On Thu, Sep 14, 2017 at 8:38 AM, Leif Hedstrom <[email protected]> wrote:
>
> > On Sep 12, 2017, at 2:41 PM, Reindl Harald <[email protected]> wrote:
> >
> >> On 12.09.2017 at 22:31, Bryan Call wrote:
> >> proxy.config.disable_configuration_modification was a feature that was requested and the group didn’t use it.
> >> We are planning on having the configuration to be read-only for ATS 8.
> >
> > frankly ATS 8 is way too late after years of complaining when you need to have Letsencrypt enabled in a few weeks because Google Chrome will warn on every page with a form tag and no SSL
> >
> > it's just UNACCEPTABLE that you have to HARD RESTART Trafficserver for every remap/ssl change, it was UNACCEPTABLE the last years too but now it's becoming a joke
> >
> > where is the rocket science just read the fucking config file and shut up like every other software on this planet is able to do?
>
> You need to stop whining like a spoiled brat! There are / were several reasons why this was done, e.g. it's a requirement for the cluster config to work. Clustering is dead now, and gives us a way to remove this code and behavior for 8.0.
>
> That much said, as much complaining as you have done on this subject, the amount of code contributions from you or anyone else that has a problem with this feature is exactly zero. Which open source project lets you dictate others to do your work for you? We all have our priorities as (usually) dictated by the respective companies paying our salaries.
>
> Sincerely,
>
> -- Leif (not speaking on behalf of anyone other than myself)
>
> >
> > [root@proxy:/var/log/trafficserver]$ nano /etc/trafficserver/ssl_multicert.config
> > [root@proxy:/var/log/trafficserver]$ cat *
> > [root@proxy:/var/log/trafficserver]$ systemctl reload trafficserver.service
> > [root@proxy:/var/log/trafficserver]$ cat *
> > [Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::openFile] Open of ssl_multicert.config failed: Read-only file system
> > [Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::internalUpdate] Unable to create new version of ssl_multicert.config : Read-only file system
> > [Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::checkForUserUpdate] Failed to roll changed user file ssl_multicert.config: System Call Error
> > [Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: User has changed config file ssl_multicert.config
> > [root@proxy:/var/log/trafficserver]$
> >
> >>> On Sep 12, 2017, at 8:45 AM, Reindl Harald <[email protected]> wrote:
> >>>
> >>>> On 02.09.2017 at 04:51, Miles Libbey wrote:
> >>>>> On Fri, Sep 1, 2017 at 6:40 PM, Reindl Harald <[email protected]> wrote:
> >>>>>
> >>>>>> On 01.09.2017 at 22:43, Alan Carroll wrote:
> >>>>>>
> >>>>>> Is that addressed by
> >>>>>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html?highlight=records%20config#proxy-config-disable-configuration-modification
> >>>>>
> >>>>> sounds good - when is 8.0 planned to be released?
> >>>> It's also available in 7. We do a terrible job of having the
> >>>> documentation match the actual version (e.g. why we default to a version
> >>>> that won't be released for quite some time is beyond me,
> >>>
> >>> IT DOESN'T WORK
> >>>
> >>>>> that you currently need a hard restart for config changes is a pain and will
> >>>>> be much more pain when you have to use letsencrypt with its frequent
> >>>>> certificate updates in the next month after Chrome is starting to warn about
> >>>>> any site containing a form-tag without TLS
> >>>> They don't. Remap, SSL cert, and parents just need reloads, not
> >>>> restarts. Many record config values are also reloads
> >>>
> >>> IT DOESN'T RELOAD because of readonly /etc
> >>>
> >>> "/usr/bin/traffic_ctl config reload" doesn't do anything because of this "[Rollback::Rollback] Config file is read-only : ssl_multicert.config" bullshit and i am currently working to implement letsencrypt for hundreds of domains which means that at every point in time certificates can be changed and a reload is needed and HARD RESTART IS A NO-GO
> >>>
> >>> why in the world is that broken-by-design not fixed after 5 years of complaining or at least a option called "proxy.config.disable_configuration_modification" not tested at all?
> >>>
> >>> is it really that hard to create a basic systemd unit and set the OS to readonly which should be the case for every network service in 2017 and test BASIC OPERATIONS?
> >>>
> >>> ReadOnlyDirectories=/etc
> >>> ReadOnlyDirectories=/usr
> >>> ReadOnlyDirectories=/var/lib
> >>> ReadWriteDirectories=/etc/trafficserver/internal
> >>> ReadWriteDirectories=/etc/trafficserver/snapshots
> >>>
> >>> [root@proxy:~]$ cat records.config | grep configuration
> >>> # Main threads configuration (worker threads). Also see configurations for #
> >>> # parent proxy configuration #
> >>> CONFIG proxy.config.disable_configuration_modification INT 1
> >>> CONFIG proxy.config.cluster.cluster_configuration STRING cluster.config
> >>>
> >>> IT JUST DOESN'T WORK
> >

Hallelujah! I'm not the only one finding this guy annoying! If I was head of this project he would have been off the mailing list a long time ago. Using language like this about people that gave him a great tool to use for FREE is just unacceptable.

I have ATS compiled and installed from source and have /etc/trafficserver symlinked to /usr/local/etc/trafficserver and have never seen the issue he's talking about. There are a million ways and at least half a dozen tools that can help work around and automate any issue you can think of. And if you are still complaining about something trivial like that for 5 years then really you should quit your job and start doing something else. I guess that's what you get when you put a PHP (haha PHP, now that's a real "joke") enthusiast doing a sysadmin job.

You clearly explained the reason why this was not possible till now but he's still not getting it :-/

So thanks to everyone involved in this project, keep up the good work and please ignore comments from people that have no talent or creativity to do anything else but complain.

Regards,

--
Igor Cicimov | DevOps
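
Added example, not part of the thread and not Traffic Server code: a shell check that a deployment or certificate-renewal hook could run over the Manager's log output after `traffic_ctl config reload`, to flag the Rollback errors quoted in the thread when the config directory is mounted read-only. The function names are hypothetical, and the patterns cover only the message texts that appear in the thread.

```sh
#!/bin/sh
# Added example: flag Traffic Server Manager "Rollback" errors after a reload.
# Function names are hypothetical; patterns match only messages quoted in the thread.

# Sample input: the Manager lines posted in the thread, with mail wrapping undone.
sample_log() {
cat <<'EOF'
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::openFile] Open of ssl_multicert.config failed: Read-only file system
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::internalUpdate] Unable to create new version of ssl_multicert.config : Read-only file system
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::checkForUserUpdate] Failed to roll changed user file ssl_multicert.config: System Call Error
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: User has changed config file ssl_multicert.config
EOF
}

# stdin: log lines. stdout: one "<config file>|<step>: <reason>" per Rollback error.
rollback_failures() {
  sed -n -E \
    -e 's/.*\[Rollback::openFile\] Open of ([^ ]+) failed: (.*)$/\1|open: \2/p' \
    -e 's/.*\[Rollback::internalUpdate\] Unable to create new version of ([^ ]+) : (.*)$/\1|new version: \2/p' \
    -e 's/.*\[Rollback::checkForUserUpdate\] Failed to roll changed user file ([^ :]+): (.*)$/\1|roll: \2/p' \
    -e 's/.*\[Rollback::Rollback\] Config file is read-only : ([^ ]+).*$/\1|read-only: config file/p'
}

# stdin: log lines. stdout: the distinct config files that hit a Rollback error.
failed_config_files() {
  rollback_failures | cut -d'|' -f1 | sort -u
}

# stdin: log lines. Exit status 0 only when no Rollback error was logged.
reload_clean() {
  [ -z "$(rollback_failures)" ]
}

# Demo on the sample: report instead of silently trusting the reload.
if ! sample_log | reload_clean; then
  echo "Rollback errors after reload for: $(sample_log | failed_config_files)"
  sample_log | rollback_failures
fi
```

In a renewal hook, feed only the log lines written after the reload (for example by timestamp) so that older errors do not trigger the check.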
