
sysctl conflict for router role
Closed, InvalidPublic

Description

On Complector, D2904 showed there is a conflict:

router-001:
----------
          ID: /etc/sysctl.conf
    Function: file.managed
      Result: True
     Comment: File /etc/sysctl.conf updated
     Started: 23:57:09.019819
    Duration: 271.21 ms
     Changes:
              ----------
              diff:
                  ---
                  +++
                  @@ -15,10 +15,12 @@
                   #   </auto-generated>

                   #   -------------------------------------------------------------
                  -#   Network
                  +#   Interprocess Communication
                  +#
                  +#   See T519
                   #   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

                  -net.inet.ip.forwarding=1
                  +kern.ipc.somaxconn=1024

                   #   -------------------------------------------------------------
                   #   VFS — kernel interface to file systems
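
Review bot: this hunk drops `net.inet.ip.forwarding=1` from /etc/sysctl.conf on router-001 in the same change that adds `kern.ipc.somaxconn=1024`; the two settings are unrelated, so the Interprocess Communication section should be appended rather than substituted for the Network section unless forwarding is guaranteed from elsewhere (the timeline notes that roles/core/network/routes.sls provisions gateway_enable="YES" for the router role, which is what makes the removal safe for this node). After the state runs, confirm with `sysctl net.inet.ip.forwarding` on router-001 that the value is still 1.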

Revisions and Commits

Event Timeline

dereckson triaged this task as High priority. Mar 23 2023, 23:58
dereckson created this task.

Actually, we don't have any unit for the router role.

It's currently only used by roles/core/network/routes.sls with {% if "router" in salt['node.get_list']('roles') %}.

The router's important matter is defined by the network pillar information and by _resolve_gre_tunnels_for_router in the node execution module.

So roles/core/network/routes.sls provisions an rc file with gateway_enable="YES", and that enables net.inet.ip.forwarding.

If it's not defined, it will be set again to NO, as documented in ef7f71ee761d, so it's OK to overwrite the file, as the setting would be overwritten afterwards.

If ef7f71ee761d had been fully applied, the network section would already have been removed.
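
As an added example, not code from this task or from the Salt states it mentions, the following POSIX sh check models the rule stated in the comment above: gateway_enable="YES" in the rc file provisioned by roles/core/network/routes.sls turns forwarding on, and when it is absent /etc/rc.d/routing sets net.inet.ip.forwarding back to 0. It reads an rc file and a sysctl.conf and flags nodes where the two disagree about forwarding, which is the ambiguity D2904 removed for router-001. The file names, the function names and the sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the DevCentral task or the Salt states it mentions.
# Models the rule stated in the task comment: on a FreeBSD node, gateway_enable="YES"
# in the rc file provisioned by roles/core/network/routes.sls turns forwarding on, and
# when it is absent (or not YES) /etc/rc.d/routing sets net.inet.ip.forwarding to 0.
# The check reads both files and flags nodes where sysctl.conf and the rc file
# disagree about forwarding. File names and sample contents are constructed.

# Last assignment of a variable in an rc file, quotes stripped (later lines win,
# as they do when rc.conf is sourced by sh).
rc_value() {            # $1 = rc file, $2 = variable name
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Last assignment of an OID in a sysctl.conf-style file (dots in the OID are
# escaped so sed matches them literally).
sysctl_conf_value() {   # $1 = sysctl.conf, $2 = OID
    oid=$(printf '%s\n' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$oid=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Value /etc/rc.d/routing applies to net.inet.ip.forwarding from the rc file:
# 1 when gateway_enable is YES (checkyesno spelling variants accepted), else 0.
rc_forwarding() {       # $1 = rc file
    case "$(rc_value "$1" gateway_enable | tr '[:upper:]' '[:lower:]')" in
        yes|true|on|1) echo 1 ;;
        *)             echo 0 ;;
    esac
}

# Returns 0 when sysctl.conf either says nothing about forwarding or agrees with
# the rc file; returns 1 (with a message on stderr) when the two files disagree.
check_forwarding() {    # $1 = rc file, $2 = sysctl.conf
    want=$(sysctl_conf_value "$2" net.inet.ip.forwarding)
    got=$(rc_forwarding "$1")
    if [ -n "$want" ] && [ "$want" != "$got" ]; then
        echo "conflict: $2 sets net.inet.ip.forwarding=$want but $1 yields $got" >&2
        return 1
    fi
    return 0
}

# Constructed samples: router-001 after D2904 (forwarding line gone from
# sysctl.conf, gateway_enable still provisioned), and a node that only ever set
# forwarding in sysctl.conf, where the rc file will undo it at boot.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'hostname="router-001"\ngateway_enable="YES"\n' > "$tmp/rc.conf.router"
printf 'kern.ipc.somaxconn=1024\n' > "$tmp/sysctl.conf.new"
printf 'hostname="node-001"\n' > "$tmp/rc.conf.plain"
printf 'net.inet.ip.forwarding=1\n' > "$tmp/sysctl.conf.old"

check_forwarding "$tmp/rc.conf.router" "$tmp/sysctl.conf.new" \
    && echo "router-001: consistent, forwarding=$(rc_forwarding "$tmp/rc.conf.router")"
check_forwarding "$tmp/rc.conf.plain" "$tmp/sysctl.conf.old" \
    || echo "node-001: forwarding set only in sysctl.conf, rc file resets it to 0"
```

Run it on a node's actual /etc/rc.conf and /etc/sysctl.conf pair to see whether the files agree before the Salt highstate rewrites either of them; a non-zero exit from check_forwarding is the case worth a unit for the router role.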