[systemd-devel] ssh socket activation (Was: systemd unit files for Debian based systems)
Michael Olbrich
2012-06-19 16:50:32 UTC
Hi,
Do you know of a service file for openssh-server?
The Fedora packages have some, but I don't like them too much since they
don't use socket activation...
Is someone actually working on real socket activation for openssh? While
the inetd like stuff works, it does not perform well.

Regards,
Michael
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Lennart Poettering
2012-06-19 17:15:47 UTC
Post by Michael Olbrich
Hi,
Do you know of a service file for openssh-server?
The Fedora packages have some, but I don't like them too much since they
don't use socket activation...
Is someone actually working on real socket activation for openssh? While
the inetd like stuff works, it does not perform well.
it doesn't? In which way? It should be totally OK?

Lennart
--
Lennart Poettering - Red Hat, Inc.
Alexander E. Patrakov
2012-06-19 17:40:28 UTC
Post by Lennart Poettering
Post by Michael Olbrich
Hi,
Do you know of a service file for openssh-server?
The Fedora packages have some, but I don't like them too much since they
don't use socket activation...
Is someone actually working on real socket activation for openssh? While
the inetd like stuff works, it does not perform well.
it doesn't? In which way? It should be totally OK?
IMHO there is one "issue" with the inetd-style approach: it is
explicitly discouraged in "man sshd". It may well be the case of
outdated documentation, as I don't see any of the indicated problems
on my desktop or laptop. Still, it would be nice to clarify this
discrepancy in the unit file.
--
Alexander E. Patrakov
Lennart Poettering
2012-06-19 17:45:47 UTC
Post by Alexander E. Patrakov
IMHO there is one "issue" with the inetd-style approach: it is
explicitly discouraged in "man sshd". It may well be the case of
outdated documentation, as I don't see any of the indicated problems
on my desktop or laptop. Still, it would be nice to clarify this
discrepancy in the unit file.
I think this is mostly out of date information on today's
machines. Starting a per-connection instance is hardly distinguishable
from single-instance sshd latency-wise, at least on my machines here.

(I mean, I'd be happy if somebody would make sshd single-instance socket
activatable, but I think the inetd-style activation is pretty OK
performance wise and Apple ships SSH like this too, so I don't see why
we shouldn't).

Lennart
--
Lennart Poettering - Red Hat, Inc.
Michael Olbrich
2012-06-20 11:43:41 UTC
Post by Lennart Poettering
Post by Alexander E. Patrakov
IMHO there is one "issue" with the inetd-style approach: it is
explicitly discouraged in "man sshd". It may well be the case of
outdated documentation, as I don't see any of the indicated problems
on my desktop or laptop. Still, it would be nice to clarify this
discrepancy in the unit file.
I think this is mostly out of date information on today's
machines. Starting a per-connection instance is hardly distinguishable
from single-instance sshd latency-wise, at least on my machines here.
Well, I don't have any numbers, but I think on a 200MHz ARM the situation
might be a bit different.
Post by Lennart Poettering
(I mean, I'd be happy if somebody would make sshd single-instance socket
activatable, but I think the inetd-style activation is pretty OK
performance wise and Apple ships SSH like this too, so I don't see why
we shouldn't).
I was mostly curious because of the issue in the man page. If that is no
problem any more, then inetd-style activation is ok.
ssh is mostly a debug and development tool for me anyways. And here any
socket activation is really great because there is no impact on the
startup time and memory usage but it's still available when needed.

Michael
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Mantas Mikulėnas
2012-06-19 17:53:46 UTC
On Tue, Jun 19, 2012 at 8:40 PM, Alexander E. Patrakov
Post by Alexander E. Patrakov
Post by Lennart Poettering
Post by Michael Olbrich
Hi,
Do you know of a service file for openssh-server?
The Fedora packages have some, but I don't like them too much since they
don't use socket activation...
Is someone actually working on real socket activation for openssh? While
the inetd like stuff works, it does not perform well.
it doesn't? In which way? It should be totally OK?
IMHO there is one "issue" with the inetd-style approach: it is
explicitly discouraged in "man sshd". It may well be the case of
outdated documentation, as I don't see any of the indicated problems
on my desktop or laptop. Still, it would be nice to clarify this
discrepancy in the unit file.
The documentation is incomplete. The ephemeral key is only generated
if SSHv1 is enabled, while practically every installation now has
"Protocol 2" set.
--
Mantas Mikulėnas
Mathieu Bridon
2012-06-20 02:17:49 UTC
Post by Lennart Poettering
Post by Michael Olbrich
Hi,
Do you know of a service file for openssh-server?
The Fedora packages have some, but I don't like them too much since they
don't use socket activation...
Is someone actually working on real socket activation for openssh? While
the inetd like stuff works, it does not perform well.
it doesn't? In which way? It should be totally OK?
When we worked on porting the package to systemd units, we found that
the per-connection openssh process would exit with a non-zero status
code even if the client disconnected properly:
https://bugzilla.redhat.com/show_bug.cgi?id=697698#c59

No idea if that has been fixed upstream since, but that's why the
inetd-style socket activation units aren't shipped in Fedora.
--
Mathieu
Lennart Poettering
2012-06-20 06:44:26 UTC
Post by Mathieu Bridon
Post by Lennart Poettering
Post by Michael Olbrich
Hi,
Do you know of a service file for openssh-server?
The Fedora packages have some, but I don't like them too much since they
don't use socket activation...
Is someone actually working on real socket activation for openssh? While
the inetd like stuff works, it does not perform well.
it doesn't? In which way? It should be totally OK?
When we worked on porting the package to systemd units, we found that
the per-connection openssh process would exit with a non-zero status
https://bugzilla.redhat.com/show_bug.cgi?id=697698#c59
No idea if that has been fixed upstream since, but that's why the
inetd-style socket activation units aren't shipped in Fedora.
Well, but that's hardly a performance issue, and adding "-" to the
ExecStart= line makes this problem go away nicely.

Lennart
--
Lennart Poettering - Red Hat, Inc.
Mathieu Bridon
2012-06-20 06:52:26 UTC
Post by Lennart Poettering
Post by Mathieu Bridon
Post by Lennart Poettering
Post by Michael Olbrich
Hi,
Do you know of a service file for openssh-server?
The Fedora packages have some, but I don't like them too much since they
don't use socket activation...
Is someone actually working on real socket activation for openssh? While
the inetd like stuff works, it does not perform well.
it doesn't? In which way? It should be totally OK?
When we worked on porting the package to systemd units, we found that
the per-connection openssh process would exit with a non-zero status
https://bugzilla.redhat.com/show_bug.cgi?id=697698#c59
No idea if that has been fixed upstream since, but that's why the
inetd-style socket activation units aren't shipped in Fedora.
Well, but that's hardly a performance issue, and adding "-" to the
ExecStart= line makes this problem go away nicely.
That's what I had proposed at first, but the maintainer didn't want it
as that would also ignore actual errors.

I'm pretty sure that's the only thing blocking the addition of a
openssh-server-ondemand subpackage in Fedora though (the maintainer
doesn't want this to be the default if I recall correctly from the bz
ticket).
--
Mathieu
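The inetd-style activation the thread is arguing about, written out as an added example (these are not the Fedora or Debian units, and the unit names, paths and the Conflicts= line are assumptions): a socket unit with Accept=yes spawns one `sshd -i` per connection, and the service template shows the ExecStart= line both without and with the "-" prefix Lennart suggests, with the trade-off Mathieu's maintainer objected to noted in the comments.

```ini
# /etc/systemd/system/sshd.socket  (added example, not from the thread)
[Unit]
Description=OpenSSH per-connection server socket
# Assumed: the classic always-running sshd.service would also bind :22.
Conflicts=sshd.service

[Socket]
ListenStream=22
# Accept=yes: systemd accept()s each TCP connection itself and starts one
# instance of sshd@.service per connection, handing it the connected
# socket. This is the "inetd like" mode discussed above; no sshd process
# exists until a client connects, hence no boot-time or idle memory cost.
Accept=yes

[Install]
WantedBy=sockets.target

# /etc/systemd/system/sshd@.service  (template; one instance per connection)
[Unit]
Description=OpenSSH per-connection server daemon

[Service]
# -i tells sshd it was started inetd-style and must speak over stdin/stdout.
# With a plain path, the non-zero exit status described in the Fedora bug
# above makes systemd record every finished session as a failed unit:
#ExecStart=/usr/sbin/sshd -i
# The "-" prefix keeps the exit status in the journal but treats it as
# success. That silences the spurious failure, at the cost of also hiding
# genuine sshd errors, which is the objection raised in the last message.
ExecStart=-/usr/sbin/sshd -i
# Connect the accepted socket to the process's stdin (stdout follows it).
StandardInput=socket
```

After `systemctl daemon-reload` and `systemctl enable --now sshd.socket`, each live session is visible as its own instance under `systemctl list-units 'sshd@*'`, which is also where the "failed" state from the bug would show up with the uncommented plain ExecStart= line.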