sys-apps/systemd: Drop sysctl rp_filter patches

The patches were not taking effect because they did not set
net.ipv4.conf.default.rp_filter for new interfaces. Also, they got
overwritten by the baselayout configuration which takes precedence
and is the place for Flatcar-specific sysctl settings.
The desired configuration was enforced there:
https://github.com/kinvolk/baselayout/pull/13
Kai Lüke 2020-12-14 20:48:15 +01:00
parent 5d698a1083
commit 86afa84167
4 changed files with 0 additions and 150 deletions


@ -1,57 +0,0 @@
From 25b772a9ec9b4f36e9cd97948c6bafb7765d5113 Mon Sep 17 00:00:00 2001
From: Thilo Fromm <thilo@kinvolk.io>
Date: Thu, 10 Sep 2020 11:16:01 +0200
Subject: [PATCH 1/3] sysctl.d/50-default.conf: remove *, .all source route
settings
The rules were added in systemd-245 and break cluster
networking, e.g. cilium. Please see
https://github.com/flatcar-linux/Flatcar/issues/181
for details.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
---
sysctl.d/50-default.conf | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
index 14378b24af..82cc49587b 100644
--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@@ -23,18 +23,27 @@ kernel.core_uses_pid = 1
# Source route verification
net.ipv4.conf.default.rp_filter = 2
-net.ipv4.conf.*.rp_filter = 2
--net.ipv4.conf.all.rp_filter
+# the below deviates from upstream systemd-245 (and later) since the default
+# rule causes a regression with cluster networking (e.g. cilium; see
+# https://github.com/flatcar-linux/Flatcar/issues/181)
+#net.ipv4.conf.*.rp_filter = 2
+#-net.ipv4.conf.all.rp_filter
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
-net.ipv4.conf.*.accept_source_route = 0
--net.ipv4.conf.all.accept_source_route
+# the below deviates from upstream systemd-245 (and later) since the default
+# rule causes a regression with cluster networking (e.g. cilium; see
+# https://github.com/flatcar-linux/Flatcar/issues/181)
+#net.ipv4.conf.*.accept_source_route = 0
+#-net.ipv4.conf.all.accept_source_route
# Promote secondary addresses when the primary address is removed
net.ipv4.conf.default.promote_secondaries = 1
-net.ipv4.conf.*.promote_secondaries = 1
--net.ipv4.conf.all.promote_secondaries
+# the below deviates from upstream systemd-245 (and later) since the default
+# rule causes a regression with cluster networking (e.g. cilium; see
+# https://github.com/flatcar-linux/Flatcar/issues/181)
+#net.ipv4.conf.*.promote_secondaries = 1
+#-net.ipv4.conf.all.promote_secondaries
# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
# The upper limit is set to 2^31-1. Values greater than that get rejected by
--
2.26.2
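Review bot: with the rp_filter lines of this deleted patch gone, nothing in the systemd package keeps `net.ipv4.conf.*.rp_filter = 2` and `-net.ipv4.conf.all.rp_filter` commented out any more, so the cluster-networking regression referenced here (Flatcar issue 181) is held back only by the baselayout override named in the commit message. Please confirm that the baselayout sysctl file is ordered after 50-default.conf and sets both the `default` key and the wildcard, and carry the issue 181 reference over to that file, since the explanatory comment disappears with this patch.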


@ -1,58 +0,0 @@
From 1e608a8f47e0472e910c08d06014d1ef9ddd0cfc Mon Sep 17 00:00:00 2001
From: Thilo Fromm <thilo@kinvolk.io>
Date: Thu, 10 Sep 2020 11:47:53 +0200
Subject: [PATCH 2/3] sysctl.d/50-default: better comments, re-activate
promote_secondaries
This change updates comments as well as re-activates the
promote_secondaries wildcard since networkd's DHCP relies on this
(see https://github.com/systemd/systemd/issues/7163)
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
---
sysctl.d/50-default.conf | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
index 82cc49587b..8457fb38aa 100644
--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@@ -23,27 +23,24 @@ kernel.core_uses_pid = 1
# Source route verification
net.ipv4.conf.default.rp_filter = 2
-# the below deviates from upstream systemd-245 (and later) since the default
-# rule causes a regression with cluster networking (e.g. cilium; see
-# https://github.com/flatcar-linux/Flatcar/issues/181)
+# We deviate from upstream systemd-245 (and later) since the new default
+# rp_filter wildcard rule causes a regression with cluster networking
+# (e.g. cilium; see https://github.com/flatcar-linux/Flatcar/issues/181)
#net.ipv4.conf.*.rp_filter = 2
#-net.ipv4.conf.all.rp_filter
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
-# the below deviates from upstream systemd-245 (and later) since the default
-# rule causes a regression with cluster networking (e.g. cilium; see
-# https://github.com/flatcar-linux/Flatcar/issues/181)
+# We deviate from upstream systemd-245 (and later) since the new default
+# source route wildcard rule causes a regression with cluster networking
+# (e.g. cilium; see https://github.com/flatcar-linux/Flatcar/issues/181)
#net.ipv4.conf.*.accept_source_route = 0
#-net.ipv4.conf.all.accept_source_route
# Promote secondary addresses when the primary address is removed
net.ipv4.conf.default.promote_secondaries = 1
-# the below deviates from upstream systemd-245 (and later) since the default
-# rule causes a regression with cluster networking (e.g. cilium; see
-# https://github.com/flatcar-linux/Flatcar/issues/181)
-#net.ipv4.conf.*.promote_secondaries = 1
-#-net.ipv4.conf.all.promote_secondaries
+net.ipv4.conf.*.promote_secondaries = 1
+-net.ipv4.conf.all.promote_secondaries
# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
# The upper limit is set to 2^31-1. Values greater than that get rejected by
--
2.26.2
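Review bot: the promote_secondaries lines at the end of this deleted patch carried the only note that networkd's DHCP relies on the wildcard (systemd issue 7163), and that reasoning is no longer recorded in this package. It is worth checking that the baselayout configuration leaves `net.ipv4.conf.*.promote_secondaries = 1` untouched, and adding a one-line comment there so a later sysctl cleanup does not disable it along with the rp_filter wildcard.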


@ -1,32 +0,0 @@
From 5b1ed0e98a8a8225dc3f662483287a380643ab96 Mon Sep 17 00:00:00 2001
From: Thilo Fromm <thilo@kinvolk.io>
Date: Thu, 10 Sep 2020 13:39:14 +0200
Subject: [PATCH 3/3] sysctl.d/50-default.conf: re-activate default
accept_source_route
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
---
sysctl.d/50-default.conf | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
index 8457fb38aa..b7dd7c7ef3 100644
--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@@ -31,11 +31,8 @@ net.ipv4.conf.default.rp_filter = 2
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
-# We deviate from upstream systemd-245 (and later) since the new default
-# source route wildcard rule causes a regression with cluster networking
-# (e.g. cilium; see https://github.com/flatcar-linux/Flatcar/issues/181)
-#net.ipv4.conf.*.accept_source_route = 0
-#-net.ipv4.conf.all.accept_source_route
+net.ipv4.conf.*.accept_source_route = 0
+-net.ipv4.conf.all.accept_source_route
# Promote secondary addresses when the primary address is removed
net.ipv4.conf.default.promote_secondaries = 1
--
2.26.2


@ -183,9 +183,6 @@ src_prepare() {
# Add local patches here
PATCHES+=(
# Flatcar: Adding our own patches here.
"${FILESDIR}/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch"
"${FILESDIR}/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch"
"${FILESDIR}/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch"
"${FILESDIR}/0004-wait-online-set-any-by-default.patch"
"${FILESDIR}/0005-networkd-default-to-kernel-IPForwarding-setting.patch"
"${FILESDIR}/0006-needs-update-don-t-require-strictly-newer-usr.patch"
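Review bot: in the PATCHES list, dropping the 0001 to 0003 entries leaves the Flatcar patch set starting at 0004, which reads as if patches were lost. Either renumber the remaining files or add a short comment next to "# Flatcar: Adding our own patches here." saying the sysctl patches moved to baselayout. Since the installed 50-default.conf changes with this edit and only the ebuild and the three patch files are touched, also check whether a revision bump is needed so existing binary packages get rebuilt.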