FS#31170 - fail2ban systemd unit fails to start

Attached to Project: Community Packages
Opened by Spyros Stathopoulos (Foucault) - Friday, 17 August 2012, 14:05 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Sunday, 26 August 2012, 05:45 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Bartłomiej Piotrowski (Barthalion)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:
Since 0.8.7.1-2 fail2ban includes a systemd unit. After activating it I tried to start it (systemctl start fail2ban.service); however, the command takes a long time and returns

Job failed. See system journal and 'systemctl status' for details.

systemctl status fail2ban.service gives me

# systemctl status fail2ban.service
fail2ban.service - Ban IPs that make too many password failures
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled)
Active: failed (Result: timeout) since Fri, 17 Aug 2012 17:00:37 +0300; 22s ago
Process: 5697 ExecStart=/usr/bin/fail2ban-client start (code=exited, status=0/SUCCESS)
Main PID: 3691 (code=exited, status=255)
CGroup: name=systemd:/system/fail2ban.service

Steps to reproduce:
* Install fail2ban 0.8.7.1-2
* Activate the unit
* Start the unit

Further information:
I've noticed that after changing the service type to simple, the systemctl start command succeeds, but after a while the fail2ban daemon exits again with error 255. The standalone commands /usr/bin/fail2ban-client start/stop seem to work as expected according to the fail2ban logs.

Closed by  Bartłomiej Piotrowski (Barthalion)
Sunday, 26 August 2012, 05:45 GMT
Reason for closing:  Fixed
Comment by Spyros Stathopoulos (Foucault) - Saturday, 18 August 2012, 10:38 GMT
OK, I think I got that. It seems that fail2ban requires the presence of the /var/run/fail2ban folder before the daemon starts. Changing the fail2ban.service [Service] section to this seems to allow the daemon to start properly during boot.

[Service]
Type=forking
ExecStartPre=/bin/mkdir -p /var/run/fail2ban
ExecStart=/usr/bin/fail2ban-client start
ExecReload=/usr/bin/fail2ban-client reload
ExecStop=/usr/bin/fail2ban-client stop
ExecStopPost=/bin/rmdir /var/run/fail2ban
PIDFile=/var/run/fail2ban/fail2ban.pid

I've also attached the .service file.
Comment by Dave Reisner (falconindy) - Saturday, 18 August 2012, 12:40 GMT
This is the wrong way to create directories. tmpfiles.d should be used instead.
Comment by Spyros Stathopoulos (Foucault) - Saturday, 18 August 2012, 13:05 GMT
Sorry, I'm afraid I don't know the internals of systemd well yet. I've only been using it for a couple of weeks now. Creating the file /usr/lib/tmpfiles.d/fail2ban.conf with contents

d /var/run/fail2ban 0755 root root - -

instead of adding the StartPre/StopPost lines in fail2ban.service seems to produce the same results indeed. At boot time the required directory is created as one would expect.
Comment by Jimmy L. (dvisor) - Monday, 20 August 2012, 07:52 GMT
I've noticed that there's also a mistake in file /usr/lib/systemd/system/fail2ban.service where it states that PIDFile=/run/fail2ban.pid and it is supposed to be located at /var/run/fail2ban/fail2ban.pid

So in order to fix the whole problem I did the following:

STEP 1: Similar to Spyros's solution, we need to create a conf file that creates a tmpfile; however, in my case I followed another example (taken from MySQL), so I created the following file: /etc/tmpfiles.d/fail2ban.conf and added the following line to it:

D /var/run/fail2ban 0755 root root -

STEP 2: Edit /usr/lib/systemd/system/fail2ban.service
Change "PIDFile=/run/fail2ban.pid"
to "PIDFile=/var/run/fail2ban/fail2ban.pid"

STEP 3: Next we need to actually create the tmpfile specified in step 1; for that we reboot the system or issue the following command:
# systemd-tmpfiles --create fail2ban.conf

STEP 4: Now test your service:
# systemctl start fail2ban

I did receive the following warning:
Warning: Unit file of created job changed on disk, 'systemctl --system daemon-reload' recommended.

So I did as instructed

Finally you may enable the service by issuing the following command:
# systemctl enable fail2ban.service


It doesn't hurt to mention that I beg your pardon as English is not my native language; I hope it is clear enough for you to understand.
Comment by Bartłomiej Piotrowski (Barthalion) - Wednesday, 22 August 2012, 05:08 GMT
Right, sorry guys I didn't test it before pushing -- now I switched to systemd on my VPS too.

After your changes systemd still returns "failed" with reason "timeout", but fail2ban starts correctly (for a while).
You can check fail2ban from [community-testing], maybe it's PEBKAC. ;)
Comment by Matthew Gyurgyik (pyther) - Saturday, 25 August 2012, 22:13 GMT
In the current package from testing (fail2ban 0.8.7.1-3) /usr/lib/systemd/system/fail2ban.service is still incorrect.

PIDFile=/var/run/fail2ban.pid

needs to be changed to either

PIDFile=/run/fail2ban/fail2ban.pid
or
PIDFile=/var/run/fail2ban/fail2ban.pid

This fixes the problem completely.
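
Added example, not part of the ticket or of the fail2ban package: a shell check for the two mismatches discussed in this thread, a PIDFile= that differs from the path the daemon writes and a runtime directory that no tmpfiles.d entry creates. It assumes the daemon writes /var/run/fail2ban/fail2ban.pid as stated in the comments above; the function names and the sample unit and tmpfiles text are constructed for illustration.

```shell
# Added example (not from the ticket): check that a unit's PIDFile= matches the
# path the daemon writes and that tmpfiles.d creates its runtime directory.

# /var/run is a symlink to /run on systemd systems; compare paths in /run form.
norm_run() {
    case "$1" in
        /var/run/*) printf '/run/%s\n' "${1#/var/run/}" ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# Print the PIDFile= value from the [Service] section of unit text on stdin.
unit_pidfile() {
    awk '/^\[/ { svc = ($0 == "[Service]"); next }
         svc && /^PIDFile=/ { sub(/^PIDFile=/, ""); v = $0 }
         END { if (v != "") print v }'
}

# Succeed if tmpfiles.d text on stdin has a d or D line for directory $1.
tmpfiles_creates() {
    want=$(norm_run "$1")
    while read -r ttype tpath rest; do
        case "$ttype" in d|D) ;; *) continue ;; esac
        [ "$(norm_run "$tpath")" = "$want" ] && return 0
    done
    return 1
}

# check_unit UNIT_TEXT TMPFILES_TEXT DAEMON_PIDFILE: print a one-line verdict.
check_unit() {
    pid=$(printf '%s\n' "$1" | unit_pidfile)
    [ -n "$pid" ] || { echo "no-pidfile"; return 2; }
    pid=$(norm_run "$pid"); dir=$(dirname "$pid")
    [ "$pid" = "$(norm_run "$3")" ] || { echo "pidfile-mismatch:$pid"; return 1; }
    if [ "$dir" != /run ] && ! printf '%s\n' "$2" | tmpfiles_creates "$dir"; then
        echo "missing-dir:$dir"; return 1
    fi
    echo "ok:$pid"
}

# Constructed inputs built from the values quoted in the thread.
DAEMON_PID=/var/run/fail2ban/fail2ban.pid
UNIT_TESTING=$(printf '[Service]\nType=forking\nPIDFile=/var/run/fail2ban.pid')
UNIT_FIXED=$(printf '[Service]\nType=forking\nPIDFile=/run/fail2ban/fail2ban.pid')
TMPFILES='d /var/run/fail2ban 0755 root root - -'

check_unit "$UNIT_TESTING" "$TMPFILES" "$DAEMON_PID" || :   # PIDFile mismatch
check_unit "$UNIT_FIXED" "" "$DAEMON_PID" || :               # directory not declared
check_unit "$UNIT_FIXED" "$TMPFILES" "$DAEMON_PID"
```

A verdict other than "ok" means systemd would wait for a PID file that never appears where it looks, which is the start timeout reported in this ticket, and the ban daemon would not be supervised.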
