You are not logged in.
- Topics: Active | Unanswered
#1 2022-04-07 18:07:37
- scruffidog
- Member
- Registered: 2010-01-10
- Posts: 26
trying to completely disable/deactivate connman-vpn from running
Using connman-141-1 and iwd-1.26-1 to manage network and various wireless protocols and for the most part, things are working to expectations. Biggest annoyance is trying to NOT have connman-vpnd start up as it is currently needed. Used the connman/iwd wiki guide to establish network connections via ethernet and wifi under different scenarios successfully. Was able to eliminate the connman-vpnd from triggering by creating a full systemd override:
/etc/systemd/system/connman_iwd.service:
[Unit]
Description=Connection service
DefaultDependencies=false
Conflicts=shutdown.target
RequiresMountsFor=/var/lib/connman
After=dbus.service network-pre.target systemd-sysusers.service iwd.service
Before=network.target multi-user.target shutdown.target
Wants=network.target
Requires=iwd.service
[Service]
Type=dbus
BusName=net.connman
Restart=on-failure
ExecStart=/usr/bin/connmand --noplugin=vpn --wifi=iwd_agent -n
StandardOutput=null
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SYS_TIME CAP_SYS_MODULE
ProtectHome=true
ProtectSystem=true
[Install]So this works fine initially, but the minute I invoke connmanctl interactively, something triggers and invokes connman-vpn systemd unit (I suspect this is being triggered by dbus ?)
What is the right way to disable/deactivate the triggering ?
Offline
#2 2022-04-07 19:03:03
- V1del
- Forum Moderator
- Registered: 2012-10-16
- Posts: 23,927
Re: trying to completely disable/deactivate connman-vpn from running
if it's a systemd unit being invoked you can also mask it to prevent it from being started.
Offline
#3 2022-04-07 20:58:09
- scruffidog
- Member
- Registered: 2010-01-10
- Posts: 26
Re: trying to completely disable/deactivate connman-vpn from running
systemd shows that it is disabled so pretty sure it is not systemd invoking it:
$ systemctl status connman-vpn
○ connman-vpn.service - ConnMan VPN service
Loaded: loaded (/usr/lib/systemd/system/connman-vpn.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Apr 07 13:31:15 victus connman-vpnd[2862]: eno1 {newlink} index 2 operstate 2 <DOWN>
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {create} index 3 type 1 <ETHER>
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {update} flags 69699 <UP,RUNNING,LOWER_UP>
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {newlink} index 3 address A8:93:4A:C8:E5:63 mtu 1500
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {newlink} index 3 operstate 6 <UP>
Apr 07 13:31:50 victus connman-vpnd[2862]: Terminating
Apr 07 13:31:50 victus connman-vpnd[2862]: eno1 {remove} index 2
Apr 07 13:31:50 victus connman-vpnd[2862]: wlan0 {remove} index 3
Apr 07 13:31:50 victus connman-vpnd[2862]: Exit
Apr 07 13:31:50 victus systemd[1]: connman-vpn.service: Deactivated successfully.corresponding journal logs:
$ journalctl --unit=connman-vpn
Apr 07 13:31:15 victus systemd[1]: Starting ConnMan VPN service...
Apr 07 13:31:15 victus systemd[1]: Started ConnMan VPN service.
Apr 07 13:31:15 victus connman-vpnd[2862]: Connection Manager VPN daemon version 1.41
Apr 07 13:31:15 victus connman-vpnd[2862]: Can't load /usr/lib/connman/plugins-vpn/openconnect.so: libopenconnect.so.5: cannot open share>
Apr 07 13:31:15 victus connman-vpnd[2862]: lo {newlink} index 1 operstate 0 <UNKNOWN>
Apr 07 13:31:15 victus connman-vpnd[2862]: eno1 {create} index 2 type 1 <ETHER>
Apr 07 13:31:15 victus connman-vpnd[2862]: eno1 {update} flags 4098 <DOWN>
Apr 07 13:31:15 victus connman-vpnd[2862]: eno1 {newlink} index 2 address C8:5A:CF:A8:5B:91 mtu 1500
Apr 07 13:31:15 victus connman-vpnd[2862]: eno1 {newlink} index 2 operstate 2 <DOWN>
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {create} index 3 type 1 <ETHER>
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {update} flags 69699 <UP,RUNNING,LOWER_UP>
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {newlink} index 3 address A8:93:4A:C8:E5:63 mtu 1500
Apr 07 13:31:15 victus connman-vpnd[2862]: wlan0 {newlink} index 3 operstate 6 <UP>
Apr 07 13:31:50 victus connman-vpnd[2862]: Terminating
Apr 07 13:31:50 victus connman-vpnd[2862]: eno1 {remove} index 2
Apr 07 13:31:50 victus connman-vpnd[2862]: wlan0 {remove} index 3
Apr 07 13:31:50 victus connman-vpnd[2862]: Exit
Apr 07 13:31:50 victus systemd[1]: connman-vpn.service: Deactivated successfully.the terminating is a result of manually killing the process.
As for masking, there was a few forum posts that made it seem like it was a bad thing, hence the full override. Other than doing something with dbus (which a walk-thru would really be nice!), is it possible that there are some undocumented/unfinished/unpolished pieces that may require upstream activities ?
The --plugin switch seems like a setting that belongs in the configuration file for one. Also, some method/documentation to query available or loaded plugins would be useful. It took some passing remark in some forum was I able to hit A true name (completely non-intuitive) that works. All attempts in using various invocations of elements found in /usr/lib/connman/plugins-vpn/*.so results in failure...
Offline
#4 2022-04-08 12:20:49
- Lone_Wolf
- Administrator
- From: Netherlands, Europe
- Registered: 2005-10-04
- Posts: 13,279
Re: trying to completely disable/deactivate connman-vpn from running
dbus kinda lacks tools to allow a user to block things from starting.
I've investigated this in the past and found these options exist :
- mask the systemd service (adds lots of messages about activation fail to log files)
- use NoExtract in pacman.conf to prevent the dbus service from being installed
- remove/replace the offending package
- write your own dbus helper that does allow blacklisting stuff
- use another PID 1
https://bbs.archlinux.org/viewtopic.php?id=261545 for some more background and links
Last edited by Lone_Wolf (2022-04-08 12:21:35)
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Online
#5 2022-04-08 17:08:28
- scruffidog
- Member
- Registered: 2010-01-10
- Posts: 26
Re: trying to completely disable/deactivate connman-vpn from running
dbus kinda lacks tools to allow a user to block things from starting.
....
https://bbs.archlinux.org/viewtopic.php?id=261545 for some more background and links
So it seems like there's some hard-coded default assumptions in dbus for a number of things, not just connman. The logical functional refactoring would be a combination of options 3) & 4). But given the number of different parties (projects, systemd, dbus, distros) involved, I doubt there's going to be any political will to drive this to a sensible resolution like the bitlocker -> git transition...
Offline