'ssh-daemon' fails to start

> Hi,

>

> following a recent discussion on guix-sysadmin I have to confirm the

> ssh-daemon issue since it is still happening on some of the machines I

> administer

>

> Previous possibly related bug reports are

> https://issues.guix.gnu.org/issue/30993 and

> https://issues.guix.gnu.org/issue/32197

>

> Unfortunately this issue is *not* well reproducible, it depends on some

> mysterious (to me) timing factor; AFAIU it does *not* depend on the

> shepherd version, probably it depends on "something" related to IPv6

> (read below the details)

>

> Andreas Enge <andreas@enge.fr> writes:

>

> [...]

>

>> My impression is that the problem is still there. I am quite certain it

>> happened when I rebooted dover, since I had to connect on the serial console

>> to manually restart the ssh service.

>

> I'm sure it happened when milano-guix-1 was rebooted due to data centre

> maintenance and happened yesterday to one of my personal Guix machines at

> office

>

> [...]

>

> My situation is similar to the one observed by Andreas

>

>> Well, it is in /var/log/messages:

>> Aug 3 21:11:38 localhost sshd[360]: Server listening on 0.0.0.0 port 22.

>> Aug 3 21:11:55 localhost shepherd[1]: Service ssh-daemon could not be started.

>

> [...]

> Sep 4 21:46:02 localhost shepherd[1]: Service syslogd has been started.

> [...]

> Sep 4 21:46:03 localhost shepherd[1]: Service loopback has been started.

> [...]

> Sep 4 21:46:22 localhost vmunix: [ 0.226337] PCI: Using configuration type 1 for base access

> Sep 4 21:46:09 localhost dhclient: DHCPREQUEST for 10.38.2.16 on eno1 to 255.255.255.255 port 67

> [...]

> Sep 4 21:46:24 localhost shepherd[1]: Service networking has been started.

> [...]

> Sep 4 21:46:12 localhost sshd[577]: Server listening on 0.0.0.0 port 22.

> [...]

> Sep 4 21:46:30 localhost vmunix: [ 0.250107] ACPI: PCI Interrupt Link [LNKA] (IRQs 3 4 5 6 10 *11 12 14 15)

> Sep 4 21:46:13 localhost dhclient: DHCPREQUEST for 10.38.2.16 on eno1 to 255.255.255.255 port 67

> [...]

> Sep 4 21:46:16 localhost dhclient: DHCPACK of 10.38.2.16 from 10.38.2.1

> [...]

> Sep 4 21:46:33 localhost shepherd[1]: Service ssh-daemon could not be started.

> [...]

> Sep 4 21:46:47 localhost vmunix: [ 0.731142] Segment Routing with IPv6

>

>

> Please note the timing of the dhclient and the sshd processes: I

> inserted them as printed in /var/log/messages but they are not

> time-sequential: does it means something or is irrelevant?

>

> So the sshd process started (as far as I cen see there is no trace it

> was stopped) and pretty soon shepherd noticed ssh-daemon was not

> started.

>

> Logging in from the console I see the ssh-daemon is stopped but enabled:

>

> Status of ssh-daemon:

> It is stopped.

> It is enabled.

> Provides (ssh-daemon).

> Requires (syslogd loopback).

> Conflicts with ().

> Will be respawned.

>

>

> [...]

>

> If I start it via `sudo herd start ssh-daemon` it immediatly starts,

> like in Andreas experience:

>

>> Aug 3 21:13:10 localhost sshd[385]: Server listening on 0.0.0.0 port 22.

>> Aug 3 21:13:10 localhost sshd[385]: Server listening on :: port 22.

>> Aug 3 21:13:11 localhost shepherd[1]: Service ssh-daemon has been started.

>

> Sep 5 13:38:55 localhost sshd[745]: Server listening on 0.0.0.0 port 22.

> Sep 5 13:38:55 localhost sshd[745]: Server listening on :: port 22.

> Sep 5 13:38:55 localhost shepherd[1]: Service ssh-daemon has been started.

>

>

> Please notice the difference from above: this time the sshd server is

> also listening on the IPv6 address :: while in the above log it was only

> listening on the 0.0.0.0 IPv4 address

>

> Does the failure have something to do with IPv6 not available when sshd

> starts for the first time after a reboot?

> [...]

> Yes, I think when 'ssh-daemon' failed to start, shepherd should respawn

> it until success or disable it, but by look at the code of

> 'make-forkexec-constructor', when using 'pid-file' (as 'ssh-ademon'

> does), and a timeout (default to 5s %pid-file-timeout) is reached, the

> processes got a 'SIGTERM' and return '#f' as its running state, which

> won't be respawn (it's not a pid number) I guess...

>

> To ludo: Is my analysis correct? It's not clear to me how to fix it so

> 'ssh-daemon' can be respawn though...

> I think I am also running into a similar issue on my spinning rust based

> T400. Is there a workaround available that does the above,

> Hi Jelle,

>

> Jelle Licht <jlicht@fsfe.org> writes:

>

> [...]

>

>> I think I am also running into a similar issue on my spinning rust based

>> T400. Is there a workaround available that does the above,

>

> I added `(extra-content "ListenAddress 0.0.0.0")` to my

> openssh-configuration, to only listen on IPv4 addresses:

>

> --8<---------------cut here---------------start------------->8---

> (service openssh-service-type

> (openssh-configuration

> (port-number 22)

> (extra-content "ListenAddress 0.0.0.0")

> (authorized-keys

> `(("g" ,(local-file "keys/ssh/g.pub"))

> ("hydra",(local-file "keys/ssh/hydra.pub"))))))

> --8<---------------cut here---------------end--------------->8---

>

> I tried to reboot several times one machine I can use for testing and it

> works for me: please can you try and report if this also works for you?

>This works around https://issues.guix.info/issue/30993.

>

>* gnu/services/ssh.scm (<openssh-configuration>)[address-family]: New

>field.

>(openssh-config-file): Use it.

>* doc/guix.texi: Document it.

>---

> doc/guix.texi | 10 ++++++++++

> gnu/services/ssh.scm | 16 +++++++++++++++-

> 2 files changed, 25 insertions(+), 1 deletion(-)

>

>diff --git a/doc/guix.texi b/doc/guix.texi

>index 39eb25385c..cf0e141baf 100644

>--- a/doc/guix.texi

>+++ b/doc/guix.texi

>@@ -13913,6 +13913,16 @@ This is a symbol specifying the logging level:

>@code{quiet}, @code{fatal},

>@code{error}, @code{info}, @code{verbose}, @code{debug}, etc. See the

>man

> page for @file{sshd_config} for the full list of level names.

>

>+@item @code{address-family} (default: @code{'inet})

>+This is a symbol specifying which type of internet addresses should be

>+handled by @command{sshd}. The options are @code{inet} (IPv4),

>+@code{inet6} (IPv6), or @code{any}, which selects both @code{inet} and

>+@code{inet6}. The upstream default in @code{any}. However, we

>+currently default to @code{inet} due to a nondeterministic

>+@command{sshd} startup failure when using IPv6 on Guix. See

>+@uref{https://issues.guix.info/issue/30993, the bug report} for more

>+information on this temporary limitation.

>+

> @item @code{extra-content} (default: @code{""})

>This field can be used to append arbitrary text to the configuration

>file. It

>is especially useful for elaborate configurations that cannot be

>expressed

>diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm

>index d2dbb8f80d..7e25810eff 100644

>--- a/gnu/services/ssh.scm

>+++ b/gnu/services/ssh.scm

>@@ -4,6 +4,7 @@

> ;;; Copyright © 2016 Julien Lepiller <julien@lepiller.eu>

> ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>

> ;;; Copyright © 2019 Ricardo Wurmus <rekado@elephly.net>

>+;;; Copyright © 2019 Leo Famulari <leo@famulari.name>

> ;;;

> ;;; This file is part of GNU Guix.

> ;;;

>@@ -340,7 +341,16 @@ The other options should be self-descriptive."

>;; proposed in <https://bugs.gnu.org/27155>. Keep it

>internal/undocumented

> ;; for now.

> (%auto-start? openssh-auto-start?

>- (default #t)))

>+ (default #t))

>+

>+ ;; Symbol

>+ ;; XXX: This shouldn't be required, but due to limitations with IPv6

>+ ;; on Guix, sshd often fails to start when it attempts to bind to

>both

>+ ;; 0.0.0.0 and ::, because the IPv6 interface is not ready in time.

>+ ;; Accepted options are inet (IPv4), inet6 (IPv6), or any (both).

>+ ;; <https://issues.guix.info/issue/30993>

>+ (address-family openssh-configuration-address-family

>+ (default 'inet)))

>

> (define %openssh-accounts

> (list (user-group (name "sshd") (system? #t))

>@@ -468,6 +478,10 @@ of user-name/file-like tuples."

> (symbol->string

> (openssh-configuration-log-level config))))

>

>+ (format port "AddressFamily ~a\n"

>+ #$(symbol->string

>+ (openssh-configuration-address-family config)))

>+

> ;; Add '/etc/authorized_keys.d/%u', which we populate.

> (format port "AuthorizedKeysFile \

>.ssh/authorized_keys .ssh/authorized_keys2

>/etc/ssh/authorized_keys.d/%u\n")

> Le 3 d�cembre 2019 21:12:51 GMT+01:00, Leo Famulari <leo@famulari.name> a �crit :

> >+@item @code{address-family} (default: @code{'inet})

> >+This is a symbol specifying which type of internet addresses should be

> >+handled by @command{sshd}. The options are @code{inet} (IPv4),

> >+@code{inet6} (IPv6), or @code{any}, which selects both @code{inet} and

> >+@code{inet6}. The upstream default in @code{any}. However, we

> default *is*

> On Tue, Dec 03, 2019 at 10:53:11PM +0100, Julien Lepiller wrote:

>> Le 3 décembre 2019 21:12:51 GMT+01:00, Leo Famulari <leo@famulari.name> a écrit :

>> >+@item @code{address-family} (default: @code{'inet})

>> >+This is a symbol specifying which type of internet addresses should be

>> >+handled by @command{sshd}. The options are @code{inet} (IPv4),

>> >+@code{inet6} (IPv6), or @code{any}, which selects both @code{inet} and

>> >+@code{inet6}. The upstream default in @code{any}. However, we

>> default *is*

>

> Thanks!

>

> This patch did make sshd work for me again.

>

> However, as part of trying to debug this issue, I changed my system

> configuration so that it uses dhcp-client-service and

> wpa-supplicant-service instead of using Wicd. And now I can't reproduce

> the bug anymore.

>

> I guess that either 1) wpa_supplicant brings the network interfaces up

> faster or 2) the state of the network interfaces is more accurately

> captured with these services (in the sense of, is the network up?).

> Hi,

>

> following a recent discussion on guix-sysadmin I have to confirm the

> ssh-daemon issue since it is still happening on some of the machines I

> administer

>

> Previous possibly related bug reports are

> https://issues.guix.gnu.org/issue/30993 and

> https://issues.guix.gnu.org/issue/32197

>

> Unfortunately this issue is *not* well reproducible, it depends on some

> mysterious (to me) timing factor; AFAIU it does *not* depend on the

> shepherd version, probably it depends on "something" related to IPv6

> (read below the details)

> Giovanni Biscuolo writes:

>

>> Hi,

>>

>> following a recent discussion on guix-sysadmin I have to confirm the

>> ssh-daemon issue since it is still happening on some of the machines I

>> administer

>>

>> Previous possibly related bug reports are

>> https://issues.guix.gnu.org/issue/30993 and

>> https://issues.guix.gnu.org/issue/32197

>>

>> Unfortunately this issue is *not* well reproducible, it depends on some

>> mysterious (to me) timing factor; AFAIU it does *not* depend on the

>> shepherd version, probably it depends on "something" related to IPv6

>> (read below the details)

>

> This issue continues to plauge me, and has ever since I started to use

> GuixSD. However it is much worse now that I am running Guix on

> servers... I frequently have to log in via Linode's (nonfree!) web

> console on every server that is rebooted and kick herd to restart

> openssh. Once I do that it's fine.

> I don't think my linode machine is on "spinning rust" so I don't think

> this is the cause. IPv6, maybe? Dunno what.

>

> However I think that it's probably really a dependency issue somewhere;

> herd is starting opensshd before some other dependent service is

> spawned. But what? Maybe something authentication related like

> networking, or something. But hm, networking is required...

>

> I'm assuming others must be experiencing this still too... right?

> Would really like to see it fixed. It's one of the few things holding

> me back from recommending Guix on servers to others.

>

> Do others have any idea?

>

> I noticed the lsh daemon requires networking. Why doesn't openssh?

> What about the following "fix"?

> (list (shepherd-service

> (documentation "OpenSSH server.")

> - (requirement '(syslogd loopback))

> + (requirement '(syslogd networking loopback))

> Christopher Lemmer Webber <cwebber@dustycloud.org> skriver:

> > I'm assuming others must be experiencing this still too... right?

>

> FWIW I have never encountered this. :-/

> On Sat, Nov 28, 2020 at 02:08:34AM +0100, Marius Bakke wrote:

>> Christopher Lemmer Webber <cwebber@dustycloud.org> skriver:

>> > I'm assuming others must be experiencing this still too... right?

>>

>> FWIW I have never encountered this. :-/

>

> I reenabled IPv6 listening for sshd after updating to 1.2.0 and things

> are working for now. The problem has always been intermittent for me in

> the past.

>

> Chris, are you using an old Thinkpad too?