdir /etc/systemd/system/sshd.service.requires
ln -s /usr/lib/systemd/system/network-online.target /etc/systemd/system/sshd.service.requires/
No matter what I try, I usually end up with "error: bind to port 22 on 192.168.242.125 failed: Cannot assign requested address". Sometimes, everything starts up perfectly, which I am guessing is down to a timing issue.
Running Scientific Linux (RHEL) 7.5 and network manager is enabled, all IP addressing is static. If there are any other details that might help, please let me know. Here is the output of journalctl after a failed startup, with After=network-online.target in the sshd unit file. Relevant stuff starts down around line 1700. Hoping someone has come across this issue and solved it successfully!
systemd rhel7
asked Nov 24 at 0:08
miken32
369622
add a comment |
up vote
7
down vote
favorite
I'm dealing with a known issue in RHEL 7 whereby services that specify an address to bind to will not start correctly. I've found a number of similar reports, many say they have been resolved with updates to systemd but I still face this problem. This affects all the services on my box (sshd, sshd, vsftpd, nginx) that don't just bind to 0.0.0.0.
I've found all sorts of supposed workarounds but none of them work for me consistently. Taking sshd as an example, config looks like this:
Port 22
ListenAddress 192.168.242.225
...
Here's what I've tried, alone and in combinations:
From https://bugzilla.redhat.com/show_bug.cgi?id=1352214#c4 (I've also tried sys-subsystem-net-devices-eth1.device in place of network-online.target but I suspect this doesn't wait for addressing to happen.)
mkdir /etc/systemd/system/sshd.service.d
tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
After=network-online.target
EOF
From https://bugzilla.redhat.com/show_bug.cgi?id=1352214#c11
mkdir /etc/systemd/system/sshd.service.d
tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF
From https://bugzilla.redhat.com/show_bug.cgi?id=1438749#c0
systemctl add-wants multi-user.target network.target
From somewhere
mkdir /etc/systemd/system/sshd.service.requires
ln -s /usr/lib/systemd/system/network-online.target /etc/systemd/system/sshd.service.requires/
No matter what I try, I usually end up with "error: bind to port 22 on 192.168.242.125 failed: Cannot assign requested address". Sometimes, everything starts up perfectly, which I am guessing is down to a timing issue.
Running Scientific Linux (RHEL) 7.5 and network manager is enabled, all IP addressing is static. If there are any other details that might help, please let me know. Here is the output of journalctl after a failed startup, with After=network-online.target in the sshd unit file. Relevant stuff starts down around line 1700. Hoping someone has come across this issue and solved it successfully!
systemd rhel7
asked Nov 24 at 0:08
miken32
369622
add a comment |
up vote
7
down vote
favorite
up vote
7
down vote
favorite
I'm dealing with a known issue in RHEL 7 whereby services that specify an address to bind to will not start correctly. I've found a number of similar reports, many say they have been resolved with updates to systemd but I still face this problem. This affects all the services on my box (sshd, sshd, vsftpd, nginx) that don't just bind to 0.0.0.0.
I've found all sorts of supposed workarounds but none of them work for me consistently. Taking sshd as an example, config looks like this:
Port 22
ListenAddress 192.168.242.225
...
Here's what I've tried, alone and in combinations:
From https://bugzilla.redhat.com/show_bug.cgi?id=1352214#c4 (I've also tried sys-subsystem-net-devices-eth1.device in place of network-online.target but I suspect this doesn't wait for addressing to happen.)
mkdir /etc/systemd/system/sshd.service.d
tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
After=network-online.target
EOF
From https://bugzilla.redhat.com/show_bug.cgi?id=1352214#c11
mkdir /etc/systemd/system/sshd.service.d
tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF
From https://bugzilla.redhat.com/show_bug.cgi?id=1438749#c0
systemctl add-wants multi-user.target network.target
From somewhere
mkdir /etc/systemd/system/sshd.service.requires
ln -s /usr/lib/systemd/system/network-online.target /etc/systemd/system/sshd.service.requires/
No matter what I try, I usually end up with "error: bind to port 22 on 192.168.242.125 failed: Cannot assign requested address". Sometimes, everything starts up perfectly, which I am guessing is down to a timing issue.
Running Scientific Linux (RHEL) 7.5 and network manager is enabled, all IP addressing is static. If there are any other details that might help, please let me know. Here is the output of journalctl after a failed startup, with After=network-online.target in the sshd unit file. Relevant stuff starts down around line 1700. Hoping someone has come across this issue and solved it successfully!
systemd rhel7
asked Nov 24 at 0:08
miken32
369622
I'm dealing with a known issue in RHEL 7 whereby services that specify an address to bind to will not start correctly. I've found a number of similar reports, many say they have been resolved with updates to systemd but I still face this problem. This affects all the services on my box (sshd, sshd, vsftpd, nginx) that don't just bind to 0.0.0.0.
I've found all sorts of supposed workarounds but none of them work for me consistently. Taking sshd as an example, config looks like this:
Port 22
ListenAddress 192.168.242.225
...
Here's what I've tried, alone and in combinations:
From https://bugzilla.redhat.com/show_bug.cgi?id=1352214#c4 (I've also tried sys-subsystem-net-devices-eth1.device in place of network-online.target but I suspect this doesn't wait for addressing to happen.)
mkdir /etc/systemd/system/sshd.service.d
tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
After=network-online.target
EOF
From https://bugzilla.redhat.com/show_bug.cgi?id=1352214#c11
mkdir /etc/systemd/system/sshd.service.d
tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF
From https://bugzilla.redhat.com/show_bug.cgi?id=1438749#c0
systemctl add-wants multi-user.target network.target
From somewhere
mkdir /etc/systemd/system/sshd.service.requires
ln -s /usr/lib/systemd/system/network-online.target /etc/systemd/system/sshd.service.requires/
No matter what I try, I usually end up with "error: bind to port 22 on 192.168.242.125 failed: Cannot assign requested address". Sometimes, everything starts up perfectly, which I am guessing is down to a timing issue.
Running Scientific Linux (RHEL) 7.5 and network manager is enabled, all IP addressing is static. If there are any other details that might help, please let me know. Here is the output of journalctl after a failed startup, with After=network-online.target in the sshd unit file. Relevant stuff starts down around line 1700. Hoping someone has come across this issue and solved it successfully!
systemd rhel7
systemd rhel7
asked Nov 24 at 0:08
miken32
369622
asked Nov 24 at 0:08
miken32
369622
edited Nov 24 at 1:40
asked Nov 24 at 0:08
miken32
369622
asked Nov 24 at 0:08
miken32
369622
asked Nov 24 at 0:08
miken32
369622
369622
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
up vote
3
down vote
accepted
If you're using NetworkManager, then in order for network-online.target to work as expected, you need to enable service NetworkManager-wait-online.service, which is the one that actually waits for the network to be online to satisy that target.
The network-online.target needs to be "hooked" into your network manager (since NetworkManager is not the only alternative, there is also systemd-networkd which can be used to manage the network.)
For network-online.target to work with NetworkManager, you need to have a symlink under /etc/systemd/system/network-online.target.wants/ pointing to /usr/lib/systemd/system/NetworkManager-wait-online.service.
Which you can actually create by enabling that service:
$ sudo systemctl enable NetworkManager-wait-online.service
Created symlink from /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service to /usr/lib/systemd/system/NetworkManager-wait-online.service.
Once that's in place, dependencies on network-online.target should start working, waiting until NetworkManager is done bringing up all interfaces it's supposed to bring up at boot.
To help diagnose any issues with that setup, you might want to look at output of systemctl status network-online.target and systemctl status NetworkManager-wait-online.service as well, as they might have more clues about what is going on. (In particular, the timestamps might be helpful, if the daemons that depend on network-online.target are starting before NetworkManager-wait-online.service is finished, then you might have an issue with your configuration.)
Of the solutions you listed, I'd recommend this one:
# mkdir /etc/systemd/system/sshd.service.d
# tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF
Since network-online.target is the one you actually want (to ensure all IPs are up, etc.) and including Wants= makes sure its startup will be requested.
From the other methods, this one won't work: systemctl add-wants multi-user.target network.target, since it's not creating any dependencies between the services themselves (SSH daemon, etc.) and the network being fully up. It's just saying you want the network to be up...
And the one involving the /etc/systemd/system/sshd.service.requires/ directory is missing the After= dependency (which I believe is essential, and not implied by just having a .requires/ on it.) If you think Requires= is better than Wants= (it's stronger, causes the unit to fail if the dependency fails), then I'd recommend just using that in /etc/systemd/system/sshd.service.d/wait.conf instead, the override file is definitely a more flexible way to manage this configuration.
Adding a dependency on sys-subsystem-net-devices-eth1.device doesn't help either, since that only indicates that the device exists (from the point of view of udev), which says nothing about it being up and configured yet. So that's not an option either.
answered Nov 24 at 8:44
Filipe Brandenburger
32316
1
No symlink, and NetworkManager-wait-online.service is disabled. Going to enable and create the symlink. Hopefully you're on to something!
– miken32
Nov 24 at 19:20
1
Didn't even need to create the symlink. Output fromsystemctl enable NetworkManager-wait-online.servicewas "Created symlink from /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service to /usr/lib/systemd/system/NetworkManager-wait-online.service."
– miken32
Nov 24 at 20:27
1
That's done the trick, thanks. Not sure why that service is disabled by default.
– miken32
Nov 25 at 19:07
Great to hear this worked for you @miken32! I have reordered and rephrased the answer a little, since theNetworkManager-wait-online.servicepart was the most important one, I brought it first. I also incorporated your suggestion onsystemctl enableworking to activate it. Let me know if you think the answer can still be improved somehow. Cheers!
– Filipe Brandenburger
Nov 27 at 0:50
add a comment |
up vote
5
down vote
It may be better to not configure system services to listen on specific IP addresses, and to control access to them via the host firewall if necessary.
If you really need to be able to bind to specific IP addresses before they are configured on a network interface, you can work around the timing issue by setting the sysctl net.ipv4.ip_nonlocal_bind for IPv4 and the sysctl net.ipv6.ip_nonlocal_bind for IPv6. Services can then bind to IP addresses not configured on any network interface, but they will not be accessible until those IP addresses are configured on an interface.
answered Nov 24 at 1:54
Michael Hampton♦
163k26303614
1
For most of the services, listening on 0.0.0.0 would be fine, but nginx needs to run different services on different IP addresses. Are there any negative implications to allowing the services to attempt to bind to arbitrary IP addresses? (Assuming, of course, that the system administrator is halfway competent and doesn't configure services with bogus addresses!)
– miken32
Nov 24 at 1:59
It might be confusing if an admin isn't expecting it. It's not normally done to configure services this way. Most of the time it isn't necessary as a host usually isn't on two or more networks at once. In the case of a web server, configuring a specific IP address to listen on means that a virtual host is inaccessible from other IP addresses (including the localhost addresses), which can make host agent based monitoring tricky. Overall it's just something to be avoided unless you really, really have a need for it.
– Michael Hampton♦
Nov 24 at 2:05
This is a FreePBX box which includes a web-based administration tool and a user-facing portal. The "recommended" setup runs both these through the same virtual host, just sticks the admin stuff under an/admindirectory. But I do not want a web app running as the asterisk user on a public IP address! So I need a completely separate vhost, php-fpm instance, etc. Admin runs on the private IP, which we access via VPN, user portal runs on the public IP.
– miken32
Nov 24 at 2:11
1
Oh, well in that case... I'll buy you a beer, you're going to need it!
– Michael Hampton♦
Nov 24 at 2:14
1
Hmm. I think if I were you I would just make Apache listen on localhost, and stick a copy of nginx in front of it, make that public facing, and filter by URL and IP address/network in the nginx configuration. Then I wouldn't have to disturb FreePBX's Apache customizations much or at all.
– Michael Hampton♦
Nov 24 at 2:22
|
show 4 more comments
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
3
down vote
accepted
If you're using NetworkManager, then in order for network-online.target to work as expected, you need to enable service NetworkManager-wait-online.service, which is the one that actually waits for the network to be online to satisy that target.
The network-online.target needs to be "hooked" into your network manager (since NetworkManager is not the only alternative, there is also systemd-networkd which can be used to manage the network.)
For network-online.target to work with NetworkManager, you need to have a symlink under /etc/systemd/system/network-online.target.wants/ pointing to /usr/lib/systemd/system/NetworkManager-wait-online.service.
Which you can actually create by enabling that service:
$ sudo systemctl enable NetworkManager-wait-online.service
Created symlink from /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service to /usr/lib/systemd/system/NetworkManager-wait-online.service.
Once that's in place, dependencies on network-online.target should start working, waiting until NetworkManager is done bringing up all interfaces it's supposed to bring up at boot.
To help diagnose any issues with that setup, you might want to look at output of systemctl status network-online.target and systemctl status NetworkManager-wait-online.service as well, as they might have more clues about what is going on. (In particular, the timestamps might be helpful, if the daemons that depend on network-online.target are starting before NetworkManager-wait-online.service is finished, then you might have an issue with your configuration.)
Of the solutions you listed, I'd recommend this one:
# mkdir /etc/systemd/system/sshd.service.d
# tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF
Since network-online.target is the one you actually want (to ensure all IPs are up, etc.) and including Wants= makes sure its startup will be requested.
From the other methods, this one won't work: systemctl add-wants multi-user.target network.target, since it's not creating any dependencies between the services themselves (SSH daemon, etc.) and the network being fully up. It's just saying you want the network to be up...
And the one involving the /etc/systemd/system/sshd.service.requires/ directory is missing the After= dependency (which I believe is essential, and not implied by just having a .requires/ on it.) If you think Requires= is better than Wants= (it's stronger, causes the unit to fail if the dependency fails), then I'd recommend just using that in /etc/systemd/system/sshd.service.d/wait.conf instead, the override file is definitely a more flexible way to manage this configuration.
Adding a dependency on sys-subsystem-net-devices-eth1.device doesn't help either, since that only indicates that the device exists (from the point of view of udev), which says nothing about it being up and configured yet. So that's not an option either.
answered Nov 24 at 8:44
Filipe Brandenburger
32316
1
No symlink, and NetworkManager-wait-online.service is disabled. Going to enable and create the symlink. Hopefully you're on to something!
– miken32
Nov 24 at 19:20
1
Didn't even need to create the symlink. Output fromsystemctl enable NetworkManager-wait-online.servicewas "Created symlink from /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service to /usr/lib/systemd/system/NetworkManager-wait-online.service."
– miken32
Nov 24 at 20:27
1
That's done the trick, thanks. Not sure why that service is disabled by default.
– miken32
Nov 25 at 19:07
Great to hear this worked for you @miken32! I have reordered and rephrased the answer a little, since theNetworkManager-wait-online.servicepart was the most important one, I brought it first. I also incorporated your suggestion onsystemctl enableworking to activate it. Let me know if you think the answer can still be improved somehow. Cheers!
– Filipe Brandenburger
Nov 27 at 0:50
add a comment |
up vote
3
down vote
accepted
If you're using NetworkManager, then in order for network-online.target to work as expected, you need to enable service NetworkManager-wait-online.service, which is the one that actually waits for the network to be online to satisy that target.
The network-online.target needs to be "hooked" into your network manager (since NetworkManager is not the only alternative, there is also systemd-networkd which can be used to manage the network.)
For network-online.target to work with NetworkManager, you need to have a symlink under /etc/systemd/system/network-online.target.wants/ pointing to /usr/lib/systemd/system/NetworkManager-wait-online.service.
Which you can actually create by enabling that service:
$ sudo systemctl enable NetworkManager-wait-online.service
Created symlink from /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service to /usr/lib/systemd/system/NetworkManager-wait-online.service.
Once that's in place, dependencies on network-online.target should start working, waiting until NetworkManager is done bringing up all interfaces it's supposed to bring up at boot.
To help diagnose any issues with that setup, you might want to look at output of systemctl status network-online.target and systemctl status NetworkManager-wait-online.service as well, as they might have more clues about what is going on. (In particular, the timestamps might be helpful, if the daemons that depend on network-online.target are starting before NetworkManager-wait-online.service is finished, then you might have an issue with your configuration.)
Of the solutions you listed, I'd recommend this one:
# mkdir /etc/systemd/system/sshd.service.d
# tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF
Since network-online.target is the one you actually want (to ensure all IPs are up, etc.) and including Wants= makes sure its startup will be requested.
From the other methods, this one won't work: systemctl add-wants multi-user.target network.target, since it's not creating any dependencies between the services themselves (SSH daemon, etc.) and the network being fully up. It's just saying you want the network to be up...
And the one involving the /etc/systemd/system/sshd.service.requires/ directory is missing the After= dependency (which I believe is essential, and not implied by just having a .requires/ on it.) If you think Requires= is better than Wants= (it's stronger, causes the unit to fail if the dependency fails), then I'd recommend just using that in /etc/systemd/system/sshd.service.d/wait.conf instead, the override file is definitely a more flexible way to manage this configuration.
Adding a dependency on sys-subsystem-net-devices-eth1.device doesn't help either, since that only indicates that the device exists (from the point of view of udev), which says nothing about it being up and configured yet. So that's not an option either.
answered Nov 24 at 8:44
Filipe Brandenburger
32316
1
No symlink, and NetworkManager-wait-online.service is disabled. Going to enable and create the symlink. Hopefully you're on to something!
– miken32
Nov 24 at 19:20
1
Didn't even need to create the symlink. Output fromsystemctl enable NetworkManager-wait-online.servicewas "Created symlink from /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service to /usr/lib/systemd/system/NetworkManager-wait-online.service."
– miken32
Nov 24 at 20:27
1
That's done the trick, thanks. Not sure why that service is disabled by default.
– miken32
Nov 25 at 19:07
Great to hear this worked for you @miken32! I have reordered and rephrased the answer a little, since theNetworkManager-wait-online.servicepart was the most important one, I brought it first. I also incorporated your suggestion onsystemctl enableworking to activate it. Let me know if you think the answer can still be improved somehow. Cheers!
– Filipe Brandenburger
Nov 27 at 0:50
add a comment |
up vote
3
down vote
accepted
up vote
3
down vote
accepted
If you're using NetworkManager, then in order for network-online.target to work as expected, you need to enable service NetworkManager-wait-online.service, which is the one that actually waits for the network to be online to satisy that target.
The network-online.target needs to be "hooked" into your network manager (since NetworkManager is not the only alternative, there is also systemd-networkd which can be used to manage the network.)
For network-online.target to work with NetworkManager, you need to have a symlink under /etc/systemd/system/network-online.target.wants/ pointing to /usr/lib/systemd/system/NetworkManager-wait-online.service.
Which you can actually create by enabling that service:
$ sudo systemctl enable NetworkManager-wait-online.service
Created symlink from /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service to /usr/lib/systemd/system/NetworkManager-wait-online.service.
Once that's in place, dependencies on network-online.target should start working, waiting until NetworkManager is done bringing up all interfaces it's supposed to bring up at boot.
To help diagnose any issues with that setup, you might want to look at output of systemctl status network-online.target and systemctl status NetworkManager-wait-online.service as well, as they might have more clues about what is going on. (In particular, the timestamps might be helpful, if the daemons that depend on network-online.target are starting before NetworkManager-wait-online.service is finished, then you might have an issue with your configuration.)
Of the solutions you listed, I'd recommend this one:
# mkdir /etc/systemd/system/sshd.service.d
# tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF
Since network-online.target is the one you actually want (to ensure all IPs are up, etc.) and including Wants= makes sure its startup will be requested.
From the other methods, this one won't work: systemctl add-wants multi-user.target network.target, since it's not creating any dependencies between the services themselves (SSH daemon, etc.) and the network being fully up. It's just saying you want the network to be up...
And the one involving the /etc/systemd/system/sshd.service.requires/ directory is missing the After= dependency (which I believe is essential, and not implied by just having a .requires/ on it.) If you think Requires= is better than Wants= (it's stronger, causes the unit to fail if the dependency fails), then I'd recommend just using that in /etc/systemd/system/sshd.service.d/wait.conf instead, the override file is definitely a more flexible way to manage this configuration.
Adding a dependency on sys-subsystem-net-devices-eth1.device doesn't help either, since that only indicates that the device exists (from the point of view of udev), which says nothing about it being up and configured yet. So that's not an option either.
answered Nov 24 at 8:44
Filipe Brandenburger
32316
If you're using NetworkManager, then in order for network-online.target to work as expected, you need to enable service NetworkManager-wait-online.service, which is the one that actually waits for the network to be online to satisy that target.
The network-online.target needs to be "hooked" into your network manager (since NetworkManager is not the only alternative, there is also systemd-networkd which can be used to manage the network.)
For network-online.target to work with NetworkManager, you need to have a symlink under /etc/systemd/system/network-online.target.wants/ pointing to /usr/lib/systemd/system/NetworkManager-wait-online.service.
Which you can actually create by enabling that service:
$ sudo systemctl enable NetworkManager-wait-online.service
Created symlink from /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service to /usr/lib/systemd/system/NetworkManager-wait-online.service.
Once that's in place, dependencies on network-online.target should start working, waiting until NetworkManager is done bringing up all interfaces it's supposed to bring up at boot.
To help diagnose any issues with that setup, you might want to look at output of systemctl status network-online.target and systemctl status NetworkManager-wait-online.service as well, as they might have more clues about what is going on. (In particular, the timestamps might be helpful, if the daemons that depend on network-online.target are starting before NetworkManager-wait-online.service is finished, then you might have an issue with your configuration.)
Of the solutions you listed, I'd recommend this one:
# mkdir /etc/systemd/system/sshd.service.d
# tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF
Since network-online.target is the one you actually want (to ensure all IPs are up, etc.) and including Wants= makes sure its startup will be requested.
From the other methods, this one won't work: systemctl add-wants multi-user.target network.target, since it's not creating any dependencies between the services themselves (SSH daemon, etc.) and the network being fully up. It's just saying you want the network to be up...
And the one involving the /etc/systemd/system/sshd.service.requires/ directory is missing the After= dependency (which I believe is essential, and not implied by just having a .requires/ on it.) If you think Requires= is better than Wants= (it's stronger, causes the unit to fail if the dependency fails), then I'd recommend just using that in /etc/systemd/system/sshd.service.d/wait.conf instead, the override file is definitely a more flexible way to manage this configuration.
Adding a dependency on sys-subsystem-net-devices-eth1.device doesn't help either, since that only indicates that the device exists (from the point of view of udev), which says nothing about it being up and configured yet. So that's not an option either.
answered Nov 24 at 8:44
Filipe Brandenburger
32316
edited Nov 27 at 0:49
answered Nov 24 at 8:44
Filipe Brandenburger
32316
answered Nov 24 at 8:44
Filipe Brandenburger
32316
answered Nov 24 at 8:44
Filipe Brandenburger
32316
32316
1
No symlink, and NetworkManager-wait-online.service is disabled. Going to enable and create the symlink. Hopefully you're on to something!
– miken32
Nov 24 at 19:20
1
Didn't even need to create the symlink. Output fromsystemctl enable NetworkManager-wait-online.servicewas "Created symlink from /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service to /usr/lib/systemd/system/NetworkManager-wait-online.service."
– miken32
Nov 24 at 20:27
1
That's done the trick, thanks. Not sure why that service is disabled by default.
– miken32
Nov 25 at 19:07
Great to hear this worked for you @miken32! I have reordered and rephrased the answer a little, since theNetworkManager-wait-online.servicepart was the most important one, I brought it first. I also incorporated your suggestion onsystemctl enableworking to activate it. Let me know if you think the answer can still be improved somehow. Cheers!
– Filipe Brandenburger
Nov 27 at 0:50
add a comment |
1
No symlink, and NetworkManager-wait-online.service is disabled. Going to enable and create the symlink. Hopefully you're on to something!
– miken32
Nov 24 at 19:20
1
Didn't even need to create the symlink. Output fromsystemctl enable NetworkManager-wait-online.servicewas "Created symlink from /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service to /usr/lib/systemd/system/NetworkManager-wait-online.service."
– miken32
Nov 24 at 20:27
1
That's done the trick, thanks. Not sure why that service is disabled by default.
– miken32
Nov 25 at 19:07
Great to hear this worked for you @miken32! I have reordered and rephrased the answer a little, since theNetworkManager-wait-online.servicepart was the most important one, I brought it first. I also incorporated your suggestion onsystemctl enableworking to activate it. Let me know if you think the answer can still be improved somehow. Cheers!
– Filipe Brandenburger
Nov 27 at 0:50
1
1
No symlink, and NetworkManager-wait-online.service is disabled. Going to enable and create the symlink. Hopefully you're on to something!
– miken32
Nov 24 at 19:20
No symlink, and NetworkManager-wait-online.service is disabled. Going to enable and create the symlink. Hopefully you're on to something!
– miken32
Nov 24 at 19:20
1
1
Didn't even need to create the symlink. Output from
systemctl enable NetworkManager-wait-online.service was "Created symlink from /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service to /usr/lib/systemd/system/NetworkManager-wait-online.service."– miken32
Nov 24 at 20:27
Didn't even need to create the symlink. Output from
systemctl enable NetworkManager-wait-online.service was "Created symlink from /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service to /usr/lib/systemd/system/NetworkManager-wait-online.service."– miken32
Nov 24 at 20:27
1
1
That's done the trick, thanks. Not sure why that service is disabled by default.
– miken32
Nov 25 at 19:07
That's done the trick, thanks. Not sure why that service is disabled by default.
– miken32
Nov 25 at 19:07
Great to hear this worked for you @miken32! I have reordered and rephrased the answer a little, since the
NetworkManager-wait-online.service part was the most important one, I brought it first. I also incorporated your suggestion on systemctl enable working to activate it. Let me know if you think the answer can still be improved somehow. Cheers!– Filipe Brandenburger
Nov 27 at 0:50
Great to hear this worked for you @miken32! I have reordered and rephrased the answer a little, since the
NetworkManager-wait-online.service part was the most important one, I brought it first. I also incorporated your suggestion on systemctl enable working to activate it. Let me know if you think the answer can still be improved somehow. Cheers!– Filipe Brandenburger
Nov 27 at 0:50
add a comment |
up vote
5
down vote
It may be better to not configure system services to listen on specific IP addresses, and to control access to them via the host firewall if necessary.
If you really need to be able to bind to specific IP addresses before they are configured on a network interface, you can work around the timing issue by setting the sysctl net.ipv4.ip_nonlocal_bind for IPv4 and the sysctl net.ipv6.ip_nonlocal_bind for IPv6. Services can then bind to IP addresses not configured on any network interface, but they will not be accessible until those IP addresses are configured on an interface.
answered Nov 24 at 1:54
Michael Hampton♦
163k26303614
1
For most of the services, listening on 0.0.0.0 would be fine, but nginx needs to run different services on different IP addresses. Are there any negative implications to allowing the services to attempt to bind to arbitrary IP addresses? (Assuming, of course, that the system administrator is halfway competent and doesn't configure services with bogus addresses!)
– miken32
Nov 24 at 1:59
It might be confusing if an admin isn't expecting it. It's not normally done to configure services this way. Most of the time it isn't necessary as a host usually isn't on two or more networks at once. In the case of a web server, configuring a specific IP address to listen on means that a virtual host is inaccessible from other IP addresses (including the localhost addresses), which can make host agent based monitoring tricky. Overall it's just something to be avoided unless you really, really have a need for it.
– Michael Hampton♦
Nov 24 at 2:05
This is a FreePBX box which includes a web-based administration tool and a user-facing portal. The "recommended" setup runs both these through the same virtual host, just sticks the admin stuff under an/admindirectory. But I do not want a web app running as the asterisk user on a public IP address! So I need a completely separate vhost, php-fpm instance, etc. Admin runs on the private IP, which we access via VPN, user portal runs on the public IP.
– miken32
Nov 24 at 2:11
1
Oh, well in that case... I'll buy you a beer, you're going to need it!
– Michael Hampton♦
Nov 24 at 2:14
1
Hmm. I think if I were you I would just make Apache listen on localhost, and stick a copy of nginx in front of it, make that public facing, and filter by URL and IP address/network in the nginx configuration. Then I wouldn't have to disturb FreePBX's Apache customizations much or at all.
– Michael Hampton♦
Nov 24 at 2:22
|
show 4 more comments
up vote
5
down vote
It may be better to not configure system services to listen on specific IP addresses, and to control access to them via the host firewall if necessary.
If you really need to be able to bind to specific IP addresses before they are configured on a network interface, you can work around the timing issue by setting the sysctl net.ipv4.ip_nonlocal_bind for IPv4 and the sysctl net.ipv6.ip_nonlocal_bind for IPv6. Services can then bind to IP addresses not configured on any network interface, but they will not be accessible until those IP addresses are configured on an interface.
answered Nov 24 at 1:54
Michael Hampton♦
163k26303614
1
For most of the services, listening on 0.0.0.0 would be fine, but nginx needs to run different services on different IP addresses. Are there any negative implications to allowing the services to attempt to bind to arbitrary IP addresses? (Assuming, of course, that the system administrator is halfway competent and doesn't configure services with bogus addresses!)
– miken32
Nov 24 at 1:59
It might be confusing if an admin isn't expecting it. It's not normally done to configure services this way. Most of the time it isn't necessary as a host usually isn't on two or more networks at once. In the case of a web server, configuring a specific IP address to listen on means that a virtual host is inaccessible from other IP addresses (including the localhost addresses), which can make host agent based monitoring tricky. Overall it's just something to be avoided unless you really, really have a need for it.
– Michael Hampton♦
Nov 24 at 2:05
This is a FreePBX box which includes a web-based administration tool and a user-facing portal. The "recommended" setup runs both these through the same virtual host, just sticks the admin stuff under an/admindirectory. But I do not want a web app running as the asterisk user on a public IP address! So I need a completely separate vhost, php-fpm instance, etc. Admin runs on the private IP, which we access via VPN, user portal runs on the public IP.
– miken32
Nov 24 at 2:11
1
Oh, well in that case... I'll buy you a beer, you're going to need it!
– Michael Hampton♦
Nov 24 at 2:14
1
Hmm. I think if I were you I would just make Apache listen on localhost, and stick a copy of nginx in front of it, make that public facing, and filter by URL and IP address/network in the nginx configuration. Then I wouldn't have to disturb FreePBX's Apache customizations much or at all.
– Michael Hampton♦
Nov 24 at 2:22
|
show 4 more comments
up vote
5
down vote
up vote
5
down vote
It may be better to not configure system services to listen on specific IP addresses, and to control access to them via the host firewall if necessary.
If you really need to be able to bind to specific IP addresses before they are configured on a network interface, you can work around the timing issue by setting the sysctl net.ipv4.ip_nonlocal_bind for IPv4 and the sysctl net.ipv6.ip_nonlocal_bind for IPv6. Services can then bind to IP addresses not configured on any network interface, but they will not be accessible until those IP addresses are configured on an interface.
answered Nov 24 at 1:54
Michael Hampton♦
163k26303614
It may be better to not configure system services to listen on specific IP addresses, and to control access to them via the host firewall if necessary.
If you really need to be able to bind to specific IP addresses before they are configured on a network interface, you can work around the timing issue by setting the sysctl net.ipv4.ip_nonlocal_bind for IPv4 and the sysctl net.ipv6.ip_nonlocal_bind for IPv6. Services can then bind to IP addresses not configured on any network interface, but they will not be accessible until those IP addresses are configured on an interface.
answered Nov 24 at 1:54
Michael Hampton♦
163k26303614
answered Nov 24 at 1:54
Michael Hampton♦
163k26303614
answered Nov 24 at 1:54
Michael Hampton♦
163k26303614
answered Nov 24 at 1:54
Michael Hampton♦
163k26303614
163k26303614
1
For most of the services, listening on 0.0.0.0 would be fine, but nginx needs to run different services on different IP addresses. Are there any negative implications to allowing the services to attempt to bind to arbitrary IP addresses? (Assuming, of course, that the system administrator is halfway competent and doesn't configure services with bogus addresses!)
– miken32
Nov 24 at 1:59
It might be confusing if an admin isn't expecting it. It's not normally done to configure services this way. Most of the time it isn't necessary as a host usually isn't on two or more networks at once. In the case of a web server, configuring a specific IP address to listen on means that a virtual host is inaccessible from other IP addresses (including the localhost addresses), which can make host agent based monitoring tricky. Overall it's just something to be avoided unless you really, really have a need for it.
– Michael Hampton♦
Nov 24 at 2:05
This is a FreePBX box which includes a web-based administration tool and a user-facing portal. The "recommended" setup runs both these through the same virtual host, just sticks the admin stuff under an/admindirectory. But I do not want a web app running as the asterisk user on a public IP address! So I need a completely separate vhost, php-fpm instance, etc. Admin runs on the private IP, which we access via VPN, user portal runs on the public IP.
– miken32
Nov 24 at 2:11
1
Oh, well in that case... I'll buy you a beer, you're going to need it!
– Michael Hampton♦
Nov 24 at 2:14
1
Hmm. I think if I were you I would just make Apache listen on localhost, and stick a copy of nginx in front of it, make that public facing, and filter by URL and IP address/network in the nginx configuration. Then I wouldn't have to disturb FreePBX's Apache customizations much or at all.
– Michael Hampton♦
Nov 24 at 2:22
|
show 4 more comments
1
For most of the services, listening on 0.0.0.0 would be fine, but nginx needs to run different services on different IP addresses. Are there any negative implications to allowing the services to attempt to bind to arbitrary IP addresses? (Assuming, of course, that the system administrator is halfway competent and doesn't configure services with bogus addresses!)
– miken32
Nov 24 at 1:59
It might be confusing if an admin isn't expecting it. It's not normally done to configure services this way. Most of the time it isn't necessary as a host usually isn't on two or more networks at once. In the case of a web server, configuring a specific IP address to listen on means that a virtual host is inaccessible from other IP addresses (including the localhost addresses), which can make host agent based monitoring tricky. Overall it's just something to be avoided unless you really, really have a need for it.
– Michael Hampton♦
Nov 24 at 2:05
This is a FreePBX box which includes a web-based administration tool and a user-facing portal. The "recommended" setup runs both these through the same virtual host, just sticks the admin stuff under an/admindirectory. But I do not want a web app running as the asterisk user on a public IP address! So I need a completely separate vhost, php-fpm instance, etc. Admin runs on the private IP, which we access via VPN, user portal runs on the public IP.
– miken32
Nov 24 at 2:11
1
Oh, well in that case... I'll buy you a beer, you're going to need it!
– Michael Hampton♦
Nov 24 at 2:14
1
Hmm. I think if I were you I would just make Apache listen on localhost, and stick a copy of nginx in front of it, make that public facing, and filter by URL and IP address/network in the nginx configuration. Then I wouldn't have to disturb FreePBX's Apache customizations much or at all.
– Michael Hampton♦
Nov 24 at 2:22
1
1
For most of the services, listening on 0.0.0.0 would be fine, but nginx needs to run different services on different IP addresses. Are there any negative implications to allowing the services to attempt to bind to arbitrary IP addresses? (Assuming, of course, that the system administrator is halfway competent and doesn't configure services with bogus addresses!)
– miken32
Nov 24 at 1:59
For most of the services, listening on 0.0.0.0 would be fine, but nginx needs to run different services on different IP addresses. Are there any negative implications to allowing the services to attempt to bind to arbitrary IP addresses? (Assuming, of course, that the system administrator is halfway competent and doesn't configure services with bogus addresses!)
– miken32
Nov 24 at 1:59
It might be confusing if an admin isn't expecting it. It's not normally done to configure services this way. Most of the time it isn't necessary as a host usually isn't on two or more networks at once. In the case of a web server, configuring a specific IP address to listen on means that a virtual host is inaccessible from other IP addresses (including the localhost addresses), which can make host agent based monitoring tricky. Overall it's just something to be avoided unless you really, really have a need for it.
– Michael Hampton♦
Nov 24 at 2:05
It might be confusing if an admin isn't expecting it. It's not normally done to configure services this way. Most of the time it isn't necessary as a host usually isn't on two or more networks at once. In the case of a web server, configuring a specific IP address to listen on means that a virtual host is inaccessible from other IP addresses (including the localhost addresses), which can make host agent based monitoring tricky. Overall it's just something to be avoided unless you really, really have a need for it.
– Michael Hampton♦
Nov 24 at 2:05
This is a FreePBX box which includes a web-based administration tool and a user-facing portal. The "recommended" setup runs both these through the same virtual host, just sticks the admin stuff under an
/admin directory. But I do not want a web app running as the asterisk user on a public IP address! So I need a completely separate vhost, php-fpm instance, etc. Admin runs on the private IP, which we access via VPN, user portal runs on the public IP.– miken32
Nov 24 at 2:11
This is a FreePBX box which includes a web-based administration tool and a user-facing portal. The "recommended" setup runs both these through the same virtual host, just sticks the admin stuff under an
/admin directory. But I do not want a web app running as the asterisk user on a public IP address! So I need a completely separate vhost, php-fpm instance, etc. Admin runs on the private IP, which we access via VPN, user portal runs on the public IP.– miken32
Nov 24 at 2:11
1
1
Oh, well in that case... I'll buy you a beer, you're going to need it!
– Michael Hampton♦
Nov 24 at 2:14
Oh, well in that case... I'll buy you a beer, you're going to need it!
– Michael Hampton♦
Nov 24 at 2:14
1
1
Hmm. I think if I were you I would just make Apache listen on localhost, and stick a copy of nginx in front of it, make that public facing, and filter by URL and IP address/network in the nginx configuration. Then I wouldn't have to disturb FreePBX's Apache customizations much or at all.
– Michael Hampton♦
Nov 24 at 2:22
Hmm. I think if I were you I would just make Apache listen on localhost, and stick a copy of nginx in front of it, make that public facing, and filter by URL and IP address/network in the nginx configuration. Then I wouldn't have to disturb FreePBX's Apache customizations much or at all.
– Michael Hampton♦
Nov 24 at 2:22
|
show 4 more comments
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f941421%2fservers-fail-to-bind-to-addresses-at-boot%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
