tinc starts too early on boot

Naemr . naemrr at gmail.com
Thu Apr 19 18:09:50 CEST 2018


On Wed, Apr 18, 2018, 1:54 PM Guus Sliepen <guus at tinc-vpn.org> wrote:

> On Mon, Apr 16, 2018 at 09:10:02AM +1000, Hamish Moffatt wrote:
>
> > I have a bunch of Debian stretch machines with systemd where I find that
> > tinc starts too early during boot, and fails to work.
> >
> > Typically it is running, but printing out
> >
> > Apr 14 00:53:41 db7 tinc[3077]: Can't write to Linux tun/tap device (tun mode) /dev/net/tun: Input/output error
> [...]
> > Apr 16 06:54:43 dbtest3 tinc[3206]: tincd 1.1pre14 (Jun  5 2017 01:24:43) starting, debug level 0
> > Apr 16 06:54:43 dbtest3 tinc[3206]: /dev/net/tun is a Linux tun/tap device (tun mode)
> > Apr 16 06:54:43 dbtest3 tinc[3206]: Error starting /usr/sbin/tincd
> > Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCSIFADDR: No such device
> > Apr 16 06:54:43 dbtest3 tinc[3206]: rsvpn: ERROR while getting interface flags: No such device
> > Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCSIFNETMASK: No such device
> > Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCADDRT: No such device
> > Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCADDRT: No such device
>
> That sounds like tinc's tun interface is not being configured correctly.
> Can you show us your tinc-up script?
>
> > The tinc.service file says that tinc should start after networking
> > (After=network.target). I wonder if After=network-online.target might be
> > better? As defined by
> > https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
> >
> > I changed my local copy and tinc came up on boot successfully.
>
> Hm, tinc itself should handle the network not being online just fine. It
> will automatically retry after a while if it cannot make any outgoing
> connections.
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>




> > That sounds like tinc's tun interface is not being configured correctly.
> > Can you show us your tinc-up script?



> regularly. Unfortunately because it is running systemd does not restart
> it, even though it's not actually working. Restarting it manually fixes
> this.

Seems to me tinc-up is working for Hamish.

No. It sounds like tinc is trying to outrun the loading of the tap module,
and I had the same issue. Note "SIOCSIFADDR: No such device".
Tinc is outrunning key network modules and scripts that allow, among other
things, tun/tap device MAC assignment. Even in router mode, where "mac does
not exist", the virtual interface must still be able to be assigned one by
the network stack, and this early in loading it is not able to.



> The tinc.service file says that tinc should start after networking
> (After=network.target). I wonder if After=network-online.target might be
> better? As defined by
> https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
>
> I changed my local copy and tinc came up on boot successfully.

This is a workaround, as it causes tinc to load later; the network stack is
fully available at this point.

Let us remember that systemd can load multiple systems and services in
tandem; tinc being set to load "After=network.target" simply means after
the first script for networking has returned a running status to systemd.
This does not, however, mean that networking is fully ready to handle virtual
devices. This was not an issue on initd systems, as initd waits till each
service is fully up before loading the next.
Another issue that comes into play is that the system user permissions
system needs to be loaded, so that access to the tun/tap device may be
checked.


[Unit]
Description=Tinc VPN
After=network.target
Requires=network.target


may also help, as it makes network.target a hard dependency before tinc
even tries to start.
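
The ordering change discussed in this thread, written as a systemd drop-in so the packaged unit file stays untouched. This is an added example, not part of the original message or of tinc's packaging: the unit name tinc.service is the one named in the thread, and the drop-in file name override.conf is an assumption.

```ini
# /etc/systemd/system/tinc.service.d/override.conf
# (file name is an assumption; any *.conf in this directory is read)
#
# Setting the thread reports in the shipped unit:
#   After=network.target
# network.target is reached once the network management stack has been
# started. Whether any interface is configured at that point is undefined,
# so a service ordered only after it can still start before the network
# is usable.

[Unit]
# After= only orders start-up; it does not pull a unit into the boot
# transaction. Wants= pulls network-online.target in, and After= then
# holds tinc back until that target has been reached.
# After= in a drop-in is additive, so the shipped After=network.target
# stays in effect alongside this line.
Wants=network-online.target
After=network-online.target

# network-online.target only waits when a wait-online service is enabled
# for the network manager in use, for example
# systemd-networkd-wait-online.service or
# NetworkManager-wait-online.service. Without one it is reached
# immediately and this drop-in changes nothing.
```

After `systemctl daemon-reload`, `systemctl show -p After -p Wants tinc.service` lists the effective dependencies, which should now include network-online.target.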