On 4/2/20 9:16 AM, josef Reidinger wrote:
> On Wed, 1 Apr 2020 09:51:37 +0100
> Knut Alejandro Anderssen González <kanders...@suse.de> wrote:
>
>> In this sprint I'm working on a bug reported against yast2-security module.
>>
>> This module manages some YaST sysctl config file attributes [1].
>>
>> ## Problem
>>
>> After modifying the settings it does not apply the network changes to
>> the running system.
>>
>> In the past that responsibility was handled by boot.ipconfig, which is
>> not the case anymore once we moved to systemd.
>>
>> Currently, if there is at least a conflict [2] with other sysctl config
>> files, the error is reported but the changes are not written as you can
>> check in the code:
>>
>> https://github.com/yast/yast-security/blob/master/src/modules/Security.rb#L594
>>
>> https://github.com/yast/yast-yast2/pull/1021/files#diff-4216cbac8e98ed10343a00513e10e917R128
>>
>> Thus, the changes done in the UI are lost, and need to be modified
>> manually later.
>>
>> ## Proposed Solution
>>
>> - The sysctl changes made by the module should always be written so as
>> not to lose them.
>> - If there is some sysctl config change, then the changes will be
>> applied to the running system.
>>
>> In case of a conflict it will be reported and the changes will be
>> applied system wide (sysctl --system), which means that higher
>> precedence values will be applied instead of the yast ones, but
>> non-conflicting attributes will be applied fine. Basically the same that
>> would be applied by rebooting the system.
>>
>> In case of no conflict, then, only the changes of the yast sysctl
>> config file will be applied (sysctl -p /etc/sysctl.d/70-yast.conf). This
>> is faster, and should be safe enough.
>
> Well, I would prefer here simplicity and consistency, so also call `sysctl
> --system`. Speed is usually not an issue in YaST and I found it a bit strange that
> manual modifications to other files are in some cases applied and in some not.

I tried to avoid changes to attributes not handled by the yast2-security
module if that was not strictly necessary. But let's use --system for now,
as we do with other settings.

>
> Josef
>
>>
>> You can check the proposed solution in this PR:
>>
>> https://github.com/yast/yast-security/pull/67
>>
>> ## Feedback
>>
>> We would like to know what you think about the proposed approach and
>> if you prefer to solve it in another way.
>>
>> Thanks in advance ;)
>>
>>
>> [1] Attributes handled by the module:
>>
>> See
>> https://github.com/yast/yast-security/blob/master/src/modules/Security.rb#L902
>>
>> - kernel.sysrq
>> - net.ipv4.tcp_syncookies
>> - net.ipv4.ip_forward
>> - net.ipv6.conf.all.forwarding
>>
>> [2] A conflict means that there is at least one attribute handled in the
>> yast sysctl config file which is also handled in a file with higher
>> precedence than the yast config file
>>
>> See
>> https://github.com/yast/yast-yast2/blob/master/library/general/src/lib/cfa/sysctl_config.rb#L96
>>
>>
>

--
Knut Alejandro Anderssen González
YaST Team at SUSE Linux GmbH
Re: [yast-devel] Handling sysctl config in yast2-security
Knut Alejandro Anderssen González Thu, 02 Apr 2020 01:33:40 -0700
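
The conflict described in footnote [2] of the thread, as an added example that is not part of the original messages and is not YaST code: it reports which of the four attributes written to 70-yast.conf are also set in a file that takes precedence over it. The file names other than 70-yast.conf, their contents, and the simplified precedence rule (lexicographic file name order, last assignment wins, /etc/sysctl.conf not modelled) are assumptions.

```ruby
# Added example, not yast2-security code; all file contents are constructed.
YAST_FILE = "70-yast.conf"
MANAGED = %w[kernel.sysrq net.ipv4.tcp_syncookies net.ipv4.ip_forward
             net.ipv6.conf.all.forwarding].freeze

# Parse sysctl.d syntax: "key = value", comments start with # or ;,
# a leading "-" on the key (ignore write errors) is dropped.
def parse_sysctl(text)
  text.each_line.with_object({}) do |line, settings|
    line = line.strip
    next if line.empty? || line.start_with?("#", ";")
    key, value = line.split("=", 2)
    next if value.nil?
    # Simplification: treat "/" as "." so net/ipv4/ip_forward matches.
    settings[key.strip.sub(/\A-/, "").tr("/", ".")] = value.strip
  end
end

# Assumption: files apply in lexicographic name order and the last
# assignment wins, so names sorting after 70-yast.conf take precedence.
def overridden_settings(files)
  parsed = files.transform_values { |text| parse_sysctl(text) }
  yast = parsed.fetch(YAST_FILE)
  later = parsed.keys.select { |name| name > YAST_FILE }.sort.reverse
  MANAGED.each_with_object({}) do |key, found|
    next unless yast.key?(key)
    winner = later.find { |name| parsed[name].key?(key) }
    next unless winner
    found[key] = { yast: yast[key], effective: parsed[winner][key], file: winner }
  end
end

# Constructed sample of a sysctl.d directory after the module has written its file.
SAMPLE = {
  "50-default.conf" => "net.ipv4.ip_forward = 1\n",
  "70-yast.conf"    => "kernel.sysrq = 0\nnet.ipv4.tcp_syncookies = 1\n" \
                       "net.ipv4.ip_forward = 0\nnet.ipv6.conf.all.forwarding = 0\n",
  "90-router.conf"  => "# local override\nnet/ipv4/ip_forward=1\n",
  "99-debug.conf"   => "-kernel.sysrq = 1\n"
}.freeze

overridden_settings(SAMPLE).each do |key, c|
  puts "#{key}: YaST wrote #{c[:yast]}, #{c[:file]} sets #{c[:effective]}"
end
```

In the sample, forwarding and SysRq stay enabled after a system-wide apply even though the YaST file disables them, which is the case the thread proposes to report to the user.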