RFC: disable ssh.service - enable ssh.socket AND switch firstlogin reload ssh to restart #6586

Merged


alexl83
Contributor

@alexl83 alexl83 commented May 12, 2024

Description

systemctl restart ssh prevents botching job if sshd is started by socket

How Has This Been Tested?

Quite harmless change which broadens systemctl tolerance towards services, no negative impacts expected

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • My changes generate no new warnings

@alexl83 alexl83 requested a review from a team as a code owner May 12, 2024 01:30
@github-actions github-actions bot added the size/small PR with less then 50 lines label May 12, 2024
@alexl83 alexl83 changed the title Switch firstlogin reload ssh to reload-or-restart Switch firstlogin reload ssh to restart May 12, 2024
EvilOlaf
EvilOlaf previously approved these changes May 12, 2024
Member

@EvilOlaf EvilOlaf left a comment

Not sure how this should fix things. There is most likely a reason why sshd refuses to work at first start but debugging is always difficult when an expected behavior is not reproducible.

On the other hand it probably won't make things worse. That way even the comment above fits 😁

@igorpecovnik igorpecovnik added Ready to merge Reviewed, tested and ready for merge 05 Milestone: Second quarter release labels May 12, 2024
@alexl83
Contributor Author

alexl83 commented May 12, 2024

> Not sure how this should fix things. There is most likely a reason why sshd refuses to work at first start but debugging is always difficult when an expected behavior is not reproducible.
>
> On the other hand it probably won't make things worse. That way even the comment above fits 😁

I assume it's some kind of race condition, it appeared for me last couple of days on trixie
On default "experience" ssh starts 1 time every 2 or 3 reboots

I "fix" it by customize.sh, disabling sshd.service and enabling sshd.socket: this way it always starts on first boot (I perform root pwd change, user creation, and locale setting via ssh, completely headless)

Then during firstlogin.service systemctl fails to reload sshd.service (while triggered via socket)

"systemctl reload-or-restart" seemed to work but really it does 1 out of 2 times, while "systemctl restart" always works (used manually) - I pushed second commit out of faith while recompiling the image but then fell asleep

Going to test it in an hour, fingers crossed

Key takeaway for me is to move default setup from sshd.service to sshd.socket

Thanks for your trust and for reading this whole nerdy rant :)

@alexl83
Contributor Author

alexl83 commented May 12, 2024

seems to work, no systemctl error after
You selected ZSH as your default shell. If you want to use it right away, please logout and login!
If anyone has a better solution than mine based on customize.sh to have the rootfs created with sshd.service disabled and ssh.socket enabled, we could completely fix it in the framework directly, not needing user intervention in customizing the dark side of systemd!

@igorpecovnik
Member

> if anyone has a better solution than mine

We just need to test this solution better (on stable user spaces) before merging it, if fix is provided right before release.

@alexl83
Contributor Author

alexl83 commented May 12, 2024

Agreed, I'm testing an additional supplementary PR that moves ssh from service to socket in distro-agnostic.sh

If it works as I expect I'm going to propose it as an RFC

Thanks @igorpecovnik!

- more reliable, avoids possible race condition on first boot
- supplementary to PR#6586 - and commits ffee50a and 6725032
@alexl83 alexl83 force-pushed the fix_armbian-firstlogin_ssh_restart-or-reload branch from 9fe4fa4 to 30c47f6 Compare May 12, 2024 12:11
@alexl83 alexl83 changed the title Switch firstlogin reload ssh to restart RFC: disable ssh.service - enable ssh.socket AND switch firstlogin reload ssh to restart May 12, 2024
@alexl83
Contributor Author

alexl83 commented May 12, 2024

it works for me, IMHO it makes sense to avoid a statically-enabled network service in favour of a trigger by socket
test output:

```
kali@kalian:~$ systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/usr/lib/systemd/system/ssh.service; disabled; preset: enabled)
     Active: active (running) since Sun 2024-05-12 14:08:35 CEST; 13s ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 2655 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 2657 (sshd)
      Tasks: 1 (limit: 18362)
     Memory: 2.7M (peak: 19.8M)
        CPU: 389ms
     CGroup: /system.slice/ssh.service
             └─2657 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
```

able to connect via ssh on first boot on first try, no issues during armbian-firstlogin process restarting sshd
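
The thread's goal is a rootfs with ssh.service disabled and ssh.socket enabled. The following is an added example, not code from this PR or from the Armbian build framework, that audits a rootfs tree for that state offline. It assumes Debian-style unit names and the default symlink locations written by `systemctl enable`; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a built rootfs tree for how sshd will be activated.
# Assumes Debian-style unit names (ssh.service, ssh.socket) and the default
# enablement symlink locations created by `systemctl enable`.

# unit_state ROOTFS WANTS_DIR UNIT -> prints enabled | disabled | masked
unit_state() {
    sysd="$1/etc/systemd/system"
    # A unit is masked when /etc/systemd/system/<unit> links to /dev/null.
    if [ -L "$sysd/$3" ] && [ "$(readlink "$sysd/$3")" = "/dev/null" ]; then
        echo masked
    elif [ -L "$sysd/$2/$3" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# ssh_activation_mode ROOTFS -> prints socket | service | both | none
ssh_activation_mode() {
    svc=$(unit_state "$1" multi-user.target.wants ssh.service)
    sock=$(unit_state "$1" sockets.target.wants ssh.socket)
    case "$svc:$sock" in
        enabled:enabled) echo both ;;     # static service and socket together
        *:enabled)       echo socket ;;   # layout described in this PR
        enabled:*)       echo service ;;  # statically enabled daemon
        *)               echo none ;;     # nothing enabled to start sshd
    esac
}

# make_sample_rootfs DIR MODE: constructed fixture so the audit runs offline
make_sample_rootfs() {
    mkdir -p "$1/etc/systemd/system/multi-user.target.wants" \
             "$1/etc/systemd/system/sockets.target.wants"
    case "$2" in
        service) ln -s /usr/lib/systemd/system/ssh.service \
                    "$1/etc/systemd/system/multi-user.target.wants/ssh.service" ;;
        socket)  ln -s /usr/lib/systemd/system/ssh.socket \
                    "$1/etc/systemd/system/sockets.target.wants/ssh.socket" ;;
    esac
}

demo=$(mktemp -d)
make_sample_rootfs "$demo/a" service
make_sample_rootfs "$demo/b" socket
echo "image a: $(ssh_activation_mode "$demo/a")"
echo "image b: $(ssh_activation_mode "$demo/b")"
rm -rf "$demo"
```

Run `ssh_activation_mode` against a mounted image root (for example at the end of customize.sh) to confirm which unit is enabled before first boot.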

@igorpecovnik igorpecovnik merged commit fe64f1f into armbian:main May 17, 2024
7 checks passed
@alexl83 alexl83 deleted the fix_armbian-firstlogin_ssh_restart-or-reload branch May 17, 2024 19:50
rpardini added a commit to armsurvivors/armbian-build that referenced this pull request May 18, 2024
rpardini added a commit to armsurvivors/armbian-build that referenced this pull request May 20, 2024
rpardini added a commit to armsurvivors/armbian-build that referenced this pull request May 21, 2024
rpardini added a commit to armsurvivors/armbian-build that referenced this pull request May 22, 2024
rpardini added a commit to armsurvivors/armbian-build that referenced this pull request May 27, 2024