systemd: ensure dbus is available for network services

Fix race condition where network services attempt to use D-Bus functionality
before the D-Bus broker is fully initialized:

1. Add DefaultDependencies=no to dbus.socket to allow D-Bus to start earlier
   in the boot process
2. Make network-pre.target require dbus-broker.service to ensure D-Bus is
   ready before network services start
3. Disable PrivateTmp for dbus-broker.service to remove dependency on
   systemd-tmpfiles and local-fs.target

Signed-off-by: Yutong Sun <[email protected]>

Author: ytsssun

packages/dbus-broker/dbus-broker.service

@@ -2,7 +2,9 @@
 Description=D-Bus System Message Bus
 Documentation=https://github.com/bus1/dbus-broker
 DefaultDependencies=false
-After=dbus.socket
+# Ensure the dbus user is created before starting dbus-broker
+After=dbus.socket systemd-sysusers.service
+Wants=dbus.socket systemd-sysusers.service
 Before=basic.target shutdown.target
 Requires=dbus.socket
 Conflicts=shutdown.target
@@ -13,7 +15,9 @@ Sockets=dbus.socket
 OOMScoreAdjust=-900
 LimitNOFILE=16384
 ProtectSystem=full
-PrivateTmp=true
+# Disable private /tmp to avoid dependency on systemd-tmpfiles and consequently
+# local-fs.target, allowing dbus to start earlier in the boot
+PrivateTmp=no
 PrivateDevices=true
 ExecStart=/usr/bin/dbus-broker-launch --scope system
 ExecReload=/usr/bin/busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig

packages/dbus-broker/dbus.socket

@@ -1,5 +1,10 @@
 [Unit]
 Description=D-Bus System Message Bus Socket
+# Disable DefaultDependencies to allow D-Bus to be started earlier in the boot
+# so that it is available for other services
+DefaultDependencies=no
+Before=shutdown.target sockets.target
+Conflicts=shutdown.target
 
 [Socket]
 ListenStream=/run/dbus/system_bus_socket

packages/release/network-pre-target-dbus-dep.conf

@@ -0,0 +1,10 @@
+[Unit]
+# Ensure D-Bus is fully initialized before network services start
+# This prevents a race condition where network services could attempt
+# to use D-Bus functionality (like networkctl commands) before the D-Bus
+# broker service is fully ready to handle requests.
+DefaultDependencies=no
+After=dbus-broker.service
+Requires=dbus-broker.service
+Before=shutdown.target
+Conflicts=shutdown.target

packages/release/release.spec

@@ -110,6 +110,7 @@ Source1107: systemd-journald-compat.conf
 Source1108: systemd-sysusers-selinux.conf
 Source1109: modprobe-no-exit.conf
 Source1110: tmp-mount-noexec.conf
+Source1111: network-pre-target-dbus-dep.conf
 
 # network link rules
 Source1200: 80-release.link
@@ -271,6 +272,10 @@ install -d %{buildroot}%{_cross_unitdir}/tmp.mount.d
 install -p -m 0644 %{S:1110} \
   %{buildroot}%{_cross_unitdir}/tmp.mount.d/10-no-exec.conf
 
+install -d %{buildroot}%{_cross_unitdir}/network-pre.target.d
+install -p -m 0644 %{S:1111} \
+  %{buildroot}%{_cross_unitdir}/network-pre.target.d/00-dbus-dep.conf
+
 # Empty (but packaged) directory. The FIPS packages for kernels will add drop-ins to
 # this directory to arrange for the right modules to be loaded before the check runs.
 install -d %{buildroot}%{_cross_unitdir}/check-fips-modules.service.d
@@ -386,6 +391,8 @@ ln -s preconfigured.target %{buildroot}%{_cross_unitdir}/default.target
 %{_cross_unitdir}/mask-local-mnt.service
 %{_cross_unitdir}/mask-local-opt.service
 %{_cross_unitdir}/mask-local-var.service
+%dir %{_cross_unitdir}/network-pre.target.d
+%{_cross_unitdir}/network-pre.target.d/00-dbus-dep.conf
 %{_cross_unitdir}/root-.aws.mount
 %{_cross_unitdir}/repart-data-preferred.service
 %{_cross_unitdir}/repart-data-fallback.service