From ffe4233155085b479c69abe844a34de212b8e5e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Thu, 16 Jan 2020 14:45:28 +0100
Subject: [PATCH] sysctl: downgrade message when we have no permission
We need to run sysctl also in containers, because the network
subtree is namespaced and may legitimately be writable. But logging
all "errors" at notice level creates unwanted noise.
Also downgrade message about missing sysctls to log_info. This might also be
relatively common when configuration is targeted at different kernel
versions. With log_debug it'll still end up in the logs, but isn't really worth
of "notice" most of the time.
https://bugzilla.redhat.com/show_bug.cgi?id=1609806
(cherry picked from commit 32458cc9687c1b60ff0f22c0e71da93ce78b1534)
Resolves: #2158160
---
src/sysctl/sysctl.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/sysctl/sysctl.c b/src/sysctl/sysctl.c
index 4c85d6887f..dc14e1aaf1 100644
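--- a/src/sysctl/sysctl.c
+++ b/src/sysctl/sysctl.c
@@ -82,13 +82,15 @@ static int apply_all(OrderedHashmap *sysctl_options) {
 k = sysctl_write(option->key, option->value);
 if (k < 0) {
 /* If the sysctl is not available in the kernel or we are running with reduced
- * privileges and cannot write it, then log about the issue at LOG_NOTICE level, and
- * proceed without failing. (EROFS is treated as a permission problem here, since
- * that's how container managers usually protected their sysctls.) In all other cases
- * log an error and make the tool fail. */
-
- if (IN_SET(k, -EPERM, -EACCES, -EROFS, -ENOENT) || option->ignore_failure)
- log_notice_errno(k, "Couldn't write '%s' to '%s', ignoring: %m", option->value, option->key);
+ * privileges and cannot write it, then log about the issue, and proceed without
+ * failing. (EROFS is treated as a permission problem here, since that's how
+ * container managers usually protected their sysctls.) In all other cases log an
+ * error and make the tool fail. */
+
+ if (option->ignore_failure || k == -EROFS || ERRNO_IS_PRIVILEGE(k))
+ log_debug_errno(k, "Couldn't write '%s' to '%s', ignoring: %m", option->value, option->key);
+ else if (k == -ENOENT)
+ log_info_errno(k, "Couldn't write '%s' to '%s', ignoring: %m", option->value, option->key);
 else {
 log_error_errno(k, "Couldn't write '%s' to '%s': %m", option->value, option->key);
 if (r == 0)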
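Review bot: The first branch now logs privilege and EROFS write failures only at debug level, and the comment above it says the tool proceeds without failing, so outside a container a hardening sysctl that could not be applied leaves no trace in the default log. The commit message justifies the quieter level with containers only; consider keeping it there and staying at notice elsewhere for the case where `option->ignore_failure` is not set, e.g. `log_full_errno(detect_container() > 0 ? LOG_DEBUG : LOG_NOTICE, k, "Couldn't write '%s' to '%s', ignoring: %m", option->value, option->key);`, assuming the container-detection helper can be included in this file. ERRNO_IS_PRIVILEGE is not defined in the hunk; presumably it covers the same EPERM/EACCES pair as the removed `IN_SET`, which is worth confirming in this backport. The rewritten comment also no longer names the log levels, so a short mention of "debug for permission problems, info for missing sysctls" would keep it in step with the code. apply_all starts and ends outside the hunk.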