Am 12.09.2017 um 22:31 schrieb Bryan Call:
proxy.config.disable_configuration_modification was a feature that was
requested and the group didn’t use it.
We are planning on having the configuration to be read-only for ATS 8.
frankly ATS 8 is way too late after years of complaining when you need
to have Letsencrypt enabled in a few weeks because Google Chrome will
warn on every page with a from tag and no SSL
it's just UNACCEPTABLE that you have to HARD RESTART Trafficserver for
every remamp/ssl change, it was UNACCEPTABLE the last years too but now
it's becoming a joke
where is the rocket science just read the fucking config file and shut
up like every other software on this plant is able to do?
[root@proxy:/var/log/trafficserver]$ nano
/etc/trafficserver/ssl_multicert.config
[root@proxy:/var/log/trafficserver]$ cat *
[root@proxy:/var/log/trafficserver]$ systemctl reload trafficserver.service
[root@proxy:/var/log/trafficserver]$ cat *
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE:
[Rollback::openFile] Open of ssl_multicert.config failed: Read-only file
system
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE:
[Rollback::internalUpdate] Unable to create new version of
ssl_multicert.config : Read-only file system
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE:
[Rollback::checkForUserUpdate] Failed to roll changed user file
ssl_multicert.config: System Call Error
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: User has changed
config file ssl_multicert.config
[root@proxy:/var/log/trafficserver]$
On Sep 12, 2017, at 8:45 AM, Reindl Harald <[email protected]> wrote:
Am 02.09.2017 um 04:51 schrieb Miles Libbey:
On Fri, Sep 1, 2017 at 6:40 PM, Reindl Harald <[email protected]> wrote:
Am 01.09.2017 um 22:43 schrieb Alan Carroll:
Is that addressed by
https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html?highlight=records%20config#proxy-config-disable-configuration-modification
sounds good - when is 8.0 planned to be released?
It's also available in 7. We do a terrible job of having the
documentation match the actual version (eg why we default to a version
that won't be released for quite some time is beyond me,
IT DON'T WORK
that you currently need a hard restart for config changes is a pain and will
be much more pain when you have to use letsencrypt with it's frequent
certificate updates in the next month after Chrome is starting to warn about
any site containing a from-tag without TLS
They don't. Remap, SSL cert, and parents just need reloads, not
restarts. Many record config values are also reloads
IT DON'T RELOAD because of readonly /etc
"/usr/bin/traffic_ctl config reload" don't do anything beause of this
"[Rollback::Rollback] Config file is read-only : ssl_multicert.config" bullshit and i am
currently working to implement letsencrypt for hundrets of domains which means that at every point
in time certificates can be changed and a reload is needed and HARD RESTART IS A NO-GO
why in the world is that broken-by-design not fixed after 5 years of complaining or at
least a option called "proxy.config.disable_configuration_modification" not
tested at all?
is it really that hard to create a basic systemd unit and set the OS to redonly
which should be the case for every network service in 2017 and test BASIC
OPERATIONS?
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
ReadWriteDirectories=/etc/trafficserver/internal
ReadWriteDirectories=/etc/trafficserver/snapshots
[root@proxy:~]$ cat records.config | grep configuration
# Main threads configuration (worker threads). Also see configurations for #
# parent proxy configuration #
CONFIG proxy.config.disable_configuration_modification INT 1
CONFIG proxy.config.cluster.cluster_configuration STRING cluster.config
IT JUST DON'T WORK
