[Freeipa-users] cron reports "ORPHAN (no passwd entry)" for the @reboot jobs
Lukas Slebodnik
lslebodn at redhat.com
Tue May 3 08:21:46 UTC 2016
On (03/05/16 07:35), Harald Dunkel wrote:
>Hi Lukas,
>
>On 05/02/16 17:59, Lukas Slebodnik wrote:
>> Could you provide output of "systemctl cat sssd.service"?
>> In my case, it should be started before nss-user-lookup.target
>>
>> # /usr/lib/systemd/system/sssd.service
>> [Unit]
>> Description=System Security Services Daemon
>> # SSSD must be running before we permit user sessions
>> Before=systemd-user-sessions.service nss-user-lookup.target
>> Wants=nss-user-lookup.target
>>
>> [Service]
>> EnvironmentFile=-/etc/sysconfig/sssd
>> ExecStart=/usr/sbin/sssd -D -f
>> # These two should be used with traditional UNIX forking daemons
>> # consult systemd.service(5) for more details
>> Type=forking
>> PIDFile=/var/run/sssd.pid
>>
>> [Install]
>> WantedBy=multi-user.target
>
>I got
>
> # /lib/systemd/system/sssd.service
> [Unit]
> Description=System Security Services Daemon
> # SSSD must be running before we permit user sessions
> Before=systemd-user-sessions.service nss-user-lookup.target
> Wants=nss-user-lookup.target
>
> [Service]
> EnvironmentFile=-/etc/sysconfig/sssd
> ExecStart=/usr/sbin/sssd -D -f
> # These two should be used with traditional UNIX forking daemons
> # consult systemd.service(5) for more details
> Type=forking
> PIDFile=/var/run/sssd.pid
>
> [Install]
> WantedBy=multi-user.target
>
>Except for the first comment line diff doesn't show a
>difference.
>
>Maybe there is a misunderstanding: IMHO it's not sufficient to start
>sssd before systemd-user-sessions.service and nss-user-lookup.target.
>sssd and all its internal sssd_something services must have
>completed their initialization (including the user database) before
>these services can be started.
>
>Here is the output of "ps -ef", created by the "@reboot" crontab
>entry:
>
>UID PID PPID C STIME TTY TIME CMD
>root 1 0 0 14:27 ? 00:00:00 /sbin/init
>root 23 1 0 14:27 ? 00:00:00 /lib/systemd/systemd-journald
>root 159 1 0 14:28 ? 00:00:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
>daemon 193 1 0 14:28 ? 00:00:00 /usr/sbin/atd -f
>root 194 1 0 14:28 ? 00:00:00 /usr/sbin/cron -f
>root 195 1 0 14:28 ? 00:00:00 /usr/sbin/ModemManager
>root 198 1 0 14:28 ? 00:00:00 /usr/sbin/inetd -i
>root 199 1 0 14:28 ? 00:00:00 /usr/sbin/sshd -D
>root 200 1 0 14:28 ? 00:00:00 lldpd: monitor
>root 201 1 0 14:28 ? 00:00:00 /usr/sbin/sssd -D -f
>message+ 206 1 0 14:28 ? 00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
>lp 218 1 0 14:28 ? 00:00:00 /usr/sbin/lpd -s
>root 220 1 0 14:28 ? 00:00:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -c /var/lib/ntp/ntp.conf.dhcp -u 112:121
>root 226 1 0 14:28 ? 00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
>root 227 1 0 14:28 ? 00:00:00 /usr/sbin/rsyslogd -n
>_lldpd 229 200 0 14:28 ? 00:00:00 lldpd: no neighbor
>root 262 1 0 14:28 ? 00:00:00 /usr/lib/policykit-1/polkitd --no-debug
>root 263 194 0 14:28 ? 00:00:00 /usr/sbin/CRON -f
>zabbix 271 1 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd
>zabbix 274 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: collector [idle 1 sec]
>zabbix 275 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: listener #1 [waiting for connection]
>zabbix 276 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: listener #2 [waiting for connection]
>zabbix 277 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: listener #3 [waiting for connection]
>zabbix 278 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: active checks #1 [idle 1 sec]
>root 492 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root 502 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>Debian-+ 504 1 0 14:28 ? 00:00:00 /usr/sbin/exim4 -bd -q30m
>root 505 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root 506 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root 507 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root 508 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root 509 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root 510 263 0 14:28 ? 00:00:00 /bin/sh -c ( ps -ef; ls -al /home ) >/var/tmp/ls.log
>root 511 510 0 14:28 ? 00:00:00 /bin/sh -c ( ps -ef; ls -al /home ) >/var/tmp/ls.log
>root 512 201 0 14:28 ? 00:00:00 /usr/sbin/sssd -D -f
>root 515 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root 516 511 0 14:28 ? 00:00:00 ps -ef
>root 517 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root 518 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root 519 512 0 14:28 ? 00:00:00 /usr/sbin/sssd -D -f
>root 520 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root 521 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>
>Please note that the sssd_* jobs are missing, and yet the
>cron service has been started to run this cron job.
>
But that's not a problem of sssd. It is a bug in the cron service file.
If cron relies on user lookup then it should not be started before
nss-user-lookup.target.

Fedora has a correct service file for crond.

sh$ systemctl cat crond.service
# /usr/lib/systemd/system/crond.service
[Unit]
Description=Command Scheduler
After=auditd.service nss-user-lookup.target systemd-user-sessions.service time-sync.target ypbind.service

[Service]
EnvironmentFile=/etc/sysconfig/crond
ExecStart=/usr/sbin/crond -n $CRONDARGS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process

[Install]
WantedBy=multi-user.target

Debian has quite a minimal version.

sh$ systemctl cat cron.service
# /lib/systemd/system/cron.service
[Unit]
Description=Regular background program processing daemon
Documentation=man:cron(8)

[Service]
EnvironmentFile=-/etc/default/cron
ExecStart=/usr/sbin/cron -f $EXTRA_OPTS
IgnoreSIGPIPE=false
KillMode=process

[Install]
WantedBy=multi-user.target

You can create your custom version in
/etc/systemd/system/cron.service
but do not forget to call "systemctl daemon-reload".

LS
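
Added example, not part of the original post or of either distribution's packaging: a shell version of the check and fix discussed above. It tests whether a unit's [Unit] section orders it after nss-user-lookup.target and, if not, writes a drop-in that adds the ordering rather than replacing the whole unit file. The function names, the drop-in file name and the scratch directory are assumptions; the sample unit is constructed from the Debian cron.service quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the drop-in
# file name 10-nss-user-lookup.conf are assumptions made for illustration.

# orders_after TARGET FILE...: exit 0 if the [Unit] sections of the files
# (unit file first, then any drop-ins) contain an After= naming TARGET.
orders_after() {
    want="$1"; shift
    awk -v want="$want" '
        /^\[/ { in_unit = ($0 == "[Unit]") }
        in_unit && /^After=/ {
            sub(/^After=/, "")
            n = split($0, units, /[ \t]+/)
            for (i = 1; i <= n; i++) if (units[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$@"
}

# write_dropin DIR UNIT: create DIR/UNIT.d/10-nss-user-lookup.conf and print
# its path. DIR is /etc/systemd/system on a real host.
write_dropin() {
    conf="$1/$2.d/10-nss-user-lookup.conf"
    mkdir -p "$1/$2.d" || return 1
    printf '[Unit]\nAfter=nss-user-lookup.target\n' > "$conf" || return 1
    printf '%s\n' "$conf"
}

# Constructed sample: part of the Debian cron.service quoted in the post,
# written to a scratch directory instead of /etc/systemd/system.
demo() {
    root=$(mktemp -d) || return 1
    printf '%s\n' '[Unit]' \
        'Description=Regular background program processing daemon' \
        'Documentation=man:cron(8)' '[Service]' \
        'ExecStart=/usr/sbin/cron -f $EXTRA_OPTS' > "$root/cron.service"
    if orders_after nss-user-lookup.target "$root/cron.service"; then
        echo "cron.service: already ordered after nss-user-lookup.target"
    else
        conf=$(write_dropin "$root" cron.service) || return 1
        orders_after nss-user-lookup.target "$root/cron.service" "$conf" &&
            echo "cron.service: ordering added by $conf"
    fi
    rm -rf "$root"
}
demo
# On a real host, run "systemctl daemon-reload" after writing the drop-in.
```

After= entries from a drop-in are added to those in the packaged unit file, so the distribution's cron.service stays untouched across package upgrades.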