From 86afa84167c12cbb22c7fb40033e396ef1a606e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kai=20L=C3=BCke?= Date: Mon, 14 Dec 2020 20:48:15 +0100 Subject: [PATCH] sys-apps/systemd: Drop sysctl rp_filter patches The patches were not taking effect because they did not set net.ipv4.conf.default.rp_filter for new interfaces. Also, they got overwritten by the baselayout configuration which takes precedence and is the place for Flatcar-specific sysctl settings. The desired configuration was enforced there: https://github.com/kinvolk/baselayout/pull/13 --- ...ult.conf-remove-.all-source-route-se.patch | 57 ------------------ ...ult-better-comments-re-activate-prom.patch | 58 ------------------- ...ult.conf-re-activate-default-accept_.patch | 32 ---------- .../sys-apps/systemd/systemd-9999.ebuild | 3 - 4 files changed, 150 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch deleted file mode 100644 index 82feee1111..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 25b772a9ec9b4f36e9cd97948c6bafb7765d5113 Mon Sep 17 00:00:00 2001 -From: Thilo Fromm -Date: Thu, 10 Sep 2020 11:16:01 +0200 -Subject: [PATCH 1/3] sysctl.d/50-default.conf: remove *, .all source route - settings - -The rules were added in systemd-245 and break cluster -networking, e.g. cilium. Please see -https://github.com/flatcar-linux/Flatcar/issues/181 -for details. - -Signed-off-by: Thilo Fromm ---- - sysctl.d/50-default.conf | 21 +++++++++++++++------ - 1 file changed, 15 insertions(+), 6 deletions(-) - -diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf -index 14378b24af..82cc49587b 100644 ---- a/sysctl.d/50-default.conf -+++ b/sysctl.d/50-default.conf -@@ -23,18 +23,27 @@ kernel.core_uses_pid = 1 - - # Source route verification - net.ipv4.conf.default.rp_filter = 2 --net.ipv4.conf.*.rp_filter = 2 ---net.ipv4.conf.all.rp_filter -+# the below deviates from upstream systemd-245 (and later) since the default -+# rule causes a regression with cluster networking (e.g. cilium; see -+# https://github.com/flatcar-linux/Flatcar/issues/181) -+#net.ipv4.conf.*.rp_filter = 2 -+#-net.ipv4.conf.all.rp_filter - - # Do not accept source routing - net.ipv4.conf.default.accept_source_route = 0 --net.ipv4.conf.*.accept_source_route = 0 ---net.ipv4.conf.all.accept_source_route -+# the below deviates from upstream systemd-245 (and later) since the default -+# rule causes a regression with cluster networking (e.g. cilium; see -+# https://github.com/flatcar-linux/Flatcar/issues/181) -+#net.ipv4.conf.*.accept_source_route = 0 -+#-net.ipv4.conf.all.accept_source_route - - # Promote secondary addresses when the primary address is removed - net.ipv4.conf.default.promote_secondaries = 1 --net.ipv4.conf.*.promote_secondaries = 1 ---net.ipv4.conf.all.promote_secondaries -+# the below deviates from upstream systemd-245 (and later) since the default -+# rule causes a regression with cluster networking (e.g. 
cilium; see -+# https://github.com/flatcar-linux/Flatcar/issues/181) -+#net.ipv4.conf.*.promote_secondaries = 1 -+#-net.ipv4.conf.all.promote_secondaries - - # ping(8) without CAP_NET_ADMIN and CAP_NET_RAW - # The upper limit is set to 2^31-1. Values greater than that get rejected by --- -2.26.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch deleted file mode 100644 index 6bd574055d..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 1e608a8f47e0472e910c08d06014d1ef9ddd0cfc Mon Sep 17 00:00:00 2001 -From: Thilo Fromm -Date: Thu, 10 Sep 2020 11:47:53 +0200 -Subject: [PATCH 2/3] sysctl.d/50-default: better comments, re-activate - promote_secondaries - -This change updates comments as well as re-activates the -promote_secondaries wildcard since networkd's DHCP relies on this -(see https://github.com/systemd/systemd/issues/7163) - -Signed-off-by: Thilo Fromm ---- - sysctl.d/50-default.conf | 19 ++++++++----------- - 1 file changed, 8 insertions(+), 11 deletions(-) - -diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf -index 82cc49587b..8457fb38aa 100644 ---- a/sysctl.d/50-default.conf -+++ b/sysctl.d/50-default.conf -@@ -23,27 +23,24 @@ kernel.core_uses_pid = 1 - - # Source route verification - net.ipv4.conf.default.rp_filter = 2 --# the below deviates from upstream systemd-245 (and later) since the default --# rule causes a regression with cluster networking (e.g. cilium; see --# https://github.com/flatcar-linux/Flatcar/issues/181) -+# We deviate from upstream systemd-245 (and later) since the new default -+# rp_filter wildcard rule causes a regression with cluster networking -+# (e.g. cilium; see https://github.com/flatcar-linux/Flatcar/issues/181) - #net.ipv4.conf.*.rp_filter = 2 - #-net.ipv4.conf.all.rp_filter - - # Do not accept source routing - net.ipv4.conf.default.accept_source_route = 0 --# the below deviates from upstream systemd-245 (and later) since the default --# rule causes a regression with cluster networking (e.g. cilium; see --# https://github.com/flatcar-linux/Flatcar/issues/181) -+# We deviate from upstream systemd-245 (and later) since the new default -+# source route wildcard rule causes a regression with cluster networking -+# (e.g. 
cilium; see https://github.com/flatcar-linux/Flatcar/issues/181) - #net.ipv4.conf.*.accept_source_route = 0 - #-net.ipv4.conf.all.accept_source_route - - # Promote secondary addresses when the primary address is removed - net.ipv4.conf.default.promote_secondaries = 1 --# the below deviates from upstream systemd-245 (and later) since the default --# rule causes a regression with cluster networking (e.g. cilium; see --# https://github.com/flatcar-linux/Flatcar/issues/181) --#net.ipv4.conf.*.promote_secondaries = 1 --#-net.ipv4.conf.all.promote_secondaries -+net.ipv4.conf.*.promote_secondaries = 1 -+-net.ipv4.conf.all.promote_secondaries - - # ping(8) without CAP_NET_ADMIN and CAP_NET_RAW - # The upper limit is set to 2^31-1. Values greater than that get rejected by --- -2.26.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch deleted file mode 100644 index 4a87ad1f01..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From 5b1ed0e98a8a8225dc3f662483287a380643ab96 Mon Sep 17 00:00:00 2001
-From: Thilo Fromm
-Date: Thu, 10 Sep 2020 13:39:14 +0200
-Subject: [PATCH 3/3] sysctl.d/50-default.conf: re-activate default
- accept_source_route
-
-Signed-off-by: Thilo Fromm
----
- sysctl.d/50-default.conf | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
-index 8457fb38aa..b7dd7c7ef3 100644
---- a/sysctl.d/50-default.conf
-+++ b/sysctl.d/50-default.conf
-@@ -31,11 +31,8 @@ net.ipv4.conf.default.rp_filter = 2
- 
- # Do not accept source routing
- net.ipv4.conf.default.accept_source_route = 0
--# We deviate from upstream systemd-245 (and later) since the new default
--# source route wildcard rule causes a regression with cluster networking
--# (e.g. cilium; see https://github.com/flatcar-linux/Flatcar/issues/181)
--#net.ipv4.conf.*.accept_source_route = 0
--#-net.ipv4.conf.all.accept_source_route
-+net.ipv4.conf.*.accept_source_route = 0
-+-net.ipv4.conf.all.accept_source_route
- 
- # Promote secondary addresses when the primary address is removed
- net.ipv4.conf.default.promote_secondaries = 1
--- 
-2.26.2
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild
index a7ad60dc8c..c1aebc7792 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild
@@ -183,9 +183,6 @@ src_prepare() {
 # Add local patches here
 PATCHES+=(
 # Flatcar: Adding our own patches here.
- "${FILESDIR}/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch"
- "${FILESDIR}/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch"
- "${FILESDIR}/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch"
 "${FILESDIR}/0004-wait-online-set-any-by-default.patch"
 "${FILESDIR}/0005-networkd-default-to-kernel-IPForwarding-setting.patch"
 "${FILESDIR}/0006-needs-update-don-t-require-strictly-newer-usr.patch"
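Review bot: With the three sysctl patches dropped from PATCHES, nothing in the ebuild records that Flatcar's rp_filter and accept_source_route settings now come from baselayout rather than from patching systemd's sysctl.d/50-default.conf, so a later maintainer may re-add such a patch here. Extend the surviving comment in the array to `# Flatcar: Adding our own patches here. Flatcar-specific sysctl settings (rp_filter, accept_source_route) are set by baselayout, which takes precedence over systemd's sysctl.d/50-default.conf; do not patch them here.` Since upstream's wildcard rule `net.ipv4.conf.*.rp_filter = 2` now ships unmodified, it is worth confirming that the baselayout sysctl.d file sorts after 50-default.conf (or sets the same keys) so the intended value is the one applied; the commit message says it does, but the ebuild itself does not show it. The src_prepare() body continues outside the hunk.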