[arch-general] [Bulk] Re: libsystemd to systemd

C Anthony Risinger anthony at xtfx.me
Sun Sep 2 14:52:53 EDT 2012

On Sat, Sep 1, 2012 at 8:46 AM, Kevin Chadwick <ma1l1ists at yahoo.co.uk> wrote:
>> On Aug 31, 2012 7:47 PM, "Kevin Chadwick" <ma1l1ists at yahoo.co.uk> wrote:
>> >
>> > > > I will give one example. Lennart says come on who connects to sshd
>> more
>> > > > than once a month. I can't believe he's never seen a sshd log with
>> > > > constant pass attempts even though passwords are disabled.
>> > >
>> > > You are misunderstanding the sshd example.
>> >
>> > How? Systemds method would seem more problematic and wasteful to me if
>> > you get connections to it a lot.
>> The example explicitly only deals with the case where you do not get a lot
>> of connections. E.g. in a private network.
> "And even SSH: as long as nobody wants to contact your machine there is
> no need to run it, as long as it is then started on the first
> connection. (And admit it, on most machines where sshd might be
> listening somebody connects to it only every other month or so.)"
> Your just making stuff up now to cover his back, which questions many
> of your many baseless responses simply stating I have shown I don't
> understand systemd, end of discussion.
> It is far less likely that ssh is used behind a firewall and there is
> no mention of this, it is a fact that ssh is primarily used to cross
> the internet where it will be connected to frequently on any connection
> as long as it is set to the recommended default port.

i highly doubt you, Lennart, or anyone else for that matter has any
real numbers to support anything being said, so please, spare me.

now, IME, both privately and in the numerous IT-based companies i've
both worked and/or consulted with ... there are indeed usually MANY
servers that happily run sshd all day long, and do not receive
connections unless there is a problem.

regardless, Lennart's only point was "sshd should only start when
someone tries to connect" ... let's not beat around the bush here,

... and a connection attempt is very different from a connection.  if
you really want to block the former, then you use something like
fwknopd to make the sshd port invisible to everyone except the
authorized.  i use this on all my servers -- it's fantastic.

>> > Home connections even get many ssh
>> > connection attempts
>> If you have a pubic IP you'd be better off using the regular service and
>> not the xinet-style one.
> The point is that much of his spec like bringing linux together and
> assumptions are wrong and significant sacrifices for speed bring tiny
> speed increases.

... tell me, have you actually ran systemd yet? hmm ...

> Here's another assumption.
> "A central part of a system that starts up and maintains services should
> be process babysitting: it should watch services. Restart them if they
> shut down."
> Wrong, few want this feature and respawn and especially baby sitting is
> not a central feature of 'services' for an init system.

ehm, of the whopping 3 or so things sysvinit actually DID for you,
wasn't respawn one of them?

you seem to want an init that does nothing at all -- and since shell
is "like teh coolest thing eva .. eva", i suggest writing one in bash!
it's not hard, and like i said in the past, i wrote one for LXC based
systems that was ~20-30 lines, FULLY replacing sysvinit (well, i used
that until systemd started to work nicely ;-)

> On single web server this may be desired and a user installs a
> small package to do so that has features systemd hasn't and shouldn't
> have.


> In most cases it isn't true and if you have redundant services as most
> do or a secure service, you don't want the service restarted as it may
> have been exploited, the restart may even enable the exploit, so another
> server will take over instead.

# systemctl stop <exploited>.service
[and optionally]
# systemctl disable <exploited>.service

... problem solved?

> Right, you've got me to waste more time than I wished, so no more.

nah friend, you did this to yourself -- no one made you do anything.


C Anthony

More information about the arch-general mailing list