You are not logged in.

#1 2022-04-07 18:07:37

scruffidog
Member
Registered: 2010-01-10
Posts: 18

trying to completely disable/deactivate connman-vpn from running

Using connman-141-1 and iwd-1.26-1 to manage network and various wireless protocols and for the most part, things are working to expectations. Biggest annoyance is trying to NOT have connman-vpnd start up as it is currently needed. Used the connman/iwd wiki guide to establish network connections via ethernet and wifi under different scenarios successfully. Was able to eliminate the connman-vpnd from triggering by creating a full systemd override:

/etc/systemd/system/connman_iwd.service:
[Unit]
Description=Connection service
DefaultDependencies=false
Conflicts=shutdown.target
RequiresMountsFor=/var/lib/connman
After=dbus.service network-pre.target systemd-sysusers.service iwd.service
Before=network.target multi-user.target shutdown.target
Wants=network.target
Requires=iwd.service

[Service]
Type=dbus
BusName=net.connman
Restart=on-failure
ExecStart=/usr/bin/connmand --noplugin=vpn --wifi=iwd_agent -n 
StandardOutput=null
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SYS_TIME CAP_SYS_MODULE
ProtectHome=true
ProtectSystem=true

[Install]

So this works fine initially, but the minute I invoke connmanctl interactively, something triggers and invokes connman-vpn systemd unit (I suspect this is being triggered by dbus ?)

What is the right way to disable/deactivate the triggering ?

Offline

#2 2022-04-07 19:03:03

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 16,501

Re: trying to completely disable/deactivate connman-vpn from running

if it's a systemd unit being invoked you can also mask it to prevent it from being started.

Offline

#3 2022-04-07 20:58:09

scruffidog
Member
Registered: 2010-01-10
Posts: 18

Re: trying to completely disable/deactivate connman-vpn from running

systemd shows that it is disabled so pretty sure it is not systemd invoking it:

$ systemctl status connman-vpn
○ connman-vpn.service - ConnMan VPN service
     Loaded: loaded (/usr/lib/systemd/system/connman-vpn.service; disabled; vendor preset: disabled)
     Active: inactive (dead)

Apr 07 13:31:15 victus connman-vpnd[2862]: eno1 {newlink} index 2 operstate 2 <DOWN>
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {create} index 3 type 1 <ETHER>
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {update} flags 69699 <UP,RUNNING,LOWER_UP>
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {newlink} index 3 address A8:93:4A:C8:E5:63 mtu 1500
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {newlink} index 3 operstate 6 <UP>
Apr 07 13:31:50 victus connman-vpnd[2862]: Terminating
Apr 07 13:31:50 victus connman-vpnd[2862]: eno1 {remove} index 2
Apr 07 13:31:50 victus connman-vpnd[2862]: wlan0 {remove} index 3
Apr 07 13:31:50 victus connman-vpnd[2862]: Exit
Apr 07 13:31:50 victus systemd[1]: connman-vpn.service: Deactivated successfully.

corresponding journal logs:

$ journalctl --unit=connman-vpn
Apr 07 13:31:15 victus systemd[1]: Starting ConnMan VPN service...
Apr 07 13:31:15 victus systemd[1]: Started ConnMan VPN service.
Apr 07 13:31:15 victus connman-vpnd[2862]: Connection Manager VPN daemon version 1.41
Apr 07 13:31:15 victus connman-vpnd[2862]: Can't load /usr/lib/connman/plugins-vpn/openconnect.so: libopenconnect.so.5: cannot open share>
Apr 07 13:31:15 victus connman-vpnd[2862]: lo {newlink} index 1 operstate 0 <UNKNOWN>
Apr 07 13:31:15 victus connman-vpnd[2862]: eno1 {create} index 2 type 1 <ETHER>
Apr 07 13:31:15 victus connman-vpnd[2862]: eno1 {update} flags 4098 <DOWN>
Apr 07 13:31:15 victus connman-vpnd[2862]: eno1 {newlink} index 2 address C8:5A:CF:A8:5B:91 mtu 1500
Apr 07 13:31:15 victus connman-vpnd[2862]: eno1 {newlink} index 2 operstate 2 <DOWN>
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {create} index 3 type 1 <ETHER>
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {update} flags 69699 <UP,RUNNING,LOWER_UP>
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {newlink} index 3 address A8:93:4A:C8:E5:63 mtu 1500
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {newlink} index 3 operstate 6 <UP>
Apr 07 13:31:50 victus connman-vpnd[2862]: Terminating
Apr 07 13:31:50 victus connman-vpnd[2862]: eno1 {remove} index 2
Apr 07 13:31:50 victus connman-vpnd[2862]: wlan0 {remove} index 3
Apr 07 13:31:50 victus connman-vpnd[2862]: Exit
Apr 07 13:31:50 victus systemd[1]: connman-vpn.service: Deactivated successfully.

the terminating is a result of manually killing the process.

As for masking, there was a few forum posts that made it seem like it was a bad thing, hence the full override. Other than doing something with dbus (which a walk-thru would really be nice!), is it possible that there are some undocumented/unfinished/unpolished pieces that may require upstream activities ?
The --plugin switch seems like a setting that belongs in the configuration file for one. Also, some method/documentation to query available or loaded plugins would be useful. It took some passing remark in some forum was I able to hit A true name (completely non-intuitive) that works. All attempts in using various invocations of elements found in /usr/lib/connman/plugins-vpn/*.so results in failure...

Offline

#4 2022-04-08 12:20:49

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 10,158

Re: trying to completely disable/deactivate connman-vpn from running

dbus kinda lacks tools to allow a user to block things from starting.

I've investigated this in the past and found these options exist :

- mask the systemd service (adds lots of messages about activation fail to log files)
- use NoExtract in pacman.conf to prevent the dbus service from being installed
- remove/replace the offending package
- write your own dbus helper that does allow blacklisting stuff
- use another PID 1

https://bbs.archlinux.org/viewtopic.php?id=261545 for some more background and links

Last edited by Lone_Wolf (2022-04-08 12:21:35)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
Did you use the guided installer ? If yes, I can't help you.

(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#5 2022-04-08 17:08:28

scruffidog
Member
Registered: 2010-01-10
Posts: 18

Re: trying to completely disable/deactivate connman-vpn from running

Lone_Wolf wrote:

dbus kinda lacks tools to allow a user to block things from starting.

....

https://bbs.archlinux.org/viewtopic.php?id=261545 for some more background and links

So it seems like there's some hard-coded default assumptions in dbus for a number of things, not just connman. The logical functional refactoring would be a combination of options 3) & 4). But given the number of different parties (projects, systemd, dbus, distros) involved, I doubt there's going to be any political will to drive this to a sensible resolution like the bitlocker -> git transition...

Offline

Board footer

Powered by FluxBB