OCPBUGS-42524

Not all net.* per-interface sysctls declared safe by TELCOSTRAT-10 / CNF-3642 are implemented in the default cni-sysctl-allowlist


    • Low
    • No
    • False
      * Previously, some safe `sysctls` were erroneously omitted from the allow list. With this release, the `sysctls` are added back to the allow list and the issue is resolved. (link:https://issues.redhat.com/browse/OCPBUGS-29403[*OCPBUGS-29403*])
    • Bug Fix
    • In Progress

      Description of problem: Not all net.* per-interface sysctls declared safe by TELCOSTRAT-10 / CNF-3642 are implemented in the default cni-sysctl-allowlist.

      E.g.
      net.ipv6.conf.IFNAME.disable_ipv6,
      net.ipv6.conf.IFNAME.disable_policy,
      net.ipv4.conf.IFNAME.rp_filter,
      net.ipv4.conf.IFNAME.forwarding,
      net.ipv4.conf.IFNAME.forwarding,

      and possibly others.

      Version-Release number of selected component (if applicable): 4.14

      How reproducible: Always

      Steps to Reproduce:
      1. Compare the list of per-interface sysctls declared safe in TELCOSTRAT-10 / CNF-3642 / CNF-4093 Google Doc and Jira comments to the default cni-sysctl-allowlist in the code

      Actual results: List of per-interface sysctls declared safe in the default cni-sysctl-allowlist in the code does not match the list in TELCOSTRAT-10 / CNF-3642 / CNF-4093

      Expected results: List of per-interface sysctls declared safe in the default cni-sysctl-allowlist in the code should match the list in TELCOSTRAT-10 / CNF-3642 / CNF-4093

      Additional info: None

              ykashtan Yuval Kashtan
              bnivenje@redhat.com Ben Niven-Jenkins
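
The comparison in the reproduction step can be scripted. This is an added example, not code from the issue or from OpenShift: it assumes the allowlist is one anchored regular expression per line with a literal IFNAME placeholder, and the allowlist text below is a constructed sample, not the shipped default. The expected list holds only the sysctls this issue names.

```python
import re

# Constructed sample allowlist (assumed format: one regex per line, literal
# IFNAME placeholder). This is NOT the shipped default allowlist.
SAMPLE_ALLOWLIST = """\
# constructed sample
^net.ipv4.conf.IFNAME.accept_redirects$
^net.ipv4.conf.IFNAME.arp_notify$
^net.ipv6.conf.IFNAME.accept_ra$
^net.ipv6.conf.IFNAME.disable_policy$
"""

# Per-interface sysctls named in the issue description (duplicate listed once).
EXPECTED_SAFE = [
    "net.ipv6.conf.IFNAME.disable_ipv6",
    "net.ipv6.conf.IFNAME.disable_policy",
    "net.ipv4.conf.IFNAME.rp_filter",
    "net.ipv4.conf.IFNAME.forwarding",
]


def load_patterns(text):
    """Compile every non-blank, non-comment allowlist line as a regex."""
    lines = (line.strip() for line in text.splitlines())
    return [re.compile(l) for l in lines if l and not l.startswith("#")]


def audit(expected, allowlist_text):
    """Compare the approved list with the allowlist in both directions.

    Returns (missing, extra):
      missing - approved sysctls that no allowlist entry matches
      extra   - allowlist entries that match no approved sysctl
    """
    patterns = load_patterns(allowlist_text)
    names = list(dict.fromkeys(expected))  # de-duplicate, keep order
    missing = [n for n in names
               if not any(p.fullmatch(n) for p in patterns)]
    extra = [p.pattern for p in patterns
             if not any(p.fullmatch(n) for n in names)]
    return missing, extra


if __name__ == "__main__":
    missing, extra = audit(EXPECTED_SAFE, SAMPLE_ALLOWLIST)
    print("approved but not allowlisted:", *missing, sep="\n  ")
    print("allowlisted but not in approved list:", *extra, sep="\n  ")
```

An entry reported as extra is not necessarily wrong here, because the expected list covers only the examples in this issue and not the full approved list.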