Accepting request 71353 from home:lnussel:branches:Base:System

- load sysctls earlier (bnc#664550)
- move distro defaults to /lib/sysctl.d to avoid .rpmnew files
- enable IPv6 privacy by default (bnc#678066)

I've sent the --system and --pattern path upstream but they weren't accepted
yet. So this is tentative but we need the /lib/sysctl.d feature to be able to
provide distro defaults in a sane way.

OBS-URL: https://build.opensuse.org/request/show/71353
OBS-URL: https://build.opensuse.org/package/show/Base:System/procps?expand=0&rev=46

boot.sysctl

@@ -1,51 +1,36 @@
 #! /bin/sh
 #
-# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany.  All rights reserved.
+# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany.
+# Copyright (c) 2011 SUSE Linux Products GmbH Nuernberg, Germany.
 #
 # /etc/init.d/boot.sysctl
 #
 ### BEGIN INIT INFO
 # Provides:          boot.sysctl
-# Required-Start:    boot.proc $local_fs
+# Required-Start:    $null
-# Should-Start:      setserial boot.isapnp
+# Should-Start:      $null
-# Required-Stop:     boot.proc $local_fs
+# Required-Stop:     $null
 # Should-Stop:       $null
 # Default-Start:     B
 # Default-Stop:
-# Description:       run sysctl with a given config file or create it
+# Short-Description: Apply sysctl settings
+# Description:       Apply sysctl settings
 ### END INIT INFO
 
-test -x /sbin/sysctl || exit 0
-
 . /etc/rc.status
-. /etc/sysconfig/sysctl
 
 rc_reset
 
 case "$1" in
   start)
-
+	echo -n "Applying sysctl settings"
-	# Load per-kernel defaults from /boot. This file is provided
+	/sbin/sysctl -e -q --system
-	# by the kernel package and will be replaced on update.
+	rc_status -v -r
-	if test -e "/boot/sysctl.conf-$(uname -r)"; then
+	if [ -s /etc/sysconfig/sysctl -a -x /lib/aaa_base/convert_sysctl ]; then
-	    echo -n "Loading sysctl defaults from /boot/sysctl.conf-$(uname -r)"
+		echo -n " Warning: applying settings from obsolete /etc/sysconfig/sysctl"
-	    sysctl -e -q -p /boot/sysctl.conf-$(uname -r)
+		/lib/aaa_base/convert_sysctl --stdout | sysctl -e -q -f -
 		rc_status -v -r
 	fi
-	#
-	# run sysctl if the config file exists
-	# otherwise generate it
-	# the values set here might be overridden by the settings
-	# in /etc/sysconfig/sysctl
-	#
-	if test ! -e /etc/sysctl.conf ; then
-	    echo -n "Sysctl: no file /etc/sysctl.conf"
-	    rc_failed 5
-	else
-	    echo -n "Setting current sysctl status from /etc/sysctl.conf"
-	    sysctl -e -q -p /etc/sysctl.conf
-	fi
-	rc_status -v -r
 	;;
     stop)
 	# skip / do nothing

procps-3.2.8-add-system-switch.diff

@@ -0,0 +1,68 @@
+From 45915cfc03fb82b68425445063a0bcebab1ff230 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Wed, 18 May 2011 08:16:39 +0200
+Subject: [PATCH procps 1/3] add --system switch
+
+instead of requiring distributions to construct a loop around sysctl
+in boot scripts just scan a set of default directories if the --system
+switch is used.
+---
+ sysctl.c |   35 +++++++++++++++++++++++++++++++++++
+ 1 files changed, 35 insertions(+), 0 deletions(-)
+
+diff --git a/sysctl.c b/sysctl.c
+index 9be79ce..3445efe 100644
+--- a/sysctl.c
++++ b/sysctl.c
+@@ -453,6 +453,37 @@ static int Preload(const char *restrict const filename) {
+    return rc;
+ }
+ 
++static int PreloadSystem(void) {
++   unsigned i;
++   const char* dirs[] = {
++      "/lib/sysctl.d",
++      "/usr/lib/sysctl.d",
++      "/usr/local/lib/sysctl.d",
++      "/etc/sysctl.d",
++   };
++   for (i=0; i < sizeof(dirs)/sizeof(dirs[0]); ++i) {
++      struct dirent* de;
++      DIR* dp = opendir(dirs[i]);
++      if (!dp)
++         continue;
++      while (( de = readdir(dp) )) {
++         char buf[PATH_MAX];
++         if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) {
++            continue;
++         }
++         if (strlen(de->d_name) < 6 || !strcmp(de->d_name+strlen(de->d_name)-6, ".conf"))
++            continue;
++         snprintf(buf, sizeof(buf), "%s/%s", dirs[i], de->d_name);
++         if (!Quiet)
++             printf("* Applying %s ...\n", buf);
++         Preload(buf);
++      }
++      closedir(dp);
++    }
++    if (!Quiet)
++        printf("* Applying %s ...\n", DEFAULT_PRELOAD);
++    return Preload(DEFAULT_PRELOAD);
++}
+ 
+ 
+ /*
+@@ -488,6 +519,10 @@ int main(int argc, char *argv[]) {
+                  fprintf(stdout, "sysctl (%s)\n",procps_version);
+                  exit(0);
+               }
++              if (!strcmp("--system",*argv)) {
++                 IgnoreError = true;
++                 return PreloadSystem();
++              }
+               fprintf(stderr, ERR_UNKNOWN_PARAMETER, *argv);
+               return Usage(me);
+          }
+-- 
+1.7.3.4
+

procps-3.2.8-implement-pattern-option.diff

@@ -0,0 +1,146 @@
+From b73ff507f616c74ac94e7b1bef2ce51fa9bb2806 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Wed, 18 May 2011 08:20:09 +0200
+Subject: [PATCH procps 2/3] implement --pattern option
+
+Useful for e.g network hook scripts together with --system to only apply
+sysctls for a specific network interface.
+---
+ sysctl.8 |   14 ++++++++++++++
+ sysctl.c |   52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 66 insertions(+), 0 deletions(-)
+
+diff --git a/sysctl.8 b/sysctl.8
+index e26c4fb..9f6de65 100644
+--- a/sysctl.8
++++ b/sysctl.8
+@@ -64,6 +64,16 @@ Display all values currently available.
+ .TP
+ .B "-A"
+ Display all values currently available in table form.
++.TP
++.B "--system"
++Load settings from system configuration files (/lib/sysctl.d/*.conf,
++/usr/lib/sysctl.d/*.conf, /usr/local/lib/sysctl.d/*.conf,
++/etc/sysctl.d/*.conf, /etc/sysctl.conf)
++.TP
++.B "--pattern" PATTERN
++Ignore settings that don't patch PATTERN. A star '*' is recognized
++as wildcard. It matches strings until the next dot. '**' at the end
++of the pattern matches until the end of the string.
+ .SH EXAMPLES
+ .TP
+ /sbin/sysctl -a
+@@ -73,6 +83,10 @@ Display all values currently available in table form.
+ /sbin/sysctl -w kernel.domainname="example.com"
+ .TP
+ /sbin/sysctl -p /etc/sysctl.conf 
++.TP
++/sbin/sysctl --pattern 'net.ipv4.conf.*.forwarding' -a
++.TP
++/sbin/sysctl --pattern 'net.ipv6.**' --system
+ .SH FILES
+ .I /proc/sys
+ .I /etc/sysctl.conf
+diff --git a/sysctl.c b/sysctl.c
+index 3445efe..b68170b 100644
+--- a/sysctl.c
++++ b/sysctl.c
+@@ -50,6 +50,7 @@ static bool PrintName;
+ static bool PrintNewline;
+ static bool IgnoreError;
+ static bool Quiet;
++static char* pattern;
+ 
+ /* error messages */
+ static const char ERR_UNKNOWN_PARAMETER[] = "error: Unknown parameter \"%s\"\n";
+@@ -63,6 +64,7 @@ static const char ERR_OPENING_DIR[] = "error: unable to open directory \"%s\"\n"
+ static const char ERR_PRELOAD_FILE[] = "error: unable to open preload file \"%s\"\n";
+ static const char WARN_BAD_LINE[] = "warning: %s(%d): invalid syntax, continuing...\n";
+ 
++static int pattern_match(const char* name);
+ 
+ static void slashdot(char *restrict p, char old, char new){
+   p = strpbrk(p,"/.");
+@@ -145,6 +147,10 @@ static int ReadSetting(const char *restrict const name) {
+    outname = strdup(name);
+    slashdot(outname,'/','.'); /* change / to . */
+ 
++   if (pattern && !pattern_match(outname)){
++       goto out;
++   }
++
+    if (stat(tmpname, &ts) < 0) {
+       if (!IgnoreError) {
+          perror(tmpname);
+@@ -391,7 +397,39 @@ out:
+    return rc;
+ }
+ 
++static int pattern_match(const char* name) {
++    const char* p = pattern;
++    if (!p || !name)
++        return 0;
++
++    while (*p && *name) {
++        if (*p == '*') {
++	    ++p;
++	    // collapse stars. if at end match rest of string
++	    while (*p == '*') {
++		++p;
++		if (!*p)
++		    return 1;
++	    }
++            while (*name) {
++                if (*name == '.') {
++                    break;
++                }
++                ++name;
++            }
++            continue;
++        }
++        if (*p != *name)
++            return 0;
+ 
++        ++p;
++        ++name;
++        continue;
++    }
++    if (!*p && !*name)
++	return 1;
++    return 0;
++}
+ 
+ /*
+  *     Preload the sysctl's from the conf file
+@@ -435,6 +473,10 @@ static int Preload(const char *restrict const filename) {
+ 
+       StripLeadingAndTrailingSpaces(name);
+ 
++      if (pattern && !pattern_match(name)){
++          continue;
++      }
++
+       value = strtok(NULL, "\n\r");
+       if (!value || !*value) {
+          fprintf(stderr, WARN_BAD_LINE, filename, n);
+@@ -523,6 +565,16 @@ int main(int argc, char *argv[]) {
+                  IgnoreError = true;
+                  return PreloadSystem();
+               }
++              if (!strcmp("--pattern",*argv)) {
++                  ++argv;
++                  if (*argv && **argv) {
++                      pattern = strdup(*argv);
++                      continue;
++                  } else {
++                      fprintf(stderr, "error: --pattern requires an argument\n");
++                      return 1;
++                  }
++              }
+               fprintf(stderr, ERR_UNKNOWN_PARAMETER, *argv);
+               return Usage(me);
+          }
+-- 
+1.7.3.4
+

procps-3.2.8-read-sysctls-also-from-boot-sysctl.conf-kernelversion.diff

@@ -0,0 +1,46 @@
+From 40c2bfe16c9a9e9562c686afa9d6b7f754a5c8d9 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Tue, 17 May 2011 16:35:18 +0200
+Subject: [PATCH procps 3/3] read sysctls also from /boot/sysctl.conf-$kernelversion
+
+---
+ sysctl.c |   10 ++++++++++
+ 1 files changed, 10 insertions(+), 0 deletions(-)
+
+diff --git a/sysctl.c b/sysctl.c
+index b68170b..6967ca8 100644
+--- a/sysctl.c
++++ b/sysctl.c
+@@ -27,6 +27,7 @@
+ #include <unistd.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
++#include <sys/utsname.h>
+ #include <dirent.h>
+ #include <string.h>
+ #include <errno.h>
+@@ -497,12 +498,21 @@ static int Preload(const char *restrict const filename) {
+ 
+ static int PreloadSystem(void) {
+    unsigned i;
++   struct utsname uts;
+    const char* dirs[] = {
+       "/lib/sysctl.d",
+       "/usr/lib/sysctl.d",
+       "/usr/local/lib/sysctl.d",
+       "/etc/sysctl.d",
+    };
++   if (uname(&uts) == 0) {
++       char buf[PATH_MAX];
++       snprintf(buf, sizeof(buf), "/boot/sysctl.conf-%s", uts.release);
++       if (access(buf, R_OK) == 0) {
++           printf("* Applying %s ...\n", buf);
++           Preload(buf);
++       }
++   }
+    for (i=0; i < sizeof(dirs)/sizeof(dirs[0]); ++i) {
+       struct dirent* de;
+       DIR* dp = opendir(dirs[i]);
+-- 
+1.7.3.4
+

procps.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue May 17 14:42:31 UTC 2011 - lnussel@suse.de
+
+- load sysctls earlier (bnc#664550)
+- move distro defaults to /lib/sysctl.d to avoid .rpmnew files
+- enable IPv6 privacy by default (bnc#678066)
+
 -------------------------------------------------------------------
 Thu May  5 17:49:30 CEST 2011 - jeffm@suse.de
 

procps.spec

@@ -73,6 +73,9 @@ Patch35:        bug-634840.patch
 Patch36:        procps-3.2.8.dif
 # bnc #649501, apparently the initialization is depending on linking order...
 Patch37:        procps-3.2.8-fix-unknown-HZ.dif
+Patch38:        procps-3.2.8-add-system-switch.diff
+Patch39:        procps-3.2.8-implement-pattern-option.diff
+Patch40:        procps-3.2.8-read-sysctls-also-from-boot-sysctl.conf-kernelversion.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -138,6 +141,9 @@ Authors:
 %patch35 -p1
 %patch36
 %patch37 -p1
+%patch38 -p1
+%patch39 -p1
+%patch40 -p1
 
 %build
 make %{?_smp_mflags} CFLAGS="-Wall -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 $RPM_OPT_FLAGS -pipe" \
@@ -150,10 +156,12 @@ make DESTDIR=$RPM_BUILD_ROOT install
 install -d $RPM_BUILD_ROOT/etc/init.d $RPM_BUILD_ROOT/etc/xinetd.d
 install -m 755 %SOURCE1 $RPM_BUILD_ROOT/etc/init.d
 install -m 644 %SOURCE2 $RPM_BUILD_ROOT/etc/xinetd.d/systat
+install -d $RPM_BUILD_ROOT/lib/sysctl.d $RPM_BUILD_ROOT/etc/sysctl.d
+install -m 644 %SOURCE3 $RPM_BUILD_ROOT/lib/sysctl.d/sysctl.conf
 case "$RPM_ARCH" in
-s390*)  install -m 644 %SOURCE4 $RPM_BUILD_ROOT/etc/sysctl.conf ;;
+s390*)  install -m 644 %SOURCE4 $RPM_BUILD_ROOT/lib/sysctl.d/sysctl-s390.conf ;;
-*)      install -m 644 %SOURCE3 $RPM_BUILD_ROOT/etc/sysctl.conf ;;
 esac
+
 # clean unwanted files (coreutils)
 rm -f $RPM_BUILD_ROOT/bin/kill
 rm -f $RPM_BUILD_ROOT/usr/bin/uptime
@@ -168,6 +176,8 @@ rm -rf $RPM_BUILD_ROOT
 
 %post
 %{fillup_and_insserv -ny boot.sysctl boot.sysctl}
+#
+test -e /etc/sysctl.conf || > /etc/sysctl.conf
 
 %postun
 %insserv_cleanup
@@ -176,7 +186,7 @@ rm -rf $RPM_BUILD_ROOT
 %defattr (-,root,root,755)
 %doc NEWS README COPYING
 %config /etc/init.d/boot.sysctl
-%config(noreplace) /etc/sysctl.conf
+%config(noreplace) %ghost %attr(0644,root,root) /etc/sysctl.conf
 %config(noreplace) /etc/xinetd.d/systat
 /bin/ps
 /bin/pgrep
@@ -195,6 +205,9 @@ rm -rf $RPM_BUILD_ROOT
 /usr/bin/vmstat
 /usr/bin/w
 /usr/bin/watch
+%dir /etc/sysctl.d
+%dir /lib/sysctl.d
+/lib/sysctl.d/*.conf
 %_mandir/man1/free.1.gz
 %_mandir/man1/pgrep.1.gz
 %_mandir/man1/pkill.1.gz

sysctl.conf

@@ -1,14 +1,44 @@
-# Disable response to broadcasts.
+#
-# You don't want yourself becoming a Smurf amplifier.
+# Distribution defaults.
+# Use /etc/sysctl.conf to override.
+#
+# Disable response to broadcast pings to avoid smurf attacks.
 net.ipv4.icmp_echo_ignore_broadcasts = 1
+
 # enable route verification on all interfaces
 net.ipv4.conf.all.rp_filter = 1
-# disable IPv6 completely
+
-#net.ipv6.conf.all.disable_ipv6 = 1
-# enable IPv6 forwarding
-#net.ipv6.conf.all.forwarding = 1
-# increase the number of possible inotify(7) watches
-fs.inotify.max_user_watches = 65536
 # avoid deleting secondary IPs on deleting the primary IP
 net.ipv4.conf.default.promote_secondaries = 1
 net.ipv4.conf.all.promote_secondaries = 1
+
+# disable IPv6 completely
+#net.ipv6.conf.all.disable_ipv6 = 1
+
+# enable IPv6 forwarding
+#net.ipv6.conf.all.forwarding = 1
+
+# enable IPv6 privacy (bnc#678066)
+net.ipv6.conf.default.use_tempaddr = 2
+
+# increase the number of possible inotify(7) watches
+fs.inotify.max_user_watches = 65536
+
+# Magic SysRq Keys enable some control over the system even if it
+# crashes (e.g. during kernel debugging).
+#
+#   0 - disable sysrq completely
+#   1 - enable all functions of sysrq
+#  >1 - bitmask of allowed sysrq functions:
+#          2 - enable control of console logging level
+#          4 - enable control of keyboard (SAK, unraw)
+#          8 - enable debugging dumps of processes etc.
+#         16 - enable sync command
+#         32 - enable remount read-only
+#         64 - enable signalling of processes (term, kill, oom-kill)
+#        128 - allow reboot/poweroff
+#        256 - allow nicing of all RT tasks
+#
+# For further information see /usr/src/linux/Documentation/sysrq.txt
+# default 176 = 128+32+16
+kernel.sysrq = 176