sshd unexpectedly depending upon DNS and NTP through systemd

Description:

If systemd-time-wait-sync (for whatever reason) get stuck at startup also sshd.service won't start. This effectively introduces an unexpected dependency of sshd on DNS and NTP.

I just locked myself out of my server and spent a few hours debugging why changing networking settings prevented me from being able to reconnect via ssh even though the server was reachable via ping just fine.

Additional info:

  • package version(s): 9.9p1-2
  • config and/or log files: none
  • link to upstream bug report, if any: none

Steps to reproduce:

  1. Modify systemd-time-wait-sync.service to sleep indefinitely
  2. Reboot the system
  3. Look at output of systemctl status and notice sshd not having started (yet), despite the login prompt already showing and the system appearing to be up and running.

Even worse, systemd-time-wait-sync.service does not appear to have any built in timeout. And therefore sshd won't ever start and admins can very easily unexpectedly lock themselves out of the system when changing DNS or NTP.

Is there that could be done to remove this unexpected dependency of the ssh daemon on DNS and NTP again?

It looks like the dependency also get inherited through the sshdgenkeys.service service as well.

Would it be possible to add DefaultDependencies=no to both sshd.service and sshdgenkeys.service and thereby remove the implicit dependency upon sysinit.target and systemd-time-wait-sync.service?

(Edit: This alone appears to be not enough for the sshd.service, it is still stuck. However the sshdgenkeys.service now runs. Maybe that's because multi-user.target which the sshd service lists in [Install] WantedBy=multi-user.target also is in state waiting. Should this be ssh-access.target instead?)

Edit2: It's because of the pacman-init.service which has Before=sshd.service specified and also gets stuck. For some odd reason this Before= dependency doesn't cause it to show up in systemctl list-dependencies. Do we really need this dependency? Why do we have to initiate the pacman keyring before sshd is allowed to start anyway?

Edited by Klaus Frank
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information