Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/349392 )

Change subject: Load nf_conntrack via /etc/modules-load.d/
......................................................................

Load nf_conntrack via /etc/modules-load.d/

The nf_conntrack kernel module is usually auto-loaded during ferm startup.
But some additional configuration options for timewait handling are configured
via sysctl settings, and if ferm autoloads the kernel module after
systemd-sysctl.service has run, the sysctl settings are not applied.
Add the nf_conntrack module via /etc/modules-load.d/, which loads
it before systemd-sysctl.service is executed.

Restricted to Debian systems; sysctl handling is slightly different with
Upstart anyway and the number of remaining Ubuntu hosts is shrinking
steadily anyway.

Bug: T136094
Change-Id: I877ed1d637277882e9c2776af3a0e76032c4ae3a
---
M modules/ferm/manifests/init.pp
1 file changed, 17 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/92/349392/1

diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index f26b244..ebda3f4 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -11,6 +11,23 @@
         source => 'puppet:///modules/base/firewall/nf_conntrack.conf',
     }
 
+    # The nf_conntrack kernel module is usually auto-loaded during ferm 
startup.
+    # But some additional configuration options for timewait handling are 
configured
+    # via sysctl settings and if ferm autoloads the kernel module after
+    # systemd-sysctl.service has run, the sysctl settings are not applied
+    # Add the nf_conntrack module via /etc/modules-load.d/ which loads
+    # them before systemd-sysctl.service is executed
+    if os_version('debian >= jessie') {
+        file { '/etc/modules-load.d/conntrack.conf':
+            ensure  => present,
+            owner   => 'root',
+            group   => 'root',
+            mode    => '0444',
+            content => "nf_conntrack\n",
+            require => File['/etc/modprobe.d/nf_conntrack.conf'],
+        }
+    }
+
     package { ['ferm', 'libnet-dns-perl', 'conntrack']:
         ensure  => present,
         require => File['/etc/modprobe.d/nf_conntrack.conf'],
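
Review bot: the new file resource for '/etc/modules-load.d/conntrack.conf' has no notify or subscribe, so it only takes effect at the next boot; on hosts that are already up, where ferm has autoloaded nf_conntrack after systemd-sysctl.service ran, the timewait sysctl settings stay unapplied until a reboot. Either say so in the comment above the block, or have the resource notify something that re-applies the sysctl settings once the module is loaded. Separately, the comment does not explain the `if os_version('debian >= jessie')` guard; the reasoning given in the commit message (sysctl handling differs under Upstart) belongs in the comment too, since that is what a later reader of init.pp will see. Minor: "which loads them" should read "which loads it", since only one module is listed in `content => "nf_conntrack\n"`.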

-- 
To view, visit https://gerrit.wikimedia.org/r/349392

Gerrit-MessageType: newchange
Gerrit-Change-Id: I877ed1d637277882e9c2776af3a0e76032c4ae3a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org>
