[hipl-dev] Re: [Branch ~hipl-core/hipl/trunk] Rev 5952: Require network and local filesystem to be initialized in init scripts.

  • From: Miika Komu <mkomu@xxxxxxxxx>
  • To: hipl-dev@xxxxxxxxxxxxx
  • Date: Wed, 08 Jun 2011 07:40:44 +0300

Hi,

On 07/06/11 18:30, noreply@xxxxxxxxxxxxx wrote:
------------------------------------------------------------
revno: 5952
committer: David Martin<david.martin.mailbox@xxxxxxxxxxxxxx>
branch nick: hipl_init-scripts
timestamp: Tue 2011-06-07 16:33:45 +0200
message:
   Require network and local filesystem to be initialized in init scripts.

   The HIPL daemons should only be started after the filesystems and the
   network have been already set up. They should be exited before the
   filesystems and network get torn down as well.

   Documentation on possible boot dependencies can be found here:
   http://refspecs.freestandards.org/LSB_3.1.0/LSB-Core-generic/ \
    LSB-Core-generic/facilname.html
modified:
   debian/hipl-daemon.init
   debian/hipl-dnsproxy.init
   debian/hipl-firewall.init

Did you commit this because you encountered some problem in practice?

I would actually disagree with the network part of this commit assuming it was not a practical problem. Now that the HIP stuff is not initialized before network, it is possible that some of the communications leak without proper HIP handling, namely:

1. Incoming/outgoing HIP packets that should be blocked by hipfw
2. Outgoing DNS requests that escape HIP DNS proxy

The list of services to be started before HIP is now:

$local_fs $remote_fs $syslog $network

So, now the compromised list of services includes standard stuff such as NFS(v3) client (due to 2), NFSv3 server (due to 2), remote syslog servers (due to 2) and basically any other service started during boot up. The $remote_fs and $syslog were enabled earlier, but was that really thought out?
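
The ordering question raised in the mail above can be checked by reading an init script's LSB header and listing the facilities it requires before start. This is an added example, not code from HIPL or from this thread; the sample header is constructed around the facility list quoted in the mail, the `Provides` name is hypothetical, and the set of facilities treated as traffic-carrying is an assumption taken from the concerns the mail lists.

```python
import re

# Constructed sample: the real debian/hipl-firewall.init is not shown in the mail.
# The "Provides" name is hypothetical; the facility list is the one quoted above.
SAMPLE_INIT = """\
#!/bin/sh
### BEGIN INIT INFO
# Provides:          hipl-firewall
# Required-Start:    $local_fs $remote_fs $syslog $network
# Required-Stop:     $local_fs $remote_fs $syslog $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
"""

# Assumption, following the mail: facilities whose services may already
# exchange packets before the script that requires them is started.
TRAFFIC_FACILITIES = {"$network", "$remote_fs", "$syslog"}


def parse_lsb_header(text):
    """Return {keyword: [values]} from the ### BEGIN/END INIT INFO block."""
    fields, inside, last = {}, False, None
    for line in text.splitlines():
        if line.startswith("### BEGIN INIT INFO"):
            inside = True
        elif line.startswith("### END INIT INFO"):
            break
        elif inside:
            m = re.match(r"#\s*([A-Za-z-]+):\s*(.*)$", line)
            if m:
                last = m.group(1)
                fields[last] = m.group(2).split()
            elif last and re.match(r"#(\t|  )\s*\S", line):
                # LSB continuation line: '#' followed by a tab or 2+ spaces
                fields[last] += line[1:].split()
    return fields


def early_traffic_facilities(text):
    """Facilities in Required-Start that are up, and may talk, before this script."""
    required = parse_lsb_header(text).get("Required-Start", [])
    return sorted(f for f in required if f in TRAFFIC_FACILITIES)


if __name__ == "__main__":
    print(early_traffic_facilities(SAMPLE_INIT))
```
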
