feat: add option to add custom sysctl configs #2

Merged
xoxys merged 1 commits from custom-conf into main 2023-01-29 14:31:09 +00:00
11 changed files with 71 additions and 14 deletions


@ -13,13 +13,23 @@ kernel_disable_modules:
kernel_blacklist_modules: [] kernel_blacklist_modules: []
# @var kernel_ipv4_ping_group_range: $ "_unset" kernel_custom_config: []
# @var kernel_ipv4_ping_group_range:example: $ "0 2000000" # @var kernel_custom_config:example: >
# kernel_custom_config:
# - file: 90-example
# content:
# - name: vm.panic_on_oom
# value: 0
# - name: vm.overcommit_memory
# value: 1
# @end
kernel_namespace_support_enabled: False kernel_namespace_support_enabled: False
kernel_coredump_enabled: True kernel_coredump_enabled: True
# @var kernel_ipv4_ping_group_range: $ "_unset"
# @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
kernel_ipv4_forwarding_enabled: False
kernel_ipv6_enabled: False kernel_ipv6_enabled: False
kernel_ipv6_forwarding_enabled: False kernel_ipv6_forwarding_enabled: False
kernel_ipv4_forwarding_enabled: False
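Review bot: The `@var kernel_custom_config:example` block shows the list structure but not how a custom file interacts with the role's own `99-local.conf`: sysctl.d(5) applies files in lexical filename order and the lexicographically latest file wins for a duplicated key, so the documented `90-example` can never override a hardening default, while a name sorting after `99-local` silently would. A line in the example comment such as `# Files apply in lexical order; a name sorting after 99-local overrides the role's hardening defaults` would make that explicit. The comment should also state that `file` is used verbatim as the basename under /etc/sysctl.d with `.conf` appended by the task, so it is expected to be a plain filename rather than a path.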


@ -4,5 +4,12 @@
vars: vars:
kernel_coredump_enabled: False kernel_coredump_enabled: False
kernel_ipv6_enabled: True kernel_ipv6_enabled: True
kernel_custom_config:
- file: 90-example
content:
- name: vm.panic_on_oom
value: 0
- name: vm.overcommit_memory
value: 1
roles: roles:
- role: xoxys.kernel - role: xoxys.kernel


@ -1,4 +1,5 @@
import os import os
import pytest
import testinfra.utils.ansible_runner import testinfra.utils.ansible_runner
@ -8,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
def test_sysctl_file(host): def test_sysctl_file(host):
sysctl = host.file("/etc/sysctl.d/local.conf") sysctl = host.file("/etc/sysctl.d/99-local.conf")
assert sysctl.exists assert sysctl.exists
assert sysctl.user == "root" assert sysctl.user == "root"
@ -16,6 +17,18 @@ def test_sysctl_file(host):
assert sysctl.mode == 0o644 assert sysctl.mode == 0o644
@pytest.mark.parametrize(
"name,value", [
("net.ipv4.ip_forward", 0),
("net.ipv6.conf.all.forwarding", 0),
("vm.panic_on_oom", 0),
("vm.overcommit_memory", 1),
]
)
def test_sysctl_values(host, name, value):
assert host.sysctl(name) == value
def test_modprobe_file(host): def test_modprobe_file(host):
modprobe = host.file("/etc/modprobe.d/custom.conf") modprobe = host.file("/etc/modprobe.d/custom.conf")
@ -28,6 +41,6 @@ def test_modprobe_file(host):
def test_coredump_config(host): def test_coredump_config(host):
assert host.file("/etc/sysctl.d/dump.conf").exists assert host.file("/etc/sysctl.d/99-dump.conf").exists
assert host.file("/etc/security/limits.d/dump.conf").exists assert host.file("/etc/security/limits.d/dump.conf").exists
assert host.file("/etc/profile.d/dump.sh").exists assert host.file("/etc/profile.d/dump.sh").exists
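Review bot: `test_sysctl_values` verifies the kernel reports the values from the converge example, but nothing checks that the custom file was rendered under the expected name with the ownership and mode that `test_sysctl_file` asserts for `99-local.conf`, so a regression in the task's `dest` or `mode` would pass as long as the value is live. A sibling test along the lines of `custom = host.file("/etc/sysctl.d/90-example.conf")`, `assert custom.exists and custom.user == "root"`, `assert custom.mode == 0o644` closes that gap. The second test file on this page (the `@ -21,6 +21,8 @@` hunk) has the same omission.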


@ -1 +1 @@
rocky8 rocky9


@ -4,5 +4,12 @@
vars: vars:
kernel_coredump_enabled: False kernel_coredump_enabled: False
kernel_ipv6_enabled: True kernel_ipv6_enabled: True
kernel_custom_config:
- file: 90-example
content:
- name: vm.panic_on_oom
value: 0
- name: vm.overcommit_memory
value: 1
roles: roles:
- role: xoxys.kernel - role: xoxys.kernel


@ -9,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
def test_sysctl_file(host): def test_sysctl_file(host):
sysctl = host.file("/etc/sysctl.d/local.conf") sysctl = host.file("/etc/sysctl.d/99-local.conf")
assert sysctl.exists assert sysctl.exists
assert sysctl.user == "root" assert sysctl.user == "root"
@ -21,6 +21,8 @@ def test_sysctl_file(host):
"name,value", [ "name,value", [
("net.ipv4.ip_forward", 0), ("net.ipv4.ip_forward", 0),
("net.ipv6.conf.all.forwarding", 0), ("net.ipv6.conf.all.forwarding", 0),
("vm.panic_on_oom", 0),
("vm.overcommit_memory", 1),
] ]
) )
def test_sysctl_values(host, name, value): def test_sysctl_values(host, name, value):
@ -39,6 +41,6 @@ def test_modprobe_file(host):
def test_coredump_config(host): def test_coredump_config(host):
assert host.file("/etc/sysctl.d/dump.conf").exists assert host.file("/etc/sysctl.d/99-dump.conf").exists
assert host.file("/etc/security/limits.d/dump.conf").exists assert host.file("/etc/security/limits.d/dump.conf").exists
assert host.file("/etc/profile.d/dump.sh").exists assert host.file("/etc/profile.d/dump.sh").exists


@ -2,8 +2,8 @@
- block: - block:
- name: Disable core dump for setuid programs - name: Disable core dump for setuid programs
template: template:
src: etc/sysctl.d/dump.conf.j2 src: etc/sysctl.d/99-dump.conf.j2
dest: /etc/sysctl.d/dump.conf dest: /etc/sysctl.d/99-dump.conf
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644


@ -1,14 +1,26 @@
--- ---
- block: - block:
- name: Set kernel hardening parameters - name: Set default kernel hardening parameters
template: template:
src: etc/sysctl.d/local.conf.j2 src: etc/sysctl.d/99-local.conf.j2
dest: /etc/sysctl.d/local.conf dest: /etc/sysctl.d/99-local.conf
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: __kernel_reload notify: __kernel_reload
- name: Deploy custom kernel configurations
template:
src: etc/sysctl.d/xx-custom.conf.j2
dest: "/etc/sysctl.d/{{ item.file }}.conf"
owner: root
group: root
mode: 0644
loop: "{{ kernel_custom_config }}"
loop_control:
label: "{{ item.file }}"
notify: __kernel_reload
- name: Deploy custom modprobe - name: Deploy custom modprobe
template: template:
src: etc/modprobe.d/custom.conf.j2 src: etc/modprobe.d/custom.conf.j2
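Review bot: The new `Deploy custom kernel configurations` task only creates files; an entry later removed from `kernel_custom_config` leaves its `/etc/sysctl.d/<file>.conf` on the host, so the settings keep being applied on every boot and reload while the inventory no longer shows them. One way to make removal explicit is an optional per-entry `state` key, with a companion `file: state: absent` task that also notifies `__kernel_reload`, sketched below. Separately, `item.file` is interpolated into `dest` unchanged; a task comment such as `# item.file is a bare filename; the .conf suffix is appended here` would record that assumption next to the path. The enclosing `block:` continues past the end of this hunk.
```yaml
    - name: Deploy custom kernel configurations
      # … unchanged: template, loop, loop_control, notify …
      when: item.state | default('present') == 'present'

    - name: Remove custom kernel configurations marked absent
      file:
        path: "/etc/sysctl.d/{{ item.file }}.conf"
        state: absent
      loop: "{{ kernel_custom_config }}"
      loop_control:
        label: "{{ item.file }}"
      when: item.state | default('present') == 'absent'
      notify: __kernel_reload
```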


@ -1,3 +1,4 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
# Controls whether core dumps will append the PID to the core filename # Controls whether core dumps will append the PID to the core filename
kernel.core_uses_pid = 1 kernel.core_uses_pid = 1


@ -0,0 +1,5 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
{% for option in item.content %}
{{ option.name }} = {{ option.value }}
{% endfor %}
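Review bot: The template iterates `item.content` and emits `option.name` and `option.value` without stating what shape it expects, so an entry missing either key fails only at render time on the target with a generic undefined-variable error. A header comment after the `ansible_managed` line, such as `{# item.content: list of {name, value} sysctl entries; see kernel_custom_config:example in defaults #}`, documents the contract where a maintainer editing the template will see it. The value is written verbatim, which is what sysctl.d expects; the comment is the right place to say that no quoting or validation happens here.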