I have a bunch of Debian stretch machines with systemd where I find that tinc starts too early during boot, and fails to work.

Typically it is running, but printing out

Apr 14 00:53:41 db7 tinc[3077]: Can't write to Linux tun/tap device (tun mode) /dev/net/tun: Input/output error

regularly. Unfortunately because it is running systemd does not restart it, even though it's not actually working. Restarting it manually fixes this.

I just had another case where it didn't even start properly during boot; fortunately it exits so systemd tries again later and all is good.

Apr 16 06:54:43 dbtest3 tinc[3206]: tincd 1.1pre14 (Jun 5 2017 01:24:43) starting, debug level 0
Apr 16 06:54:43 dbtest3 tinc[3206]: /dev/net/tun is a Linux tun/tap device (tun mode)
Apr 16 06:54:43 dbtest3 tinc[3206]: Error starting /usr/sbin/tincd
Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCSIFADDR: No such device
Apr 16 06:54:43 dbtest3 tinc[3206]: rsvpn: ERROR while getting interface flags: No such device
Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCSIFNETMASK: No such device
Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCADDRT: No such device
Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCADDRT: No such device
Apr 16 06:54:43 dbtest3 tinc[3311]: Cannot read greeting from control socket: Connection reset by peer
Apr 16 06:54:43 dbtest3 tinc[3311]: Could not send TERM signal to process with PID 3218: No such process

These machines are using DHCP configured in /etc/network/interfaces although I also have some using static IPs.

The tinc.service file says that tinc should start after networking (After=network.target). I wonder if After=network-online.target might be better? As defined by https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

I changed my local copy and tinc came up on boot successfully.

Hamish

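The "running but not working" state described in the message above can be detected from the log itself. The following is an added example, not code from the thread: it counts tun write errors per host and discards those logged before that host's most recent tincd start. The function names, the threshold and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the syslog format quoted in the thread.
sample_log() {
    cat <<'EOF'
Apr 14 00:53:41 db7 tinc[3077]: Can't write to Linux tun/tap device (tun mode) /dev/net/tun: Input/output error
Apr 14 00:53:56 db7 tinc[3077]: Can't write to Linux tun/tap device (tun mode) /dev/net/tun: Input/output error
Apr 14 00:54:11 db7 tinc[3077]: Can't write to Linux tun/tap device (tun mode) /dev/net/tun: Input/output error
Apr 16 08:03:31 dbtest3 tincd[3152]: Can't write to Linux tun/tap device (tun mode) /dev/net/tun: Input/output error
Apr 16 08:03:46 dbtest3 tincd[3152]: Can't write to Linux tun/tap device (tun mode) /dev/net/tun: Input/output error
Apr 16 08:05:02 dbtest3 tincd[3410]: tincd 1.1pre14 (Jun 5 2017 01:24:43) starting, debug level 0
Apr 16 08:05:02 dbtest3 tincd[3410]: Ready
Apr 16 08:05:20 dbtest3 sshd[3500]: Can't write to Linux tun/tap device (not a tinc line)
EOF
}

# Read syslog lines on stdin and print "HOST COUNT" for each host whose
# current tinc instance logged at least $1 (default 3) tun write errors.
# A later "starting" line means tinc was restarted, so earlier errors
# from that host are stale and the counter is reset.
tinc_stuck_hosts() {
    awk -v min="${1:-3}" '
        $5 !~ /^tincd?\[[0-9]+\]:$/ { next }          # only tinc/tincd lines
        / tincd [^ ]+ .*starting, debug level/ { errs[$4] = 0; next }
        /Can.t write to Linux tun\/tap device/ { errs[$4]++ }
        END { for (h in errs) if (errs[h] >= min) print h, errs[h] }
    ' | LC_ALL=C sort
}

# Exit status 0 when at least one host is stuck, for use in a timer or
# monitoring check fed from the journal (the feeding command is up to you).
tinc_is_stuck() {
    [ -n "$(tinc_stuck_hosts "$@")" ]
}
```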
On Mon, Apr 16, 2018 at 09:10:02AM +1000, Hamish Moffatt wrote:

> I have a bunch of Debian stretch machines with systemd where I find that
> tinc starts too early during boot, and fails to work.
>
> Typically it is running, but printing out
>
> Apr 14 00:53:41 db7 tinc[3077]: Can't write to Linux tun/tap device (tun mode) /dev/net/tun: Input/output error
[...]
> Apr 16 06:54:43 dbtest3 tinc[3206]: tincd 1.1pre14 (Jun 5 2017 01:24:43) starting, debug level 0
> Apr 16 06:54:43 dbtest3 tinc[3206]: /dev/net/tun is a Linux tun/tap device (tun mode)
> Apr 16 06:54:43 dbtest3 tinc[3206]: Error starting /usr/sbin/tincd
> Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCSIFADDR: No such device
> Apr 16 06:54:43 dbtest3 tinc[3206]: rsvpn: ERROR while getting interface flags: No such device
> Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCSIFNETMASK: No such device
> Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCADDRT: No such device
> Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCADDRT: No such device

That sounds like tinc's tun interface is not being configured correctly.
Can you show us your tinc-up script?

> The tinc.service file says that tinc should start after networking
> (After=network.target). I wonder if After=network-online.target might be
> better? As defined by
> https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
>
> I changed my local copy and tinc came up on boot successfully.

Hm, tinc itself should handle the network not being online just fine. It
will automatically retry after a while if it cannot make any outgoing
connections.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>

On Wed, Apr 18, 2018, 1:54 PM Guus Sliepen <guus at tinc-vpn.org> wrote:

> > That sounds like tinc's tun interface is not being configured correctly.
> > Can you show us your tinc-up script?

> regularly. Unfortunately because it is running systemd does not restart
> it, even though it's not actually working. Restarting it manually fixes this.

Seems to me tinc-up is working for Hamish, No. It sounds like tinc is trying to outrun the loading of the tap module, and I had the same issue.

Note "SIOCSIFADDR: No such device": tinc is outrunning key network modules and scripts that allow, among other things, tun/tap device MAC assignment. Even in router mode where "mac does not exist" the virtual interface must still be able to be assigned one by the network stack, and this early in loading it is not able to.

> The tinc.service file says that tinc should start after networking
> (After=network.target). I wonder if After=network-online.target might be
> better? As defined by
> https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
>
> I changed my local copy and tinc came up on boot successfully.

This is a workaround, as it causes tinc to load later; the network stack is fully available at this point.

Let us remember that systemd can load multiple systems and services in tandem. tinc being set to load "After=network.target" simply means after the first script for networking has returned a running status to systemd; this does not however mean that networking is fully ready to handle virtual devices. This was not an issue on initd systems, as initd waits till each service is fully up before loading the next.

Another issue that comes into play is that the system user permissions system needs to be loaded, so that access to the tun/tap device may be checked.

[Unit]
Description=Tinc VPN
After=network.target
Requires=network.target

may also help, as it makes network.target a hard dependency before tinc even tries to start.

On 19/04/18 06:46, Guus Sliepen wrote:
> On Mon, Apr 16, 2018 at 09:10:02AM +1000, Hamish Moffatt wrote:
>
>> Apr 16 06:54:43 dbtest3 tinc[3206]: tincd 1.1pre14 (Jun 5 2017 01:24:43) starting, debug level 0
>> Apr 16 06:54:43 dbtest3 tinc[3206]: /dev/net/tun is a Linux tun/tap device (tun mode)
>> Apr 16 06:54:43 dbtest3 tinc[3206]: Error starting /usr/sbin/tincd
>> Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCSIFADDR: No such device
>> Apr 16 06:54:43 dbtest3 tinc[3206]: rsvpn: ERROR while getting interface flags: No such device
>> Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCSIFNETMASK: No such device
>> Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCADDRT: No such device
>> Apr 16 06:54:43 dbtest3 tinc[3206]: SIOCADDRT: No such device
> That sounds like tinc's tun interface is not being configured correctly.
> Can you show us your tinc-up script?

Yes that turned out to be the problem. I was using DNS in my tinc-up script (so I can get the local VPN address from the DNS using $HOST.myvpndomain, rather than customising the script for every host):

ifconfig $INTERFACE $NAME.myvpndomain netmask 255.255.0.0

This was running before the network was up, so it failed. I modified the script to return an error, and then tinc logged the following:

Apr 16 08:03:16 dbtest3 tincd[3152]: /dev/net/tun is a Linux tun/tap device (tun mode)
Apr 16 08:03:16 dbtest3 tincd[3152]: dbtest3.[redacted]: Host name lookup failure
Apr 16 08:03:16 dbtest3 tincd[3152]: ifconfig: `--help' gives usage information.
Apr 16 08:03:16 dbtest3 tincd[3152]: SIOCADDRT: Network is down
Apr 16 08:03:16 dbtest3 tincd[3152]: SIOCADDRT: Network is down
Apr 16 08:03:16 dbtest3 tincd[3152]: Script tinc-up exited with non-zero status 7
Apr 16 08:03:16 dbtest3 tincd[3152]: Ready
Apr 16 08:03:16 dbtest3 tincd[3152]: Error looking up [redacted] port 655: Temporary failure in name resolution
Apr 16 08:03:16 dbtest3 tincd[3152]: Error looking up [redacted2] port 655: Temporary failure in name resolution
Apr 16 08:03:31 dbtest3 tincd[3152]: Can't write to Linux tun/tap device (tun mode) /dev/net/tun: Input/output error

but then it kept running with a broken tun interface. Might it be better to exit if the tinc-up script fails?

Actually changing the systemd unit to wait for network-online didn't help as the DNS still wasn't reliable at that stage. I also converted all my hosts from legacy ifupdown configuration to systemd network configuration thinking that might be the reason why tinc was started too early but it didn't help.

Ultimately I used DeviceStandby=yes in the configuration. Then by the time tincd can find the ConnectTo hosts (which are specified by hostname), the tinc-up script will also be successful.

Hamish
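
An alternative to passing a host name straight to ifconfig, as an added example that is not code from the thread: a tinc-up that resolves its own VPN address with a bounded retry, accepts only an IPv4 literal, and exits non-zero otherwise. VPN_DOMAIN, RESOLVER, TRIES and DELAY are assumed names, and `getent ahostsv4` is assumed to be available on the host.

```shell
#!/bin/sh
# Assumed tunables (not from the thread); override via the environment.
VPN_DOMAIN=${VPN_DOMAIN:-myvpndomain}   # domain name used in the thread
RESOLVER=${RESOLVER:-getent ahostsv4}   # prints "ADDR TYPE [NAME]" lines
TRIES=${TRIES:-10}                      # lookup attempts before giving up
DELAY=${DELAY:-3}                       # seconds between attempts

# Succeed only for a single-line dotted-quad IPv4 literal, so a failed or
# odd lookup result never reaches ifconfig as an argument.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NR > 1 || NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# Print the first IPv4 address for host name $1, retrying while DNS is
# not yet usable; return 1 once TRIES attempts have failed.
resolve_vpn_addr() {
    attempt=1
    while [ "$attempt" -le "$TRIES" ]; do
        addr=$($RESOLVER "$1" 2>/dev/null | awk 'NR == 1 { print $1 }')
        if is_ipv4 "$addr"; then
            printf '%s\n' "$addr"
            return 0
        fi
        attempt=$((attempt + 1))
        [ "$attempt" -le "$TRIES" ] && sleep "$DELAY"
    done
    return 1
}

# tinc exports INTERFACE and NAME to tinc-up; without them (for example
# when this file is sourced for testing) nothing is configured.
if [ -n "${INTERFACE:-}" ] && [ -n "${NAME:-}" ]; then
    addr=$(resolve_vpn_addr "$NAME.$VPN_DOMAIN") || {
        echo "tinc-up: cannot resolve $NAME.$VPN_DOMAIN" >&2
        exit 1
    }
    ifconfig "$INTERFACE" "$addr" netmask 255.255.0.0 || exit 1
fi
```

As the log in the message above shows, tincd records the non-zero tinc-up status and keeps running, so the bounded retry is what narrows the boot-time window; the exit status only makes the failure visible in the log.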