Bug 1226464

Summary: AUDIT-WHITELIST: aaa_base: sysctl.d/50-default.conf has new defaults
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Thorsten Kukuk <kukuk>
Component: Security
Assignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: ro, security-team
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other

Description Thorsten Kukuk 2024-06-18 07:18:57 UTC
sysctl.d/50-default.conf in aaa_base has new defaults:

    Remove kernel.pid_max limit (bsc#1219038)
    
    kernel.pid_max is one of multiple mechanisms to restrict number of
    processes [1]. Its kernel default is scaled with nr_cpus but 1024
    tasks/cpu cap is too much if they were all running and it is also too
    little when they are idle (memory being bottleneck).
    
    Bump the limit to maximum kernel-accepted value and defer to other
    mechanisms for tasks limit enforcing.
    
    (This way we converge to same config like upstream systemd [2] but we
    ship distro defaults together from this package.)
    
    [1] https://www.suse.com/support/kb/doc/?id=000020429
    [2] https://github.com/systemd/systemd/blob/72192b6cc9b856c10abc7f1e5f98240fde17b8b4/sysctl.d/50-pid-max.conf
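When reviewing a change like this, it helps to confirm which sysctl.d fragment actually decides kernel.pid_max on a given host, since a later or higher-priority file can override the packaged default. The following is an added example, not code from aaa_base, systemd or this bug report; the function names and the directory list are assumptions, and the key matching is simplified for this one setting.

```python
import os

# 64-bit kernel ceiling for kernel.pid_max (2^22); upstream systemd's
# 50-pid-max.conf sets this same value.
PID_MAX_LIMIT = 4 * 1024 * 1024

# Highest priority first (assumed subset of the directories systemd-sysctl reads).
SYSCTL_DIRS = ["/etc/sysctl.d", "/run/sysctl.d", "/usr/lib/sysctl.d"]


def effective_sysctl(key, dirs=SYSCTL_DIRS):
    """Return (value, winning_file) for key, or (None, None) if unset.

    A file in a higher-priority directory masks same-named files in lower
    ones; the surviving files are applied in lexical order of their
    basename, and the last assignment wins.
    """
    files = {}
    for d in reversed(dirs):            # lowest priority first, then overwrite
        if os.path.isdir(d):
            for name in os.listdir(d):
                if name.endswith(".conf"):
                    files[name] = os.path.join(d, name)
    value = source = None
    for name in sorted(files):
        with open(files[name], encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line[0] in "#;" or "=" not in line:
                    continue
                k, _, v = line.partition("=")
                # A leading "-" only means "ignore failures"; "/" and "." are
                # treated as the same separator (simplified for this key).
                if k.strip().lstrip("-").replace("/", ".") == key:
                    value, source = v.strip(), files[name]
    return value, source


def pid_max_status(dirs=SYSCTL_DIRS):
    """Classify the configured kernel.pid_max against the kernel ceiling."""
    value, source = effective_sysctl("kernel.pid_max", dirs)
    if value is None:
        return "unset", None            # kernel default (scaled by CPUs) applies
    state = "ceiling" if int(value) >= PID_MAX_LIMIT else "lowered"
    return state, source


if __name__ == "__main__":
    print(pid_max_status())
```

A result of "lowered" names the file that overrides the packaged default, which is the place to look when a host still hits PID exhaustion after this change.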
Comment 1 Matthias Gerstner 2024-06-18 08:08:24 UTC
Thank you for creating the AUDIT bug. We will schedule the review and
whitelisting.
Comment 2 Matthias Gerstner 2024-06-20 09:11:26 UTC
I will handle this.
Comment 3 Matthias Gerstner 2024-06-20 10:00:00 UTC
Change should be fine, we can start the whitelisting adaption process.
Comment 4 OBSbugzilla Bot 2024-06-24 14:55:04 UTC
This is an autogenerated message for OBS integration:
This bug (1226464) was mentioned in
https://build.opensuse.org/request/show/1183027 Factory / rpmlint
Comment 5 Matthias Gerstner 2024-07-05 12:39:08 UTC
The whitelisting is now in Factory, closing as fixed.