ansible-roles/evolinux-base/tasks/kernel.yml

---

- name: "Use Cloud kernel on virtual servers"
  ansible.builtin.apt:
    name: "linux-image-cloud-amd64"
    state: present
  register: _use_cloud_kernel
  when:
    - ansible_machine == "x86_64"
    - ansible_virtualization_role == "guest"
    - evolinux_kernel_cloud_auto | bool
    - ansible_distribution_major_version is version('10', '>=')

- name: "Remove non-Cloud kernel on virtual servers"
  ansible.builtin.apt:
    name: "linux-image-amd64"
    state: absent
  when:
    - ansible_machine == "x86_64"
    - ansible_virtualization_role == "guest"
    - evolinux_kernel_cloud_auto | bool
   
- name: "Reboot the server to enable the new kernel"
  ansible.builtin.reboot:
    reboot_timeout: 600
    search_paths: ['/lib/molly-guard', '/sbin']
  when:
    - _use_cloud_kernel is changed
    - evolinux_kernel_cloud_reboot | bool

- name: Reboot after panic
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: yes
  loop:
    - { name: kernel.panic_on_oops, value: 1 }
    - { name: kernel.panic, value: 60 }
  when: evolinux_kernel_reboot_after_panic | bool

- name: Don't reboot after panic
  ansible.posix.sysctl:
    name: "{{ item }}"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: absent
    reload: yes
  loop:
    - kernel.panic_on_oops
    - kernel.panic
  when: not evolinux_kernel_reboot_after_panic | bool

- name: Disable net.ipv4.tcp_timestamps
  ansible.posix.sysctl:
    name: net.ipv4.tcp_timestamps
    value: '0'
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: yes
  when: evolinux_kernel_disable_tcp_timestamps | bool

- name: Customize the swappiness
  ansible.posix.sysctl:
    name: vm.swappiness
    value: "{{ evolinux_kernel_swappiness }}"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: yes
  when: evolinux_kernel_customize_swappiness | bool

- name: Patch for TCP stack vulnerability CVE-2016-5696
  ansible.posix.sysctl:
    name: net.ipv4.tcp_challenge_ack_limit
    value: "1073741823"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: yes
  when: evolinux_kernel_cve20165696 | bool

- name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack)
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: yes
  loop:
    - { name: "net.ipv4.ipfrag_low_thresh",   value: "196608" }
    - { name: "net.ipv6.ip6frag_low_thresh",  value: "196608" }
    - { name: "net.ipv4.ipfrag_high_thresh",  value: "262144" }
    - { name: "net.ipv6.ip6frag_high_thresh", value: "262144" }

- ansible.builtin.meta: flush_handlers
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`---`
evolinux: finer grained kernel configuration 2017-03-30 15:33:23 +02:00
evolinux-base: replace regular kernel by cloud kernel on virtual servers 2022-10-19 16:32:36 +02:00			`- name: "Use Cloud kernel on virtual servers"`
evolinux-base: syntax 2023-03-18 18:35:54 +01:00			`ansible.builtin.apt:`
evolinux-base: replace regular kernel by cloud kernel on virtual servers 2022-10-19 16:32:36 +02:00			`name: "linux-image-cloud-amd64"`
			`state: present`
evolinux-base: reboot the server if the Cloud kernel has been installed 2023-08-18 12:09:56 +02:00			`register: _use_cloud_kernel`
evolinux-base: replace regular kernel by cloud kernel on virtual servers 2022-10-19 16:32:36 +02:00			`when:`
			`- ansible_machine == "x86_64"`
			`- ansible_virtualization_role == "guest"`
			`- evolinux_kernel_cloud_auto \| bool`
evolinux-base: Don’t try to install unavailable linux-image-cloud-amd64 before Buster 2023-11-30 15:45:48 +01:00			`- ansible_distribution_major_version is version('10', '>=')`
evolinux-base: replace regular kernel by cloud kernel on virtual servers 2022-10-19 16:32:36 +02:00
			`- name: "Remove non-Cloud kernel on virtual servers"`
evolinux-base: syntax 2023-03-18 18:35:54 +01:00			`ansible.builtin.apt:`
evolinux-base: replace regular kernel by cloud kernel on virtual servers 2022-10-19 16:32:36 +02:00			`name: "linux-image-amd64"`
			`state: absent`
			`when:`
			`- ansible_machine == "x86_64"`
			`- ansible_virtualization_role == "guest"`
			`- evolinux_kernel_cloud_auto \| bool`
evolinux-base: reboot the server if the Cloud kernel has been installed 2023-08-18 12:09:56 +02:00
			`- name: "Reboot the server to enable the new kernel"`
			`ansible.builtin.reboot:`
			`reboot_timeout: 600`
			`search_paths: ['/lib/molly-guard', '/sbin']`
			`when:`
evolinux-base/tasks/kernel.yml > fix typo, 'is changed' vs '\| changed' 2023-08-22 12:28:57 +02:00			`- _use_cloud_kernel is changed`
evolinux-base: reboot the server if the Cloud kernel has been installed 2023-08-18 12:09:56 +02:00			`- evolinux_kernel_cloud_reboot \| bool`
evolinux-base: replace regular kernel by cloud kernel on virtual servers 2022-10-19 16:32:36 +02:00
evolinux: finer grained kernel configuration 2017-03-30 15:33:23 +02:00			`- name: Reboot after panic`
evolinux-base: syntax 2023-03-18 18:35:54 +01:00			`ansible.posix.sysctl:`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`name: "{{ item.name }}"`
			`value: "{{ item.value }}"`
evolinux: finer grained kernel configuration 2017-03-30 15:33:23 +02:00			`sysctl_file: "{{ evolinux_kernel_sysctl_path }}"`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`state: present`
			`reload: yes`
Use 'loop' syntax instead of 'with_items' 2021-05-04 14:18:40 +02:00			`loop:`
loop syntax and whitespaces 2021-08-27 11:01:26 +02:00			`- { name: kernel.panic_on_oops, value: 1 }`
			`- { name: kernel.panic, value: 60 }`
Improve Ansible syntax replace « x \| changed » by « x is changed » add explicit « bool » filter use « length » filter instead of string comparison 2021-05-09 23:06:42 +02:00			`when: evolinux_kernel_reboot_after_panic \| bool`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00
evolinux: finer grained kernel configuration 2017-03-30 15:33:23 +02:00			`- name: Don't reboot after panic`
evolinux-base: syntax 2023-03-18 18:35:54 +01:00			`ansible.posix.sysctl:`
evolinux: finer grained kernel configuration 2017-03-30 15:33:23 +02:00			`name: "{{ item }}"`
			`sysctl_file: "{{ evolinux_kernel_sysctl_path }}"`
			`state: absent`
			`reload: yes`
Use 'loop' syntax instead of 'with_items' 2021-05-04 14:18:40 +02:00			`loop:`
loop syntax and whitespaces 2021-08-27 11:01:26 +02:00			`- kernel.panic_on_oops`
			`- kernel.panic`
Improve Ansible syntax replace « x \| changed » by « x is changed » add explicit « bool » filter use « length » filter instead of string comparison 2021-05-09 23:06:42 +02:00			`when: not evolinux_kernel_reboot_after_panic \| bool`
evolinux: finer grained kernel configuration 2017-03-30 15:33:23 +02:00
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`- name: Disable net.ipv4.tcp_timestamps`
evolinux-base: syntax 2023-03-18 18:35:54 +01:00			`ansible.posix.sysctl:`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`name: net.ipv4.tcp_timestamps`
quote numeric values 2021-05-01 22:12:27 +02:00			`value: '0'`
evolinux: finer grained kernel configuration 2017-03-30 15:33:23 +02:00			`sysctl_file: "{{ evolinux_kernel_sysctl_path }}"`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`state: present`
			`reload: yes`
Improve Ansible syntax replace « x \| changed » by « x is changed » add explicit « bool » filter use « length » filter instead of string comparison 2021-05-09 23:06:42 +02:00			`when: evolinux_kernel_disable_tcp_timestamps \| bool`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00
evolinux-base: swappiness is customizable 2020-09-01 14:08:39 +02:00			`- name: Customize the swappiness`
evolinux-base: syntax 2023-03-18 18:35:54 +01:00			`ansible.posix.sysctl:`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`name: vm.swappiness`
evolinux-base: swappiness is customizable 2020-09-01 14:08:39 +02:00			`value: "{{ evolinux_kernel_swappiness }}"`
evolinux: finer grained kernel configuration 2017-03-30 15:33:23 +02:00			`sysctl_file: "{{ evolinux_kernel_sysctl_path }}"`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`state: present`
			`reload: yes`
Improve Ansible syntax replace « x \| changed » by « x is changed » add explicit « bool » filter use « length » filter instead of string comparison 2021-05-09 23:06:42 +02:00			`when: evolinux_kernel_customize_swappiness \| bool`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00
			`- name: Patch for TCP stack vulnerability CVE-2016-5696`
evolinux-base: syntax 2023-03-18 18:35:54 +01:00			`ansible.posix.sysctl:`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`name: net.ipv4.tcp_challenge_ack_limit`
evolinux-base: quote values 2021-05-10 09:07:18 +02:00			`value: "1073741823"`
evolinux: finer grained kernel configuration 2017-03-30 15:33:23 +02:00			`sysctl_file: "{{ evolinux_kernel_sysctl_path }}"`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`state: present`
			`reload: yes`
Improve Ansible syntax replace « x \| changed » by « x is changed » add explicit « bool » filter use « length » filter instead of string comparison 2021-05-09 23:06:42 +02:00			`when: evolinux_kernel_cve20165696 \| bool`
evolinux-base: flush handlers at end of each include 2017-01-03 17:02:23 +01:00
evolinux-base: compact multiple systctl tasks into one 2018-08-20 16:08:45 +02:00			`- name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack)`
evolinux-base: syntax 2023-03-18 18:35:54 +01:00			`ansible.posix.sysctl:`
evolinux-base: compact multiple systctl tasks into one 2018-08-20 16:08:45 +02:00			`name: "{{ item.name }}"`
			`value: "{{ item.value }}"`
Workaround by Evolix security team for old kernels and vulnerabiliy CVE-2018-5391 (FragmentSmack) 2018-08-17 21:28:14 +02:00			`sysctl_file: "{{ evolinux_kernel_sysctl_path }}"`
			`state: present`
			`reload: yes`
Use 'loop' syntax instead of 'with_items' 2021-05-04 14:18:40 +02:00			`loop:`
evolinux-base: quote values 2021-05-10 09:07:18 +02:00			`- { name: "net.ipv4.ipfrag_low_thresh", value: "196608" }`
			`- { name: "net.ipv6.ip6frag_low_thresh", value: "196608" }`
			`- { name: "net.ipv4.ipfrag_high_thresh", value: "262144" }`
			`- { name: "net.ipv6.ip6frag_high_thresh", value: "262144" }`
Workaround by Evolix security team for old kernels and vulnerabiliy CVE-2018-5391 (FragmentSmack) 2018-08-17 21:28:14 +02:00
evolinux-base: syntax 2023-03-18 18:35:54 +01:00			`- ansible.builtin.meta: flush_handlers`