Use systemd.device units instead of running systemctl enable/disable

[commiterate]

Description

systemd supports device units (systemd.device) which are dynamically created/deleted/reloaded on device hot-attach/hot-detach/change.

Update the udev rules and systemd unit files to use this instead of systemctl enable/disable.

Background

The current udev rules create/delete + start/stop systemd units by running systemctl enable/disable --now on ENI hot-attach/detach.

This is undesirable for a few reasons:

1. It doesn't work in distributions with an immutable /etc/systemd/system (e.g. NixOS).
   • systemctl enable/disable creates/deletes symlinks to systemd unit files elsewhere on the system (e.g. /lib/systemd/system) in /etc/systemd/system.
2. Interface-specific units are started automatically on reboot by systemd without input from udev.
   • If an instance is stopped, an ENI is detached, and the instance is started, there may be zombie service and timer units until udev emits a remove event (if it does it at all. It might not if there's a power outage or the system crashes and the ENI is removed before the subsequent boot).

Even without switching to systemd.device units, the udev rules should be doing systemctl start/stop instead of systemctl enable/disable.

See NixOS/nixpkgs#355111 (comment) for a more detailed discussion.

Notes

• The udev remove rule should also have the systemd tag to ensure device units are removed on hot-detach (USB device still active even after physically unplugged systemd/systemd#7587 (comment)).
• BindsTo= can be used to tie units together (e.g. the policy refresh service and timer units).
• Package should use systemd presets instead of enabling/disabling services #102 talks about using systemd presets (systemd.preset) instead, primarily to express that systemd-networkd should be used over NetworkManager.
  • This complects management of the network daemon with installing the systemd units. The systemd units should just gracefully not start or do a no-op if systemd-networkd isn't active (e.g. use Requisite=).

[arianvp]

i.e. idiomatic example would be:

SUBSYSTEM=="net", ACTION=="add", ENV{ID_NET_DRIVER}=="vif|ena|ixgbevf", SYSTEMD_WANTS="[email protected] [email protected]"

And then add this to the timer and service

[Unit]
Description=Set up policy routes for %I
BindsTo=%i.device # stops unit if the device goes away
After=%i.device
[Service]
ExecStart=policy-routes %I

The script would then get the full sysfs path as an argument (e.g. /sys/devices/pci0000:00/0000:00:05.0/net/ens5) instead of just the device name so the scripts need to be adjusted slightly

Systemd already adds TAG+=systemd to network devices so this should just work

[arianvp]

It doesn't work in distributions with an immutable /etc/systemd/system (e.g. NixOS).
systemctl enable/disable creates/deletes symlinks to systemd unit files elsewhere on the system (e.g. /lib/systemd/system) in /etc/systemd/system.

Because the unit files have nothing in their [Install] section I think this shouldnt be a problem. Basically systemctl enable/disable --now just act as systemctl start/stop because of it

[commiterate]

That happens to be the case today, but it should probably be fixed so it doesn't become a bug in the future (if it isn't already one today with ENI detach while the instance is stopped).