majorlinux/majorwiki
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ssh.socket wiki: correct BindsTo→Requires, add warning

Browse source 
BindsTo=tailscaled.service causes a systemd ordering cycle that
prevents ssh.socket from starting on reboot. Updated the recommended
fix to use Requires= and added a warning admonition explaining why
BindsTo must not be used. Added tttpod-hetzner to affected hosts
list and linked the 2026-05-23 dcaprod incident.
This commit is contained in:
Marcus Summers 2026-05-23 02:40:04 -04:00
parent 318f50c50b
commit 3b8c8b0597
1 changed files with 7 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
05-troubleshooting/networking/ssh-socket-tailscale-race-condition.md
View file

@ -35,7 +35,7 @@ Add Tailscale dependency to the socket override:
# /etc/systemd/system/ssh.socket.d/override.conf # /etc/systemd/system/ssh.socket.d/override.conf
[Unit] [Unit]
After=tailscaled.service After=tailscaled.service
BindsTo=tailscaled.service Requires=tailscaled.service
[Socket] [Socket]
ListenStream= ListenStream=
@ -51,11 +51,14 @@ systemctl status ssh.socket # verify Listen: shows correct IP
``` ```
- `After=` ensures the socket waits for Tailscale to start - `After=` ensures the socket waits for Tailscale to start
- `BindsTo=` restarts the socket if Tailscale restarts, preventing stale binds - `Requires=` ensures tailscaled must be running for the socket to activate
!!! warning "Do NOT use BindsTo"
`BindsTo=tailscaled.service` creates a **systemd ordering cycle** during shutdown: `basic.target → sockets.target → ssh.socket → tailscaled.service → basic.target`. Systemd breaks the cycle by deleting jobs unpredictably, which can prevent `ssh.socket` from starting on the next boot — leaving SSH dead until manual intervention. This was discovered on 2026-05-23 after the original fix (2026-05-19) used `BindsTo` and caused a second outage on dcaprod-hetzner. `Requires` provides the startup dependency without the dangerous bidirectional lifecycle coupling.
### Affected Hosts ### Affected Hosts
Ubuntu hosts using `configure_tailscale_ssh_only.yml`: majorlinux, dcaprod-hetzner. Fedora hosts (majordiscord) use firewall rules for SSH restriction — not affected by this race. Ubuntu hosts using `configure_tailscale_ssh_only.yml`: majorlinux, dcaprod-hetzner, tttpod-hetzner. Fedora hosts (majordiscord) use firewall rules for SSH restriction — not affected by this race.
--- ---
@ -116,4 +119,5 @@ All hosts where Tailscale is the primary access path. Particularly impactful on
- [[dcaprod#2026-05-19 — SSH unreachable due to ssh.socket race condition with Tailscale]] - [[dcaprod#2026-05-19 — SSH unreachable due to ssh.socket race condition with Tailscale]]
- [[majordiscord#2026-05-19 — Tailscale boot race: unreachable after Ansible reboot]] - [[majordiscord#2026-05-19 — Tailscale boot race: unreachable after Ansible reboot]]
- [[majorlinux#2026-05-19 — ssh.socket override patched: added Tailscale dependency]] - [[majorlinux#2026-05-19 — ssh.socket override patched: added Tailscale dependency]]
- [[dcaprod#2026-05-23 — SSH unreachable again: BindsTo ordering cycle in ssh.socket override]]
- Ansible: `configure_tailscale_ssh_only.yml`, `configure_tailscale_network_wait.yml` - Ansible: `configure_tailscale_ssh_only.yml`, `configure_tailscale_network_wait.yml`