Skip to content

sysctl: don't modify /etc/sysctl.conf#776

Merged
asfgit merged 1 commit into
apache:masterfrom
exoscale:fix/firewall-sysctl
Sep 9, 2015
Merged

sysctl: don't modify /etc/sysctl.conf#776
asfgit merged 1 commit into
apache:masterfrom
exoscale:fix/firewall-sysctl

Conversation

@vincentbernat

@vincentbernat vincentbernat commented Sep 4, 2015

Copy link
Copy Markdown
Contributor

To configure firewall rules, CloudStack modifies /etc/sysctl.conf and
execute those modifications. This may be harmful for several reasons:

  1. /etc/sysctl.conf may be managed by some configuration management
    system. Such a system will constantly restore the previous version.
  2. /etc/sysctl.conf may contain additional properties that have been
    changed later by some system administrator (for example, once a
    firewall has been configured, forwarding may have been activated
    while it is disabled in /etc/sysctl.conf). Executing the file
    again at a later time may disrupt the system.
  3. Entries are added again and again. /etc/sysctl.conf will contain
    the same directives repeated several times.

Using a configuration file is not needed as sysctl is able to directly
modify sysctl values with -w flag.

Signed-off-by: Vincent Bernat Vincent.Bernat@exoscale.ch

@vincentbernat
sysctl: don't modify /etc/sysctl.conf
f2b8f2e 
To configure firewall rules, CloudStack modifies `/etc/sysctl.conf` and
execute those modifications. This may be harmful for several reasons:

 1. `/etc/sysctl.conf` may be managed by some configuration management
    system. Such a system will constantly restore the previous version.

 2. `/etc/sysctl.conf` may contain additional properties that have been
    changed later by some system administrator (for example, once a
    firewall has been configured, forwarding may have been activated
    while it is disabled in `/etc/sysctl.conf`). Executing the file
    again at a later time may disrupt the system.

 3. Entries are added again and again. `/etc/sysctl.conf` will contain
    the same directives repeated several times.

Using a configuration file is not needed as `sysctl` is able to directly
modify sysctl values with `-w` flag.

Signed-off-by: Vincent Bernat <Vincent.Bernat@exoscale.ch>
@asfbot

asfbot commented Sep 4, 2015

Copy link
Copy Markdown

cloudstack-pull-rats #503 SUCCESS
This pull request looks good

@resmo

resmo commented Sep 4, 2015

Copy link
Copy Markdown
Member

Salut Vincent

I agree, but AFAIK there is a /etc/sysctl.d directory intended for persistent sysctl configs. What about adding a cloud.conf to /etc/sysctl.d with these settings as well? Any thoughts?

@milamberspace

milamberspace commented Sep 4, 2015

Copy link
Copy Markdown
Contributor

Use a cloud(stack).conf file under /etc/sysctl.d/ seems better and follow the distro philosophy.

@asfbot

asfbot commented Sep 4, 2015

Copy link
Copy Markdown

cloudstack-pull-analysis #436 SUCCESS
This pull request looks good

@vincentbernat

vincentbernat commented Sep 4, 2015

Copy link
Copy Markdown
Contributor Author

@resmo Yes, it could be in /etc/sysctl.d instead (and no sysctl call would be needed). I don't have a strong opinion on this (except in this case, the code should then be removed from security_group.py).

@rafaelweingartner

rafaelweingartner commented Sep 4, 2015

Copy link
Copy Markdown
Member

+1 for /etc/sysctl.d/cloudStack.conf

@wido

wido commented Sep 7, 2015

Copy link
Copy Markdown
Contributor

LGTM. We do not need a persistent file since this PY file will be called during runtime.

@yadvr

yadvr commented Sep 7, 2015

Copy link
Copy Markdown
Member

While looks good, I'll wait for comments from @remibergsma @miguelaferreira Ian and others on it was done this way?

@rafaelweingartner

rafaelweingartner commented Sep 7, 2015

Copy link
Copy Markdown
Member

If we do not need to persist a file, LGTM

@wido

wido commented Sep 8, 2015

Copy link
Copy Markdown
Contributor

We have to LGTMs. Are we merging this?

@resmo

resmo commented Sep 8, 2015

Copy link
Copy Markdown
Member

I prefer a persistent config (you know where to search for it) and not a dynamic one with hard coded values. If these would be dynamic, then it is clear to use the .py. but they are not so why not write them down?

@vincentbernat

vincentbernat commented Sep 8, 2015

Copy link
Copy Markdown
Contributor Author

@resmo the only problem with shipping a /etc/sysctl.d/cloudstack.conf is that this is more a packaging issue. It has to be handled for all distributions. And what about people installing from source? This doesn't seem an easy problem.

@wido

wido commented Sep 8, 2015

Copy link
Copy Markdown
Contributor

@vincentbernat Agreed, if we want a persistent file we should fix it in the packaging and not in the Python code.

Code should never create files in a dynamic way like this.

@yadvr

yadvr commented Sep 8, 2015

Copy link
Copy Markdown
Member

@wido @vincentbernat agree

@wilderrodrigues

wilderrodrigues commented Sep 9, 2015

Copy link
Copy Markdown
Contributor

I went through the file history and it has been like this since when it was pushed (back in 2012). The change makes sense and the explanations given about having or not a conf file were also instructive.

In my opinion, this should be merged. 👍

Who will do the honours? :)

Cheers,
Wilder

@asfgit asfgit merged commit f2b8f2e into apache:master Sep 9, 2015
asfgit pushed a commit that referenced this pull request Sep 9, 2015
@wido
Merge pull request #776 from exoscale/fix/firewall-sysctl
28d18dc 
sysctl: don't modify /etc/sysctl.confTo configure firewall rules, CloudStack modifies `/etc/sysctl.conf` and
execute those modifications. This may be harmful for several reasons:

 1. `/etc/sysctl.conf` may be managed by some configuration management
    system. Such a system will constantly restore the previous version.

 2. `/etc/sysctl.conf` may contain additional properties that have been
    changed later by some system administrator (for example, once a
    firewall has been configured, forwarding may have been activated
    while it is disabled in `/etc/sysctl.conf`). Executing the file
    again at a later time may disrupt the system.

 3. Entries are added again and again. `/etc/sysctl.conf` will contain
    the same directives repeated several times.

Using a configuration file is not needed as `sysctl` is able to directly
modify sysctl values with `-w` flag.

Signed-off-by: Vincent Bernat <Vincent.Bernat@exoscale.ch>

* pr/776:
  sysctl: don't modify /etc/sysctl.conf

Signed-off-by: Wido den Hollander <wido@widodh.nl>
yadvr pushed a commit that referenced this pull request Jan 20, 2021
@Pearl1594 @yadvr
Fix dedicate zone to a domain / account (#776)
77650b9 
Co-authored-by: Pearl Dsilva <pearl.dsilva@shapeblue.com>
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This was referenced Aug 4, 2021
Open
Open
@snyk-bot snyk-bot mentioned this pull request Sep 2, 2021
Open
@snyk-bot snyk-bot mentioned this pull request Sep 17, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@vincentbernat @asfbot @resmo @milamberspace @rafaelweingartner @wido @yadvr @wilderrodrigues @asfgit