Summary: | LSB/sysv services with X-Interactive: true fail to start from a user terminal | ||
---|---|---|---|
Product: | systemd | Reporter: | Michael Biebl <mbiebl> |
Component: | general | Assignee: | Lennart Poettering <lennart> |
Status: | RESOLVED WONTFIX | QA Contact: | |
Severity: | normal | ||
Priority: | medium | CC: | fred |
Version: | unspecified | ||
Hardware: | Other | ||
OS: | All | ||
Whiteboard: | |||
Description
Michael Biebl
2010-09-05 17:31:14 UTC
So, after discussing this with some folks, here's what we came up with:

we'll provide a little tool that can be used to ask questions, which either speaks with plymouth (when it is running, i.e. used on early boot), or with a little session agent. The agent will then ask for the passphrase and report it back.

For the agent communication a scheme like the following might be thinkable: the password tool places a file with the question to ask in /var/run/passphrase/xxx, which is then picked up by the agent. The agent then invokes a privileged tool via pkexec which sends the reply back via AF_UNIX/SOCK_DGRAM+SCM_CREDENTIALS.

Then, all init scripts needing this would simply call that tool and it would do the right thing. All this would work fine in a tty-less world.

(In reply to comment #1)
> So, after discussing this with some folks, here's what we came up with:
>
> we'll provide a little tool that can be used to ask questions, which either
> speaks with plymouth (when it is running, i.e. used on early boot), or with a
> little session agent. The agent will then ask for the passphrase and report
> it back.

To add a bit more background information:

Currently the following services have X-Interactive set in Debian:

apache2
openvpn
console-common
kbd
keyboard-configuration (console-setup/keyboard-setup)
cryptsetup (cryptdisks/cryptdisks-early)
loop-aes-utils (checkfs-loop)
udev

- udev and cryptsetup have native systemd support.
- The console/keyboard setup tools are run early during boot and shouldn't pose a problem. Eventually we may want to use systemd-vconsole-setup.
- loop-aes-utils looks like it could be handled by systemd's native mount/fsck support

This leaves openvpn and apache2.

Given the scheme Lennart proposed, we could probably use OpenVPN's management interface [1] and provide a bit of glue to hook it up with the systemd password agent.
Apache's mod_ssl module provides the SSLPassPhraseDialog configure directive which could be used.

[1] http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
[2] http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslpassphrasedialog

We removed X-Interactive support a couple of releases back since it is fundamentally broken, closing.
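
The reply leg of the scheme proposed in the first comment (AF_UNIX/SOCK_DGRAM plus SCM_CREDENTIALS), shown as an added example that is not code from systemd or from anyone in this thread: the receiver accepts a passphrase datagram only when the kernel-attached credentials name the expected sender uid. The function names, the socketpair standing in for the real reply socket, and the passphrase value are assumptions made for illustration; Linux only.

```python
import os
import socket
import struct

UCRED = struct.Struct("iII")  # Linux struct ucred: pid, uid, gid


def make_reply_channel():
    """Return (receiver, sender) datagram sockets (hypothetical helper)."""
    receiver, sender = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    # SO_PASSCRED: the kernel attaches the sender's pid/uid/gid to every
    # datagram, so the receiver does not rely on anything the sender claims.
    receiver.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    return receiver, sender


def receive_reply(receiver, trusted_uid, max_len=4096):
    """Return the reply bytes if trusted_uid sent them, otherwise None."""
    data, ancdata, flags, _ = receiver.recvmsg(
        max_len, socket.CMSG_SPACE(UCRED.size))
    if flags & (socket.MSG_TRUNC | socket.MSG_CTRUNC):
        return None  # truncated payload or control data: reject
    for level, ctype, cdata in ancdata:
        if (level == socket.SOL_SOCKET
                and ctype == socket.SCM_CREDENTIALS
                and len(cdata) >= UCRED.size):
            _pid, uid, _gid = UCRED.unpack(cdata[:UCRED.size])
            return data if uid == trusted_uid else None
    return None  # no credentials attached: reject


if __name__ == "__main__":
    rx, tx = make_reply_channel()
    tx.send(b"constructed-passphrase")  # constructed sample reply
    # In the proposed scheme the sender is a privileged tool run via pkexec,
    # so trusted_uid would be 0; this demo trusts its own uid instead.
    print(receive_reply(rx, trusted_uid=os.getuid()))
```
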