[Bug 1674330] [NEW] Please consider dropping /etc/network/if-up.d/openssh-server
Colin Watson
cjwatson at canonical.com
Sat Mar 25 09:57:26 UTC 2017
On Mon, Mar 20, 2017 at 05:14:07PM -0000, Perry E. Metzger wrote:
> And it isn't a "hack", this is exactly what ifup/down scripts are for.
They're useful for giving sysadmins the flexibility to do this sort of
thing locally without too much work, but doing service restarts on
if-{up,down} is an awfully big hammer that's generally better handled
some other way if possible.
Not being the maintainer and not using Ubuntu any more, you might be
unaware of how much work this hack has been to maintain over the years.
I'd certainly support removing it if it can be demonstrated to be safe
to do so (in which I do include your original use case). For example:
https://bugs.debian.org/502444
https://bugs.debian.org/756547
https://bugs.launchpad.net/bugs/1584393
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1674330
Title:
Please consider dropping /etc/network/if-up.d/openssh-server
Status in openssh package in Ubuntu:
New
Bug description:
The /etc/network/if-up.d/openssh-server hack was introduced ten years ago [1] as a response to bug
103436. At least from today's perspective this isn't justified:
I can't seem to be able to actually reproduce that issue: I can start
a VM with no network interfaces, remove the above hack, then start
sshd, then bring up an ethernet interface, and I can connect to ssh
via ethernet just fine. Also, e. g. Fedora has no counterpart of this
hack, and these days a lot of people would complain if that would
cause problems, as hotpluggable/roaming network devices are
everywhere.
The hack introduces a race: you run into connection errors after
bringing up a new interface as sshd stops listening briefly while
being reloaded. That's the reason why I looked at it, as this
regularly happens in upstream's cockpit integration tests.
Also, /etc/network/if-up.d/ isn't being run when using
networkd/netplan, i. e. in more recent Ubuntu cloud instances. So far
this doesn't seem to have caused any issues.
I asked the original reporter of bug 103436 for some details, and to
check whether that hack is still necessary. There is actually a
proposed patch upstream [2] to use IP_FREEBIND, which is the modern
solution to listening to all "future" interfaces as well. But at least
for the majority of cases it seems to work fine without that even.
So I wonder if it's time to bury that hack?
[1] https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/commit/?id=ba6b55ed6
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2512
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1674330/+subscriptions
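The bug description mentions IP_FREEBIND as the modern way for a daemon to listen on an address whose interface does not exist yet, which is what the if-up.d hook was working around by restarting sshd. The following added example (not code from the thread, from openssh or from its Debian/Ubuntu packaging) shows the difference concretely: a plain bind() to a non-local address fails with EADDRNOTAVAIL, while the same bind() with IP_FREEBIND set succeeds, so a service configured that way does not need a restart when the interface later comes up. The address 192.0.2.1 is a constructed value from the TEST-NET-1 documentation range and is assumed not to be configured on the host; port 0 is used so no real port is claimed. IP_FREEBIND is Linux-specific.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_FREEBIND
#define IP_FREEBIND 15 /* Linux value; normally provided by <netinet/in.h> */
#endif

/*
 * Attempt to bind a TCP socket to `addr` (port 0, so no real port is taken).
 * Returns 1 if bind() succeeded, 0 if it failed with EADDRNOTAVAIL (the
 * "address is not on any local interface" case), and -1 for any other
 * failure. If err_out is non-NULL the errno of a failed bind() is stored there.
 */
int try_bind(const char *addr, int freebind, int *err_out)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    if (freebind) {
        /* IP_FREEBIND lets bind() accept an address that is not (yet) local.
         * Packets for it are only delivered once some interface carries it. */
        int one = 1;
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) < 0) {
            close(fd);
            return -1;
        }
    }

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(0);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        close(fd);
        return -1;
    }

    int rc = bind(fd, (struct sockaddr *)&sin, sizeof sin);
    int saved = errno;
    close(fd);

    if (rc == 0)
        return 1;
    if (err_out)
        *err_out = saved;
    return saved == EADDRNOTAVAIL ? 0 : -1;
}

int main(void)
{
    /* Constructed, assumed-non-local address from the TEST-NET-1 range. */
    const char *future_addr = "192.0.2.1";
    int err = 0;

    int plain = try_bind(future_addr, 0, &err);
    printf("bind %s without IP_FREEBIND: %s (%s)\n", future_addr,
           plain == 1 ? "ok" : "failed", plain == 1 ? "-" : strerror(err));

    int fb = try_bind(future_addr, 1, &err);
    printf("bind %s with IP_FREEBIND:    %s\n", future_addr,
           fb == 1 ? "ok" : "failed");

    /* Loopback is local on any normal host, so this binds either way. */
    int lo = try_bind("127.0.0.1", 0, &err);
    printf("bind 127.0.0.1 without IP_FREEBIND: %s\n", lo == 1 ? "ok" : "failed");
    return 0;
}
```

Run as an unprivileged user: no capability is needed for IP_FREEBIND, which is exactly why it is preferable to an if-up.d hook that restarts the whole daemon. The restart is what opens the brief window, noted in the bug description, in which sshd is not listening at all; a socket bound with IP_FREEBIND stays open and simply starts receiving traffic when the interface appears.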