On Wed, 1 Apr 2020 09:51:37 +0100
Knut Alejandro Anderssen González <kanders...@suse.de> wrote:

> In this sprint I'm working on a bug reported against yast2-security module.
> 
> This module manages some YaST sysctl config file attributes [1].
> 
> ## Problem
> 
> After modifying the settings it does not apply the network changes to
> the running system.
> 
> In the past that responsibility was handled by boot.ipconfig, which is
> not the case anymore once we moved to systemd.
> 
> Currently, if there is at least one conflict [2] with other sysctl config
> files, the error is reported but the changes are not written as you can
> check in the code:
> 
> https://github.com/yast/yast-security/blob/master/src/modules/Security.rb#L594
> 
> https://github.com/yast/yast-yast2/pull/1021/files#diff-4216cbac8e98ed10343a00513e10e917R128
> 
> Thus, the changes done in the UI are lost, and need to be modified
> manually later.
> 
> ## Proposed Solution
> 
> - The sysctl changes made by the module should always be written so as
> not to lose them.
> - If there is some sysctl config change, then the changes will be
> applied to the running system.
> 
>   In case of a conflict it will be reported and the changes will be
> applied system wide (sysctl --system), which means that higher
> precedence values will be applied instead of the yast ones, but
> non-conflicting attributes will be applied fine. Basically the same that
> would be applied by rebooting the system.
> 
>   In case of no conflict, then, only the changes of the yast sysctl
> config file will be applied (sysctl -p /etc/sysctl.d/70-yast.conf). This
> is faster, and should be safe enough.

Well, I would prefer here simplicity and consistency, so also call
`sysctl --system`. Speed is usually not an issue in Yast and I found it a bit
strange that manual modifications to other files are in some cases applied and
in some not.

Josef

> 
> You can check the proposed solution in this PR:
> 
> https://github.com/yast/yast-security/pull/67
> 
> ## Feedback
> 
> We would like to know what you think about the proposed approach and
> if you prefer to solve it in another way.
> 
> Thanks in advance ;)
> 
> 
> [1] Attributes handled by the module:
> 
>   See
> https://github.com/yast/yast-security/blob/master/src/modules/Security.rb#L902
> 
>   - kernel.sysrq
>   - net.ipv4.tcp_syncookies
>   - net.ipv4.ip_forward
>   - net.ipv6.conf.all.forwarding
> 
> [2] A conflict means that there is at least one attribute handled in the
> yast sysctl config file which is also handled in a file with higher
> precedence than the yast config file
> 
>   See
> https://github.com/yast/yast-yast2/blob/master/library/general/src/lib/cfa/sysctl_config.rb#L96
> 
> 
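
The conflict definition in footnote [2], as an added example that is not part of the original mail and not YaST's own code: it reports which of the managed keys from footnote [1] are also set by a file that outranks 70-yast.conf, then picks the sysctl call the proposal describes. Assumptions: one directory, files applied in lexical filename order with the later file winning (a simplification of what `sysctl --system` reads); all function names and the sample files are hypothetical.

```ruby
require "tmpdir"

# Keys the thread lists as managed by yast2-security.
YAST_KEYS = %w[kernel.sysrq net.ipv4.tcp_syncookies net.ipv4.ip_forward
               net.ipv6.conf.all.forwarding].freeze

# Parse one sysctl.d-style file into { key => value }.
# Skips blank lines and '#'/';' comments, drops a leading '-' on the key and
# rewrites the slash form (net/ipv4/ip_forward) to dots (simplified).
def parse_sysctl(path)
  File.readlines(path, chomp: true).each_with_object({}) do |line, out|
    line = line.strip
    next if line.empty? || line.start_with?("#", ";")
    key, value = line.split("=", 2)
    next if value.nil?
    out[key.strip.sub(/\A-/, "").tr("/", ".")] = value.strip
  end
end

# Managed keys that a file sorting after yast_file also sets. The last such
# file is recorded, since under the assumed ordering its value is effective.
def conflicts(dir, yast_file = "70-yast.conf")
  yast = parse_sysctl(File.join(dir, yast_file)).slice(*YAST_KEYS)
  later = Dir.children(dir).select { |f| f.end_with?(".conf") && f > yast_file }
  later.sort.each_with_object({}) do |file, found|
    parse_sysctl(File.join(dir, file)).each do |key, value|
      found[key] = { yast: yast[key], effective: value, file: file } if yast.key?(key)
    end
  end
end

# The branch described in the proposal: full reload on conflict, else only
# the YaST file. Returns the argv; it does not run anything.
def apply_command(dir, yast_file = "70-yast.conf")
  return ["sysctl", "--system"] unless conflicts(dir, yast_file).empty?
  ["sysctl", "-p", File.join(dir, yast_file)]
end

# Constructed sample files standing in for /etc/sysctl.d.
def build_sample(dir)
  File.write(File.join(dir, "70-yast.conf"),
             "kernel.sysrq = 0\nnet.ipv4.ip_forward = 0\nnet.ipv4.tcp_syncookies = 1\n")
  File.write(File.join(dir, "50-early.conf"), "net.ipv4.tcp_syncookies = 0\n")
  File.write(File.join(dir, "99-local.conf"), "# router role\nnet/ipv4/ip_forward=1\n")
end

Dir.mktmpdir do |dir|
  build_sample(dir)
  conflicts(dir).each { |k, c| puts "#{k}: yast=#{c[:yast]} but #{c[:file]} sets #{c[:effective]}" }
end
```

With the sample files, the value chosen for net.ipv4.ip_forward in the UI is not the one that ends up active, which is the case the conflict report exists to surface.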
