From 626c156b74fb43878dc699d2d22286e27ad37ad5 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sun, 29 Jan 2023 15:31:08 +0100
Subject: [PATCH] feat: add option to add custom sysctl configs (#2)
---
 defaults/main.yml | 18 ++++++++++++++----
 molecule/centos7/converge.yml | 7 +++++++
 molecule/centos7/tests/test_default.py | 17 +++++++++++++++--
 molecule/default | 2 +-
 molecule/rocky9/converge.yml | 7 +++++++
 molecule/rocky9/tests/test_default.py | 6 ++++--
 tasks/coredump.yml | 4 ++--
 tasks/kernel.yml | 18 +++++++++++++++---
 .../sysctl.d/{dump.conf.j2 => 99-dump.conf.j2} | 1 +
 .../{local.conf.j2 => 99-local.conf.j2} | 0
 templates/etc/sysctl.d/xx-custom.conf.j2 | 5 +++++
 11 files changed, 71 insertions(+), 14 deletions(-)
 rename templates/etc/sysctl.d/{dump.conf.j2 => 99-dump.conf.j2} (89%)
 rename templates/etc/sysctl.d/{local.conf.j2 => 99-local.conf.j2} (100%)
 create mode 100644 templates/etc/sysctl.d/xx-custom.conf.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index cfc66f3..492ce1d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,13 +13,23 @@ kernel_disable_modules:
 kernel_blacklist_modules: []
-# @var kernel_ipv4_ping_group_range: $ "_unset"
-# @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
+kernel_custom_config: []
+# @var kernel_custom_config:example: >
+# kernel_custom_config:
+# - file: 90-example
+# content:
+# - name: vm.panic_on_oom
+# value: 0
+# - name: vm.overcommit_memory
+# value: 1
+# @end
 kernel_namespace_support_enabled: False
 kernel_coredump_enabled: True
+# @var kernel_ipv4_ping_group_range: $ "_unset"
+# @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
+kernel_ipv4_forwarding_enabled: False
+
 kernel_ipv6_enabled: False
 kernel_ipv6_forwarding_enabled: False
-
-kernel_ipv4_forwarding_enabled: False
diff --git a/molecule/centos7/converge.yml b/molecule/centos7/converge.yml
index 0810ee7..9863e75 100644
--- a/molecule/centos7/converge.yml
+++ b/molecule/centos7/converge.yml
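Review bot: `kernel_custom_config` is introduced with an example but no description, and the example file name `90-example` sorts before the role's own `99-local.conf`; since sysctl.d files are applied in lexical order with later files winning, a key present in both ends up with the hardening value from `99-local.conf`, which is probably intended but nowhere stated. Add a line above the example such as `# @var kernel_custom_config:description: Extra sysctl.d files to deploy; files sorting before 99-local.conf are applied first, so the role's hardening values take precedence for duplicate keys.` Readers who choose a name sorting after `99-` should understand that they are then overriding the hardening defaults.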
@@ -4,5 +4,12 @@ vars:
 kernel_coredump_enabled: False
 kernel_ipv6_enabled: True
+ kernel_custom_config:
+ - file: 90-example
+ content:
+ - name: vm.panic_on_oom
+ value: 0
+ - name: vm.overcommit_memory
+ value: 1
 roles:
 - role: xoxys.kernel
diff --git a/molecule/centos7/tests/test_default.py b/molecule/centos7/tests/test_default.py
index e60bca0..b9f591c 100644
--- a/molecule/centos7/tests/test_default.py
+++ b/molecule/centos7/tests/test_default.py
@@ -1,4 +1,5 @@
 import os
+import pytest
 import testinfra.utils.ansible_runner
@@ -8,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 def test_sysctl_file(host):
- sysctl = host.file("/etc/sysctl.d/local.conf")
+ sysctl = host.file("/etc/sysctl.d/99-local.conf")
 assert sysctl.exists
 assert sysctl.user == "root"
@@ -16,6 +17,18 @@ def test_sysctl_file(host):
 assert sysctl.mode == 0o644
+@pytest.mark.parametrize(
+ "name,value", [
+ ("net.ipv4.ip_forward", 0),
+ ("net.ipv6.conf.all.forwarding", 0),
+ ("vm.panic_on_oom", 0),
+ ("vm.overcommit_memory", 1),
+ ]
+)
+def test_sysctl_values(host, name, value):
+ assert host.sysctl(name) == value
+
+
 def test_modprobe_file(host):
 modprobe = host.file("/etc/modprobe.d/custom.conf")
@@ -28,6 +41,6 @@ def test_modprobe_file(host):
 def test_coredump_config(host):
- assert host.file("/etc/sysctl.d/dump.conf").exists
+ assert host.file("/etc/sysctl.d/99-dump.conf").exists
 assert host.file("/etc/security/limits.d/dump.conf").exists
 assert host.file("/etc/profile.d/dump.sh").exists
diff --git a/molecule/default b/molecule/default
index 62ea184..afa9fc6 120000
--- a/molecule/default
+++ b/molecule/default
@@ -1 +1 @@
-rocky8
\ No newline at end of file
+rocky9
\ No newline at end of file
diff --git a/molecule/rocky9/converge.yml b/molecule/rocky9/converge.yml
index 0810ee7..9863e75 100644
--- a/molecule/rocky9/converge.yml
+++ b/molecule/rocky9/converge.yml
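Review bot: The new `test_sysctl_values` checks the live kernel values, but nothing verifies that the file generated from `kernel_custom_config` was deployed with the ownership and mode that `test_sysctl_file` asserts for `99-local.conf`; add `custom = host.file("/etc/sysctl.d/90-example.conf")` / `assert custom.exists and custom.user == "root" and custom.group == "root"` / `assert custom.mode == 0o644`. Of the two new parameters only `vm.overcommit_memory` = 1 differs from the stock kernel default, so the `vm.panic_on_oom` = 0 case would pass even if the custom file were never applied and gives no signal on its own. The same gap exists in the parametrize hunk of molecule/rocky9/tests/test_default.py.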
@@ -4,5 +4,12 @@ vars:
 kernel_coredump_enabled: False
 kernel_ipv6_enabled: True
+ kernel_custom_config:
+ - file: 90-example
+ content:
+ - name: vm.panic_on_oom
+ value: 0
+ - name: vm.overcommit_memory
+ value: 1
 roles:
 - role: xoxys.kernel
diff --git a/molecule/rocky9/tests/test_default.py b/molecule/rocky9/tests/test_default.py
index b038100..b9f591c 100644
--- a/molecule/rocky9/tests/test_default.py
+++ b/molecule/rocky9/tests/test_default.py
@@ -9,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 def test_sysctl_file(host):
- sysctl = host.file("/etc/sysctl.d/local.conf")
+ sysctl = host.file("/etc/sysctl.d/99-local.conf")
 assert sysctl.exists
 assert sysctl.user == "root"
@@ -21,6 +21,8 @@ def test_sysctl_file(host):
 "name,value", [
 ("net.ipv4.ip_forward", 0),
 ("net.ipv6.conf.all.forwarding", 0),
+ ("vm.panic_on_oom", 0),
+ ("vm.overcommit_memory", 1),
 ]
 )
 def test_sysctl_values(host, name, value):
@@ -39,6 +41,6 @@ def test_modprobe_file(host):
 def test_coredump_config(host):
- assert host.file("/etc/sysctl.d/dump.conf").exists
+ assert host.file("/etc/sysctl.d/99-dump.conf").exists
 assert host.file("/etc/security/limits.d/dump.conf").exists
 assert host.file("/etc/profile.d/dump.sh").exists
diff --git a/tasks/coredump.yml b/tasks/coredump.yml
index 2bd38a2..f301def 100644
--- a/tasks/coredump.yml
+++ b/tasks/coredump.yml
@@ -2,8 +2,8 @@
 - block:
 - name: Disable core dump for setuid programs
 template:
- src: etc/sysctl.d/dump.conf.j2
- dest: /etc/sysctl.d/dump.conf
+ src: etc/sysctl.d/99-dump.conf.j2
+ dest: /etc/sysctl.d/99-dump.conf
 owner: root
 group: root
 mode: 0644
diff --git a/tasks/kernel.yml b/tasks/kernel.yml
index 9fe04bf..edb45d8 100644
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
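Review bot: Changing `dest` to `/etc/sysctl.d/99-dump.conf` leaves the previous `/etc/sysctl.d/dump.conf` in place on hosts provisioned by an earlier version of the role, and nothing in this hunk removes it, so both files stay in effect across reboots and a later change to the template only reaches the new one. Add a task to the same block that removes the legacy path with the `file` module and `state: absent`, notifying `__kernel_reload` as the template task does. The `block` and whatever condition guards it continue outside the hunk. The rename from `local.conf` to `99-local.conf` in tasks/kernel.yml has the same gap.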
@@ -1,14 +1,26 @@
 ---
 - block:
- - name: Set kernel hardening parameters
+ - name: Set default kernel hardening parameters
 template:
- src: etc/sysctl.d/local.conf.j2
- dest: /etc/sysctl.d/local.conf
+ src: etc/sysctl.d/99-local.conf.j2
+ dest: /etc/sysctl.d/99-local.conf
 owner: root
 group: root
 mode: 0644
 notify: __kernel_reload
+ - name: Deploy custom kernel configurations
+ template:
+ src: etc/sysctl.d/xx-custom.conf.j2
+ dest: "/etc/sysctl.d/{{ item.file }}.conf"
+ owner: root
+ group: root
+ mode: 0644
+ loop: "{{ kernel_custom_config }}"
+ loop_control:
+ label: "{{ item.file }}"
+ notify: __kernel_reload
+
 - name: Deploy custom modprobe
 template:
 src: etc/modprobe.d/custom.conf.j2
diff --git a/templates/etc/sysctl.d/dump.conf.j2 b/templates/etc/sysctl.d/99-dump.conf.j2
similarity index 89%
rename from templates/etc/sysctl.d/dump.conf.j2
rename to templates/etc/sysctl.d/99-dump.conf.j2
index 155b772..de4e65d 100644
--- a/templates/etc/sysctl.d/dump.conf.j2
+++ b/templates/etc/sysctl.d/99-dump.conf.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: True
 {{ ansible_managed | comment }}
 # Controls whether core dumps will append the PID to the core filename
 kernel.core_uses_pid = 1
diff --git a/templates/etc/sysctl.d/local.conf.j2 b/templates/etc/sysctl.d/99-local.conf.j2
similarity index 100%
rename from templates/etc/sysctl.d/local.conf.j2
rename to templates/etc/sysctl.d/99-local.conf.j2
diff --git a/templates/etc/sysctl.d/xx-custom.conf.j2 b/templates/etc/sysctl.d/xx-custom.conf.j2
new file mode 100644
index 0000000..391c46c
--- /dev/null
+++ b/templates/etc/sysctl.d/xx-custom.conf.j2
@@ -0,0 +1,5 @@
+#jinja2: lstrip_blocks: True
+{{ ansible_managed | comment }}
+{% for option in item.content %}
+{{ option.name }} = {{ option.value }}
+{% endfor %}
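Review bot: `dest: "/etc/sysctl.d/{{ item.file }}.conf"` in the new "Deploy custom kernel configurations" task uses `item.file` unfiltered, so an entry containing `/` or `..` writes the rendered template outside `/etc/sysctl.d` with root ownership; the value comes from the inventory rather than from a remote party, but a hardening role should not depend on a variable being well-formed to keep its writes inside one directory. Restrict it with `dest: "/etc/sysctl.d/{{ item.file | basename }}.conf"` or, better, an `assert` task before the loop such as `that: item.file is match('^[A-Za-z0-9_-]+$')`, which rejects separators and dots outright. Entries later removed from `kernel_custom_config` also leave their files in place, so their values keep being applied on boot; if cleanup is out of scope this is worth stating in the role docs. The enclosing `block` continues outside the hunk.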
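Review bot: `{{ option.name }} = {{ option.value }}` in the new template writes both fields verbatim, so a `value` carrying an embedded newline produces additional `key = value` lines in the generated sysctl file, and an entry without a `content` key fails inside the `for` with an undefined-variable error rather than a message naming the offending entry. Validate the entries in the task that loops over `kernel_custom_config` rather than in the template — for example an `assert` that every `name` matches `^[A-Za-z0-9_./-]+$` and every `value` is a number or a single-line string — so the template stays a plain loop and the failure points at the bad list item.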