Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/349392 )

Change subject: Load nf_conntrack via /etc/modules-load.d/
......................................................................


Load nf_conntrack via /etc/modules-load.d/

The nf_conntrack kernel module is usually auto-loaded during ferm startup.
But some additional configuration options for timewait handling are configured
via sysctl settings and if ferm autoloads the kernel module after
systemd-sysctl.service has run, the sysctl settings are not applied.
Add the nf_conntrack module via /etc/modules-load.d/ which loads
them before systemd-sysctl.service is executed.

Restricted to Debian systems, sysctl handling is slightly different with
Upstart anyway and the number of remaining Ubuntu hosts is shrinking
steadily anyway.

Bug: T136094
Change-Id: I877ed1d637277882e9c2776af3a0e76032c4ae3a
---
M modules/ferm/manifests/init.pp
1 file changed, 17 insertions(+), 0 deletions(-)

Approvals:
  Ema: Looks good to me, but someone else must approve
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index f26b244..221f763 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -11,6 +11,23 @@
         source => 'puppet:///modules/base/firewall/nf_conntrack.conf',
     }
 
+    # The nf_conntrack kernel module is usually auto-loaded during ferm 
startup.
+    # But some additional configuration options for timewait handling are 
configured
+    #   via sysctl settings and if ferm autoloads the kernel module after
+    #   systemd-sysctl.service has run, the sysctl settings are not applied.
+    # Add the nf_conntrack module via /etc/modules-load.d/ which loads
+    #   them before systemd-sysctl.service is executed.
+    if os_version('debian >= jessie') {
+        file { '/etc/modules-load.d/conntrack.conf':
+            ensure  => present,
+            owner   => 'root',
+            group   => 'root',
+            mode    => '0444',
+            content => "nf_conntrack\n",
+            require => File['/etc/modprobe.d/nf_conntrack.conf'],
+        }
+    }
+
     package { ['ferm', 'libnet-dns-perl', 'conntrack']:
         ensure  => present,
         require => File['/etc/modprobe.d/nf_conntrack.conf'],
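Review bot: The new file resource for '/etc/modules-load.d/conntrack.conf' has no notify or follow-up action, so it only takes effect the next time systemd-modules-load.service runs, which is at boot. Hosts that are already up, where ferm autoloaded nf_conntrack after systemd-sysctl.service had run, will keep running with the timewait sysctl settings unapplied until they are rebooted or the settings are re-applied by hand. Please either say so in the comment block above the 'if os_version(...)' guard, so operators know the rollout needs a reboot or a manual sysctl re-apply, or have the resource that manages those sysctl settings re-apply them once the module is loaded. Minor wording point in the same comment: "which loads them" should read "which loads it", since the file's content lists only nf_conntrack.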

-- 
To view, visit https://gerrit.wikimedia.org/r/349392

Gerrit-MessageType: merged
Gerrit-Change-Id: I877ed1d637277882e9c2776af3a0e76032c4ae3a
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org>
Gerrit-Reviewer: Ema <e...@wikimedia.org>
Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
