systemd circular dependency caused by cloud-init and firewalld #6502
Description
Bug report
systemd circular dependency with cloud-init and firewalld
Just heads up that if you have cloud-init and firewalld you'd face issue that firewalld won't start after reboot with error Job firewalld.service/start deleted to break ordering cycle starting with network-pre.target/start
Systemd detects this circular dependency at boot and breaks the cycle by:
- Deleting firewalld.service/start job
- Allowing network-pre.target to complete immediately (no firewalld to wait for)
- Network starts → cloud-init completes → sysinit completes → basic completes
- Boot continues, but firewalld never starts
Steps to reproduce the problem
- Get instance with Ubuntu 24.04 image that includes cloud-init installed.
- Install firewalld
"apt install firewalld && systemctl enable --now firewalld - Restart system/server and get firewalld down
Environment details
- Cloud-init version: /usr/bin/cloud-init 25.2-0ubuntu1~24.04.1
- Operating System Distribution: "24.04.3 LTS (Noble Numbat)" | Linux 6.8.0-85-generic fix invalid json in tools/.lp-to-git-user #85-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 18 15:26:59 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
- Cloud provider, platform or installer type: DigitalOcean
cloud-init logs
Oct 06 10:49:38 whatchamacallit systemd[1]: Detected virtualization kvm.
Oct 06 10:49:38 whatchamacallit systemd[1]: Detected architecture x86-64.
Oct 06 10:49:38 whatchamacallit systemd[1]: Hostname set to <cooeemobile>.
Oct 06 10:49:38 whatchamacallit systemd[1]: network-pre.target: Found ordering cycle on firewalld.service/start
Oct 06 10:49:38 whatchamacallit systemd[1]: network-pre.target: Found dependency on polkit.service/start
Oct 06 10:49:38 whatchamacallit systemd[1]: network-pre.target: Found dependency on basic.target/start
Oct 06 10:49:38 whatchamacallit systemd[1]: network-pre.target: Found dependency on sockets.target/start
Oct 06 10:49:38 whatchamacallit systemd[1]: network-pre.target: Found dependency on snapd.socket/start
Oct 06 10:49:38 whatchamacallit systemd[1]: network-pre.target: Found dependency on sysinit.target/start
Oct 06 10:49:38 whatchamacallit systemd[1]: network-pre.target: Found dependency on cloud-init.service/start
Oct 06 10:49:38 whatchamacallit systemd[1]: network-pre.target: Found dependency on systemd-networkd-wait-online.service/start
Oct 06 10:49:38 whatchamacallit systemd[1]: network-pre.target: Found dependency on systemd-networkd.service/start
Oct 06 10:49:38 whatchamacallit systemd[1]: network-pre.target: Found dependency on network-pre.target/start
Oct 06 10:49:38 whatchamacallit systemd[1]: network-pre.target: Job firewalld.service/start deleted to break ordering cycle starting with network-pre.target/start
Oct 06 10:49:38 whatchamacallit systemd[1]: Queued start job for default target graphical.target.
Dependency chain that creates the loop:
sysinit.target
↓ (After=cloud-init.service)
↓ [sysinit waits for cloud-init to complete]
↓
cloud-init.service
↓ (After=systemd-networkd-wait-online.service)
↓ [cloud-init waits for network to be online]
↓
systemd-networkd-wait-online.service
↓ (After=systemd-networkd.service)
↓ [wait-online waits for networkd to start]
↓
systemd-networkd.service
↓ (After=network-pre.target)
↓ [networkd waits for network-pre to complete]
↓
network-pre.target
↓ (After=firewalld.service)
↓ [network-pre waits for firewalld to start]
↓
firewalld.service
↓ (After=polkit.service)
↓ [firewalld waits for polkit to be ready]
↓
polkit.service
↓ (After=basic.target)
↓ [polkit waits for basic to complete]
↓
basic.target
↓ (Requires=sysinit.target)
↓ [basic REQUIRES sysinit to complete first]
↓
sysinit.target => CYCLE!
The dependency does not occur if:
- no firewalld but cloud-init installed
- no cloud-init but firewalld installed