FS#31170 - fail2ban systemd unit fails to start
Attached to Project:
Community Packages
Opened by Spyros Stathopoulos (Foucault) - Friday, 17 August 2012, 14:05 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Sunday, 26 August 2012, 05:45 GMT
Details
Description:
Since 0.8.7.1-2 fail2ban includes a systemd unit. After activating it I have tried to start it (systemctl start fail2ban.service), however the command takes a long time and returns

Job failed. See system journal and 'systemctl status' for details.

systemctl status fail2ban.service gives me

# systemctl status fail2ban.service
fail2ban.service - Ban IPs that make too many password failures
    Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled)
    Active: failed (Result: timeout) since Fri, 17 Aug 2012 17:00:37 +0300; 22s ago
    Process: 5697 ExecStart=/usr/bin/fail2ban-client start (code=exited, status=0/SUCCESS)
    Main PID: 3691 (code=exited, status=255)
    CGroup: name=systemd:/system/fail2ban.service

Steps to reproduce:
* Install fail2ban 0.8.7.1-2
* Activate the unit
* Start the unit

Further information:
I've noticed that changing the service type to simple the systemctl start command succeeds, but after a while the fail2ban daemon exits again with error 255. The standalone commands /usr/bin/fail2ban-client start/stop seem to work as expected according to the fail2ban logs.
Closed by Bartłomiej Piotrowski (Barthalion)
Sunday, 26 August 2012, 05:45 GMT
Reason for closing: Fixed
[Service]
Type=forking
ExecStartPre=/bin/mkdir -p /var/run/fail2ban
ExecStart=/usr/bin/fail2ban-client start
ExecReload=/usr/bin/fail2ban-client reload
ExecStop=/usr/bin/fail2ban-client stop
ExecStopPost=/bin/rmdir /var/run/fail2ban
PIDFile=/var/run/fail2ban/fail2ban.pid
I've also attached the .service file.
d /var/run/fail2ban 0755 root root - -
instead of adding the StartPre/StopPost lines in fail2ban.service seems to produce the same results indeed. On boot time the required directory is created as one would expect.
So in order to fix the whole problem I did the following:
STEP 1: Similar to Spyros's solution we need to create a conf file that creates a tmpfile, however in my case I followed another example (taken from MySQL) so I created the following file: /etc/tmpfiles.d/fail2ban.conf and added the following line to it:
D /var/run/fail2ban 0755 root root -
STEP 2: Edit /usr/lib/systemd/system/fail2ban.service
change "PIDFile=/run/fail2ban.pid"
For "PIDFile=/var/run/fail2ban/fail2ban.pid"
STEP 3: Next we need to actually create the tmpfile instructed on step 1, for that we reboot the system or issue the following command
# systemd-tmpfiles --create fail2ban.conf
STEP 4: Now test your service:
# systemctl start fail2ban
I did receive the following warning:
Warning: Unit file of created job changed on disk, 'systemctl --system daemon-reload' recommended.
So I did as instructed
Finally you may enable the service by issuing the following command:
# systemctl enable fail2ban.service
It doesn't hurt to mention that I beg your pardon as English is not my native language, hope it is clear enough for you to understand
After your changes systemd still returns "failed" with reason "timeout", but fail2ban starts correctly (for a while).
You can check fail2ban from [community-testing], maybe it's PEBKAC. ;)
PIDFile=/var/run/fail2ban.pid
needs to be changed from either
PIDFile=/run/fail2ban/fail2ban.pid
or
PIDFile=/var/run/fail2ban/fail2ban.pid
This fixes the problem completely.
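
The mismatch this thread converges on (a Type=forking unit whose PIDFile= differs from where the daemon writes its PID, in a runtime directory that nothing creates) can be checked mechanically. The following is an added example, not part of the original thread or of the fail2ban package; the function names and sample unit text are constructed, and it assumes that the daemon writes /var/run/fail2ban/fail2ban.pid and that /var/run is a symlink to /run.

```python
import posixpath

# Constructed samples modelled on the thread's PIDFile= values and [Service] snippet.
BROKEN_UNIT = """[Service]
Type=forking
PIDFile=/run/fail2ban.pid
"""
FIXED_UNIT = """[Service]
Type=forking
ExecStartPre=/bin/mkdir -p /var/run/fail2ban
PIDFile=/var/run/fail2ban/fail2ban.pid
"""
TMPFILES = "d /var/run/fail2ban 0755 root root - -\n"
DAEMON_PIDFILE = "/var/run/fail2ban/fail2ban.pid"  # assumed daemon setting

def norm(path):
    """Map /var/run/... to /run/... (assumes /var/run is a symlink to /run)."""
    path = posixpath.normpath(path)
    return path[4:] if (path + "/").startswith("/var/run/") else path

def service_settings(unit_text):
    """Collect key -> [values] from the [Service] section of a unit file."""
    settings, section = {}, None
    for line in map(str.strip, unit_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def check_forking_unit(unit_text, daemon_pidfile, tmpfiles_text=""):
    """Return findings; an empty list means PIDFile and run directory agree."""
    svc, findings = service_settings(unit_text), []
    if svc.get("Type", ["simple"])[-1] != "forking":
        return findings
    pidfile = svc.get("PIDFile", [""])[-1]
    if norm(pidfile) != norm(daemon_pidfile):
        findings.append("PIDFile=%s, daemon writes %s" % (pidfile, daemon_pidfile))
    # Directories provisioned by tmpfiles.d d/D lines or an ExecStartPre mkdir.
    created = {norm(f[1]) for f in map(str.split, tmpfiles_text.splitlines())
               if len(f) > 1 and f[0] in ("d", "D")}
    for words in map(str.split, svc.get("ExecStartPre", [])):
        if words and posixpath.basename(words[0].lstrip("-@")) == "mkdir":
            created.update(norm(w) for w in words[1:] if w.startswith("/"))
    rundir = posixpath.dirname(norm(daemon_pidfile))
    if rundir != "/run" and rundir not in created:
        findings.append("nothing creates %s before start" % rundir)
    return findings
```

An empty result for a unit means systemd will look for the PID file where the daemon writes it, so the start job can complete instead of timing out.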