@AceArsenault already running sessions should not be affected, i never had problems with it. Touching nftables rules however, that one can really lock you out, which is why I use a little "roll this back in 5 minutes" systemd-timer, which I have to stop manually.
Restarting - yes that works. But what about STOPPING sshd as it is written above? I've never tried and don't want to, but I'd suppose this would lock you out too.
@qbe nftables are so easy to get wrong. And if you edit the live file, a reboot won't help you out.
I am working with two files, and use this small script to check and apply the work-in-progress file. The last good config file will be restored within 15 seconds, during which I check if I can still open new ssh sessions.
@SchwarzeLocke hmm, excuse my undereducated guessing, but would a disconnect after line 5 not kill the session, and thus stop the shell script before it could roll anything back ? Especially so since sudo is relatively picky about having an attached terminal ?
@qbe I think you are right in case of an explit disconnect (or kill/crash of ssh/bash/sleep). But for me, the 15s sleep are way shorter than the ssh connection timeout (I think that is 5 minutes by default), therefore this is good enough for me.
Andrew "Ace" Arsenault
Als Antwort auf Yogthos • • •cube
Als Antwort auf Andrew "Ace" Arsenault • • •Touching nftables rules however, that one can really lock you out, which is why I use a little "roll this back in 5 minutes" systemd-timer, which I have to stop manually.
Andrew "Ace" Arsenault
Als Antwort auf cube • • •@qbe Good points. I have restarted SSHd before without any issues.
smart idea with the systemd-timer roll back. : }
AndiS 🌞🍷🇪🇺
Als Antwort auf cube • •Restarting - yes that works. But what about STOPPING sshd as it is written above? I've never tried and don't want to, but I'd suppose this would lock you out too.
@cube @Andrew "Ace" Arsenault @Yogthos
Andrew "Ace" Arsenault mag das.
cube
Als Antwort auf AndiS 🌞🍷🇪🇺 • • •@andi @AceArsenault It does not. The sshd service is only responsible for accepting new connections.
(sshd.service has KillMode=process , see systemd.kill(5) for what that means)
AndiS 🌞🍷🇪🇺
Als Antwort auf cube • •A I see, and learned something new!
@cube @Andrew "Ace" Arsenault @Yogthos
cube mag das.
Andrew "Ace" Arsenault
Als Antwort auf cube • • •@qbe @andi
Make sense. I know from my experience of upgrading or restart SSHd it never locked me out.
I'm still worried though and always plan those kind of things during the off hours with a backup plan. *lol*
SchwarzeLocke
Als Antwort auf cube • • •@qbe nftables are so easy to get wrong. And if you edit the live file, a reboot won't help you out.
I am working with two files, and use this small script to check and apply the work-in-progress file. The last good config file will be restored within 15 seconds, during which I check if I can still open new ssh sessions.
Perhaps someone wants to copy the approach & script: gist.github.com/Locke/8c76f9f9…
nft-apply-wip.sh
Gistcube
Als Antwort auf SchwarzeLocke • • •SchwarzeLocke
Als Antwort auf cube • • •