trafficserver-users mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: [VOTE] Release Apache Traffic Server 7.1.1 (RC1)
Date Tue, 12 Sep 2017 15:54:22 GMT
https://github.com/apache/trafficserver/issues/2505

[root@proxy:/var/log/trafficserver]$ nano /etc/trafficserver/ssl_multicert.config
[root@proxy:/var/log/trafficserver]$ cat *
[root@proxy:/var/log/trafficserver]$ systemctl reload trafficserver.service
[root@proxy:/var/log/trafficserver]$ cat *
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::openFile] Open of ssl_multicert.config failed: Read-only file system
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::internalUpdate] Unable to create new version of ssl_multicert.config : Read-only file system
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::checkForUserUpdate] Failed to roll changed user file ssl_multicert.config: System Call Error
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: User has changed config file ssl_multicert.config
[root@proxy:/var/log/trafficserver]$

FUCK IT

On 12.09.2017 at 17:45, Reindl Harald wrote:
> On 02.09.2017 at 04:51, Miles Libbey wrote:
>> On Fri, Sep 1, 2017 at 6:40 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>>>
>>>
>>> On 01.09.2017 at 22:43, Alan Carroll wrote:
>>>>
>>>> Is that addressed by
>>>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html?highlight=records%20config#proxy-config-disable-configuration-modification
>>>>
>>>
>>> sounds good - when is 8.0 planned to be released?
>>
>> It's also available in 7.  We do a terrible job of having the
>> documentation match the actual version (eg why we default to a version
>> that won't be released for quite some time is beyond me,
> 
> IT DON'T WORK
> 
>>> that you currently need a hard restart for config changes is a pain and will
>>> be much more pain when you have to use letsencrypt with its frequent
>>> certificate updates in the next month after Chrome is starting to warn about
>>> any site containing a form-tag without TLS
>>
>> They don't. Remap, SSL cert, and parents just need reloads, not
>> restarts. Many record config values are also reloads
> 
> IT DON'T RELOAD because of readonly /etc
> 
> "/usr/bin/traffic_ctl config reload" don't do anything because of this 
> "[Rollback::Rollback] Config file is read-only : ssl_multicert.config" 
> bullshit and i am currently working to implement letsencrypt for 
> hundreds of domains which means that at every point in time certificates 
> can be changed and a reload is needed and HARD RESTART IS A NO-GO
> 
> why in the world is that broken-by-design not fixed after 5 years of 
> complaining or at least an option called 
> "proxy.config.disable_configuration_modification" not tested at all?
> 
> is it really that hard to create a basic systemd unit and set the OS to 
> read-only which should be the case for every network service in 2017 and 
> test BASIC OPERATIONS?
> 
> ReadOnlyDirectories=/etc
> ReadOnlyDirectories=/usr
> ReadOnlyDirectories=/var/lib
> ReadWriteDirectories=/etc/trafficserver/internal
> ReadWriteDirectories=/etc/trafficserver/snapshots
> 
> [root@proxy:~]$ cat records.config | grep configuration
> # Main threads configuration (worker threads). Also see configurations for   #
> # parent proxy configuration     #
> CONFIG proxy.config.disable_configuration_modification INT 1
> CONFIG proxy.config.cluster.cluster_configuration STRING cluster.config
> 
> IT JUST DON'T WORK
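
An added example, not part of the original message and not Traffic Server code: a Python check to run over the manager log after a reload, listing the config files that have Rollback errors logged against them. It uses the log lines quoted in the message; the remap.config line and the function names are constructed for illustration, and the log-line layout is assumed from those quoted lines only.

```python
import re
from collections import defaultdict

# Log lines quoted in the message above, unwrapped. The remap.config line is
# constructed for contrast: a noticed change with no Rollback error.
SAMPLE_LOG = """\
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::openFile] Open of ssl_multicert.config failed: Read-only file system
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::internalUpdate] Unable to create new version of ssl_multicert.config : Read-only file system
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::checkForUserUpdate] Failed to roll changed user file ssl_multicert.config: System Call Error
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: User has changed config file ssl_multicert.config
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: User has changed config file remap.config
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\S+\s+\{0x[0-9a-fA-F]+\}\s+(?P<level>[A-Z]+):\s+"
    r"(?:\[(?P<func>[^\]]+)\]\s+)?(?P<msg>.*)$"
)
FILE_RE = re.compile(r"\b([\w.-]+\.config)\b")
FAIL_RE = re.compile(r"fail|unable|read-only", re.IGNORECASE)


def reload_report(lines):
    """Map each config file to {'changed': bool, 'errors': [(ts, func, msg)]}."""
    report = defaultdict(lambda: {"changed": False, "errors": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped fragments and unrelated lines are skipped
        f = FILE_RE.search(m["msg"])
        if not f:
            continue
        entry = report[f.group(1)]
        func = m["func"] or ""
        if func.startswith("Rollback::") and FAIL_RE.search(m["msg"]):
            entry["errors"].append((m["ts"], func, m["msg"]))
        elif m["msg"].startswith("User has changed config file"):
            entry["changed"] = True
    return dict(report)


def roll_failed(lines):
    """Sorted names of config files with at least one Rollback error."""
    return sorted(n for n, e in reload_report(lines).items() if e["errors"])


if __name__ == "__main__":
    for name in roll_failed(SAMPLE_LOG.splitlines()):
        print(f"Rollback errors logged for {name}")
```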
