apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

sysctl: don't modify /etc/sysctl.conf

Browse Source 
To configure firewall rules, CloudStack modifies `/etc/sysctl.conf` and
execute those modifications. This may be harmful for several reasons:

 1. `/etc/sysctl.conf` may be managed by some configuration management
    system. Such a system will constantly restore the previous version.

 2. `/etc/sysctl.conf` may contain additional properties that have been
    changed later by some system administrator (for example, once a
    firewall has been configured, forwarding may have been activated
    while it is disabled in `/etc/sysctl.conf`). Executing the file
    again at a later time may disrupt the system.

 3. Entries are added again and again. `/etc/sysctl.conf` will contain
    the same directives repeated several times.

Using a configuration file is not needed as `sysctl` is able to directly
modify sysctl values with `-w` flag.

Signed-off-by: Vincent Bernat <Vincent.Bernat@exoscale.ch>
This commit is contained in:
Vincent Bernat 2015-09-04 14:31:09 +02:00
parent dd9ba48efa
commit f2b8f2eade
2 changed files with 6 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
plugins/hypervisors/ovm/scripts/vm/hypervisor/ovm/OvmSecurityGroupModule.py
View File

@ -75,13 +75,9 @@ class OvmSecurityGroup(OvmObject):
@staticmethod @staticmethod
def add_fw_framework(bridge_name): def add_fw_framework(bridge_name):
try: try:
cfo = ConfigFileOps("/etc/sysctl.conf") execute("sysctl -w net.bridge.bridge-nf-call-arptables=1")
cfo.addEntry("net.bridge.bridge-nf-call-arptables", "1") execute("sysctl -w net.bridge.bridge-nf-call-iptables=1")
cfo.addEntry("net.bridge.bridge-nf-call-iptables", "1") execute("sysctl -w net.bridge.bridge-nf-call-ip6tables=1")
cfo.addEntry("net.bridge.bridge-nf-call-ip6tables", "1")
cfo.save()
execute("sysctl -p /etc/sysctl.conf")
except: except:
logging.debug("failed to turn on bridge netfilter") logging.debug("failed to turn on bridge netfilter")
return False return False

10
scripts/vm/network/security_group.py
View File

@ -960,13 +960,9 @@ def getBrfw(brname):
def addFWFramework(brname): def addFWFramework(brname):
try: try:
cfo = configFileOps("/etc/sysctl.conf") execute("sysctl -w net.bridge.bridge-nf-call-arptables=1")
cfo.addEntry("net.bridge.bridge-nf-call-arptables", "1") execute("sysctl -w net.bridge.bridge-nf-call-iptables=1")
cfo.addEntry("net.bridge.bridge-nf-call-iptables", "1") execute("sysctl -w net.bridge.bridge-nf-call-ip6tables=1")
cfo.addEntry("net.bridge.bridge-nf-call-ip6tables", "1")
cfo.save()
execute("sysctl -p /etc/sysctl.conf")
except: except:
logging.debug("failed to turn on bridge netfilter") logging.debug("failed to turn on bridge netfilter")
return False return False