diff options
| author | Micah Anderson <micah@leap.se> | 2013-12-17 15:43:58 -0500 |
|---|---|---|
| committer | Micah Anderson <micah@leap.se> | 2013-12-18 13:10:31 -0500 |
| commit | 88af29f3aba662aab4ca5ac3122d43139fb97004 (patch) | |
| tree | 6b6edfdaba96f308b8bd68cdbb29349b45efc35c | |
| parent | 5708e04af02ec7332be84dfb63200008c35b9af4 (diff) | |
Fix for openvpn/unbound not starting at boot (#4506)
This change sets the sysctl net.ipv4.ip_nonlocal_bind to allow
applications to bind to an address, even when the link is down. This is
necessary because applications like unbound and openvpn fail to start on
boot in some situations because interfaces are not fully up (due to a
combination of non-deterministic booting because of the likely potential
setting of allow-hotplug in the interfaces file and the LSB boot
dependency on $network not being sufficient.
The only down-side to setting this is a daemon could bind to an
incorrect ip and we wouldn't get an error, but this would be a
configuration mistake, rather than a fatal condition.
Change-Id: I5c03083e8c20bb25afad85a1230f4555808d341c
| -rw-r--r-- | .gitmodules | 3 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/default.pp | 4 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/sysctl.pp | 8 | ||||
| m--------- | puppet/modules/sysctl | 0 |
4 files changed, 14 insertions, 1 deletions
diff --git a/.gitmodules b/.gitmodules index 0b339593..cc8afdb5 100644 --- a/.gitmodules +++ b/.gitmodules @@ -85,3 +85,6 @@ [submodule "puppet/modules/backupninja"] path = puppet/modules/backupninja url = https://leap.se/git/puppet_backupninja +[submodule "puppet/modules/sysctl"] + path = puppet/modules/sysctl + url = https://leap.se/git/puppet_sysctl diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 33d3df05..d85d9c8f 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -12,7 +12,6 @@ class site_config::default { include site_config::slow - include concat::setup # default class, used by all hosts @@ -22,6 +21,9 @@ class site_config::default { # configure apt include site_apt + # configure sysctl parameters + include site_config::sysctl + # configure ssh and include ssh-keys include site_config::sshd diff --git a/puppet/modules/site_config/manifests/sysctl.pp b/puppet/modules/site_config/manifests/sysctl.pp new file mode 100644 index 00000000..99f75123 --- /dev/null +++ b/puppet/modules/site_config/manifests/sysctl.pp @@ -0,0 +1,8 @@ +class site_config::sysctl { + + sysctl::config { + 'net.ipv4.ip_nonlocal_bind': + value => 1, + comment => 'Allow applications to bind to an address when link is down (see https://leap.se/code/issues/4506)' + } +} diff --git a/puppet/modules/sysctl b/puppet/modules/sysctl new file mode 160000 +Subproject 975852b7acc1125b4cd9d4d490b9abd8d31217e |