#544 List of services that may start by default
Closed None Opened 8 years ago by toshio.

= Proposal topic =

After much disagreement in today's FPC meeting, FPC passed the following:

May services be on by default? No but FESCo provides exceptions (and has the option of tasking FPC to determine exceptions). (+1:5, 0:0, -1:1)

Tasks arising from this:

  1. Decide whether FPC or FESCo makes the list (b/c some thought this was an expansion of FPC's charter while others thought that it was within FPC's charter and additionally FESCo had agreed to hand it to FPC several meetings back).
  2. If FESCo makes the list, then what's the list?

There was the start of a list here:
https://fedoraproject.org/wiki/User:Spot/DefaultServices

That draft as a whole had several points of contention though:

  • Non-agreement for abrtd to belong in the exception list
  • Possible agreement that inetd, systemd and dbus bus activated services also fell under this but it wasn't added to the draft (as the draft as a whole wasn't able to pass).
  • The blanket exception for local services was not okay for everyone since exploits by local users can still be an issue
  • Even if a blanket exception for local services was kept for the final draft, should they cover things that are configured to bind only to localhost but are much heavier weight -- for instance, mysql and httpd could ship with config files that bound to localhost and therefore both would be allowed under the blanket local services policy.

Many alternatives to the draft were suggested although, in the end, only the proposal given at the top of this page was voted upon:

  • An alternative suggestion that only essential services should be allowed on was given and had some support but others thought that "essential services" was too subjective for an FPC guideline.
  • An alternative suggestion was started "Services must be off except for those services needed for someone to configure other services via ssh, a local console, firstboot, [add other methods here if you've got them]" but discussion didn't materialize so we didn't talk about whether other methods existed to be listed there.
  • An alternative suggestion was made that the proper place for turning on services was in the installer and firstboot and those should be separated from the question of whether the package itself should be starting services but no one on fpc felt that the fpc should be telling anaconda/firstboot that service starting was their responsibility.
  • A proposal to look at this like the bundled library exceptions was looked at but revised into the present form where FESCo makes the list of exceptions instead of FPC because some people did not feel that it was within FPC's charter to make those decisions.

Adding meeting keyword here so we can pick it up at next weeks meeting.

13:52 ! spot has a list of all packages with current enabled by default services
13:52 spot$ abrt acpid at audit autofs avahi bluez cluster-glue cobbler coda-client cpuspeed cronie ctrlproxy dbus dkms exim fence-virtd firebird-superserver firstboot fnfx freenx-server gadget gpm gvrpcd hal hsqldb ifplugd ipmiutil iptables iptables-ipv6 irqbalance iscsi-initiator-utils isdn4k-utils koji-builder libvirt libvirt-client lvm2 mdadm nfs-utils ocfs2-tools olpc-utils openct openslp-server openssh-server pcsc-lite pop-before-smtp portreserve preload qemu-common qemu-user quagga rhnsd rpcbind rp-pppoe rsyslog sblim-gather sendmail snort spice-vdagent sysklogd sysstat udev wine-desktop xen xen-runtime xinetd yum-updatesd

I'll note some of these are dbus services, and it's unclear to me how to enable/disable them.
For example, bluez. Is there actually any way to disable this service from starting without removing the package?

The list has 68 packages currently, which seems very excessive to me. We could either try and come up with a smaller whitelist, or try and prune down the existing list, or everyone could come up with their own and we could discuss ones that are not on everyone's list. Whichever way people want to move forward.

mjg59 and notting will sort through the list and see if we can address the ones we need to next time.

There was general agreement with Spot's draft on this.

Although untested by me, the systemd draft guideline includes a recipe for installing a dbus-containing service that is not started unless the system administrator enables it. Read from the second paragraph in the following section:

https://fedoraproject.org/wiki/TomCallaway/Systemd_Revised_Draft#Bus_Activation

mjg59/notting: Any progress on a sorted list for tomorrow?

  • Does not require configuration and is not network enabled

fnfx
gpm
hal
libvirt
lvm2
mdadm
openct
pcsc-lite
qemu-common
quagga
sendmail
spice-vdagent
sysstat
xen
xen-runtime
yum-updatesd

  • One-shot service on boot

firstboot
ipmiutil
iptables
iptables-ipv6
irqbalance
libvirt-client
olpc-utils
portreserve
preload
qemu-user
wine-desktop
udev

  • Permitted via exception/requirement for operation

rsyslog
sysklogd
ifplugd
iscsi-initiator-utils
isdn4k-utils
nfs-utils
ocfs2-tools
openssh-server
rpcbind
rp-pppoe
xinetd

  • Looks like they need to be disabled

firebird-superserver
freenx-server
gadget
gvrpcd
koji-builder
openslp-server
pop-before-smtp
rhnsd
sblim-gather
snort

Oops, forgot some. Updated list:

  • Does not require configuration and is not network enabled

abrt
acpid
at
audit
bluez
cronie
dbus
exim
fence-virtd
fnfx
gpm
hal
libvirt
lvm2
mdadm
openct
pcsc-lite
qemu-common
quagga
sendmail
spice-vdagent
sysstat
xen
xen-runtime
yum-updatesd

  • One-shot service on boot

cpuspeed
dkms
firstboot
ipmiutil
iptables
iptables-ipv6
irqbalance
libvirt-client
olpc-utils
portreserve
preload
qemu-user
wine-desktop
udev

  • Permitted via exception/requirement for operation

autofs
avahi
coda-client
ifplugd
iscsi-initiator-utils
isdn4k-utils
nfs-utils
ocfs2-tools
openssh-server
rpcbind
rp-pppoe
rsyslog
sysklogd
xinetd

  • Looks like they need to be disabled

cluster-glue
cobbler
ctrlproxy
firebird-superserver
freenx-server
gadget
gvrpcd
koji-builder
openslp-server
pop-before-smtp
rhnsd
sblim-gather
snort

Copied from Spot:

https://fedoraproject.org/wiki/User:Kevin/DefaultServices

I'll note, however, that NetworkManager isn't in the list?

We are going to gather feedback from the devel list for a week and revisit this next week.

Just thought of this so I'm writing down -- if the guidelines for what services don't change much from what's here, we need to release note it since system administrators will want to know that more services will be defaulting to on when their package is installed.

I maintain hdapsd. It is a daemon to protect a laptop HDD during physical shock (it uses an accelerometer to measure sudden movement). Currently I have it autostarted for the sda and sdb devices. It has no use outside a laptop environment, and laptops seldom (never?) have more than two drives.

Protection of user hardware seems like enough cause for autostart. This package is not installed by default.

We are going to gather more info about dbus services and if critical path could tie into this list somehow and revisit next week.

Looking at critical path, the following services are in our prior 'can start by default' list, but aren't in critical path:

  • abrt
  • acpid
  • autofs
  • bluez
  • coda-client
  • cpuspeed
  • dkms
  • exim
  • fence-virtd
  • fnfx
  • gpm
  • ifplugd
  • ipmiutil
  • irqbalance
  • isdn4k-utils
  • libvirt
  • libvirt-client
  • nfs-utils
  • ocfs2-tools
  • olpc-utils
  • openct
  • pcsc-lite
  • portreserve
  • preload
  • qemu-common
  • qemu-user
  • quagga
  • rpcbind
  • rp-pppoe
  • spice-vdagent
  • sysklogd
  • sysstat
  • wine-desktop
  • xen
  • xen-runtime
  • xinetd
  • yum-updatesd

That might be too many to rely on critpath.

After discussion the draft was approved.

In the event this causes too many or the wrong kind of service to be starting by default we can revisit.

Will leave this ticket open until we can figure out where this should be on the wiki and it's in place there.

I've added NetworkManager and moved the page to:

https://fedoraproject.org/wiki/Starting_services_by_default

Please reopen this if there is further action needed.
