Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/319071 )
Change subject: Create a separate sysctl configuration for setting conntrack settings ...................................................................... Create a separate sysctl configuration for setting conntrack settings Currently connection tracking sysctl settings are configured via /etc/sysctl.d, which is racy; if /etc/sysctl.d is processed before ferm is started (which loads the connection tracking kernel modules which configures the respective sysctl options), the values cannot be set. This will be fixed in a followup commit, which adds a systemd unit which gets started after ferm. This doesn't use the /etc/sysctl.d path used by the sysctl class to avoid confusion (it also wipes all config files not managed via sysctl::parameters). Change-Id: I1313c35aff23d0295b1541baff53f8f447c8d524 --- A modules/ferm/files/conntrack.conf M modules/ferm/manifests/init.pp 2 files changed, 17 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved Ottomata: Looks good to me, but someone else must approve jenkins-bot: Verified diff --git a/modules/ferm/files/conntrack.conf b/modules/ferm/files/conntrack.conf new file mode 100644 index 0000000..64e2e18 --- /dev/null +++ b/modules/ferm/files/conntrack.conf @@ -0,0 +1,3 @@ +# sysctl parameters managed by ferm puppet module +net.netfilter.nf_conntrack_max = 262144 +net.netfilter.nf_conntrack_tcp_timeout_time_wait = 65 diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp index 845633e..f26b244 100644 --- a/modules/ferm/manifests/init.pp +++ b/modules/ferm/manifests/init.pp 
@@ -32,6 +32,20 @@ notify => Service['ferm'], } + # The connection tracking values cannot be set via the standard + # /etc/sysctl.d hierarchy: The conntrack entries are only available + # once ferm loads the connection tracking kernel modules. So these + # values are set via a separate systemd unit which is started after + # ferm. This doesn't use the /etc/sysctl.d path used by the sysctl + # class to avoid confusion + file { '/etc/ferm/conntrack-sysctl.conf': + ensure => present, + owner => 'root', + group => 'root', + mode => '0444', + source => 'puppet:///modules/ferm/conntrack.conf', + } + file { '/etc/ferm/functions.conf' : ensure => present, owner => 'root', -- To view, visit https://gerrit.wikimedia.org/r/319071 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I1313c35aff23d0295b1541baff53f8f447c8d524 Gerrit-PatchSet: 10 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Elukey <ltosc...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org> Gerrit-Reviewer: Ottomata <ao...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
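Review bot: Nothing in this change applies the new conntrack.conf; both net.netfilter.nf_conntrack_max and net.netfilter.nf_conntrack_tcp_timeout_time_wait stay unapplied until the followup commit adds the systemd unit, and the existing /etc/sysctl.d entries that the commit message calls racy are not removed here, so the two sources coexist in the meantime. Consider landing the unit in the same change, or at least stating in the file header comment that the file is applied by a unit started after ferm rather than by the sysctl class. The chosen values also deserve a comment: 65 for the time_wait timeout is well below the kernel default of 120 seconds, and raising nf_conntrack_max to 262144 only helps if the conntrack hash table is sized to match, which is controlled by the nf_conntrack hashsize module parameter and not by anything in this file.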
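Review bot: The comment above the new file resource says the values "are set via a separate systemd unit which is started after ferm", but that unit is not part of this change (the commit message defers it to a followup), so the comment documents behaviour that does not yet exist; make that explicit, for example "set via a separate systemd unit (added in a followup) which is started after ferm". The resource for /etc/ferm/conntrack-sysctl.conf also has no notify, unlike the resource in the context above it which notifies Service['ferm']; when the unit lands, changes to this file should notify it, otherwise edits to the conntrack values through Puppet only take effect on the next restart or reboot. Minor: the source is modules/ferm/files/conntrack.conf while the installed path is conntrack-sysctl.conf; giving both the same name would make the mapping easier to follow.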