[Initscripts-ng-devel] Defining the workgroup objectives

Sven Mueller debian at incase.de
Wed Jul 27 14:48:12 UTC 2005

Olaf van der Spek wrote on 27/07/2005 15:56:
> On 7/27/05, Sven Mueller <debian at incase.de> wrote:
>>I assume the start-X-before-Y&stop-X-before-Y case?
>>Firewall with a deny-all policy when stopped:
>>You want the firewall to start before any service daemon is started so
>>that they don't fail in DNS lookups or delivering of mails or whatever
>>they do at startup. However, you _might_ also want to close all ports
>>quickly before shutting down the services, so no new requests come in
>>during shutdown.
>>A pretty constructed example, but still a valid example.
> Is it? It looks like a race condition to me.
> How much time is there really between the port being closed by the
> firewall and the port being closed by the service itself?
> And what about a connect that's done before the firewall closes the
> port and a request that's done after?

You probably will never be able to completely work around such race
conditions on shutdown. But at least for some applications, the
mechanism I described above is the closest you will get to avoiding
them. Also depends on wether "deny-all policy when stopped" is a
complete deny-all policy or includes a "permit established connections"
rules (like my firewall scripts usually do except when 'stopped' by
"panic" instead of "stop").

What I initially tried to say is simply that there could be situations
where start-before-stop-before is as valid a choice as
start-before-stop-after for a service dependency.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 186 bytes
Desc: OpenPGP digital signature
Url : http://lists.alioth.debian.org/pipermail/initscripts-ng-devel/attachments/20050727/b824cb7d/signature.pgp

More information about the initscripts-ng-devel mailing list