Bug 995478
Summary: | /etc/sysctl.conf contains no IPv6 parameters | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Răzvan Sandu <rsandu2004> | |
Component: | initscripts | Assignee: | initscripts Maintenance Team <initscripts-maint-list> | |
Status: | CLOSED WONTFIX | QA Contact: | qe-baseos-daemons | |
Severity: | unspecified | Docs Contact: | ||
Priority: | high | |||
Version: | 6.6 | CC: | albert, deekej, lnykryn, mleitner, network-qe, ovasik | |
Target Milestone: | rc | Keywords: | Documentation | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Fixed In Version: | Doc Type: | Bug Fix | ||
: | 1243352 1243508 (view as bug list) | Environment: | ||
Last Closed: | 2016-11-09 16:36:12 UTC | Type: | Bug | |
Bug Blocks: | 1243352 |
Description
Răzvan Sandu
2013-08-09 13:43:42 UTC
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux.

Hello Răzvan. Even when the sysctl tool itself is a part of the procps packages, the /etc/sysctl.conf config file belongs to the initscripts component. I'm changing the component to initscripts. Regards, Jaromir.

There are no such settings because we don't want to modify default kernel values.

Hello and thanks,

One that configures a Red Hat system as a router *needs* to have a well documented way to make it "permeable" (IP forwarding) for both IPv4 and IPv6 packets. So we can't rely on the idea "we don't want to modify default kernel values". Any suggestions, please?

Răzvan

This looks more like a documentation issue. If you only need to know the ipv6 variants of the variables, then I suggest you type all the variables with 'sysctl -a' and then choose the ones you need to override, so that you could modify your local copy of the sysctl.conf according to your needs. You're probably interested in the following two variables:

    net.ipv6.conf.default.forwarding=1
    net.ipv6.conf.all.forwarding=1

Thank you, :)

IMHO, it is both a:

- "bug" concerning the maintainer of the stock (default) /etc/sysctl.conf file distributed in RHEL/CentOS/Fedora
- documentation "bug" (Red Hat official guides, etc.)

Since GNU/Linux systems are frequently used as routers or NAT gateways, the file and the docs should clearly state, for both IPv4 and IPv6:

- what kernel parameters make the system "permeable" for IPv4 and IPv6 traffic (i.e. allow the passing of IP packets from one network interface to another)
- the /etc/sysctl.conf file distributed in the official distro image should contain lines and clear comments for those parameters, for both IPv4 and IPv6, even if the lines are commented out by default.

These aspects became even more important in recent times, since new versions of these OSes have the IPv6 functions of the network interfaces *enabled* by default, after installation. For being useful in practice, all these should integrate smoothly with popular firewall solutions for IPv4 and IPv6, such as firewalld or shorewall (http://shorewall.net/).

Thanks a lot,
Răzvan

I see what you mean. The idea of having a pre-filled sysctl.conf file with comments might be a good way to make the kernel tuning faster/easier/intuitive. That way it could play a role of config file and template at once. Lukáši, I think we could start at least with the forwarding settings and, in your opinion, also other variables often overridden by the users. What do you think?

Hello

I believe this subject comes under the heading of: Reverse Path Forwarding
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Reverse_Path_Forwarding.html

Perhaps I could add a section there.

Thank you

Hello,

Thanks to Stephen for the piece of info in comment no 12.

There are *two* issues in this thread; one of them is only collateral.

The *main* issue here is the lack of parallelism for IPv4 and IPv6 parameters in /etc/sysctl.conf and their default values. Users should be able to configure the system in IPv6 as easily as in IPv4. IMHO, this is not a "documentation bug", but one addressed to the team writing the config files that are distributed by default in the distro. Who writes the /etc/sysctl.conf default file?

The second, which is only collateral - I used it just as an example above - is the necessary IPv6 parameter for making a system "permeable" to IPv6 packets. How should one make a system "permeable" to IPv6 packets?

For the second issue, I think the correct, elegant answer is available in /usr/share/doc/initscripts-*/sysconfig.txt: one must set IPV6FORWARDING=yes in /etc/sysconfig/network and that's all. If you agree, *please* mention this in Red Hat manuals, in a more visible place (/usr/share/doc/initscripts-*/sysconfig.txt is too obscure).

Best regards,
Răzvan

Problem is that officially initscripts don't know the default settings, it is kernel stuff, in ideal case kernel should ship some /etc/sysctl.d/* confs with commented defaults.

Hello

I would like to summarise this issue.

As per comment 0, if you look in /etc/sysctl.conf you see some values for IPv4 which are overriding the kernel default values. What was meant in comment 4 is that initscripts *itself* does not want to modify the default values. As per comment 7 and 8, if the user wants to change the values they can run `sysctl -a` to see what the values currently are, and check the kernel docs for the definitions. For example:

    ~]$ less /usr/share/doc/kernel-doc-2.6.32/Documentation/networking/ip-sysctl.txt

As is being implied in comment 15, initscripts is not the best place to override kernel default values. In an ideal world the kernel would have values widely agreed to be sensible, or patches would be applied by the distro to make changes deemed necessary for that distro.

Therefore, the feeling is that the "lack of parallelism for IPv4 and IPv6 parameters in /etc/sysctl.conf" should be addressed by removing the need to use that file to change defaults in the kernel, rather than adding IPv6 versions of the current IPv4 settings.

Thank you

I will clone to ask kernel team to consider comment 15 while I review the Deployment Guide to see what improvements I can make.

On second thoughts, to reduce confusion, I will clone for my Docs review and reassign this original bug to kernel team (as the bug history will be easier to follow). Sorry for the noise.

Hello kernel team

Please consider comment 10 and comment 15

Thank you

We support several kernel rpms to be installed in parallel to be able to boot different kernel versions. I don't see how the kernel package can write anything to /etc/sysctl.d/ without causing horrendous rpm conflicts. And having the file names in /etc/sysctl.d/ contain kernel version doesn't make sense, either (especially when multiple kernel rpms are installed). We would need another package to contain this. Creating just a kernel-sysctl package with a single file sounds silly, though. The sysctl.conf file is part of initscripts for this reason; and this is the only place where this can be added. I don't see anything we can do on the kernel side.

I'm reassigning to initscripts for the initscripts maintainer to decide whether the IPv6 options can be added to sysctl.conf - commented out, of course (i.e. for documentation purposes). I find this very reasonable but I don't know all the limitations there and use cases. If there are reasons this can't be done in initscripts, there's nothing we can do and the bug will have to be closed.

To sum on what Jiri just said, re comment #15, for getting the defaults, it's just a matter of dumping current configs (sysctl -a) after a boot without special sysctls applied. If you need, documentation is available under Documentation/ folder and please feel free to get in touch if you feel needed.

Yet, we are probably not going to have this for RHEL6 anymore as it's just too late for such improvement on it. If Lukas agree, we should close this bug and open a new one targeting RHEL7/systemd instead.

Hello,

(In reply to Marcelo Ricardo Leitner from comment #22)
> Yet, we are probably not going to have this for RHEL6 anymore as it's just
> too late for such improvement on it. If Lukas agree, we should close this
> bug and open a new one targeting RHEL7/systemd instead.

I agree on closing this BZ. It's unfortunate, but we're in phase2 of RHEL6 lifecycle. I realize, this is inconvenient, but I fail to see this being a bug.

Also, cloning this for RHEL7 does not make sense as well, because AFAIK lots of initscripts responsibilities have been taken over by systemd. Here's the content of /etc/sysctl.conf from RHEL7:

--------
    # Kernel sysctl configuration file
    #
    # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
    # sysctl.conf(5) for more details.

    # Disable netfilter on bridges.
    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0
    net.bridge.bridge-nf-call-arptables = 0
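
Added example, not part of the bug thread and not Red Hat code: a read-only check for the IPv4/IPv6 "parallelism" discussed above, reporting whether persistent sysctl files enable forwarding for one protocol but not the other. The function names, the "unset" marker and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Read-only check: do persistent sysctl files enable forwarding for IPv4
# and IPv6 consistently? Function names here are hypothetical.

# effective_sysctl KEY FILE...
# Prints the last value assigned to KEY (later lines and files win, as
# when the files are applied in order), or "unset".
effective_sysctl() {
    key=$1; shift
    awk -v key="$key" '
        /^[ \t]*([#;]|$)/ { next }          # comment or blank line
        {
            eq = index($0, "=")
            if (eq == 0) next               # not a "key = value" line
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)  # spaces around "=" are allowed
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print (val == "" ? "unset" : val) }
    ' /dev/null "$@"
}

# forwarding_parity FILE...
# Prints both, ipv4-only, ipv6-only or none. net.ipv6.conf.all.forwarding
# is the global IPv6 switch; default.forwarding is not evaluated here.
forwarding_parity() {
    v4=$(effective_sysctl net.ipv4.ip_forward "$@")
    v6=$(effective_sysctl net.ipv6.conf.all.forwarding "$@")
    case "$v4/$v6" in
        1/1) echo both ;;
        1/*) echo ipv4-only ;;
        */1) echo ipv6-only ;;
        *)   echo none ;;
    esac
}

# Constructed sample: IPv4 forwarding switched on, IPv6 line commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.ip_forward=1
#net.ipv6.conf.all.forwarding = 1
EOF
echo "sample: $(forwarding_parity "$sample")"
rm -f "$sample"
```

Pass /etc/sysctl.conf and any /etc/sysctl.d fragments in the order they are applied. The IPV6FORWARDING=yes setting in /etc/sysconfig/network mentioned in the thread is outside what this reads.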