feat: add option to add custom sysctl configs #2
@ -13,13 +13,23 @@ kernel_disable_modules:
|
||||
|
||||
kernel_blacklist_modules: []
|
||||
|
||||
# @var kernel_ipv4_ping_group_range: $ "_unset"
|
||||
# @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
|
||||
kernel_custom_config: []
|
||||
# @var kernel_custom_config:example: >
|
||||
# kernel_custom_config:
|
||||
# - file: 90-example
|
||||
# content:
|
||||
# - name: vm.panic_on_oom
|
||||
# value: 0
|
||||
# - name: vm.overcommit_memory
|
||||
# value: 1
|
||||
# @end
|
||||
|
||||
kernel_namespace_support_enabled: False
|
||||
kernel_coredump_enabled: True
|
||||
|
||||
# @var kernel_ipv4_ping_group_range: $ "_unset"
|
||||
# @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
|
||||
kernel_ipv4_forwarding_enabled: False
|
||||
|
||||
kernel_ipv6_enabled: False
|
||||
kernel_ipv6_forwarding_enabled: False
|
||||
|
||||
kernel_ipv4_forwarding_enabled: False
|
||||
|
@ -4,5 +4,12 @@
|
||||
vars:
|
||||
kernel_coredump_enabled: False
|
||||
kernel_ipv6_enabled: True
|
||||
kernel_custom_config:
|
||||
- file: 90-example
|
||||
content:
|
||||
- name: vm.panic_on_oom
|
||||
value: 0
|
||||
- name: vm.overcommit_memory
|
||||
value: 1
|
||||
roles:
|
||||
- role: xoxys.kernel
|
||||
|
@ -1,4 +1,5 @@
|
||||
import os
|
||||
import pytest
|
||||
|
||||
import testinfra.utils.ansible_runner
|
||||
|
||||
@ -8,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
|
||||
|
||||
|
||||
def test_sysctl_file(host):
|
||||
sysctl = host.file("/etc/sysctl.d/local.conf")
|
||||
sysctl = host.file("/etc/sysctl.d/99-local.conf")
|
||||
|
||||
assert sysctl.exists
|
||||
assert sysctl.user == "root"
|
||||
@ -16,6 +17,18 @@ def test_sysctl_file(host):
|
||||
assert sysctl.mode == 0o644
|
||||
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
"name,value", [
|
||||
("net.ipv4.ip_forward", 0),
|
||||
("net.ipv6.conf.all.forwarding", 0),
|
||||
("vm.panic_on_oom", 0),
|
||||
("vm.overcommit_memory", 1),
|
||||
]
|
||||
)
|
||||
def test_sysctl_values(host, name, value):
|
||||
assert host.sysctl(name) == value
|
||||
|
||||
|
||||
def test_modprobe_file(host):
|
||||
modprobe = host.file("/etc/modprobe.d/custom.conf")
|
||||
|
||||
@ -28,6 +41,6 @@ def test_modprobe_file(host):
|
||||
|
||||
|
||||
def test_coredump_config(host):
|
||||
assert host.file("/etc/sysctl.d/dump.conf").exists
|
||||
assert host.file("/etc/sysctl.d/99-dump.conf").exists
|
||||
assert host.file("/etc/security/limits.d/dump.conf").exists
|
||||
assert host.file("/etc/profile.d/dump.sh").exists
|
||||
|
@ -1 +1 @@
|
||||
rocky8
|
||||
rocky9
|
@ -4,5 +4,12 @@
|
||||
vars:
|
||||
kernel_coredump_enabled: False
|
||||
kernel_ipv6_enabled: True
|
||||
kernel_custom_config:
|
||||
- file: 90-example
|
||||
content:
|
||||
- name: vm.panic_on_oom
|
||||
value: 0
|
||||
- name: vm.overcommit_memory
|
||||
value: 1
|
||||
roles:
|
||||
- role: xoxys.kernel
|
||||
|
@ -9,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
|
||||
|
||||
|
||||
def test_sysctl_file(host):
|
||||
sysctl = host.file("/etc/sysctl.d/local.conf")
|
||||
sysctl = host.file("/etc/sysctl.d/99-local.conf")
|
||||
|
||||
assert sysctl.exists
|
||||
assert sysctl.user == "root"
|
||||
@ -21,6 +21,8 @@ def test_sysctl_file(host):
|
||||
"name,value", [
|
||||
("net.ipv4.ip_forward", 0),
|
||||
("net.ipv6.conf.all.forwarding", 0),
|
||||
("vm.panic_on_oom", 0),
|
||||
("vm.overcommit_memory", 1),
|
||||
]
|
||||
)
|
||||
def test_sysctl_values(host, name, value):
|
||||
@ -39,6 +41,6 @@ def test_modprobe_file(host):
|
||||
|
||||
|
||||
def test_coredump_config(host):
|
||||
assert host.file("/etc/sysctl.d/dump.conf").exists
|
||||
assert host.file("/etc/sysctl.d/99-dump.conf").exists
|
||||
assert host.file("/etc/security/limits.d/dump.conf").exists
|
||||
assert host.file("/etc/profile.d/dump.sh").exists
|
||||
|
@ -2,8 +2,8 @@
|
||||
- block:
|
||||
- name: Disable core dump for setuid programs
|
||||
template:
|
||||
src: etc/sysctl.d/dump.conf.j2
|
||||
dest: /etc/sysctl.d/dump.conf
|
||||
src: etc/sysctl.d/99-dump.conf.j2
|
||||
dest: /etc/sysctl.d/99-dump.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
@ -1,14 +1,26 @@
|
||||
---
|
||||
- block:
|
||||
- name: Set kernel hardening parameters
|
||||
- name: Set default kernel hardening parameters
|
||||
template:
|
||||
src: etc/sysctl.d/local.conf.j2
|
||||
dest: /etc/sysctl.d/local.conf
|
||||
src: etc/sysctl.d/99-local.conf.j2
|
||||
dest: /etc/sysctl.d/99-local.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: __kernel_reload
|
||||
|
||||
- name: Deploy custom kernel configurations
|
||||
template:
|
||||
src: etc/sysctl.d/xx-custom.conf.j2
|
||||
dest: "/etc/sysctl.d/{{ item.file }}.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
loop: "{{ kernel_custom_config }}"
|
||||
loop_control:
|
||||
label: "{{ item.file }}"
|
||||
notify: __kernel_reload
|
||||
|
||||
- name: Deploy custom modprobe
|
||||
template:
|
||||
src: etc/modprobe.d/custom.conf.j2
|
||||
|
@ -1,3 +1,4 @@
|
||||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
# Controls whether core dumps will append the PID to the core filename
|
||||
kernel.core_uses_pid = 1
|
5
templates/etc/sysctl.d/xx-custom.conf.j2
Normal file
5
templates/etc/sysctl.d/xx-custom.conf.j2
Normal file
@ -0,0 +1,5 @@
|
||||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
{% for option in item.content %}
|
||||
{{ option.name }} = {{ option.value }}
|
||||
{% endfor %}
|
Loading…
Reference in New Issue
Block a user