I’m dealing with a known issue in RHEL 7 whereby services that specify an address to bind to will not start correctly. I’ve found a number of similar reports, many say they have been resolved with updates to systemd but I still face this problem. This affects all the services on my box (sshd, vsftpd, nginx) that don’t just bind to 0.0.0.0.
I’ve found all sorts of supposed workarounds but none of them work for me consistently. Taking sshd as an example, config looks like this:
```
Port 22
ListenAddress 192.168.242.225
...
```
Here’s what I’ve tried, alone and in combinations:
From https://bugzilla.redhat.com/show_bug.cgi?id=1352214#c4 (I’ve also tried sys-subsystem-net-devices-eth1.device in place of network-online.target but I suspect this doesn’t wait for addressing to happen.)

```
mkdir /etc/systemd/system/sshd.service.d
tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
After=network-online.target
EOF
```

```
mkdir /etc/systemd/system/sshd.service.d
tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF
```

```
systemctl add-wants multi-user.target network.target
```

```
mkdir /etc/systemd/system/sshd.service.requires
ln -s /usr/lib/systemd/system/network-online.target /etc/systemd/system/sshd.service.requires/
```
No matter what I try, I usually end up with “error: bind to port 22 on 192.168.242.125 failed: Cannot assign requested address”. Sometimes, everything starts up perfectly, which I am guessing is down to a timing issue.
Running Scientific Linux (RHEL) 7.5 and network manager is enabled, all IP addressing is static. If there are any other details that might help, please let me know. Here is the output of journalctl after a failed startup, with After=network-online.target in the sshd unit file. Relevant stuff starts down around line 1700. Hoping someone has come across this issue and solved it successfully!
It may be better to not configure system services to listen on specific IP addresses, and to control access to them via the host firewall if necessary.
If you really need to be able to bind to specific IP addresses before they are configured on a network interface, you can work around the timing issue by setting the sysctl net.ipv4.ip_nonlocal_bind for IPv4 and the sysctl net.ipv6.ip_nonlocal_bind for IPv6. Services can then bind to IP addresses not configured on any network interface, but they will not be accessible until those IP addresses are configured on an interface.
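The failure quoted in the question, “Cannot assign requested address”, is the kernel's EADDRNOTAVAIL (errno 99 on Linux): the daemon asked to bind an address that no interface holds yet. The following is an added example, not code from the question or the answer, that pulls such failures out of journal output so you can see which units lost the race, reads the two ip_nonlocal_bind sysctls the answer refers to, and probes a bind to show the difference. The journal lines are constructed in the message formats sshd and nginx use; the host name, PIDs and the fd00::225 address are made up for the example.

```python
"""Find bind-before-address failures in journal output and inspect the
ip_nonlocal_bind workaround. Added example; sample journal lines are
constructed, not taken from the original poster's log."""
import errno
import re
import socket
from pathlib import Path

# journald short format: "Jul 10 08:01:02 host unit[pid]: message"
_PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<unit>[\w.@-]+)\[\d+\]: (?P<msg>.*)$")
# OpenSSH: "error: bind to port 22 on 192.168.242.225 failed: Cannot assign requested address"
_SSHD = re.compile(
    r"bind to port (?P<port>\d+) on (?P<addr>\S+?) failed: Cannot assign requested address",
    re.IGNORECASE,
)
# nginx: "[emerg] bind() to 192.168.242.225:80 failed (99: Cannot assign requested address)"
_NGINX = re.compile(
    r"bind\(\) to \[?(?P<addr>[^\]\s]+?)\]?:(?P<port>\d+) failed \(99: Cannot assign requested address\)"
)

# Constructed sample (not real data): one sshd failure, one nginx IPv4 failure,
# one nginx IPv6 failure, plus lines that must NOT be reported.
SAMPLE_JOURNAL = [
    "Jul 10 08:01:02 box systemd[1]: Started OpenSSH server daemon.",
    "Jul 10 08:01:02 box sshd[1201]: error: bind to port 22 on 192.168.242.225 failed: Cannot assign requested address.",
    "Jul 10 08:01:03 box nginx[1210]: nginx: [emerg] bind() to 192.168.242.225:80 failed (99: Cannot assign requested address)",
    "Jul 10 08:01:03 box nginx[1210]: nginx: [emerg] bind() to [fd00::225]:443 failed (99: Cannot assign requested address)",
    "Jul 10 08:01:04 box nginx[1210]: nginx: [emerg] bind() to 0.0.0.0:8080 failed (98: Address already in use)",
]


def parse_bind_failures(lines):
    """Return [{'unit', 'addr', 'port'}] for every EADDRNOTAVAIL bind failure
    that sshd or nginx logged; other errors (e.g. EADDRINUSE) are ignored."""
    found = []
    for line in lines:
        m = _PREFIX.match(line)
        if not m:
            continue
        for pat in (_SSHD, _NGINX):
            hit = pat.search(m.group("msg"))
            if hit:
                found.append({"unit": m.group("unit"),
                              "addr": hit.group("addr"),
                              "port": int(hit.group("port"))})
                break
    return found


def nonlocal_bind_enabled(proc_root="/proc/sys/net"):
    """Read net.ipv4.ip_nonlocal_bind and net.ipv6.ip_nonlocal_bind from /proc.
    Values are True/False, or None where the file cannot be read."""
    state = {}
    for fam in ("ipv4", "ipv6"):
        try:
            state[fam] = (Path(proc_root) / fam / "ip_nonlocal_bind").read_text().strip() == "1"
        except OSError:
            state[fam] = None
    return state


def bind_probe(addr, port=0):
    """Try a TCP bind; return None on success or the errno name on failure.
    An address no interface holds yields 'EADDRNOTAVAIL' unless ip_nonlocal_bind=1."""
    fam = socket.AF_INET6 if ":" in addr else socket.AF_INET
    with socket.socket(fam, socket.SOCK_STREAM) as s:
        try:
            s.bind((addr, port))
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))
    return None


if __name__ == "__main__":
    for f in parse_bind_failures(SAMPLE_JOURNAL):
        print(f"{f['unit']}: bind {f['addr']}:{f['port']} failed, address not configured at start")
    print("ip_nonlocal_bind:", nonlocal_bind_enabled())
    # 127.0.0.1 is always local; 192.0.2.1 (RFC 5737 TEST-NET-1) normally is not.
    print("bind 127.0.0.1 ->", bind_probe("127.0.0.1"))
    print("bind 192.0.2.1 ->", bind_probe("192.0.2.1"))
```

Run it against `journalctl -b --no-pager` output to confirm the race is the cause before touching the sysctls; and note the caveat in the answer still holds with ip_nonlocal_bind set: the bind succeeds, but nothing reaches the socket until the address actually lands on an interface.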
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.