nixos/systemd: install sysctl snippets #66482
Conversation
|
Currently, the systemd test seems to break at another subtest ("file system with x-initrd.mount is not unmounted"), but the I didn't yet test whether coredumps are available via |
| boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true; | ||
| boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true; | ||
| boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1"; |
There was a problem hiding this comment.
Why do we have to change this? The sysctl module maps true to 1 for us (since toString true == "1").
There was a problem hiding this comment.
I wondered the same. I think the answer is
In the case of rp_filter (which systemd would set to 2 (loose)), make
our overrides to "1" more explicit.
There was a problem hiding this comment.
Yes. systemd sets these to "2" (loose) in the snippets already, the hardenened rules set it to "1" (strict).
Having a boolean here doesn't really explain what and why we're doing.
I also updated the comment above, to add the "strict" bit.
|
OK, then it is reasonable IMO.
…On Sun, 11 Aug 2019, 17:13 Joachim F., ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In nixos/modules/profiles/hardened.nix
<#66482 (comment)>:
> boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
- boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true;
+ boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
I wondered the same. I think the answer is
In the case of rp_filter (which systemd would set to 2 (loose)), make
our overrides to "1" more explicit.
—
You are receiving this because your review was requested.
Reply to this email directly, view it on GitHub
<#66482?email_source=notifications&email_token=AAE365D472OZPAH6FBVN223QEAUAVA5CNFSM4IK36MJ2YY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCBGMVLQ#discussion_r312743279>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAE365ESEUYOM4EY67NES7TQEAUAVANCNFSM4IK36MJQ>
.
|
| <para> | ||
| We now install the sysctl snippets shipped with systemd. Apart from some loose reverse path | ||
| filtering and source routing filtering, this enables <literal>fq_codel</literal> as a packet | ||
| scheduler to fight bufferbloat, and configures <literal>systemd-coredump</literal> properly. |
There was a problem hiding this comment.
I maybe should have left the above comment down a few lines. In general when it comes to release notes and setting changes, avoid weasel words.
There was a problem hiding this comment.
About the rp_filter option from above comment: systemd sets net.ipv4.conf.all.rp_filter to 2 by default, which does enable some reverse path filtering, while we currently don't do any reverse path filtering at all. On hardened and google-compute-config, we set it to 1 (strict).
Detailled explanation about the options:
- 0 No source address validation is performed and any packet is forwarded to the destination network
- 1 Strict Mode as defined in RFC 3074. Each incoming packet to a router is tested against the routing table and if the interface that the packet is received on is not the best return path for the packet then the packet is dropped.
- 2 Loose mode as defines in RFC 3074 Loose Reverse Path. Each incoming packet is tested against the route table and the packet is dropped if the source address is not routable through any interface. The allows for asymmetric routing where the return path may not be the same as the source path.
As a lot of distros enabled the systemd sysctls, they enabled loose reverse path filtering, so I thought it should be fine to do so too. Same goes for net.ipv4.conf.all.accept_source_route = 0.
I didn't want to explicitly list every option currently set in ${systemd}/example/sysctl.d/50-default.conf - only the fact that we now apply these options, plus some broad summary about what's changed, so people are aware when reading release notes.
|
Regarding systemd-coredump: We seem to currently have a I was a bit baffled @nh2, @Jookia @auntieNeo, what do you think? |
flokli
force-pushed
the
systemd-sysctl
branch
2 times, most recently
from
dc7cf28
to
799b767
Compare
|
As long as we keep the ability to use normal |
|
@nh2 Yes, if you set the sysctl parameter as described in the changelog, systemd-coredump won't be handling coredumps at all, and the kernel will dump the coredump file by itself. |
|
I'd be curious to know about when the coredump performance becomes critical though ;-) |
flokli
force-pushed
the
systemd-sysctl
branch
2 times, most recently
from
ccd422d
to
c7363bd
Compare
|
I removed weaselness in the release notes and explained getting back the old coredump behaviour a bit more clearly in the release notes. |
@flokli I have observed many times that when a program with a couple GB resident memory core dumps, systemd's coredump program was spinning on 100% CPU for many minutes, while Probably it's this issue. I didn't investigate it, I just found it very annoying to have to wait so long. |
|
This was fixed upstream February 2016 in bdfd7b2c63cac944a3aa1fc0fafd19f41789e208 - anyways, when setting sysctl, it won't be piped through it. |
|
I found it impossible to suggest this, but my personal preference found this part to read pretty like this diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
index f9363561bdc..3ae0492ebfa 100644
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -435,13 +435,26 @@
</listitem>
<listitem>
<para>
- We now install the sysctl snippets shipped with systemd. Apart from enabling loose reverse path
- filtering and source routing filtering, this enables <literal>fq_codel</literal> as a packet
- scheduler to fight bufferbloat, and configures the kernel to pass coredumps to
- <literal>systemd-coredump</literal>.
- These sysctl snippets can be found in <literal>/etc/sysctl.d/50-*.conf</literal>,
- and overridden via <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
- (which will place the parameters in <literal>/etc/sysctl.d/60-nixos.conf</literal>).
+ We now install the sysctl snippets that are shipped with systemd.
+ <itemizedlist>
+ <para>This enables:</para>
+ <listitem>
+ <para>Loose reverse path filtering</para>
+ </listitem>
+ <listitem>
+ <para>Source routing filtering</para>
+ </listitem>
+ <listitem>
+ <para>
+ <literal>fq_codel</literal> as a packet scheduler (this helps to fight bufferbloat)
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ And configures the kernel to pass its coredumps to <literal>systemd-coredump</literal>.
+ The sysctl snippets that are shipped with systemd can be found in <literal>/etc/sysctl.d/50-*conf</literal> and can
+ be overridden with the <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link> option.
+ Note these overrides still go into <literal>/etc/sysctl.d/60-nixos.conf</literal>.
</para>
</listitem>
<listitem>
|
flokli
force-pushed
the
systemd-sysctl
branch
3 times, most recently
from
b42797b
to
2f3e548
Compare
sysctl.d(5) recommends prefixing all filenames in /etc/sysctl.d with a two-digit number and a dash, to simplify the ordering of the files. Some packages provide custom files, often with "50-" prefix. To ensure user-supplied configuration takes precedence over the one specified via `boot.kernel.sysctl`, prefix the file generated there with "60-".
systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable: - Loose reverse path filtering - Source route filtering - `fq_codel` as a packet scheduler (this helps to fight bufferbloat) This also configures the kernel to pass coredumps to `systemd-coredump`. These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`. Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set. In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit.
|
Docs should be good, any objections? ;-) |
|
This change disables all SysRq keys (except sync) by default. Was this intentional? In any case, this needs to be documented in the release notes. |
|
@gebner I indeed missed that line! It's part of I'll update the release notes accordingly and file a follow-up PR, thanks! |
This was missing from NixOS#66482.
Since NixOS/nixpkgs#66482, it needs an explicit override.
systemd provides two sysctl snippets, 50-coredump.conf and
50-default.conf.
Apart from some loose reverse path filtering and source routing
filtering, this enables fq_codel as a packet scheduler to fight
bufferbloat, and configures systemd-coredump properly.
Let's start using these, like other distros already do for quite some
time, and remove those duplicate
boot.kernel.sysctloptions wepreviously did set.
In the case of rp_filter (which systemd would set to 2 (loose)), make
our overrides to "1" more explicit.
sysctl.d(5) recommends prefixing all filenames in /etc/sysctl.d with a
two-digit number and a dash, to simplify the ordering of the files.
Some packages provide custom files, often with "50-" prefix.
To ensure user-supplied configuration takes precedence over the one
specified via
boot.kernel.sysctl, prefix the file generated there with"60-".
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)Notify maintainers
cc @