Re: Read sysctl from file

2017-07-25 Thread Raimo Niskanen
On Tue, Jul 25, 2017 at 09:32:33AM +0300, Mihai Popescu wrote:
> > As I see it everybody has agreed upon that and some are now just making
> > suggestions on how to solve the OP's problem, that do not involve adding -p
> > to OpenBSD's sysctl. So I think that was uncalled for.
> 
> Not everybody! Man, you talk like a black suit manager here.

Maybe I am ;-)

But I saw nobody in the thread that still advocated that sysctl -p should
be added to OpenBSD.  So that was what I saw was agreed upon by everybody
(in the thread).  Therefore it was not necessary to once again point out
that sysctl -p will never be added to OpenBSD.
Because it will not.
Never.
Already said that.

> 
> > I just do not get that.
> 
> Yes, you obviously don't. It has been explained that the CONCEPT of -p
> is WRONG in OpenBSD area and maybe other areas, too. IF you can grasp
> that, then think why the hell would someone try to implement this and
> find a solution for the OP?

Now that is a different, and valid argument.  To tell someone that
implementing a substitute for sysctl -p is a bad idea because that would
send the wrong message (no message) to the Ansible folks.

But that was not the response the implementer got.

> 
> I think one of the reasons that OpenBSD avoided becoming a useless
> swiss army knife of OSes is exactly that resistance to implement crap
> "just because ...".

Bla bla bla.  Heard it before.  Agree completely.  Have said it myself
many times.  Nothing new.  And that was not the subject.

Sorry, maybe it was the subject, but very indirectly.

As I see it is the message that helping someone solve a problem in a way that
encourages other OS:es bad decision is a bad strategy that did not get
through the usual @misc communication style of go f*ck your self you know
nothing.

There are better ways to send that message than what was used in this thread.
For example by writing it up front.

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: Read sysctl from file

2017-07-24 Thread Mihai Popescu
> As I see it everybody has agreed upon that and some are now just making
> suggestions on how to solve the OP's problem, that do not involve adding -p to
> OpenBSD's sysctl. So I think that was uncalled for.

Not everybody! Man, you talk like a black suit manager here.

> I just do not get that.

Yes, you obviously don't. It has been explained that the CONCEPT of -p
is WRONG in OpenBSD area and maybe other areas, too. IF you can grasp
that, then think why the hell would someone try to implement this and
find a solution for the OP?

I think one of the reasons that OpenBSD avoided becoming a useless
swiss army knife of OSes is exactly that resistance to implement crap
"just because ...".



Re: Read sysctl from file

2017-07-24 Thread Raimo Niskanen
On Fri, Jul 21, 2017 at 05:30:32PM -0600, Theo de Raadt wrote:
> > > On Jul 21, 2017, at 3:42 PM, li...@wrant.com wrote:
> > >
> > > Fri, 21 Jul 2017 12:33:31 -0700 Peter Faiman
> > >> # ./sysctl -p example.conf
> > >> Peter
> > >
> > > Hi Peter, ansibles,
> > >
> > > No guarantee systems controls stay affixed, wrapper tools comply got it?
> > 
> > The point of sysctl -p is reloading from a file. So that you put controls in
> > the file and load that file, exactly as happens in system startup. The whole
> > point is to ensure consistency with system startup. True, securelevel throws
> > a bit of a wrench in that, but this works for all other settings.
> 
> We don't have -p.
> 
> It is an addition made by a foreign system which barely uses sysctl,
> and has been acting for years like they will be removing support.
> 
> THERE IS NO SUPPORT FOR -p.
> 
> It is unlikely to happen.

As I see it everybody has agreed upon that and some are now just making
suggestions on how to solve the OP's problem, that do not involve adding -p
to OpenBSD's sysctl.  So I think that was uncalled for.

> 
> Let's just stop this.  You just aren't capable of listening to what
> is being said.  Also, you are ridiculously rude.

I just do not get that.  I think Peter has listened to what was said and
that others are rude to him for no (very little) reason.

Best regards
-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: Read sysctl from file

2017-07-24 Thread Raimo Niskanen
On Fri, Jul 21, 2017 at 05:40:04PM -0600, Theo de Raadt wrote:
> Peter, please leave.  People around here don't need to read your
> insults.
>  

Peter, you do not have to leave.  Theo says that all the time.

I did not read your posts as particularly insulting to anyone and understand
why you feel you ought to defend yourself for getting maybe deliberately
misunderstood.

Best regards
-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: Read sysctl from file

2017-07-21 Thread Theo de Raadt
Peter, please leave.  People around here don't need to read your
insults.
 



Re: Read sysctl from file

2017-07-21 Thread Peter Faiman
> On Jul 21, 2017, at 1:30 PM, Mihai Popescu  wrote:
> 
>> Also it does not fail halfway, it will report errors for each of the
>> settings that cannot be applied,
>
> So Peter, just to check if I got it right, you did a script who
> reports errors about things people knows in advance they will generate
> errors, that despite the warnings that the concept is wrong from the
> start till the end.
> 
> Nice, I remember about a Dilbert situation, but I'm too lazy to search for it.

Yes, my script reports errors. Since apparently everyone knows in advance
which sysctls will produce errors, it is bad for me to report them? Is that
what you're saying?

Well then you should submit a patch to /sbin/sysctl that stops reporting
errors. After all, as you say, "people knows in advance they will generate
errors." Now THAT is a Dilbert situation.

Peter


Re: Read sysctl from file

2017-07-21 Thread Theo de Raadt
> > On Jul 21, 2017, at 3:42 PM, li...@wrant.com wrote:
> >
> > Fri, 21 Jul 2017 12:33:31 -0700 Peter Faiman
> >> # ./sysctl -p example.conf
> >> Peter
> >
> > Hi Peter, ansibles,
> >
> > No guarantee systems controls stay affixed, wrapper tools comply got it?
> 
> The point of sysctl -p is reloading from a file. So that you put controls in
> the file and load that file, exactly as happens in system startup. The whole
> point is to ensure consistency with system startup. True, securelevel throws
> a bit of a wrench in that, but this works for all other settings.

We don't have -p.

It is an addition made by a foreign system which barely uses sysctl,
and has been acting for years like they will be removing support.

THERE IS NO SUPPORT FOR -p.

It is unlikely to happen.

Let's just stop this.  You just aren't capable of listening to what
is being said.  Also, you are ridiculously rude.





Re: Read sysctl from file

2017-07-21 Thread Peter Faiman

> On Jul 21, 2017, at 3:42 PM, li...@wrant.com wrote:
> 
> Fri, 21 Jul 2017 12:33:31 -0700 Peter Faiman 
>> # ./sysctl -p example.conf
>> Peter
> 
> Hi Peter, ansibles,
> 
> No guarantee systems controls stay affixed, wrapper tools comply got it?

The point of sysctl -p is reloading from a file. So that you put controls in
the file and load that file, exactly as happens in system startup. The whole
point is to ensure consistency with system startup. True, securelevel throws
a bit of a wrench in that, but this works for all other settings.

> Wrap around as advised for a system operator, don't push for short cuts.

It’s not a short cut. Ansible wants sysctl -p, I implemented sysctl -p
exactly as Linux does it, using the OpenBSD /etc/rc code that actually
applies sysctls from /etc/sysctl.conf.

I never said anyone should use Ansible. I don't use it, I don't like it. But
clearly this person is going to use it, so I might as well give them
something that will do what they want, even if I don't agree with it.

> Please, stop imposing your designs on our systems wasting precious time.

I'm not imposing my designs on anyone. Someone on the mailing list needed
the exact Linux behavior, so I spent 5 minutes on the train to work writing
and testing a compatible tool.

I already _specifically_ said I wrote a wrapper this way because it's the
easiest way to be compatible without changing ANY OpenBSD code, or ANYTHING
else about the OpenBSD system. In other words I deliberately chose to solve
this problem in a way that imposes NOTHING on anyone else.

> Kind regards,

You should stop putting this at the bottom of your emails if you think it's
acceptable to talk to others this way. When you send out half-baked
responses that clearly demonstrate you did not bother to read what I said,
you're the one wasting my time.

Peter


Re: Read sysctl from file

2017-07-21 Thread lists
Fri, 21 Jul 2017 12:33:31 -0700 Peter Faiman 
> # ./sysctl -p example.conf
> Peter

Hi Peter, ansibles,

No guarantee systems controls stay affixed, wrapper tools comply got it?
Wrap around as advised for a system operator, don't push for short cuts.
Please, stop imposing your designs on our systems wasting precious time.

Kind regards,
Anton Lazarov



Re: Read sysctl from file

2017-07-21 Thread Mihai Popescu
> Also it does not fail halfway, it will report errors for each of the settings
> that cannot be applied,

So Peter, just to check if I got it right, you did a script who
reports errors about things people knows in advance they will generate
errors, that despite the warnings that the concept is wrong from the
start till the end.

Nice, I remember about a Dilbert situation, but I'm too lazy to search for it.



Re: Read sysctl from file

2017-07-21 Thread Peter Faiman
> On Jul 21, 2017, at 12:22 PM, Theo de Raadt  wrote:
> 
>>> On Jul 21, 2017, at 3:47 AM, Stuart Henderson wrote:
>>>
>>> On 2017-07-20, BARDOU Pierre wrote:
>>>> Is there a way to make sysctl re-read its conf file, or even another
>>>> file, like sysctl -p does on linux systems ?
>>>> Supporting this option would be nice, as it is used by the sysctl
>>>> module of ansible.
>>>
>>> Sounds risky. It won't reset default values that are unspecified in
>>> sysctl.conf, so you could be sitting on a configuration that appears ok,
>>> but will fail after a reboot.
>>
>> Stuart makes a good point. So does Theo, adding -p to the sysctl binary when
>> it doesn't currently do any file handling at all seems extreme. So I wrote a
>> wrapper script that emulates Linux sysctl -p. I put very simple directions
>> at the top of the file. Find it here:
>> 
>> https://gist.github.com/PeterFaiman/5b67c530b0ffa009ebef904ed0678e26
>> 
>> Ideally these tools wouldn't use Linux-specific features. But emulating
>> simple features like sysctl -p in a non-invasive way isn't too hard.
> 
> One more point to add:
> 
> Some setting can only be changed before securelevel.  They fail afterwards.
> 
> I'd say the entire approach is wrong, because it cannot tell them apart.
> It will fail halfway.
> 
> It was obviously written by people who don't care.

True, there is no way to get around the securelevel problem without
rebooting, by definition. But if this MUST be done with these workflow
constraints, I think this is the "best" way to do it.

Also it does not fail halfway, it will report errors for each of the
settings that cannot be applied, e.g. with a config that sets
kern.securelevel=0 and net.inet.udp.sendspace=9216, this happens:

# ./sysctl -p example.conf
sysctl: kern.securelevel: Operation not permitted
net.inet.udp.sendspace: 9216 -> 9216

Peter



Re: Read sysctl from file

2017-07-21 Thread Theo de Raadt
> > On Jul 21, 2017, at 3:47 AM, Stuart Henderson wrote:
> >
> > On 2017-07-20, BARDOU Pierre wrote:
> >> Is there a way to make sysctl re-read its conf file, or even another
> >> file, like sysctl -p does on linux systems ?
> >> Supporting this option would be nice, as it is used by the sysctl
> >> module of ansible.
> >
> > Sounds risky. It won't reset default values that are unspecified in
> > sysctl.conf, so you could be sitting on a configuration that appears ok,
> > but will fail after a reboot.
>
> Stuart makes a good point. So does Theo, adding -p to the sysctl binary when
> it doesn't currently do any file handling at all seems extreme. So I wrote a
> wrapper script that emulates Linux sysctl -p. I put very simple directions
> at the top of the file. Find it here:
> 
> https://gist.github.com/PeterFaiman/5b67c530b0ffa009ebef904ed0678e26
> 
> Ideally these tools wouldn't use Linux-specific features. But emulating
> simple features like sysctl -p in a non-invasive way isn't too hard.

One more point to add:

Some setting can only be changed before securelevel.  They fail afterwards.

I'd say the entire approach is wrong, because it cannot tell them apart.
It will fail halfway.

It was obviously written by people who don't care.



Re: Read sysctl from file

2017-07-21 Thread Peter Faiman
> On Jul 21, 2017, at 3:47 AM, Stuart Henderson  wrote:
> 
> On 2017-07-20, BARDOU Pierre  wrote:
>> Is there a way to make sysctl re-read its conf file, or even another file, 
>> like sysctl -p does on linux systems ?
>> Supporting this option would be nice, as it is used by the sysctl module of 
>> ansible.
> 
> Sounds risky. It won't reset default values that are unspecified in
> sysctl.conf, so you could be sitting on a configuration that appears ok,
> but will fail after a reboot.

Stuart makes a good point. So does Theo, adding -p to the sysctl binary when
it doesn't currently do any file handling at all seems extreme. So I wrote a
wrapper script that emulates Linux sysctl -p. I put very simple directions
at the top of the file. Find it here:

https://gist.github.com/PeterFaiman/5b67c530b0ffa009ebef904ed0678e26

Ideally these tools wouldn't use Linux-specific features. But emulating
simple features like sysctl -p in a non-invasive way isn't too hard.

Peter


Re: Read sysctl from file

2017-07-21 Thread Stuart Henderson
On 2017-07-20, BARDOU Pierre  wrote:
> Is there a way to make sysctl re-read its conf file, or even another file, 
> like sysctl -p does on linux systems ?
> Supporting this option would be nice, as it is used by the sysctl module of 
> ansible.

Sounds risky. It won't reset default values that are unspecified in
sysctl.conf, so you could be sitting on a configuration that appears ok,
but will fail after a reboot.
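
Added example, not part of the thread: a POSIX sh check for the two failure modes discussed here, a setting dropped from sysctl.conf that is still live until reboot, and a setting in the file that the running system refused (the kern.securelevel case shown elsewhere in the thread). The function names, the idea of keeping the previous sysctl.conf around, and the sample values are assumptions; the files are constructed samples in `name=value` form.

```shell
#!/bin/sh
# Added example (not from the thread). Inputs are name=value files:
#   $1 previous sysctl.conf (the one in effect at last boot; assumed kept)
#   $2 current sysctl.conf
#   $3 saved output of `sysctl` from the running system
sysctl_drift() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        {
            sub(/#.*/, "")                  # strip comments, like the rc code
            eq = index($0, "=")
            if (eq == 0) next
            k = trim(substr($0, 1, eq - 1))
            v = trim(substr($0, eq + 1))
            if (FILENAME == ARGV[1])      old[k] = v
            else if (FILENAME == ARGV[2]) cur[k] = v
            else                          live[k] = v
        }
        END {
            # In the file but not in effect, e.g. refused after securelevel.
            for (k in cur)
                if ((k in live) && live[k] != cur[k])
                    printf "NOT-APPLIED %s conf=%s live=%s\n", k, cur[k], live[k]
            # Dropped from the file but still set: gone after the next reboot.
            for (k in old)
                if (!(k in cur) && (k in live) && live[k] == old[k])
                    printf "STALE %s old=%s live=%s\n", k, old[k], live[k]
        }' "$1" "$2" "$3" | sort
}

# Constructed sample data; runs without touching the real system.
sysctl_drift_demo() {
    d=$(mktemp -d) || return 1
    cat >"$d/old.conf" <<'EOF'
net.inet.ip.forwarding=1    # constructed sample
net.inet.carp.preempt=1
EOF
    cat >"$d/new.conf" <<'EOF'
net.inet.ip.forwarding=1
kern.securelevel=0
net.inet.udp.sendspace=9216
EOF
    cat >"$d/live.txt" <<'EOF'
kern.securelevel=1
net.inet.carp.preempt=1
net.inet.ip.forwarding=1
net.inet.udp.sendspace=9216
EOF
    sysctl_drift "$d/old.conf" "$d/new.conf" "$d/live.txt"
    rm -rf "$d"
}

sysctl_drift_demo
```

An empty result means the running values match what the next boot will produce from the current file, for the keys the three inputs cover.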




Re: Read sysctl from file

2017-07-21 Thread BARDOU Pierre
Hello,

I didn't realize that, but you have a point here.
For future reference, I got ansible sysctl working tuning the options :

Task :
- name: "Tuning sysctl"
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    reload: no
    sysctl_set: yes
  with_items: "{{ sysctl }}"

Vars :
sysctl:
  - name: "net.inet.ip.forwarding"
    value: 1
  - name: "net.inet.carp.preempt"
    value: 1

--
Regards,
Pierre BARDOU


-Original Message-
From: Theo de Raadt [mailto:dera...@openbsd.org]
Sent: Thursday, 20 July 2017 15:46
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: Read sysctl from file

> Is there a way to make sysctl re-read its conf file, or even another 
> file, like sysctl -p does on linux systems ?
> Supporting this option would be nice, as it is used by the sysctl 
> module of ansible.

But sysctl doesn't have a configuration file.

there is a file called sysctl.conf, but it isn't a configuration file for the 
command.  It is a list of sysctl changes, which will be made by the rc scripts 
at startup.

someone in linux land went off the map here.  and then another piece of 
software started un-portably assuming that's the way to do things?





Re: Read sysctl from file

2017-07-20 Thread Remi Locherer
On Thu, Jul 20, 2017 at 06:14:03PM -0700, Lyndon Nerenberg wrote:
> 
> > On Jul 20, 2017, at 6:35 AM, BARDOU Pierre  wrote:
> > 
> > Hello,
> > 
> > Is there a way to make sysctl re-read its conf file, or even another file, 
> > like sysctl -p does on linux systems ?
> > Supporting this option would be nice, as it is used by the sysctl module of 
> > ansible.

I'm also using Ansible to distribute sysctl configs to OpenBSD hosts. In the
sysctl tasks I set sysctl_set to yes and reload to no. That works fine.

Remi



Re: Read sysctl from file

2017-07-20 Thread Lyndon Nerenberg

> On Jul 20, 2017, at 6:35 AM, BARDOU Pierre  wrote:
> 
> Hello,
> 
> Is there a way to make sysctl re-read its conf file, or even another file, 
> like sysctl -p does on linux systems ?
> Supporting this option would be nice, as it is used by the sysctl module of 
> ansible.

Here's the script we call (ansible handler, or as an rdist 'special') whenever 
we push a new sysctl.conf.  It's the same code the system runs at boot time, 
lifted out into a standalone script.


#!/bin/sh

# sysctlreload: apply sysctl.conf(5) settings.

# Strip in- and whole-line comments from a file.
# Strip leading and trailing whitespace if IFS is set.
# Usage: stripcom /path/to/file
stripcom() {
    local _file=$1 _line

    [[ -s $_file ]] || return

    while read _line ; do
        _line=${_line%%#*}
        [[ -n $_line ]] && print -r -- "$_line"
    done <$_file
}

stripcom /etc/sysctl.conf |
while read _line; do
    sysctl "$_line"
done




Re: Read sysctl from file

2017-07-20 Thread Kapetanakis Giannis

On 20/07/17 18:48, Consus wrote:
> On 07:08 Thu 20 Jul, Kai Wetlesen wrote:
>>> Because it's a nice way to apply configuration changes made to
>>> /etc/sysctl.conf without restarting the whole server?
>>
>> Systemctl doesn't offer hot reload unless the controlled daemon offers
>> the capability in the first place. The only thing systemd does is hits
>> the controlling process on the head with a known conf-reload signal or
>> (gasp) a DBus control statement. Both of these can be done just as
>> well with an rc script, and without restarting the service.
>
> What systemd has to do with anything? We are talking about sysctl(8) and
> sysctl.conf(5).

Guys, it's easy to emulate sysctl -p with a simple 4 line (maybe less)
script.

In advance, /etc/rc already does that.

G



Re: Read sysctl from file

2017-07-20 Thread Kai Wetlesen


> Because it's a nice way to apply configuration changes made to
> /etc/sysctl.conf without restarting the whole server?

Systemctl doesn't offer hot reload unless the 
controlled daemon offers the capability in 
the first place. The only thing systemd does 
is hits the controlling process on the head 
with a known conf-reload signal or (gasp) a 
DBus control statement. Both of these can 
be done just as well with an rc script, and
without restarting the service.



Re: Read sysctl from file

2017-07-20 Thread Consus
On 07:08 Thu 20 Jul, Kai Wetlesen wrote:
> > Because it's a nice way to apply configuration changes made to
> > /etc/sysctl.conf without restarting the whole server?
> 
> Systemctl doesn't offer hot reload unless the controlled daemon offers
> the capability in the first place. The only thing systemd does is hits
> the controlling process on the head with a known conf-reload signal or
> (gasp) a DBus control statement. Both of these can be done just as
> well with an rc script, and without restarting the service.

What systemd has to do with anything? We are talking about sysctl(8) and
sysctl.conf(5).



Re: Read sysctl from file

2017-07-20 Thread Theo de Raadt
> > > On 07:39 Thu 20 Jul, Theo de Raadt wrote:
> > > > someone in linux land went off the map here.  and then another piece of
> > > > software started un-portably assuming that's the way to do things?
> > > 
> > > Because it's a nice way to apply configuration changes made to
> > > /etc/sysctl.conf without restarting the whole server?
> > 
> > only thinking of yourself, and missing the point.
> > 
> > the point is that the 25-year old sysctl design had no such feature,
> > and now other things are changing that.
> > 
> > No, what you want does not exist.
> 
> He just asks if OpenBSD supports such a feature. Why so butthurt?

I said no the first time, and provided a detailed explanation.

Why did you feel the need to jump in?  Itchy butt?



Re: Read sysctl from file

2017-07-20 Thread Consus
On 07:45 Thu 20 Jul, Theo de Raadt wrote:
> > On 07:39 Thu 20 Jul, Theo de Raadt wrote:
> > > someone in linux land went off the map here.  and then another piece of
> > > software started un-portably assuming that's the way to do things?
> > 
> > Because it's a nice way to apply configuration changes made to
> > /etc/sysctl.conf without restarting the whole server?
> 
> only thinking of yourself, and missing the point.
> 
> the point is that the 25-year old sysctl design had no such feature,
> and now other things are changing that.
> 
> No, what you want does not exist.

He just asks if OpenBSD supports such a feature. Why so butthurt?



Re: Read sysctl from file

2017-07-20 Thread Theo de Raadt
> On 07:39 Thu 20 Jul, Theo de Raadt wrote:
> > someone in linux land went off the map here.  and then another piece of
> > software started un-portably assuming that's the way to do things?
> 
> Because it's a nice way to apply configuration changes made to
> /etc/sysctl.conf without restarting the whole server?

only thinking of yourself, and missing the point.

the point is that the 25-year old sysctl design had no such feature,
and now other things are changing that.

No, what you want does not exist.



Re: Read sysctl from file

2017-07-20 Thread Consus
On 07:39 Thu 20 Jul, Theo de Raadt wrote:
> someone in linux land went off the map here.  and then another piece of
> software started un-portably assuming that's the way to do things?

Because it's a nice way to apply configuration changes made to
/etc/sysctl.conf without restarting the whole server?



Re: Read sysctl from file

2017-07-20 Thread Theo de Raadt
> Is there a way to make sysctl re-read its conf file, or even another file,
> like sysctl -p does on linux systems ?
> Supporting this option would be nice, as it is used by the sysctl module of
> ansible.

But sysctl doesn't have a configuration file.

there is a file called sysctl.conf, but it isn't a configuration file for
the command.  It is a list of sysctl changes, which will be made by the rc
scripts at startup.

someone in linux land went off the map here.  and then another piece of
software started un-portably assuming that's the way to do things?