fix: disable and blacklist modules from kernel_disable_modules

2022-09-18 13:04:02 +02:00 · 2022-09-18 13:04:02 +02:00 · ca27e64ad4
commit ca27e64ad4
parent 8a824622bc
3 changed files with 6 additions and 8 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,14 +1,14 @@
 ---
 kernel_disable_modules:
  - usb-storage
-
-kernel_blacklist_modules:
  - firewire-core
  - dccp
  - sctp
  - tipc
  - rds

+kernel_blacklist_modules: []
+
 # @var kernel_ipv4_ping_group_range: $ "_unset"
 # @var kernel_ipv4_ping_group_range:example: $ "0 2000000"

--- a/templates/etc/modprobe.d/custom.conf.j2
+++ b/templates/etc/modprobe.d/custom.conf.j2
@ -1,10 +1,11 @@
 #jinja2: lstrip_blocks: True
 {{ ansible_managed | comment }}
-
 {% for module in kernel_disable_modules %}
 install {{ module }} /bin/true
-
 {% endfor %}
-{% for module in kernel_blacklist_modules %}
+{% if (kernel_blacklist_modules + kernel_disable_modules) | length > 0 %}
+
+{% for module in (kernel_blacklist_modules + kernel_disable_modules) %}
 blacklist {{ module }}
 {% endfor %}
+{% endif %}
--- a/templates/etc/sysctl.d/local.conf.j2
+++ b/templates/etc/sysctl.d/local.conf.j2
@ -19,9 +19,6 @@ kernel.yama.ptrace_scope = 2
 # Command is trapped and sent to the init program to handle a graceful restart
 kernel.ctrl-alt-del = 0

-# Disable loading new modules
-kernel.modules_disabled = 1
-
 # Disable access to performance events by users without CAP_SYS_ADMIN
 kernel.perf_event_paranoid = 3