Bug 1226464 - AUDIT-WHITELIST: aaa_base: sysctl.d/50-default.conf has new defaults
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Matthias Gerstner
QA Contact: E-mail List
Reported: 2024-06-18 07:18 UTC by Thorsten Kukuk
Modified: 2024-07-05 12:39 UTC

Description Thorsten Kukuk 2024-06-18 07:18:57 UTC
sysctl.d/50-default.conf in aaa_base has new defaults:

    Remove kernel.pid_max limit (bsc#1219038)
    
    kernel.pid_max is one of multiple mechanisms to restrict number of
    processes [1]. Its kernel default is scaled with nr_cpus but 1024
    tasks/cpu cap is too much if they were all running and it is also too
    little when they are idle (memory being bottleneck).
    
    Bump the limit to maximum kernel-accepted value and defer to other
    mechanisms for tasks limit enforcing.
    
    (This way we converge to same config like upstream systemd [2] but we
    ship distro defaults together from this package.)
    
    [1] https://www.suse.com/support/kb/doc/?id=000020429
    [2] https://github.com/systemd/systemd/blob/72192b6cc9b856c10abc7f1e5f98240fde17b8b4/sysctl.d/50-pid-max.conf
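An added example, not part of the bug report or of aaa_base: when auditing which kernel.pid_max actually applies on a host, the shipped 50-default.conf is only one input, so this resolves a key across the sysctl.d directories using the precedence documented in sysctl.d(5). The file 90-local.conf and all values shown are constructed for illustration.

```python
import os
import tempfile

# Search path in decreasing priority, per sysctl.d(5) as read by systemd-sysctl.
SEARCH_DIRS = ["etc/sysctl.d", "run/sysctl.d",
               "usr/local/lib/sysctl.d", "usr/lib/sysctl.d"]

def effective_files(root):
    """Map file name -> path; a name in a higher-priority dir masks the rest."""
    chosen = {}
    for d in SEARCH_DIRS:
        full = os.path.join(root, d)
        if os.path.isdir(full):
            for name in os.listdir(full):
                if name.endswith(".conf"):
                    chosen.setdefault(name, os.path.join(full, name))
    return chosen

def resolve(root, key):
    """Return (value, path) of the assignment that wins for key, or None."""
    winner = None
    files = effective_files(root)
    for name in sorted(files):  # lexicographic by file name; last one wins
        with open(files[name]) as fh:
            for line in fh:
                line = line.strip()
                if not line or line[0] in "#;" or "=" not in line:
                    continue
                k, v = (part.strip() for part in line.split("=", 1))
                if k.lstrip("-") == key:  # leading "-" = ignore write errors
                    winner = (v, files[name])
    return winner

def build_sample(root, files):
    """Write a constructed sysctl.d tree (relative path -> content) under root."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)

# Constructed sample: shipped default plus a local override (values are made up).
SAMPLE = {
    "usr/lib/sysctl.d/50-default.conf": "# distro defaults\nkernel.pid_max = 4194304\n",
    "etc/sysctl.d/90-local.conf": "-kernel.pid_max=32768\n",
}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, SAMPLE)
        print(resolve(root, "kernel.pid_max"))
```

Pass `"/"` as `root` to check a live system; the value that is currently in force can still differ if something wrote to /proc/sys/kernel/pid_max after boot.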
Comment 1 Matthias Gerstner 2024-06-18 08:08:24 UTC
Thank you for creating the AUDIT bug. We will schedule the review and
whitelisting.
Comment 2 Matthias Gerstner 2024-06-20 09:11:26 UTC
I will handle this.
Comment 3 Matthias Gerstner 2024-06-20 10:00:00 UTC
Change should be fine, we can start the whitelisting adaption process.
Comment 4 OBSbugzilla Bot 2024-06-24 14:55:04 UTC
This is an autogenerated message for OBS integration:
This bug (1226464) was mentioned in
https://build.opensuse.org/request/show/1183027 Factory / rpmlint
Comment 5 Matthias Gerstner 2024-07-05 12:39:08 UTC
The whitelisting is now in Factory, closing as fixed.