Servers fail to bind to addresses at boot

miken32 asked:

I’m dealing with a known issue in RHEL 7 whereby services that specify an address to bind to will not start correctly. I’ve found a number of similar reports, many say they have been resolved with updates to systemd but I still face this problem. This affects all the services on my box (sshd, sshd, vsftpd, nginx) that don’t just bind to 0.0.0.0.

I’ve found all sorts of supposed workarounds but none of them work for me consistently. Taking sshd as an example, config looks like this:

Port 22
ListenAddress 192.168.242.225
...

Here’s what I’ve tried, alone and in combinations:

From https://bugzilla.redhat.com/show_bug.cgi?id=1352214#c4 (I’ve also tried sys-subsystem-net-devices-eth1.device in place of network-online.target but I suspect this doesn’t wait for addressing to happen.)

mkdir /etc/systemd/system/sshd.service.d
tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
After=network-online.target
EOF

From https://bugzilla.redhat.com/show_bug.cgi?id=1352214#c11

mkdir /etc/systemd/system/sshd.service.d
tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF

From https://bugzilla.redhat.com/show_bug.cgi?id=1438749#c0

systemctl add-wants multi-user.target network.target

From somewhere

mkdir /etc/systemd/system/sshd.service.requires
ln -s /usr/lib/systemd/system/network-online.target /etc/systemd/system/sshd.service.requires/

No matter what I try, I usually end up with “error: bind to port 22 on 192.168.242.125 failed: Cannot assign requested address”. Sometimes, everything starts up perfectly, which I am guessing is down to a timing issue.

Running Scientific Linux (RHEL) 7.5 and network manager is enabled, all IP addressing is static. If there are any other details that might help, please let me know. Here is the output of journalctl after a failed startup, with After=network-online.target in the sshd unit file. Relevant stuff starts down around line 1700. Hoping someone has come across this issue and solved it successfully!

My answer:


It may be better to not configure system services to listen on specific IP addresses, and to control access to them via the host firewall if necessary.

If you really need to be able to bind to specific IP addresses before they are configured on a network interface, you can work around the timing issue by setting the sysctl net.ipv4.ip_nonlocal_bind for IPv4 and the sysctl net.ipv6.ip_nonlocal_bind for IPv6. Services can then bind to IP addresses not configured on any network interface, but they will not be accessible until those IP addresses are configured on an interface.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.