Hi!

On Thu, 16 Apr 2015 07:56:55 -0500 Martin Pitt <mp...@debian.org> wrote:
> apparmor's init.d script currently depends on $remote_fs. This is a
> rather heavy dependency and means that important processes like
> dhclient or NFS cannot be covered by apparmor as they need to start
> before. In the extreme case this also means that
> network-online.target, NetworkManager.service, dbus.service etc. all
> need to run during early boot ("rcS" in the old sysvinit world), which
> likely leads to dependency cycles.
>
> IMHO $local_fs should suffice as during booting the init.d script does
> not need much from /usr or /var. The exception is the click package
> hook processing, but this is only really significant for Ubuntu Touch
> images (which don't use /usr on NFS). The profile cache has been split
> into /etc/ and /var for this reason, so that on boot you only need the
> cache in /etc. The one in /var is only being used for click packages
> as far as I know.
>
> FTR, Ubuntu did that change in
> https://launchpad.net/ubuntu/+source/apparmor/2.9.1-0ubuntu5

The reason for Martin filing this bug is most likely [1].

While we are on that topic, I think it would be better to not pull apparmor specifics into ifup@.service and networking.service, but rather have apparmor ship a native .service file and specify the correct orderings, maybe by hooking up in network-pre.target.

Then again, I'm not too familiar with AppArmor: Is every service which wants to be confined by apparmor supposed to declare an After=apparmor.service in its service file?

Michael

[1] https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=experimental&id=db920726c385e2c4ea9b6a82f010483db13dfa46

-- 
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
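
A sketch of the kind of native unit suggested in the message above, as an added example that is not from the original message or from the Debian apparmor package. The unit contents are assumptions, and the ExecStart path is a placeholder for whatever command loads the profiles.

```ini
# apparmor.service (hypothetical sketch, not the packaged unit)
[Unit]
Description=Load AppArmor profiles

# Drop the implicit After=sysinit.target/basic.target ordering so the
# unit is allowed to run during early boot.
DefaultDependencies=no

# Only local file systems are required, matching the $local_fs proposal:
# the boot-time profile cache lives under /etc.
After=local-fs.target

# network-pre.target is a passive target. The unit that has to finish
# before network configuration starts pulls the target in and orders
# itself before it.
Wants=network-pre.target
Before=network-pre.target

# Units that keep their default dependencies are ordered after
# sysinit.target, so finishing before it covers them without a
# per-service After=apparmor.service line.
Before=sysinit.target

[Service]
Type=oneshot
# Keep the unit "active" after the loader exits so ordering and
# dependency checks against it stay meaningful.
RemainAfterExit=yes
# Placeholder path (assumption): substitute the real profile loader.
ExecStart=/path/to/apparmor-profile-loader

[Install]
WantedBy=sysinit.target
```

With this ordering, network management units that declare After=network-pre.target start only once profiles are loaded, so the AppArmor dependency stays out of ifup@.service and networking.service.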