> On Sep 12, 2017, at 2:41 PM, Reindl Harald <[email protected]> wrote:
>
>
>
>> Am 12.09.2017 um 22:31 schrieb Bryan Call:
>> proxy.config.disable_configuration_modification was a feature that was
>> requested and the group didn’t use it.
>> We are planning on having the configuration to be read-only for ATS 8.
>
> frankly ATS 8 is way too late after years of complaining when you need to
> have Letsencrypt enabled in a few weeks because Google Chrome will warn on
> every page with a from tag and no SSL
>
> it's just UNACCEPTABLE that you have to HARD RESTART Trafficserver for every
> remamp/ssl change, it was UNACCEPTABLE the last years too but now it's
> becoming a joke
>
> where is the rocket science just read the fucking config file and shut up
> like every other software on this plant is able to do?
You need to stop whining like a spoiled brat! There are / were several reasons
why this was done, e.g. it's a requirement for the cluster config to work.
Clustering is dead now, and gives us a way to remove this code and behavior for
8.0.
That much said, as much complaining as you have done on this subject, the
amount of code contributions from you or anyone else that has a problem with
this feature is exactly zero. Which open source projects lets you dictate
others to do your work for you? We all have our priorities as (usually)
dictated by the respective companies paying our salaries.
Sincerely,
-- Leif (not speaking on behalf of anyone other than myself)
>
> [root@proxy:/var/log/trafficserver]$ nano
> /etc/trafficserver/ssl_multicert.config
> [root@proxy:/var/log/trafficserver]$ cat *
> [root@proxy:/var/log/trafficserver]$ systemctl reload trafficserver.service
> [root@proxy:/var/log/trafficserver]$ cat *
> [Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::openFile]
> Open of ssl_multicert.config failed: Read-only file system
> [Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE:
> [Rollback::internalUpdate] Unable to create new version of
> ssl_multicert.config : Read-only file system
> [Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE:
> [Rollback::checkForUserUpdate] Failed to roll changed user file
> ssl_multicert.config: System Call Error
> [Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: User has changed config
> file ssl_multicert.config
> [root@proxy:/var/log/trafficserver]$
>
>>> On Sep 12, 2017, at 8:45 AM, Reindl Harald <[email protected]> wrote:
>>>
>>>
>>>
>>>> Am 02.09.2017 um 04:51 schrieb Miles Libbey:
>>>>> On Fri, Sep 1, 2017 at 6:40 PM, Reindl Harald <[email protected]>
>>>>> wrote:
>>>>>
>>>>>
>>>>>> Am 01.09.2017 um 22:43 schrieb Alan Carroll:
>>>>>>
>>>>>> Is that addressed by
>>>>>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html?highlight=records%20config#proxy-config-disable-configuration-modification
>>>>>
>>>>> sounds good - when is 8.0 planned to be released?
>>>> It's also available in 7. We do a terrible job of having the
>>>> documentation match the actual version (eg why we default to a version
>>>> that won't be released for quite some time is beyond me,
>>>
>>> IT DON'T WORK
>>>
>>>>> that you currently need a hard restart for config changes is a pain and
>>>>> will
>>>>> be much more pain when you have to use letsencrypt with it's frequent
>>>>> certificate updates in the next month after Chrome is starting to warn
>>>>> about
>>>>> any site containing a from-tag without TLS
>>>> They don't. Remap, SSL cert, and parents just need reloads, not
>>>> restarts. Many record config values are also reloads
>>>
>>> IT DON'T RELOAD because of readonly /etc
>>>
>>> "/usr/bin/traffic_ctl config reload" don't do anything beause of this
>>> "[Rollback::Rollback] Config file is read-only : ssl_multicert.config"
>>> bullshit and i am currently working to implement letsencrypt for hundrets
>>> of domains which means that at every point in time certificates can be
>>> changed and a reload is needed and HARD RESTART IS A NO-GO
>>>
>>> why in the world is that broken-by-design not fixed after 5 years of
>>> complaining or at least a option called
>>> "proxy.config.disable_configuration_modification" not tested at all?
>>>
>>> is it really that hard to create a basic systemd unit and set the OS to
>>> redonly which should be the case for every network service in 2017 and test
>>> BASIC OPERATIONS?
>>>
>>> ReadOnlyDirectories=/etc
>>> ReadOnlyDirectories=/usr
>>> ReadOnlyDirectories=/var/lib
>>> ReadWriteDirectories=/etc/trafficserver/internal
>>> ReadWriteDirectories=/etc/trafficserver/snapshots
>>>
>>> [root@proxy:~]$ cat records.config | grep configuration
>>> # Main threads configuration (worker threads). Also see configurations for
>>> #
>>> # parent proxy configuration #
>>> CONFIG proxy.config.disable_configuration_modification INT 1
>>> CONFIG proxy.config.cluster.cluster_configuration STRING cluster.config
>>>
>>> IT JUST DON'T WORK
