trafficserver-users mailing list archives

From Bryan Call <bc...@apache.org>
Subject Re: [VOTE] Release Apache Traffic Server 7.1.1 (RC1)
Date Tue, 12 Sep 2017 20:31:12 GMT
proxy.config.disable_configuration_modification was a feature that was requested and the group
didn’t use it.

We are planning on having the configuration be read-only for ATS 8.

-Bryan


> On Sep 12, 2017, at 8:45 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
> 
> 
> 
> Am 02.09.2017 um 04:51 schrieb Miles Libbey:
>> On Fri, Sep 1, 2017 at 6:40 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>>> 
>>> 
>>> Am 01.09.2017 um 22:43 schrieb Alan Carroll:
>>>> 
>>>> Is that addressed by
>>>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html?highlight=records%20config#proxy-config-disable-configuration-modification
>>> 
>>> sounds good - when is 8.0 planned to be released?
>> It's also available in 7.  We do a terrible job of having the
>> documentation match the actual version (eg why we default to a version
>> that won't be released for quite some time is beyond me,
> 
> IT DOESN'T WORK
> 
>>> that you currently need a hard restart for config changes is a pain and will
>>> be much more pain when you have to use letsencrypt with its frequent
>>> certificate updates in the next month after Chrome is starting to warn about
>>> any site containing a from-tag without TLS
>> They don't. Remap, SSL cert, and parents just need reloads, not
>> restarts. Many record config values are also reloads
> 
> IT DOESN'T RELOAD because of read-only /etc
> 
> "/usr/bin/traffic_ctl config reload" doesn't do anything because of this
> "[Rollback::Rollback] Config file is read-only : ssl_multicert.config" bullshit
> and i am currently working to implement letsencrypt for hundreds of domains
> which means that at every point in time certificates can be changed and a
> reload is needed and HARD RESTART IS A NO-GO
>
> why in the world is that broken-by-design not fixed after 5 years of
> complaining or at least an option called
> "proxy.config.disable_configuration_modification" not tested at all?
>
> is it really that hard to create a basic systemd unit and set the OS to
> read-only which should be the case for every network service in 2017 and test
> BASIC OPERATIONS?
> 
> ReadOnlyDirectories=/etc
> ReadOnlyDirectories=/usr
> ReadOnlyDirectories=/var/lib
> ReadWriteDirectories=/etc/trafficserver/internal
> ReadWriteDirectories=/etc/trafficserver/snapshots
> 
> [root@proxy:~]$ cat records.config | grep configuration
> # Main threads configuration (worker threads). Also see configurations for   #
> # parent proxy configuration     #
> CONFIG proxy.config.disable_configuration_modification INT 1
> CONFIG proxy.config.cluster.cluster_configuration STRING cluster.config
> 
> IT JUST DOESN'T WORK

