Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320197

Change subject: Load connection tracking sysctl values via a separate systemd unit
......................................................................

Load connection tracking sysctl values via a separate systemd unit

Connection tracking parameters cannot be set via the default
/etc/sysctl.d hierarchy; it needs to be ensured that these are set
after ferm is started (which loads the connection tracking kernel
modules which configure the respective sysctl options)

Provide a separate systemd unit ferm-sysctl.service which gets
started after ferm.

Bug: T136094
Change-Id: Icdac447b8ab3528cca652901779eeb4d7ea6fc5a
---
A modules/base/files/firewall/ferm-sysctl.service
M modules/base/manifests/firewall.pp
2 files changed, 25 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/97/320197/1

diff --git a/modules/base/files/firewall/ferm-sysctl.service b/modules/base/files/firewall/ferm-sysctl.service
new file mode 100644
index 0000000..e6a7c4b
--- /dev/null
+++ b/modules/base/files/firewall/ferm-sysctl.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Apply connection tracking sysctl settings for ferm
+After=ferm.service
+ConditionPathIsReadWrite=/proc/sys/
+ConditionPathExists=/etc/ferm/conntrack-sysctl.conf
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/sysctl -q --load=/etc/ferm/conntrack-sysctl.conf
+
+[Install]
+WantedBy=multi-user.target
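Review bot: `After=ferm.service` only orders this unit relative to ferm, it does not pull ferm in, so on a host where ferm.service is disabled or fails the oneshot still runs at multi-user.target with the conntrack modules possibly not loaded and the keys in conntrack-sysctl.conf absent from /proc/sys; consider adding `Wants=ferm.service` (or `Requires=ferm.service`) next to the `After=` line so the dependency the commit message describes is actually expressed. Also note that nothing in the visible diff creates `/etc/ferm/conntrack-sysctl.conf`, so `ConditionPathExists=` will silently skip the unit until another change ships that file; if that is intended, a comment in the unit saying where the file comes from would help the next reader.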
diff --git a/modules/base/manifests/firewall.pp b/modules/base/manifests/firewall.pp
index 680b3ba..9c24117 100644
--- a/modules/base/manifests/firewall.pp
+++ b/modules/base/manifests/firewall.pp
@@ -24,6 +24,18 @@
         },
     }
 
+    # Connection tracking parameters cannot be set via the default 
/etc/sysctl.d
+    # hierarchy; it needs to be ensured that these are set after ferm is 
started
+    # (which loads the connection tracking kernel modules which configure the
+    # respective sysctl options)
+    file { '/lib/systemd/system/ferm-sysctl.service':
+        ensure  => $ensure,
+        mode    => '0644',
+        owner   => 'root',
+        group   => 'root',
+        source  => 'puppet:///modules/base/firewall/ferm-sysctl.service',
+    }
+
     # The sysctl value net.netfilter.nf_conntrack_buckets is read-only. It is 
configured
     # via a modprobe parameter, bump it manually for running systems
     exec { 'bump nf_conntrack hash table size':
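Review bot: the `file { '/lib/systemd/system/ferm-sysctl.service': ... }` resource only drops the unit on disk; there is no accompanying `service` resource (or equivalent) that enables and starts ferm-sysctl, and no notify of a systemd daemon-reload, so after this change applies systemd will neither know about the new unit nor start it at boot, and the conntrack sysctl values will still not be applied. Suggest adding a `service { 'ferm-sysctl': ensure => running, enable => true, subscribe => File['/lib/systemd/system/ferm-sysctl.service'] }` (or whatever helper this repo uses for systemd units, which also handles the daemon-reload), and as a style point locally managed units conventionally live under `/etc/systemd/system/` rather than the package-owned `/lib/systemd/system/`.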

-- 
To view, visit https://gerrit.wikimedia.org/r/320197
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Icdac447b8ab3528cca652901779eeb4d7ea6fc5a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
