Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

do not persist sysctl when value is invalid #101

Merged
merged 1 commit into from
Oct 21, 2020
Merged

do not persist sysctl when value is invalid #101

merged 1 commit into from
Oct 21, 2020

Conversation

schurzi
Copy link
Contributor

@schurzi schurzi commented Oct 2, 2020

SUMMARY

the order of actions for setting, persisting and activation is changed,
to not persist an invalid sysctl value. This is only enforced when
sysct_set is True.

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

sysctl

ADDITIONAL INFORMATION

we had some "fun" with the original behaviour in this PR: dev-sec/ansible-collection-hardening#312

Once a invalid value is persisted every change of a sysctl (with a reload) triggers an error. This complecates debugging and makes the real error non obvious for the user.

Playbook:

- hosts: localhost
  tasks:
    - name: Set sysctl property using module
      sysctl:
        name: vm.mmap_rnd_bits
        value: '1024'
        state: present
        reload: yes
        sysctl_set: True

Before:

# ansible-playbook -vvv test.yml
...
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "ignoreerrors": false,
            "name": "vm.mmap_rnd_bits",
            "reload": true,
            "state": "present",
            "sysctl_file": "/etc/sysctl.conf",
            "sysctl_set": true,
            "value": "1024"
        }
    },
    "msg": "Failed to reload sysctl: vm.mmap_rnd_bits = 1024\nsysctl: setting key \"vm.mmap_rnd_bits\": Invalid argument\n"
# grep mmap /etc/sysctl.conf
vm.mmap_rnd_bits=1024

After

# ansible-playbook -vvv test.yml
...
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "ignoreerrors": false,
            "name": "vm.mmap_rnd_bits",
            "reload": true,
            "state": "present",
            "sysctl_file": "/etc/sysctl.conf",
            "sysctl_set": true,
            "value": "1024"
        }
    },
    "msg": "setting vm.mmap_rnd_bits failed: vm.mmap_rnd_bits = 1024\nsysctl: setting key \"vm.mmap_rnd_bits\": Invalid argument\n"
# grep mmap /etc/sysctl.conf

@schurzi
do not persist sysctl when value is invalid
5935dce 
the order of actions for setting, persisting and activation is changed,
to not persist an invalid sysctl value. This is only enforced when
sysct_set is True.
@maxamillion
Copy link
Collaborator

/recheck

@schurzi
Copy link
Contributor Author

schurzi commented Oct 8, 2020

is there something I need to do or fix to get the tests green?

@maxamillion
Copy link
Collaborator

@schurzi I don't think so, the galaxy import bit is what's failing in CI

@maxamillion
Copy link
Collaborator

/recheck

@maxamillion
Copy link
Collaborator

recheck

@maxamillion maxamillion added the gate Gate PR in Zuul CI (Obsolete: Please set "mergeit" instead of "gate") label Oct 21, 2020
@ansible-zuul ansible-zuul bot merged commit 5988748 into ansible-collections:main Oct 21, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
gate Gate PR in Zuul CI (Obsolete: Please set "mergeit" instead of "gate")
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@schurzi @maxamillion