feat: add option to add custom sysctl configs (#2)

2023-01-29 15:31:08 +01:00 · 2023-01-29 15:31:08 +01:00 · 626c156b74
parent 758c687f78
commit 626c156b74
11 changed files with 71 additions and 14 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -13,13 +13,23 @@ kernel_disable_modules:

 kernel_blacklist_modules: []

-# @var kernel_ipv4_ping_group_range: $ "_unset"
-# @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
+kernel_custom_config: []
+# @var kernel_custom_config:example: >
+# kernel_custom_config:
+#   - file: 90-example
+#     content:
+#       - name: vm.panic_on_oom
+#         value: 0
+#       - name: vm.overcommit_memory
+#         value: 1
+# @end

 kernel_namespace_support_enabled: False
 kernel_coredump_enabled: True

+# @var kernel_ipv4_ping_group_range: $ "_unset"
+# @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
+kernel_ipv4_forwarding_enabled: False
+
 kernel_ipv6_enabled: False
 kernel_ipv6_forwarding_enabled: False
-
-kernel_ipv4_forwarding_enabled: False
--- a/molecule/centos7/converge.yml
+++ b/molecule/centos7/converge.yml
@ -4,5 +4,12 @@
  vars:
    kernel_coredump_enabled: False
    kernel_ipv6_enabled: True
+    kernel_custom_config:
+      - file: 90-example
+        content:
+          - name: vm.panic_on_oom
+            value: 0
+          - name: vm.overcommit_memory
+            value: 1
  roles:
    - role: xoxys.kernel
--- a/molecule/centos7/tests/test_default.py
+++ b/molecule/centos7/tests/test_default.py
@ -1,4 +1,5 @@
 import os
+import pytest

 import testinfra.utils.ansible_runner

@ -8,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(


 def test_sysctl_file(host):
-    sysctl = host.file("/etc/sysctl.d/local.conf")
+    sysctl = host.file("/etc/sysctl.d/99-local.conf")

    assert sysctl.exists
    assert sysctl.user == "root"
@ -16,6 +17,18 @@ def test_sysctl_file(host):
    assert sysctl.mode == 0o644


+@pytest.mark.parametrize(
+    "name,value", [
+        ("net.ipv4.ip_forward", 0),
+        ("net.ipv6.conf.all.forwarding", 0),
+        ("vm.panic_on_oom", 0),
+        ("vm.overcommit_memory", 1),
+    ]
+)
+def test_sysctl_values(host, name, value):
+    assert host.sysctl(name) == value
+
+
 def test_modprobe_file(host):
    modprobe = host.file("/etc/modprobe.d/custom.conf")

@ -28,6 +41,6 @@ def test_modprobe_file(host):


 def test_coredump_config(host):
-    assert host.file("/etc/sysctl.d/dump.conf").exists
+    assert host.file("/etc/sysctl.d/99-dump.conf").exists
    assert host.file("/etc/security/limits.d/dump.conf").exists
    assert host.file("/etc/profile.d/dump.sh").exists
--- a/molecule/default
+++ b/molecule/default
@ -1 +1 @@
-rocky8
+rocky9
--- a/molecule/rocky9/converge.yml
+++ b/molecule/rocky9/converge.yml
@ -4,5 +4,12 @@
  vars:
    kernel_coredump_enabled: False
    kernel_ipv6_enabled: True
+    kernel_custom_config:
+      - file: 90-example
+        content:
+          - name: vm.panic_on_oom
+            value: 0
+          - name: vm.overcommit_memory
+            value: 1
  roles:
    - role: xoxys.kernel
--- a/molecule/rocky9/tests/test_default.py
+++ b/molecule/rocky9/tests/test_default.py
@ -9,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(


 def test_sysctl_file(host):
-    sysctl = host.file("/etc/sysctl.d/local.conf")
+    sysctl = host.file("/etc/sysctl.d/99-local.conf")

    assert sysctl.exists
    assert sysctl.user == "root"
@ -21,6 +21,8 @@ def test_sysctl_file(host):
    "name,value", [
        ("net.ipv4.ip_forward", 0),
        ("net.ipv6.conf.all.forwarding", 0),
+        ("vm.panic_on_oom", 0),
+        ("vm.overcommit_memory", 1),
    ]
 )
 def test_sysctl_values(host, name, value):
@ -39,6 +41,6 @@ def test_modprobe_file(host):


 def test_coredump_config(host):
-    assert host.file("/etc/sysctl.d/dump.conf").exists
+    assert host.file("/etc/sysctl.d/99-dump.conf").exists
    assert host.file("/etc/security/limits.d/dump.conf").exists
    assert host.file("/etc/profile.d/dump.sh").exists
--- a/tasks/coredump.yml
+++ b/tasks/coredump.yml
@ -2,8 +2,8 @@
 - block:
    - name: Disable core dump for setuid programs
      template:
-        src: etc/sysctl.d/dump.conf.j2
-        dest: /etc/sysctl.d/dump.conf
+        src: etc/sysctl.d/99-dump.conf.j2
+        dest: /etc/sysctl.d/99-dump.conf
        owner: root
        group: root
        mode: 0644
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@ -1,14 +1,26 @@
 ---
 - block:
-    - name: Set kernel hardening parameters
+    - name: Set default kernel hardening parameters
      template:
-        src: etc/sysctl.d/local.conf.j2
-        dest: /etc/sysctl.d/local.conf
+        src: etc/sysctl.d/99-local.conf.j2
+        dest: /etc/sysctl.d/99-local.conf
        owner: root
        group: root
        mode: 0644
      notify: __kernel_reload

+    - name: Deploy custom kernel configurations
+      template:
+        src: etc/sysctl.d/xx-custom.conf.j2
+        dest: "/etc/sysctl.d/{{ item.file }}.conf"
+        owner: root
+        group: root
+        mode: 0644
+      loop: "{{ kernel_custom_config }}"
+      loop_control:
+        label: "{{ item.file }}"
+      notify: __kernel_reload
+
    - name: Deploy custom modprobe
      template:
        src: etc/modprobe.d/custom.conf.j2
--- a/templates/etc/sysctl.d/99-dump.conf.j2
+++ b/templates/etc/sysctl.d/99-dump.conf.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: True
 {{ ansible_managed | comment }}
 # Controls whether core dumps will append the PID to the core filename
 kernel.core_uses_pid = 1
--- a/templates/etc/sysctl.d/99-local.conf.j2
+++ b/templates/etc/sysctl.d/99-local.conf.j2
--- a/templates/etc/sysctl.d/xx-custom.conf.j2
+++ b/templates/etc/sysctl.d/xx-custom.conf.j2
@ -0,0 +1,5 @@
+#jinja2: lstrip_blocks: True
+{{ ansible_managed | comment }}
+{% for option in item.content %}
+{{ option.name }} = {{ option.value }}
+{% endfor %}