[yast-devel] Handling sysctl config in yast2-security

In this sprint I'm working on a bug reported against the yast2-security module. This module manages some YaST sysctl config file attributes [1].

## Problem

After modifying the settings, it does not apply the network changes to the running system.

In the past that responsibility was handled by boot.ipconfig, which is no longer the case since we moved to systemd.

Currently, if there is at least one conflict [2] with other sysctl config files, the error is reported but the changes are not written, as you can check in the code:

https://github.com/yast/yast-security/blob/master/src/modules/Security.rb#L5...
https://github.com/yast/yast-yast2/pull/1021/files#diff-4216cbac8e98ed10343a...

Thus, the changes done in the UI are lost and need to be made manually later.

## Proposed Solution

- The sysctl changes made by the module should always be written, so they are not lost.
- If there is some sysctl config change, then the changes will be applied to the running system.

In case of a conflict it will be reported and the changes will be applied system wide (sysctl --system), which means that the higher-precedence values will be applied instead of the YaST ones, but the non-conflicting attributes will be applied fine. Basically the same as what would be applied by rebooting the system.

In case of no conflict, only the changes of the YaST sysctl config file will be applied (sysctl -p /etc/sysctl.d/70-yast.conf). This is faster, and should be safe enough.

You can check the proposed solution in this PR:

https://github.com/yast/yast-security/pull/67

## Feedback

We would like to know what you think about the proposed approach and whether you would prefer to solve it in another way.

Thanks in advance ;)

[1] Attributes handled by the module:
See https://github.com/yast/yast-security/blob/master/src/modules/Security.rb#L9...

- kernel.sysrq
- net.ipv4.tcp_syncookies
- net.ipv4.ip_forward
- net.ipv6.conf.all.forwarding

[2] A conflict means that there is at least one attribute handled in the YaST sysctl config file which is also handled in a file with higher precedence than the YaST config file.
See https://github.com/yast/yast-yast2/blob/master/library/general/src/lib/cfa/s...

-- 
Knut Alejandro Anderssen González
YaST Team at SUSE Linux GmbH

-- 
To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org
To contact the owner, e-mail: yast-devel+owner@opensuse.org
On Wed, 1 Apr 2020 09:51:37 +0100, Knut Alejandro Anderssen González wrote:

> In this sprint I'm working on a bug reported against the yast2-security module.
> This module manages some YaST sysctl config file attributes [1].
>
> ## Problem
>
> After modifying the settings, it does not apply the network changes to the running system.
>
> In the past that responsibility was handled by boot.ipconfig, which is no longer the case since we moved to systemd.
>
> Currently, if there is at least one conflict [2] with other sysctl config files, the error is reported but the changes are not written, as you can check in the code:
>
> https://github.com/yast/yast-security/blob/master/src/modules/Security.rb#L5...
> https://github.com/yast/yast-yast2/pull/1021/files#diff-4216cbac8e98ed10343a...
>
> Thus, the changes done in the UI are lost and need to be made manually later.
>
> ## Proposed Solution
>
> - The sysctl changes made by the module should always be written, so they are not lost.
> - If there is some sysctl config change, then the changes will be applied to the running system.
>
> In case of a conflict it will be reported and the changes will be applied system wide (sysctl --system), which means that the higher-precedence values will be applied instead of the YaST ones, but the non-conflicting attributes will be applied fine. Basically the same as what would be applied by rebooting the system.
>
> In case of no conflict, only the changes of the YaST sysctl config file will be applied (sysctl -p /etc/sysctl.d/70-yast.conf). This is faster, and should be safe enough.

Well, I would prefer simplicity and consistency here, so also call `sysctl --system`. Speed is usually not an issue in YaST, and I found it a bit strange that manual modifications to other files are in some cases applied and in some not.

Josef

> You can check the proposed solution in this PR:
>
> https://github.com/yast/yast-security/pull/67
>
> ## Feedback
>
> We would like to know what you think about the proposed approach and whether you would prefer to solve it in another way.
>
> Thanks in advance ;)
>
> [1] Attributes handled by the module:
> See https://github.com/yast/yast-security/blob/master/src/modules/Security.rb#L9...
>
> - kernel.sysrq
> - net.ipv4.tcp_syncookies
> - net.ipv4.ip_forward
> - net.ipv6.conf.all.forwarding
>
> [2] A conflict means that there is at least one attribute handled in the YaST sysctl config file which is also handled in a file with higher precedence than the YaST config file.
> See https://github.com/yast/yast-yast2/blob/master/library/general/src/lib/cfa/s...
On 4/2/20 9:16 AM, josef Reidinger wrote:

> On Wed, 1 Apr 2020 09:51:37 +0100, Knut Alejandro Anderssen González wrote:
>
>> In this sprint I'm working on a bug reported against the yast2-security module.
>> This module manages some YaST sysctl config file attributes [1].
>>
>> ## Problem
>>
>> After modifying the settings, it does not apply the network changes to the running system.
>>
>> In the past that responsibility was handled by boot.ipconfig, which is no longer the case since we moved to systemd.
>>
>> Currently, if there is at least one conflict [2] with other sysctl config files, the error is reported but the changes are not written, as you can check in the code:
>>
>> https://github.com/yast/yast-security/blob/master/src/modules/Security.rb#L5...
>> https://github.com/yast/yast-yast2/pull/1021/files#diff-4216cbac8e98ed10343a...
>>
>> Thus, the changes done in the UI are lost and need to be made manually later.
>>
>> ## Proposed Solution
>>
>> - The sysctl changes made by the module should always be written, so they are not lost.
>> - If there is some sysctl config change, then the changes will be applied to the running system.
>>
>> In case of a conflict it will be reported and the changes will be applied system wide (sysctl --system), which means that the higher-precedence values will be applied instead of the YaST ones, but the non-conflicting attributes will be applied fine. Basically the same as what would be applied by rebooting the system.
>>
>> In case of no conflict, only the changes of the YaST sysctl config file will be applied (sysctl -p /etc/sysctl.d/70-yast.conf). This is faster, and should be safe enough.
>
> Well, I would prefer simplicity and consistency here, so also call `sysctl --system`. Speed is usually not an issue in YaST, and I found it a bit strange that manual modifications to other files are in some cases applied and in some not.

I tried to avoid changes to attributes not handled by the yast2-security module if that was not strictly necessary. But let's use --system for now, as we do with other settings.

> Josef
>
>> You can check the proposed solution in this PR:
>>
>> https://github.com/yast/yast-security/pull/67
>>
>> ## Feedback
>>
>> We would like to know what you think about the proposed approach and whether you would prefer to solve it in another way.
>>
>> Thanks in advance ;)
>>
>> [1] Attributes handled by the module:
>> See https://github.com/yast/yast-security/blob/master/src/modules/Security.rb#L9...
>>
>> - kernel.sysrq
>> - net.ipv4.tcp_syncookies
>> - net.ipv4.ip_forward
>> - net.ipv6.conf.all.forwarding
>>
>> [2] A conflict means that there is at least one attribute handled in the YaST sysctl config file which is also handled in a file with higher precedence than the YaST config file.
>> See https://github.com/yast/yast-yast2/blob/master/library/general/src/lib/cfa/s...

-- 
Knut Alejandro Anderssen González
YaST Team at SUSE Linux GmbH
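The precedence rules and the "conflict" check the thread argues about, as an added example in Ruby (the language YaST is written in). This is not yast2-security's or yast-yast2's code; it models the file order documented for `sysctl --system` and sysctl.d(5) (search /etc, /run, /usr/local/lib, /usr/lib; a file in an earlier directory masks a same-named file in a later one; files are then applied in lexicographic order of their basename; procps applies /etc/sysctl.conf last), and those rules, the helper names, and the sample file contents are assumptions of this example. `apply_command` implements the branch from the original proposal, so you can see which files push a given setup onto `sysctl --system`; the thread itself settled on always calling `--system`.

```ruby
# Added example, not yast2-security's own code: model how `sysctl --system`
# orders configuration files and detect a YaST-managed key that a
# higher-precedence file overrides. Files are passed as path => content so
# it runs offline; the precedence rules are taken from sysctl.d(5)/procps
# and are this example's assumption.

YAST_CONF = "/etc/sysctl.d/70-yast.conf".freeze
# Directories in the order `sysctl --system` searches them; an earlier
# directory masks a file with the same basename in a later one.
SYSCTL_DIRS = %w[/etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d].freeze
# procps applies /etc/sysctl.conf after all of the sysctl.d files.
LEGACY_CONF = "/etc/sysctl.conf".freeze

# Parse "key = value" lines. A leading "-" (ignore errors) is dropped and
# "/" is normalised to "." since sysctl accepts both separators.
def parse_sysctl(content)
  content.to_s.each_line.with_object({}) do |line, settings|
    line = line.strip
    next if line.empty? || line.start_with?("#", ";")
    key, value = line.split("=", 2)
    next if value.nil?
    settings[key.strip.sub(/\A-/, "").tr("/", ".")] = value.strip
  end
end

# Files in the order their settings take effect: later entries win.
def ordered_files(files)
  by_basename = {}
  SYSCTL_DIRS.each do |dir|
    files.keys.sort.each do |path|
      next unless File.dirname(path) == dir && path.end_with?(".conf")
      by_basename[File.basename(path)] ||= path # first directory wins
    end
  end
  order = by_basename.values.sort_by { |path| File.basename(path) }
  order << LEGACY_CONF if files.key?(LEGACY_CONF)
  order
end

# Values the kernel ends up with after `sysctl --system` (or a reboot).
def effective_settings(files)
  ordered_files(files).each_with_object({}) do |path, merged|
    merged.merge!(parse_sysctl(files[path]))
  end
end

# key => [path, value] for every YaST-managed key that a file applied after
# the YaST file also sets; only the final overriding file is reported.
def yast_conflicts(files, yast_path = YAST_CONF)
  order = ordered_files(files)
  index = order.index(yast_path)
  return {} if index.nil?
  yast_keys = parse_sysctl(files[yast_path]).keys
  order.drop(index + 1).each_with_object({}) do |path, found|
    parse_sysctl(files[path]).each do |key, value|
      found[key] = [path, value] if yast_keys.include?(key)
    end
  end
end

# The branch from the original proposal: reload everything when YaST's
# values could be shadowed, otherwise reload only the YaST file.
def apply_command(files, yast_path = YAST_CONF)
  if yast_conflicts(files, yast_path).empty?
    ["sysctl", "-p", yast_path]
  else
    ["sysctl", "--system"]
  end
end

# Constructed sample configuration, not taken from a real system.
SAMPLE_FILES = {
  "/usr/lib/sysctl.d/50-default.conf" => "net.ipv4.ip_forward = 0\nkernel.sysrq = 184\n",
  YAST_CONF => "kernel.sysrq = 0\nnet.ipv4.tcp_syncookies = 1\n" \
               "net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 0\n",
  "/etc/sysctl.d/99-local.conf" => "# site policy\nnet.ipv4.ip_forward = 0\n",
  "/usr/lib/sysctl.d/99-local.conf" => "kernel.sysrq = 1\n", # masked by the /etc file above
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "order:     #{ordered_files(SAMPLE_FILES).join(' -> ')}"
  puts "conflicts: #{yast_conflicts(SAMPLE_FILES).inspect}"
  puts "effective: #{effective_settings(SAMPLE_FILES).inspect}"
  puts "command:   #{apply_command(SAMPLE_FILES).join(' ')}"
end
```

With the sample files, 99-local.conf in /etc overrides net.ipv4.ip_forward, so the original proposal would fall back to `sysctl --system`, and the effective value is 0 regardless of what YaST wrote; the masked /usr/lib copy of 99-local.conf is ignored, which is why a check that only looks at files next to 70-yast.conf would miss overrides from the other directories. On a real system the Hash would be filled with `Dir.glob` over the same directories.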
participants (2)
- josef Reidinger
- Knut Alejandro Anderssen González