[Initscripts-ng-devel] Defining the workgroup objectives

Sven Mueller debian at incase.de
Wed Jul 27 14:48:12 UTC 2005


Olaf van der Spek wrote on 27/07/2005 15:56:
> On 7/27/05, Sven Mueller <debian at incase.de> wrote:
>
>>I assume the start-X-before-Y&stop-X-before-Y case?
>>
>>Firewall with a deny-all policy when stopped:
>>You want the firewall to start before any service daemon is started so
>>that they don't fail in DNS lookups or delivering of mails or whatever
>>they do at startup. However, you _might_ also want to close all ports
>>quickly before shutting down the services, so no new requests come in
>>during shutdown.
>>A pretty constructed example, but still a valid example.
>
>
> Is it? It looks like a race condition to me.
> How much time is there really between the port being closed by the
> firewall and the port being closed by the service itself?
> And what about a connect that's done before the firewall closes the
> port and a request that's done after?

You probably will never be able to completely work around such race
conditions on shutdown. But at least for some applications, the
mechanism I described above is the closest you will get to avoiding
them. Also depends on whether "deny-all policy when stopped" is a
complete deny-all policy or includes a "permit established connections"
rule (like my firewall scripts usually do except when 'stopped' by
"panic" instead of "stop").

What I initially tried to say is simply that there could be situations
where start-before-stop-before is as valid a choice as
start-before-stop-after for a service dependency.

cu,
sven
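
Added example, not part of the original message or of any initscripts-ng code: a small resolver that derives the start and stop sequences from separately declared constraints, showing how the firewall case above differs from simply reversing the start order. The service names and the "start_before" / "stop_before" keys are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed declarations (assumed syntax, not initscripts-ng's own).
SERVICES = {
    # Firewall comes up before the daemons AND goes down (to deny-all)
    # before them, so no new requests arrive while they shut down.
    "firewall": {"start_before": ["named", "postfix"],
                 "stop_before": ["named", "postfix"]},
    "named": {"start_before": ["postfix"], "stop_before": []},
    "postfix": {"start_before": [], "stop_before": ["named"]},
}


def order(services, key):
    """Topologically sort services using the 'X before Y' edges under key."""
    after = defaultdict(set)                    # X -> services placed after X
    pending = {name: 0 for name in services}    # unmet predecessors per service
    for x, decl in services.items():
        for y in decl.get(key, []):
            if y not in services:
                raise KeyError(f"{x} refers to unknown service {y}")
            if y not in after[x]:
                after[x].add(y)
                pending[y] += 1
    ready = sorted(n for n, count in pending.items() if count == 0)
    result = []
    while ready:
        x = ready.pop(0)
        result.append(x)
        for y in after[x]:
            pending[y] -= 1
            if pending[y] == 0:
                ready.append(y)
        ready.sort()                            # deterministic tie-breaking
    if len(result) != len(services):
        stuck = sorted(set(services) - set(result))
        raise ValueError(f"dependency cycle among: {', '.join(stuck)}")
    return result


def reverse_of_start(services):
    """Stop order an init system gets if it only reverses the start order."""
    return list(reversed(order(services, "start_before")))


if __name__ == "__main__":
    print("start:           ", order(SERVICES, "start_before"))
    print("stop (declared): ", order(SERVICES, "stop_before"))
    print("stop (reversed): ", reverse_of_start(SERVICES))
```

With reversal only, the firewall is stopped last and the ports stay open for the whole shutdown; with the declared stop constraints it is stopped first.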