feat: add option to add custom sysctl configs #2
@ -13,13 +13,23 @@ kernel_disable_modules:
|
|||||||
|
|
||||||
kernel_blacklist_modules: []
|
kernel_blacklist_modules: []
|
||||||
|
|
||||||
# @var kernel_ipv4_ping_group_range: $ "_unset"
|
kernel_custom_config: []
|
||||||
# @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
|
# @var kernel_custom_config:example: >
|
||||||
|
# kernel_custom_config:
|
||||||
|
# - file: 90-example
|
||||||
|
# content:
|
||||||
|
# - name: vm.panic_on_oom
|
||||||
|
# value: 0
|
||||||
|
# - name: vm.overcommit_memory
|
||||||
|
# value: 1
|
||||||
|
# @end
|
||||||
|
|
||||||
kernel_namespace_support_enabled: False
|
kernel_namespace_support_enabled: False
|
||||||
kernel_coredump_enabled: True
|
kernel_coredump_enabled: True
|
||||||
|
|
||||||
|
# @var kernel_ipv4_ping_group_range: $ "_unset"
|
||||||
|
# @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
|
||||||
|
kernel_ipv4_forwarding_enabled: False
|
||||||
|
|
||||||
kernel_ipv6_enabled: False
|
kernel_ipv6_enabled: False
|
||||||
kernel_ipv6_forwarding_enabled: False
|
kernel_ipv6_forwarding_enabled: False
|
||||||
|
|
||||||
kernel_ipv4_forwarding_enabled: False
|
|
||||||
|
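Review bot: The new `kernel_custom_config` documentation (the `# @var kernel_custom_config:example:` block) does not say how a custom file relates to the role's own hardening file, which this commit renames to `99-local.conf`; with systemd-sysctl, files in `/etc/sysctl.d` are applied in lexical order and a later file wins for a repeated key, so an entry in the example `90-example` that repeats a key from `99-local.conf` is silently overridden, which is presumably the intent of the `99-` prefix. A one-line addition to the example comment would make that contract explicit, e.g. `# Files are applied in lexical order; a name sorting before 99-local cannot override the role defaults.` It would also help to state that `file` is a bare name without directory or `.conf` suffix, since the task appends `.conf` itself.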
@ -4,5 +4,12 @@
|
|||||||
vars:
|
vars:
|
||||||
kernel_coredump_enabled: False
|
kernel_coredump_enabled: False
|
||||||
kernel_ipv6_enabled: True
|
kernel_ipv6_enabled: True
|
||||||
|
kernel_custom_config:
|
||||||
|
- file: 90-example
|
||||||
|
content:
|
||||||
|
- name: vm.panic_on_oom
|
||||||
|
value: 0
|
||||||
|
- name: vm.overcommit_memory
|
||||||
|
value: 1
|
||||||
roles:
|
roles:
|
||||||
- role: xoxys.kernel
|
- role: xoxys.kernel
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
import os
|
import os
|
||||||
|
import pytest
|
||||||
|
|
||||||
import testinfra.utils.ansible_runner
|
import testinfra.utils.ansible_runner
|
||||||
|
|
||||||
@ -8,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
|
|||||||
|
|
||||||
|
|
||||||
def test_sysctl_file(host):
|
def test_sysctl_file(host):
|
||||||
sysctl = host.file("/etc/sysctl.d/local.conf")
|
sysctl = host.file("/etc/sysctl.d/99-local.conf")
|
||||||
|
|
||||||
assert sysctl.exists
|
assert sysctl.exists
|
||||||
assert sysctl.user == "root"
|
assert sysctl.user == "root"
|
||||||
@ -16,6 +17,18 @@ def test_sysctl_file(host):
|
|||||||
assert sysctl.mode == 0o644
|
assert sysctl.mode == 0o644
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.parametrize(
|
||||||
|
"name,value", [
|
||||||
|
("net.ipv4.ip_forward", 0),
|
||||||
|
("net.ipv6.conf.all.forwarding", 0),
|
||||||
|
("vm.panic_on_oom", 0),
|
||||||
|
("vm.overcommit_memory", 1),
|
||||||
|
]
|
||||||
|
)
|
||||||
|
def test_sysctl_values(host, name, value):
|
||||||
|
assert host.sysctl(name) == value
|
||||||
|
|
||||||
|
|
||||||
def test_modprobe_file(host):
|
def test_modprobe_file(host):
|
||||||
modprobe = host.file("/etc/modprobe.d/custom.conf")
|
modprobe = host.file("/etc/modprobe.d/custom.conf")
|
||||||
|
|
||||||
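Review bot: The new `test_sysctl_values` cases only read the live kernel value through `host.sysctl`, so nothing checks that the file the role deploys for the `kernel_custom_config` fixture (`/etc/sysctl.d/90-example.conf`, from `- file: 90-example` in the molecule vars) actually exists with root ownership and mode 0o644 the way `test_sysctl_file` checks `99-local.conf`; a kernel whose default already matches `vm.panic_on_oom = 0` would pass without the file ever being written. The same gap is in the second test_default.py hunk at `@ -21,6 +21,8 @@`, which adds the same two parametrize entries. A file-level test next to `test_sysctl_file` closes it.

```python
def test_custom_sysctl_file(host):
    custom = host.file("/etc/sysctl.d/90-example.conf")

    assert custom.exists
    assert custom.user == "root"
    assert custom.group == "root"
    assert custom.mode == 0o644
```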
@ -28,6 +41,6 @@ def test_modprobe_file(host):
|
|||||||
|
|
||||||
|
|
||||||
def test_coredump_config(host):
|
def test_coredump_config(host):
|
||||||
assert host.file("/etc/sysctl.d/dump.conf").exists
|
assert host.file("/etc/sysctl.d/99-dump.conf").exists
|
||||||
assert host.file("/etc/security/limits.d/dump.conf").exists
|
assert host.file("/etc/security/limits.d/dump.conf").exists
|
||||||
assert host.file("/etc/profile.d/dump.sh").exists
|
assert host.file("/etc/profile.d/dump.sh").exists
|
||||||
|
@ -1 +1 @@
|
|||||||
rocky8
|
rocky9
|
@ -4,5 +4,12 @@
|
|||||||
vars:
|
vars:
|
||||||
kernel_coredump_enabled: False
|
kernel_coredump_enabled: False
|
||||||
kernel_ipv6_enabled: True
|
kernel_ipv6_enabled: True
|
||||||
|
kernel_custom_config:
|
||||||
|
- file: 90-example
|
||||||
|
content:
|
||||||
|
- name: vm.panic_on_oom
|
||||||
|
value: 0
|
||||||
|
- name: vm.overcommit_memory
|
||||||
|
value: 1
|
||||||
roles:
|
roles:
|
||||||
- role: xoxys.kernel
|
- role: xoxys.kernel
|
||||||
|
@ -9,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
|
|||||||
|
|
||||||
|
|
||||||
def test_sysctl_file(host):
|
def test_sysctl_file(host):
|
||||||
sysctl = host.file("/etc/sysctl.d/local.conf")
|
sysctl = host.file("/etc/sysctl.d/99-local.conf")
|
||||||
|
|
||||||
assert sysctl.exists
|
assert sysctl.exists
|
||||||
assert sysctl.user == "root"
|
assert sysctl.user == "root"
|
||||||
@ -21,6 +21,8 @@ def test_sysctl_file(host):
|
|||||||
"name,value", [
|
"name,value", [
|
||||||
("net.ipv4.ip_forward", 0),
|
("net.ipv4.ip_forward", 0),
|
||||||
("net.ipv6.conf.all.forwarding", 0),
|
("net.ipv6.conf.all.forwarding", 0),
|
||||||
|
("vm.panic_on_oom", 0),
|
||||||
|
("vm.overcommit_memory", 1),
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
def test_sysctl_values(host, name, value):
|
def test_sysctl_values(host, name, value):
|
||||||
@ -39,6 +41,6 @@ def test_modprobe_file(host):
|
|||||||
|
|
||||||
|
|
||||||
def test_coredump_config(host):
|
def test_coredump_config(host):
|
||||||
assert host.file("/etc/sysctl.d/dump.conf").exists
|
assert host.file("/etc/sysctl.d/99-dump.conf").exists
|
||||||
assert host.file("/etc/security/limits.d/dump.conf").exists
|
assert host.file("/etc/security/limits.d/dump.conf").exists
|
||||||
assert host.file("/etc/profile.d/dump.sh").exists
|
assert host.file("/etc/profile.d/dump.sh").exists
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
- block:
|
- block:
|
||||||
- name: Disable core dump for setuid programs
|
- name: Disable core dump for setuid programs
|
||||||
template:
|
template:
|
||||||
src: etc/sysctl.d/dump.conf.j2
|
src: etc/sysctl.d/99-dump.conf.j2
|
||||||
dest: /etc/sysctl.d/dump.conf
|
dest: /etc/sysctl.d/99-dump.conf
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
@ -1,14 +1,26 @@
|
|||||||
---
|
---
|
||||||
- block:
|
- block:
|
||||||
- name: Set kernel hardening parameters
|
- name: Set default kernel hardening parameters
|
||||||
template:
|
template:
|
||||||
src: etc/sysctl.d/local.conf.j2
|
src: etc/sysctl.d/99-local.conf.j2
|
||||||
dest: /etc/sysctl.d/local.conf
|
dest: /etc/sysctl.d/99-local.conf
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
notify: __kernel_reload
|
notify: __kernel_reload
|
||||||
|
|
||||||
|
- name: Deploy custom kernel configurations
|
||||||
|
template:
|
||||||
|
src: etc/sysctl.d/xx-custom.conf.j2
|
||||||
|
dest: "/etc/sysctl.d/{{ item.file }}.conf"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
loop: "{{ kernel_custom_config }}"
|
||||||
|
loop_control:
|
||||||
|
label: "{{ item.file }}"
|
||||||
|
notify: __kernel_reload
|
||||||
|
|
||||||
- name: Deploy custom modprobe
|
- name: Deploy custom modprobe
|
||||||
template:
|
template:
|
||||||
src: etc/modprobe.d/custom.conf.j2
|
src: etc/modprobe.d/custom.conf.j2
|
||||||
|
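Review bot: `dest: "/etc/sysctl.d/{{ item.file }}.conf"` interpolates `item.file` straight into the destination path, so a `kernel_custom_config` entry whose `file` contains a `/` or `..` is written outside `/etc/sysctl.d`, and an entry without a `file` key fails only with an undefined-variable error from `loop_control.label`. Inventory variables are not usually treated as hostile, but a typo or a group-vars merge produces exactly this shape and the task gives no useful signal. A guard task that fails early on any name outside a conservative character set documents the expected shape and keeps the write confined to the intended directory. The enclosing `- block:` starts in the hunk but continues past it.

```yaml
    - name: Validate custom kernel configuration file names
      assert:
        that:
          - item.file is defined
          - item.file is match('^[A-Za-z0-9_.-]+$')
        fail_msg: "kernel_custom_config.file must be a bare file name without path separators"
        quiet: true
      loop: "{{ kernel_custom_config }}"

    # … unchanged: Deploy custom kernel configurations task …
```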
@ -1,3 +1,4 @@
|
|||||||
|
#jinja2: lstrip_blocks: True
|
||||||
{{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
# Controls whether core dumps will append the PID to the core filename
|
# Controls whether core dumps will append the PID to the core filename
|
||||||
kernel.core_uses_pid = 1
|
kernel.core_uses_pid = 1
|
5
templates/etc/sysctl.d/xx-custom.conf.j2
Normal file
5
templates/etc/sysctl.d/xx-custom.conf.j2
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
#jinja2: lstrip_blocks: True
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
{% for option in item.content %}
|
||||||
|
{{ option.name }} = {{ option.value }}
|
||||||
|
{% endfor %}
|