Opened 9 months ago

Closed 9 months ago

#33015 closed task (fixed)

turn rc.local into a systemd service

Reported by: anarcat Owned by: anarcat
Priority: Low Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Major Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by anarcat)

We have a somewhat strange rc.local configuration file which does this:


## USE: git clone git+ssh://$

if [ -e /proc/sys/kernel/modules_disabled ]; then
	( sleep 60;
	  echo 1 > /proc/sys/kernel/modules_disabled || true
	) & disown

touch /var/run/reboot-lock

Here's what it does, from what I can gather.

  1. If the kernel is so configured (if /proc/sys/kernel/modules_disabled is present) it will disable module loading, after a 60 seconds delay
  2. it creates the /var/run/reboot-lock file, which is used by other components to forbid reboots through a molly-guard hook

Those are two independent purposes, of course.

This, or at least the first part, should be replaced by a systemd service. This will make it easier to disable, which is necessary when we want to actually load modules. This is done in the buster upgrade process, for example, which says:

  1. Enable module loading (for ferm)
sed -i -e 's/.*modules_disabled/#&/' /etc/rc.local


export LC_ALL=C.UTF-8 &&
sudo ttyrec -e screen /var/log/upgrade-buster.ttyrec.2

That sed line has a serious bug which will make rc.local crash during the reboot. Instead of just "disabling the disabling", it actually mangles the shell script and turns the if block into this:

#if [ -e /proc/sys/kernel/modules_disabled ]; then
        ( sleep 60;
#         echo 1 > /proc/sys/kernel/modules_disabled || true
        ) & disown

And while that hack could be fixed, it would be much easier, logical and understandable if it was written as (say) systemctl disable module-disable. There might even be existing service files that do this which we could use.

The reboot lock, on its part, could be created by the systemd.tmpfiles mechanism. This, in turn, would make it effectively as soon as Puppet runs, as opposed to after the first reboot in the old mechanism.

Child Tickets

Change History (3)

comment:1 Changed 9 months ago by anarcat

Owner: changed from tpa to anarcat
Status: newaccepted

i started down this path and deployed unit files on meronense. will test at next reboot. last bit is to test on another box and fix the upgrade docs to say:

systemctl disable modules_disabled.timer

... instead of the sed command.

comment:2 Changed 9 months ago by anarcat

that modules_disabled change was implemented in 65b96f73, 5168f6ed, 770880ad, 4e0561ac and deployed in 7ec46949. the upgrade docs have also been tweaked to refer to the service.

only the reboot-lock file remains.

Last edited 9 months ago by anarcat (previous) (diff)

comment:3 Changed 9 months ago by anarcat

Description: modified (diff)
Resolution: fixed
Status: acceptedclosed

reboot-lock is now populated by systemd-tmpfiles on boot (and on install!) thanks to cbc274ea and the unfortunate 6e733ee5.

this is now done.

Note: See TracTickets for help on using tickets.