sysctl.d: Add prefix 60 to baselayout.conf and set rp_filter values #13
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The baselayout.conf file was applied after all "[0-9]+.*.conf" files due to sorting by file name. This made it difficult for users to apply their configuration files because they had to use a name starting with something being sorted after "bb" while everybody expects "90" to be the latest in the order. This also caused that baselayout was overwriting the "50-default.conf" file from systemd. Sort the baselayout file after the "50-default.conf" file but before any possible user files like "90-...". By inserting the baselayout file after "50-default.conf" we have a good way to overwrite the systemd settings for rp_filter that we want to change to 0. This allows us to drop any patches to the systemd ebuild file.
pothos
added a commit
to flatcar/coreos-overlay
that referenced
this pull request
Dec 14, 2020
The patches were not taking effect because they did not set net.ipv4.conf.default.rp_filter for new interfaces. Also, they got overwritten by the baselayout configuration which takes precedence and is the place for Flatcar-specific sysctl settings. The desired configuration was enfored there: flatcar/baselayout#13
|
Test results: |
t-lo
requested changes
Dec 15, 2020
There was a problem hiding this comment.
This differs from https://github.com/kinvolk/coreos-overlay/pull/746/files as it does not cover net.ipv4.conf.all.promote_secondaries (which networkd relies on, see comment in https://github.com/kinvolk/coreos-overlay/pull/746/files#diff-17a2157c938f6228c6e37bb3b789d422a44442b0d50f8424f1629e7efa2607a9). Also, net.ipv4.conf.*.accept_source_route = 0 is not covered (see https://github.com/kinvolk/coreos-overlay/pull/746/files#diff-b8338bc6daaa469bac329ff335815017bcbcfd2640e4120de50d0021adbf5a09).
|
For |
pothos
added a commit
to flatcar/coreos-overlay
that referenced
this pull request
Dec 15, 2020
The patches were not taking effect because they did not set net.ipv4.conf.default.rp_filter for new interfaces. Also, they got overwritten by the baselayout configuration which takes precedence and is the place for Flatcar-specific sysctl settings. The desired configuration was enfored there: flatcar/baselayout#13
pothos
added a commit
to flatcar/coreos-overlay
that referenced
this pull request
Dec 15, 2020
The patches were not taking effect because they did not set net.ipv4.conf.default.rp_filter for new interfaces. Also, they got overwritten by the baselayout configuration which takes precedence and is the place for Flatcar-specific sysctl settings. The desired configuration was enfored there: flatcar/baselayout#13
pothos
added a commit
to flatcar/coreos-overlay
that referenced
this pull request
Dec 15, 2020
The patches were not taking effect because they did not set net.ipv4.conf.default.rp_filter for new interfaces. Also, they got overwritten by the baselayout configuration which takes precedence and is the place for Flatcar-specific sysctl settings. The desired configuration was enfored there: flatcar/baselayout#13
t-lo
approved these changes
Dec 15, 2020
pothos
added a commit
to flatcar/coreos-overlay
that referenced
this pull request
Dec 15, 2020
This pulls in flatcar/baselayout#13 to set sysctl rp_filter=0 and reorder how the configs are applied.
pothos
added a commit
that referenced
this pull request
Dec 15, 2020
sysctl.d: Add prefix 60 to baselayout.conf and set rp_filter values
pothos
added a commit
to flatcar/coreos-overlay
that referenced
this pull request
Dec 15, 2020
This pulls in flatcar/baselayout#13 to set sysctl rp_filter=0 and reorder how the configs are applied. A branch flatcar-2605-2705 is used as maitenance branch.
pothos
added a commit
to flatcar/coreos-overlay
that referenced
this pull request
Dec 15, 2020
This pulls in flatcar/baselayout#13 to set sysctl rp_filter=0 and reorder how the configs are applied. A branch flatcar-2605-2705 is used as maintenance branch.
pothos
added a commit
to flatcar/coreos-overlay
that referenced
this pull request
Dec 15, 2020
This pulls in flatcar/baselayout#13 to set sysctl rp_filter=0 and reorder how the configs are applied. A branch flatcar-2605-2705 is used as maintenance branch.
pothos
added a commit
to flatcar/coreos-overlay
that referenced
this pull request
Dec 15, 2020
This pulls in flatcar/baselayout#13 to set sysctl rp_filter=0 and reorder how the configs are applied. A branch flatcar-2605-2705 is used as maintenance branch.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
The baselayout.conf file was applied after all "[0-9]+.*.conf" files
due to sorting by file name. This made it difficult for users to apply
their configuration files because they had to use a name starting with
something being sorted after "bb" while everybody expects "90" to be
the latest in the order. This also caused that baselayout was
overwriting the "50-default.conf" file from systemd.
Sort the baselayout file after the "50-default.conf" file but before
any possible user files like "90-...". By inserting the baselayout file
after "50-default.conf" we have a good way to overwrite the systemd
settings for rp_filter that we want to change to 0. This allows us to
drop any patches to the systemd ebuild file.
Note: Pick for 2605 and 2705
How to use
Build an image and check that
sudo sysctl -a | grep '\.rp_filter'reports= 0for every line.Testing done
Done here