trafficserver-users mailing list archives

From Leif Hedstrom <zw...@apache.org>
Subject Re: [VOTE] Release Apache Traffic Server 7.1.1 (RC1)
Date Wed, 13 Sep 2017 22:38:27 GMT


> On Sep 12, 2017, at 2:41 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
> 
> 
> 
>> On 12.09.2017 at 22:31, Bryan Call wrote:
>> proxy.config.disable_configuration_modification was a feature that was requested and the group didn’t use it.
>> We are planning on having the configuration to be read-only for ATS 8.
> 
> frankly ATS 8 is way too late after years of complaining when you need to have Letsencrypt enabled in a few weeks because Google Chrome will warn on every page with a form tag and no SSL
> 
> it's just UNACCEPTABLE that you have to HARD RESTART Trafficserver for every remap/ssl change, it was UNACCEPTABLE the last years too but now it's becoming a joke
> 
> where is the rocket science just read the fucking config file and shut up like every other software on this planet is able to do?

You need to stop whining like a spoiled brat! There are / were several reasons why this was
done, e.g. it's a requirement for the cluster config to work. Clustering is dead now, and
gives us a way to remove this code and behavior for 8.0.

That much said, as much complaining as you have done on this subject, the amount of code contributions
from you or anyone else that has a problem with this feature is exactly zero. Which open source
project lets you dictate others to do your work for you? We all have our priorities as (usually)
dictated by the respective companies paying our salaries.

Sincerely,

-- Leif (not speaking on behalf of anyone other than myself)

> 
> [root@proxy:/var/log/trafficserver]$ nano /etc/trafficserver/ssl_multicert.config
> [root@proxy:/var/log/trafficserver]$ cat *
> [root@proxy:/var/log/trafficserver]$ systemctl reload trafficserver.service
> [root@proxy:/var/log/trafficserver]$ cat *
> [Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::openFile] Open of ssl_multicert.config failed: Read-only file system
> [Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::internalUpdate] Unable to create new version of ssl_multicert.config : Read-only file system
> [Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::checkForUserUpdate] Failed to roll changed user file ssl_multicert.config: System Call Error
> [Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: User has changed config file ssl_multicert.config
> [root@proxy:/var/log/trafficserver]$
> 
>>> On Sep 12, 2017, at 8:45 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
>>> 
>>> 
>>> 
>>>> On 02.09.2017 at 04:51, Miles Libbey wrote:
>>>>> On Fri, Sep 1, 2017 at 6:40 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>>>>> 
>>>>> 
>>>>>> On 01.09.2017 at 22:43, Alan Carroll wrote:
>>>>>> 
>>>>>> Is that addressed by
>>>>>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html?highlight=records%20config#proxy-config-disable-configuration-modification
>>>>> 
>>>>> sounds good - when is 8.0 planned to be released?
>>>> It's also available in 7.  We do a terrible job of having the
>>>> documentation match the actual version (eg why we default to a version
>>>> that won't be released for quite some time is beyond me,
>>> 
>>> IT DOESN'T WORK
>>> 
>>>>> that you currently need a hard restart for config changes is a pain and will be much more pain when you have to use letsencrypt with its frequent certificate updates in the next month after Chrome is starting to warn about any site containing a form-tag without TLS
>>>> They don't. Remap, SSL cert, and parents just need reloads, not
>>>> restarts. Many record config values are also reloads
>>> 
>>> IT DOESN'T RELOAD because of readonly /etc
>>> 
>>> "/usr/bin/traffic_ctl config reload" doesn't do anything because of this "[Rollback::Rollback] Config file is read-only : ssl_multicert.config" bullshit and i am currently working to implement letsencrypt for hundreds of domains which means that at every point in time certificates can be changed and a reload is needed and HARD RESTART IS A NO-GO
>>> 
>>> why in the world is that broken-by-design not fixed after 5 years of complaining or at least an option called "proxy.config.disable_configuration_modification" not tested at all?
>>> 
>>> is it really that hard to create a basic systemd unit and set the OS to readonly which should be the case for every network service in 2017 and test BASIC OPERATIONS?
>>> 
>>> ReadOnlyDirectories=/etc
>>> ReadOnlyDirectories=/usr
>>> ReadOnlyDirectories=/var/lib
>>> ReadWriteDirectories=/etc/trafficserver/internal
>>> ReadWriteDirectories=/etc/trafficserver/snapshots
>>> 
>>> [root@proxy:~]$ cat records.config | grep configuration
>>> # Main threads configuration (worker threads). Also see configurations for  #
>>> # parent proxy configuration     #
>>> CONFIG proxy.config.disable_configuration_modification INT 1
>>> CONFIG proxy.config.cluster.cluster_configuration STRING cluster.config
>>> 
>>> IT JUST DOESN'T WORK
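
A post-reload check for the failure shown in the quoted Manager log, as an added example that is not part of the original messages or of Traffic Server's own code: it parses the log lines and reports which config files the Rollback code could not version, so a certificate-renewal job can tell that a reload was not applied. The log layout is inferred from the lines quoted in the thread, and the function names are hypothetical.

```python
import re

# Manager log lines as quoted in the thread above (line wraps rejoined).
SAMPLE_LOG = """\
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::openFile] Open of ssl_multicert.config failed: Read-only file system
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::internalUpdate] Unable to create new version of ssl_multicert.config : Read-only file system
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: [Rollback::checkForUserUpdate] Failed to roll changed user file ssl_multicert.config: System Call Error
[Sep 12 17:52:47.317] Manager {0x7f2581dea700} NOTE: User has changed config file ssl_multicert.config
"""

# Assumed layout: [timestamp] process {thread} LEVEL: [Class::method] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<proc>\S+)\s+\{(?P<thread>0x[0-9a-f]+)\}\s+"
    r"(?P<level>[A-Z]+):\s+(?:\[(?P<func>[\w:]+)\]\s+)?(?P<msg>.*)$"
)
FILE_RE = re.compile(r"\b([\w.-]+\.config)\b")
FAILURE_RE = re.compile(r"failed|unable|read-only", re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields; None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def blocked_reloads(log_text):
    """Map each config file to the Rollback functions that reported a failure."""
    blocked = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or not (rec["func"] or "").startswith("Rollback::"):
            continue  # only Rollback messages describe the versioning step
        if not FAILURE_RE.search(rec["msg"]):
            continue
        name = FILE_RE.search(rec["msg"])
        if name:
            blocked.setdefault(name.group(1), []).append(rec["func"])
    return blocked


def reload_applied(log_text, config_file):
    """True when no Rollback failure was logged for config_file."""
    return config_file not in blocked_reloads(log_text)


if __name__ == "__main__":
    for name, funcs in blocked_reloads(SAMPLE_LOG).items():
        print(f"{name}: reload blocked ({', '.join(funcs)})")
```

A renewal job would run this over the log lines written after its reload and fail loudly when the file it just changed appears in the result.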

