---
# Install Debian's cloud kernel metapackage. Every entry of the `when` list
# must hold: x86_64 machine, virtualization guest, and the opt-in variable
# evolinux_kernel_cloud_auto evaluating to true.
# NOTE(review): this task only installs the package; nothing here reboots the
# host, so the running kernel stays unchanged until the next reboot.
- name: 'Use Cloud kernel on virtual servers'
  ansible.builtin.apt:
    name: 'linux-image-cloud-amd64'
    state: present
  when:
    - ansible_machine == "x86_64"
    - ansible_virtualization_role == "guest"
    - evolinux_kernel_cloud_auto | bool
# Remove the generic kernel metapackage under the same three conditions as the
# cloud-kernel install (x86_64, guest, evolinux_kernel_cloud_auto true).
# NOTE(review): only the metapackage is named here. Versioned linux-image-*
# packages it pulled in presumably stay installed, and would then no longer be
# tracked for security updates; verify and clean them up if so.
- name: 'Remove non-Cloud kernel on virtual servers'
  ansible.builtin.apt:
    name: 'linux-image-amd64'
    state: absent
  when:
    - ansible_machine == "x86_64"
    - ansible_virtualization_role == "guest"
    - evolinux_kernel_cloud_auto | bool
# Persist two sysctl keys in evolinux_kernel_sysctl_path and reload them:
#   kernel.panic_on_oops = 1  -> a kernel oops is escalated to a panic
#   kernel.panic = 60         -> the machine reboots 60 seconds after a panic
# Escalating an oops stops the kernel from running on in a possibly corrupted
# state. The trade-off is availability: any oops now costs a reboot.
# Applied only when evolinux_kernel_reboot_after_panic is true.
- name: 'Reboot after panic'
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: true
  loop:
    - name: kernel.panic_on_oops
      value: 1
    - name: kernel.panic
      value: 60
  when: evolinux_kernel_reboot_after_panic | bool
# Counterpart of the "Reboot after panic" task: when
# evolinux_kernel_reboot_after_panic is false, drop both keys from
# evolinux_kernel_sysctl_path and reload.
# NOTE(review): deleting an entry from the file presumably does not reset the
# value already loaded in the running kernel; confirm whether a reboot or an
# explicit reset is needed for the change to take effect.
- name: "Don't reboot after panic"
  ansible.posix.sysctl:
    name: "{{ item }}"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: absent
    reload: true
  loop:
    - kernel.panic_on_oops
    - kernel.panic
  when: not evolinux_kernel_reboot_after_panic | bool
# Set net.ipv4.tcp_timestamps to 0 in evolinux_kernel_sysctl_path and reload.
# Applied only when evolinux_kernel_disable_tcp_timestamps is true.
# Trade-off: with timestamps off, peers cannot use them to estimate host
# uptime, but TCP also loses PAWS and timestamp-based RTT measurement.
# NOTE(review): recent kernels are understood to randomize the timestamp
# offset per connection, which reduces the benefit; re-check this default.
- name: 'Disable net.ipv4.tcp_timestamps'
  ansible.posix.sysctl:
    name: net.ipv4.tcp_timestamps
    value: "0"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: true
  when: evolinux_kernel_disable_tcp_timestamps | bool
# Write vm.swappiness with the value of evolinux_kernel_swappiness into
# evolinux_kernel_sysctl_path and reload. Skipped unless
# evolinux_kernel_customize_swappiness is true.
- name: 'Customize the swappiness'
  ansible.posix.sysctl:
    name: vm.swappiness
    value: "{{ evolinux_kernel_swappiness }}"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: true
  when: evolinux_kernel_customize_swappiness | bool
# Workaround for CVE-2016-5696: raise net.ipv4.tcp_challenge_ack_limit to a
# very large value so the challenge-ACK rate limit is effectively never hit.
# Applied only when evolinux_kernel_cve20165696 is true.
# NOTE(review): this is a sysctl mitigation, not a kernel patch. On kernels
# that carry the upstream fix it is presumably redundant; confirm against the
# kernel versions in use and prefer the kernel update.
- name: 'Patch for TCP stack vulnerability CVE-2016-5696'
  ansible.posix.sysctl:
    name: net.ipv4.tcp_challenge_ack_limit
    value: '1073741823'
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: true
  when: evolinux_kernel_cve20165696 | bool
# Mitigation for CVE-2018-5391 (FragmentSmack): shrink the IPv4 and IPv6
# fragment reassembly thresholds (low 196608, high 262144 bytes) to bound the
# resources spent on reassembly.
# Unlike the other sysctl tasks in this file, this one has no `when` guard and
# therefore always runs.
# NOTE(review): the low thresholds are listed before the high ones. The kernel
# is understood to reject a high threshold below the current low threshold, so
# keep this order unless verified otherwise.
- name: 'Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack)'
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: true
  loop:
    - name: 'net.ipv4.ipfrag_low_thresh'
      value: '196608'
    - name: 'net.ipv6.ip6frag_low_thresh'
      value: '196608'
    - name: 'net.ipv4.ipfrag_high_thresh'
      value: '262144'
    - name: 'net.ipv6.ip6frag_high_thresh'
      value: '262144'
# Run any handlers that have been notified so far at this point in the play
# instead of waiting for the end of the play. None of the tasks visible in
# this file use `notify`, so the handlers concerned are presumably queued
# elsewhere; confirm this flush is still needed.
- ansible.builtin.meta: flush_handlers