Re: policy for shipping sysctl.d snippets in packages?

To: debian-devel@lists.debian.org
Subject: Re: policy for shipping sysctl.d snippets in packages?
From: Marc Haber <mh+debian-devel@zugschlus.de>
Date: Mon, 24 Apr 2017 20:20:41 +0200
Message-id: <[🔎] E1d2ibJ-00077Q-Tw@swivel.zugschlus.de>
In-reply-to: <[🔎] 20170423181136.xbkwc6dwpz3km7eg@x>
References: <[🔎] 20170423120845.GA12266@khazad-dum.debian.net> <[🔎] 20170423181136.xbkwc6dwpz3km7eg@x>

On Sun, 23 Apr 2017 11:11:37 -0700, Josh Triplett
<josh@joshtriplett.org> wrote:
>Henrique de Moraes Holschuh wrote:
>> 1. read current levels (using sysctl, not directly).
>> 
>> 2. if they are above the default, don't change the state of the system:
>>    if your config file is there, let ucf handle its update normally.  if
>>    your config file is *NOT* there, assume deleted and help ucf a little
>>    (ucf can do this by itself most of the time: we have always handled
>>    deletion of config files in /etc as an action to be preserved, but
>>    *not* at first install)
>> 
>> 3. if they are at a dangerous level, install your config file to /etc
>>    normally, using ucf.  And document that the user needs to reboot
>>    somewhere.
>
>This seems like a recipe for a very confused sysadmin, wondering what
>non-standard mechanism is messing with sysctls out-of-band and making
>configuration file editing/preservation decisions based on sysctl values
>rather than just the files themselves.
>
>I would suggest, instead, working with sysctl upstream to add an
>"increase if not at least this value, but don't decrease if above this
>value" mechanism.  That'll take a while to propagate widely enough, but
>once it does, you could use such a mechanism to ensure you have a large
>enough value to function without overriding a larger value set in
>another file.
>
>Also, you don't generally need to reboot to apply changed sysctls.

Please note that the current sysctl interface doesn't play well with
network interfaces that get created on the fly, such as bonding, VLAN
interfaces or bridges. One needs to first initialize the network, then
do the sysctl business to catch those interfaces, to catch even the
dynamically created interfaces.


Or it was the other way round. I remember going through bizarre
contortions to set IPv6 ip_forwarding on jessie without
systemd-networkd supporting this "exotic" use case.

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Reply to:

Follow-Ups:
- Re: policy for shipping sysctl.d snippets in packages?
  - From: Christian Seiler <christian@iwakd.de>
- Re: policy for shipping sysctl.d snippets in packages?
  - From: Philipp Kern <pkern@debian.org>

References:
- Re: policy for shipping sysctl.d snippets in packages?
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: policy for shipping sysctl.d snippets in packages?
  - From: Josh Triplett <josh@joshtriplett.org>

Prev by Date: AWS Cloud users contact DB
Next by Date: Re: policy for shipping sysctl.d snippets in packages?
Previous by thread: Re: policy for shipping sysctl.d snippets in packages?
Next by thread: Re: policy for shipping sysctl.d snippets in packages?
Index(es):
- Date
- Thread