From a082bb1e4ad995592521f2177778381da93eeae8b2ed94aa5eeed2fb1d17b246 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= Date: Sat, 28 May 2011 20:50:18 +0000 Subject: [PATCH] Accepting request 71353 from home:lnussel:branches:Base:System - load sysctls earlier (bnc#664550) - move distro defaults to /lib/sysctl.d to avoid .rpmnew files - enable IPv6 privacy by default (bnc#678066) I've sent the --system and --pattern path upstream but they weren't accepted yet. So this is tentative but we need the /lib/sysctl.d feature to be able to provide distro defaults in a sane way. OBS-URL: https://build.opensuse.org/request/show/71353 OBS-URL: https://build.opensuse.org/package/show/Base:System/procps?expand=0&rev=46 --- boot.sysctl | 43 ++---- procps-3.2.8-add-system-switch.diff | 68 ++++++++ procps-3.2.8-implement-pattern-option.diff | 146 ++++++++++++++++++ ...o-from-boot-sysctl.conf-kernelversion.diff | 46 ++++++ procps.changes | 7 + procps.spec | 19 ++- sysctl.conf | 46 +++++- 7 files changed, 335 insertions(+), 40 deletions(-) create mode 100644 procps-3.2.8-add-system-switch.diff create mode 100644 procps-3.2.8-implement-pattern-option.diff create mode 100644 procps-3.2.8-read-sysctls-also-from-boot-sysctl.conf-kernelversion.diff diff --git a/boot.sysctl b/boot.sysctl index 131af39..1c4bcfd 100644 --- a/boot.sysctl +++ b/boot.sysctl 
@@ -1,51 +1,36 @@ #! /bin/sh # -# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved. +# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. +# Copyright (c) 2011 SUSE Linux Products GmbH Nuernberg, Germany. # # /etc/init.d/boot.sysctl # ### BEGIN INIT INFO # Provides: boot.sysctl -# Required-Start: boot.proc $local_fs -# Should-Start: setserial boot.isapnp -# Required-Stop: boot.proc $local_fs +# Required-Start: $null +# Should-Start: $null +# Required-Stop: $null # Should-Stop: $null # Default-Start: B # Default-Stop: -# Description: run sysctl with a given config file or create it +# Short-Description: Apply sysctl settings +# Description: Apply sysctl settings ### END INIT INFO -test -x /sbin/sysctl || exit 0 - . /etc/rc.status -. /etc/sysconfig/sysctl rc_reset case "$1" in start) - - # Load per-kernel defaults from /boot. This file is provided - # by the kernel package and will be replaced on update. - if test -e "/boot/sysctl.conf-$(uname -r)"; then - echo -n "Loading sysctl defaults from /boot/sysctl.conf-$(uname -r)" - sysctl -e -q -p /boot/sysctl.conf-$(uname -r) - rc_status -v -r - fi - # - # run sysctl if the config file exists - # otherwise generate it - # the values set here might be overridden by the settings - # in /etc/sysconfig/sysctl - # - if test ! -e /etc/sysctl.conf ; then - echo -n "Sysctl: no file /etc/sysctl.conf" - rc_failed 5 - else - echo -n "Setting current sysctl status from /etc/sysctl.conf" - sysctl -e -q -p /etc/sysctl.conf - fi + echo -n "Applying sysctl settings" + /sbin/sysctl -e -q --system rc_status -v -r + if [ -s /etc/sysconfig/sysctl -a -x /lib/aaa_base/convert_sysctl ]; then + echo -n " Warning: applying settings from obsolete /etc/sysconfig/sysctl" + /lib/aaa_base/convert_sysctl --stdout | sysctl -e -q -f - + rc_status -v -r + fi ;; stop) # skip / do nothing diff --git a/procps-3.2.8-add-system-switch.diff b/procps-3.2.8-add-system-switch.diff new file mode 100644 index 0000000..d702217 --- /dev/null 
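Review bot: The fallback pipeline in the start) branch invokes a bare `sysctl` while the primary call two lines earlier uses `/sbin/sysctl`, so the conversion path depends on PATH at boot time; write it as `/lib/aaa_base/convert_sysctl --stdout | /sbin/sysctl -e -q -f -` to match. Dropping `test -x /sbin/sysctl || exit 0` means a missing binary now yields a failed rc_status instead of a silent exit, which is presumably intended since the script ships with procps, but the commit message should say so. The `[ -s ... -a -x ... ]` test relies on the obsolescent binary -a; `[ -s /etc/sysconfig/sysctl ] && [ -x /lib/aaa_base/convert_sysctl ]` is the portable form.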
+++ b/procps-3.2.8-add-system-switch.diff @@ -0,0 +1,68 @@ +From 45915cfc03fb82b68425445063a0bcebab1ff230 Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Wed, 18 May 2011 08:16:39 +0200 +Subject: [PATCH procps 1/3] add --system switch + +instead of requiring distributions to construct a loop around sysctl +in boot scripts just scan a set of default directories if the --system +switch is used. +--- + sysctl.c | 35 +++++++++++++++++++++++++++++++++++ + 1 files changed, 35 insertions(+), 0 deletions(-) + +diff --git a/sysctl.c b/sysctl.c +index 9be79ce..3445efe 100644 +--- a/sysctl.c ++++ b/sysctl.c +@@ -453,6 +453,37 @@ static int Preload(const char *restrict const filename) { + return rc; + } + ++static int PreloadSystem(void) { ++ unsigned i; ++ const char* dirs[] = { ++ "/lib/sysctl.d", ++ "/usr/lib/sysctl.d", ++ "/usr/local/lib/sysctl.d", ++ "/etc/sysctl.d", ++ }; ++ for (i=0; i < sizeof(dirs)/sizeof(dirs[0]); ++i) { ++ struct dirent* de; ++ DIR* dp = opendir(dirs[i]); ++ if (!dp) ++ continue; ++ while (( de = readdir(dp) )) { ++ char buf[PATH_MAX]; ++ if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) { ++ continue; ++ } ++ if (strlen(de->d_name) < 6 || !strcmp(de->d_name+strlen(de->d_name)-6, ".conf")) ++ continue; ++ snprintf(buf, sizeof(buf), "%s/%s", dirs[i], de->d_name); ++ if (!Quiet) ++ printf("* Applying %s ...\n", buf); ++ Preload(buf); ++ } ++ closedir(dp); ++ } ++ if (!Quiet) ++ printf("* Applying %s ...\n", DEFAULT_PRELOAD); ++ return Preload(DEFAULT_PRELOAD); ++} + + + /* +@@ -488,6 +519,10 @@ int main(int argc, char *argv[]) { + fprintf(stdout, "sysctl (%s)\n",procps_version); + exit(0); + } ++ if (!strcmp("--system",*argv)) { ++ IgnoreError = true; ++ return PreloadSystem(); ++ } + fprintf(stderr, ERR_UNKNOWN_PARAMETER, *argv); + return Usage(me); + } +-- +1.7.3.4 + diff --git a/procps-3.2.8-implement-pattern-option.diff b/procps-3.2.8-implement-pattern-option.diff new file mode 100644 index 0000000..a0ca7e7 --- /dev/null 
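Review bot: The `.conf` filter in PreloadSystem never matches: `".conf"` is five characters but the comparison starts six bytes before the end of the name, and the `!strcmp` would skip matching names rather than non-matching ones, so every directory entry of six or more characters is applied — including `.rpmsave`/`.rpmnew` leftovers and editor backups that the sysctl.8 text in the sibling pattern patch says are excluded (`*.conf`). Replace the check with `size_t len = strlen(de->d_name);` followed by `if (len < 5 || strcmp(de->d_name + len - 5, ".conf") != 0) continue;`. Entries are also applied in readdir() order, which is not sorted, so when two files in one directory set the same key the winner is undefined; collecting the names and sorting them before calling Preload would make overrides predictable. The snprintf result is not checked, so a name long enough to truncate would load a different path than intended — compare the return value against sizeof(buf) and skip the entry on truncation.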
+++ b/procps-3.2.8-implement-pattern-option.diff 
@@ -0,0 +1,146 @@ +From b73ff507f616c74ac94e7b1bef2ce51fa9bb2806 Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Wed, 18 May 2011 08:20:09 +0200 +Subject: [PATCH procps 2/3] implement --pattern option + +Useful for e.g network hook scripts together with --system to only apply +sysctls for a specific network interface. +--- + sysctl.8 | 14 ++++++++++++++ + sysctl.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 66 insertions(+), 0 deletions(-) + +diff --git a/sysctl.8 b/sysctl.8 +index e26c4fb..9f6de65 100644 +--- a/sysctl.8 ++++ b/sysctl.8 +@@ -64,6 +64,16 @@ Display all values currently available. + .TP + .B "-A" + Display all values currently available in table form. ++.TP ++.B "--system" ++Load settings from system configuration files (/lib/sysctl.d/*.conf, ++/usr/lib/sysctl.d/*.conf, /usr/local/lib/sysctl.d/*.conf, ++/etc/sysctl.d/*.conf, /etc/sysctl.conf) ++.TP ++.B "--pattern" PATTERN ++Ignore settings that don't patch PATTERN. A star '*' is recognized ++as wildcard. It matches strings until the next dot. '**' at the end ++of the pattern matches until the end of the string. + .SH EXAMPLES + .TP + /sbin/sysctl -a +@@ -73,6 +83,10 @@ Display all values currently available in table form. 
+ /sbin/sysctl -w kernel.domainname="example.com" + .TP + /sbin/sysctl -p /etc/sysctl.conf ++.TP ++/sbin/sysctl --pattern 'net.ipv4.conf.*.forwarding' -a ++.TP ++/sbin/sysctl --pattern 'net.ipv6.**' --system + .SH FILES + .I /proc/sys + .I /etc/sysctl.conf +diff --git a/sysctl.c b/sysctl.c +index 3445efe..b68170b 100644 +--- a/sysctl.c ++++ b/sysctl.c +@@ -50,6 +50,7 @@ static bool PrintName; + static bool PrintNewline; + static bool IgnoreError; + static bool Quiet; ++static char* pattern; + + /* error messages */ + static const char ERR_UNKNOWN_PARAMETER[] = "error: Unknown parameter \"%s\"\n"; +@@ -63,6 +64,7 @@ static const char ERR_OPENING_DIR[] = "error: unable to open directory \"%s\"\n" + static const char ERR_PRELOAD_FILE[] = "error: unable to open preload file \"%s\"\n"; + static const char WARN_BAD_LINE[] = "warning: %s(%d): invalid syntax, continuing...\n"; + ++static int pattern_match(const char* name); + + static void slashdot(char *restrict p, char old, char new){ + p = strpbrk(p,"/."); +@@ -145,6 +147,10 @@ static int ReadSetting(const char *restrict const name) { + outname = strdup(name); + slashdot(outname,'/','.'); /* change / to . */ + ++ if (pattern && !pattern_match(outname)){ ++ goto out; ++ } ++ + if (stat(tmpname, &ts) < 0) { + if (!IgnoreError) { + perror(tmpname); +@@ -391,7 +397,39 @@ out: + return rc; + } + ++static int pattern_match(const char* name) { ++ const char* p = pattern; ++ if (!p || !name) ++ return 0; ++ ++ while (*p && *name) { ++ if (*p == '*') { ++ ++p; ++ // collapse stars. 
if at end match rest of string ++ while (*p == '*') { ++ ++p; ++ if (!*p) ++ return 1; ++ } ++ while (*name) { ++ if (*name == '.') { ++ break; ++ } ++ ++name; ++ } ++ continue; ++ } ++ if (*p != *name) ++ return 0; + ++ ++p; ++ ++name; ++ continue; ++ } ++ if (!*p && !*name) ++ return 1; ++ return 0; ++} + + /* + * Preload the sysctl's from the conf file +@@ -435,6 +473,10 @@ static int Preload(const char *restrict const filename) { + + StripLeadingAndTrailingSpaces(name); + ++ if (pattern && !pattern_match(name)){ ++ continue; ++ } ++ + value = strtok(NULL, "\n\r"); + if (!value || !*value) { + fprintf(stderr, WARN_BAD_LINE, filename, n); +@@ -523,6 +565,16 @@ int main(int argc, char *argv[]) { + IgnoreError = true; + return PreloadSystem(); + } ++ if (!strcmp("--pattern",*argv)) { ++ ++argv; ++ if (*argv && **argv) { ++ pattern = strdup(*argv); ++ continue; ++ } else { ++ fprintf(stderr, "error: --pattern requires an argument\n"); ++ return 1; ++ } ++ } + fprintf(stderr, ERR_UNKNOWN_PARAMETER, *argv); + return Usage(me); + } +-- +1.7.3.4 + diff --git a/procps-3.2.8-read-sysctls-also-from-boot-sysctl.conf-kernelversion.diff b/procps-3.2.8-read-sysctls-also-from-boot-sysctl.conf-kernelversion.diff new file mode 100644 index 0000000..37772fe --- /dev/null +++ b/procps-3.2.8-read-sysctls-also-from-boot-sysctl.conf-kernelversion.diff 
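Review bot: `--pattern` only takes effect when it precedes `--system`: the `--system` branch shown as context in the main hunk leaves the argument loop with `return PreloadSystem();` immediately, so `sysctl --system --pattern 'net.ipv6.**'` silently applies every file (the sysctl.8 example happens to use the working order). Either remember that --system was requested and call PreloadSystem once all arguments are parsed, or state in the man page that --pattern must be given first. In the sysctl.8 hunk, `Ignore settings that don't patch PATTERN` should read `don't match PATTERN`. A second `--pattern` on the command line leaks the previous strdup() result; freeing `pattern` before the new strdup() keeps that path clean. main() starts and ends outside these hunks.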
@@ -0,0 +1,46 @@ +From 40c2bfe16c9a9e9562c686afa9d6b7f754a5c8d9 Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Tue, 17 May 2011 16:35:18 +0200 +Subject: [PATCH procps 3/3] read sysctls also from /boot/sysctl.conf-$kernelversion + +--- + sysctl.c | 10 ++++++++++ + 1 files changed, 10 insertions(+), 0 deletions(-) + +diff --git a/sysctl.c b/sysctl.c +index b68170b..6967ca8 100644 +--- a/sysctl.c ++++ b/sysctl.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -497,12 +498,21 @@ static int Preload(const char *restrict const filename) { + + static int PreloadSystem(void) { + unsigned i; ++ struct utsname uts; + const char* dirs[] = { + "/lib/sysctl.d", + "/usr/lib/sysctl.d", + "/usr/local/lib/sysctl.d", + "/etc/sysctl.d", + }; ++ if (uname(&uts) == 0) { ++ char buf[PATH_MAX]; ++ snprintf(buf, sizeof(buf), "/boot/sysctl.conf-%s", uts.release); ++ if (access(buf, R_OK) == 0) { ++ printf("* Applying %s ...\n", buf); ++ Preload(buf); ++ } ++ } + for (i=0; i < sizeof(dirs)/sizeof(dirs[0]); ++i) { + struct dirent* de; + DIR* dp = opendir(dirs[i]); +-- +1.7.3.4 + diff --git a/procps.changes b/procps.changes index a0d14f6..d05e274 100644 --- a/procps.changes +++ b/procps.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue May 17 14:42:31 UTC 2011 - lnussel@suse.de + +- load sysctls earlier (bnc#664550) +- move distro defaults to /lib/sysctl.d to avoid .rpmnew files +- enable IPv6 privacy by default (bnc#678066) + ------------------------------------------------------------------- Thu May 5 17:49:30 CEST 2011 - jeffm@suse.de diff --git a/procps.spec b/procps.spec index ef016e7..727d779 100644 --- a/procps.spec +++ b/procps.spec 
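Review bot: The `printf("* Applying %s ...\n", buf);` added for the /boot file is not guarded by `if (!Quiet)`, unlike the two other messages in PreloadSystem, so the kernel-specific path is printed even under `-q` — which is exactly how the boot.sysctl in this request invokes it (`/sbin/sysctl -e -q --system`). Guard it the same way: `if (!Quiet) printf("* Applying %s ...\n", buf);`. The `access(buf, R_OK)` check only decides whether the load is attempted, which is fine since Preload reports its own open failure, but because the file is applied before the sysctl.d directories any value in `/boot/sysctl.conf-<release>` can be overridden by a .conf in those directories — a short comment above the uname() block should state that ordering. The added `#include` line carries no header name on this rendering; presumably it is `<sys/utsname.h>` for uname(2) — confirm the file in the package has it.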
@@ -73,6 +73,9 @@ Patch35: bug-634840.patch Patch36: procps-3.2.8.dif # bnc #649501, apparently the initialization is depending on linking order... Patch37: procps-3.2.8-fix-unknown-HZ.dif +Patch38: procps-3.2.8-add-system-switch.diff +Patch39: procps-3.2.8-implement-pattern-option.diff +Patch40: procps-3.2.8-read-sysctls-also-from-boot-sysctl.conf-kernelversion.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -138,6 +141,9 @@ Authors: %patch35 -p1 %patch36 %patch37 -p1 +%patch38 -p1 +%patch39 -p1 +%patch40 -p1 %build make %{?_smp_mflags} CFLAGS="-Wall -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 $RPM_OPT_FLAGS -pipe" \ @@ -150,10 +156,12 @@ make DESTDIR=$RPM_BUILD_ROOT install install -d $RPM_BUILD_ROOT/etc/init.d $RPM_BUILD_ROOT/etc/xinetd.d install -m 755 %SOURCE1 $RPM_BUILD_ROOT/etc/init.d install -m 644 %SOURCE2 $RPM_BUILD_ROOT/etc/xinetd.d/systat +install -d $RPM_BUILD_ROOT/lib/sysctl.d $RPM_BUILD_ROOT/etc/sysctl.d +install -m 644 %SOURCE3 $RPM_BUILD_ROOT/lib/sysctl.d/sysctl.conf case "$RPM_ARCH" in -s390*) install -m 644 %SOURCE4 $RPM_BUILD_ROOT/etc/sysctl.conf ;; -*) install -m 644 %SOURCE3 $RPM_BUILD_ROOT/etc/sysctl.conf ;; +s390*) install -m 644 %SOURCE4 $RPM_BUILD_ROOT/lib/sysctl.d/sysctl-s390.conf ;; esac + # clean unwanted files (coreutils) rm -f $RPM_BUILD_ROOT/bin/kill rm -f $RPM_BUILD_ROOT/usr/bin/uptime @@ -168,6 +176,8 @@ rm -rf $RPM_BUILD_ROOT %post %{fillup_and_insserv -ny boot.sysctl boot.sysctl} +# +test -e /etc/sysctl.conf || > /etc/sysctl.conf %postun %insserv_cleanup @@ -176,7 +186,7 @@ rm -rf $RPM_BUILD_ROOT %defattr (-,root,root,755) %doc NEWS README COPYING %config /etc/init.d/boot.sysctl -%config(noreplace) /etc/sysctl.conf +%config(noreplace) %ghost %attr(0644,root,root) /etc/sysctl.conf %config(noreplace) /etc/xinetd.d/systat /bin/ps /bin/pgrep 
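Review bot: In the install hunk, s390 now ships both sysctl.conf and sysctl-s390.conf into /lib/sysctl.d and both are loaded by `--system`, whereas before the s390 file replaced the generic one. For any key present in both files the winner is whichever readdir() returns last, and PreloadSystem in the add-system-switch patch does not sort entries. If the s390 file is meant as a full replacement, keep one file per arch, e.g. `s390*) install -m 644 %SOURCE4 $RPM_BUILD_ROOT/lib/sysctl.d/sysctl.conf ;;` with the generic install moved into a `*)` branch; if it only adds settings, a comment in the spec saying so plus a sort in PreloadSystem is still needed to make overlaps deterministic.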
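Review bot: In the %post hunk, `test -e /etc/sysctl.conf || > /etc/sysctl.conf` creates the %ghost file with whatever mode the current umask yields, while the %files entry declares `%attr(0644,root,root)`; rpm does not create ghost files itself, so a restrictive umask leaves a file that `rpm -V` flags as a mode mismatch. `test -e /etc/sysctl.conf || install -m 644 -o root -g root /dev/null /etc/sysctl.conf` sets the declared mode explicitly. The bare `#` line above it comments nothing; either drop it or say why the file is created (presumably so the last step of `--system`, which loads /etc/sysctl.conf, does not report a missing file).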
@@ -195,6 +205,9 @@ rm -rf $RPM_BUILD_ROOT /usr/bin/vmstat /usr/bin/w /usr/bin/watch +%dir /etc/sysctl.d +%dir /lib/sysctl.d +/lib/sysctl.d/*.conf %_mandir/man1/free.1.gz %_mandir/man1/pgrep.1.gz %_mandir/man1/pkill.1.gz diff --git a/sysctl.conf b/sysctl.conf index fa5964f..a002736 100644 --- a/sysctl.conf +++ b/sysctl.conf 
@@ -1,14 +1,44 @@ -# Disable response to broadcasts. -# You don't want yourself becoming a Smurf amplifier. +# +# Distribution defaults. +# Use /etc/sysctl.conf to override. +# +# Disable response to broadcast pings to avoid smurf attacks. net.ipv4.icmp_echo_ignore_broadcasts = 1 + # enable route verification on all interfaces net.ipv4.conf.all.rp_filter = 1 -# disable IPv6 completely -#net.ipv6.conf.all.disable_ipv6 = 1 -# enable IPv6 forwarding -#net.ipv6.conf.all.forwarding = 1 -# increase the number of possible inotify(7) watches -fs.inotify.max_user_watches = 65536 + # avoid deleting secondary IPs on deleting the primary IP net.ipv4.conf.default.promote_secondaries = 1 net.ipv4.conf.all.promote_secondaries = 1 + +# disable IPv6 completely +#net.ipv6.conf.all.disable_ipv6 = 1 + +# enable IPv6 forwarding +#net.ipv6.conf.all.forwarding = 1 + +# enable IPv6 privacy (bnc#678066) +net.ipv6.conf.default.use_tempaddr = 2 + +# increase the number of possible inotify(7) watches +fs.inotify.max_user_watches = 65536 + +# Magic SysRq Keys enable some control over the system even if it +# crashes (e.g. during kernel debugging). +# +# 0 - disable sysrq completely +# 1 - enable all functions of sysrq +# >1 - bitmask of allowed sysrq functions: +# 2 - enable control of console logging level +# 4 - enable control of keyboard (SAK, unraw) +# 8 - enable debugging dumps of processes etc. +# 16 - enable sync command +# 32 - enable remount read-only +# 64 - enable signalling of processes (term, kill, oom-kill) +# 128 - allow reboot/poweroff +# 256 - allow nicing of all RT tasks +# +# For further information see /usr/src/linux/Documentation/sysrq.txt +# default 176 = 128+32+16 +kernel.sysrq = 176
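Review bot: `net.ipv6.conf.default.use_tempaddr = 2` only seeds the per-interface value for interfaces created after the setting is applied; unlike promote_secondaries a few lines above, which sets both `.default` and `.all`, nothing covers interfaces that already exist when `--system` runs. Whether that matters depends on how early boot.sysctl now runs (this request drops its start dependencies to $null), so a comment such as `# default only: affects interfaces created after this file is loaded` would document the choice for the next reader.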