cloudstack-commits mailing list archives

From wid...@apache.org
Subject [1/2] git commit: updated refs/heads/master to 28d18dc
Date Wed, 09 Sep 2015 08:29:39 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/master 1bc8b6b19 -> 28d18dce0


sysctl: don't modify /etc/sysctl.conf

To configure firewall rules, CloudStack modifies `/etc/sysctl.conf` and
executes those modifications. This may be harmful for several reasons:

 1. `/etc/sysctl.conf` may be managed by some configuration management
    system. Such a system will constantly restore the previous version.

 2. `/etc/sysctl.conf` may contain additional properties that have been
    changed later by some system administrator (for example, once a
    firewall has been configured, forwarding may have been activated
    while it is disabled in `/etc/sysctl.conf`). Executing the file
    again at a later time may disrupt the system.

 3. Entries are added again and again. `/etc/sysctl.conf` will contain
    the same directives repeated several times.

Using a configuration file is not needed as `sysctl` is able to directly
modify sysctl values with the `-w` flag.

Signed-off-by: Vincent Bernat <Vincent.Bernat@exoscale.ch>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/f2b8f2ea
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/f2b8f2ea
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/f2b8f2ea

Branch: refs/heads/master
Commit: f2b8f2eade26166adc329a4d334fad034c22fd54
Parents: dd9ba48
Author: Vincent Bernat <Vincent.Bernat@exoscale.ch>
Authored: Fri Sep 4 14:31:09 2015 +0200
Committer: Vincent Bernat <Vincent.Bernat@exoscale.ch>
Committed: Fri Sep 4 14:31:09 2015 +0200

----------------------------------------------------------------------
 .../scripts/vm/hypervisor/ovm/OvmSecurityGroupModule.py   | 10 +++-------
 scripts/vm/network/security_group.py                      | 10 +++-------
 2 files changed, 6 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f2b8f2ea/plugins/hypervisors/ovm/scripts/vm/hypervisor/ovm/OvmSecurityGroupModule.py
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/ovm/scripts/vm/hypervisor/ovm/OvmSecurityGroupModule.py b/plugins/hypervisors/ovm/scripts/vm/hypervisor/ovm/OvmSecurityGroupModule.py
index d04d104..8ad41da 100755
--- a/plugins/hypervisors/ovm/scripts/vm/hypervisor/ovm/OvmSecurityGroupModule.py
+++ b/plugins/hypervisors/ovm/scripts/vm/hypervisor/ovm/OvmSecurityGroupModule.py
@@ -75,13 +75,9 @@ class OvmSecurityGroup(OvmObject):
     @staticmethod
     def add_fw_framework(bridge_name):
         try:
-            cfo = ConfigFileOps("/etc/sysctl.conf")
-            cfo.addEntry("net.bridge.bridge-nf-call-arptables", "1")
-            cfo.addEntry("net.bridge.bridge-nf-call-iptables", "1")
-            cfo.addEntry("net.bridge.bridge-nf-call-ip6tables", "1")
-            cfo.save()
-
-            execute("sysctl -p /etc/sysctl.conf")
+            execute("sysctl -w net.bridge.bridge-nf-call-arptables=1")
+            execute("sysctl -w net.bridge.bridge-nf-call-iptables=1")
+            execute("sysctl -w net.bridge.bridge-nf-call-ip6tables=1")
         except:
             logging.debug("failed to turn on bridge netfilter")
             return False
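Review bot: the bare `except:` around the three `execute("sysctl -w ...")` calls still swallows every exception (including KeyboardInterrupt/SystemExit) and reports the failure only at debug level, so a host whose bridge netfilter hooks never came up will silently return False from `add_fw_framework` with no hint of which of the three keys failed; catch a concrete exception type, log at warning level with the offending command, and consider passing all three settings to a single `sysctl -w` invocation so a failure on the first key does not leave the remaining two unapplied without a trace.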

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f2b8f2ea/scripts/vm/network/security_group.py
----------------------------------------------------------------------
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index 31984d2..4392d48 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -960,13 +960,9 @@ def getBrfw(brname):
 
 def addFWFramework(brname):
     try:
-        cfo = configFileOps("/etc/sysctl.conf")
-        cfo.addEntry("net.bridge.bridge-nf-call-arptables", "1")
-        cfo.addEntry("net.bridge.bridge-nf-call-iptables", "1")
-        cfo.addEntry("net.bridge.bridge-nf-call-ip6tables", "1")
-        cfo.save()
-
-        execute("sysctl -p /etc/sysctl.conf")
+        execute("sysctl -w net.bridge.bridge-nf-call-arptables=1")
+        execute("sysctl -w net.bridge.bridge-nf-call-iptables=1")
+        execute("sysctl -w net.bridge.bridge-nf-call-ip6tables=1")
     except:
         logging.debug("failed to turn on bridge netfilter")
         return False
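Review bot: with the `configFileOps` path gone, these `net.bridge.bridge-nf-call-*` values are now runtime-only and will not survive a reboot, which is the intent of the commit message but is not stated in the code; add a short comment above the `execute("sysctl -w ...")` lines saying that `addFWFramework` is expected to re-apply them on every bridge setup, so a later maintainer does not "fix" the missing persistence by reintroducing writes to `/etc/sysctl.conf`, and, as in the OVM module, replace the bare `except:` with a specific exception and a warning-level log that names the command that failed.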

