--- - name: "Use Cloud kernel on virtual servers" ansible.builtin.apt: name: "linux-image-cloud-amd64" state: present register: _use_cloud_kernel when: - ansible_machine == "x86_64" - ansible_virtualization_role == "guest" - evolinux_kernel_cloud_auto | bool - name: "Remove non-Cloud kernel on virtual servers" ansible.builtin.apt: name: "linux-image-amd64" state: absent when: - ansible_machine == "x86_64" - ansible_virtualization_role == "guest" - evolinux_kernel_cloud_auto | bool - name: "Reboot the server to enable the new kernel" ansible.builtin.reboot: reboot_timeout: 600 search_paths: ['/lib/molly-guard', '/sbin'] when: - _use_cloud_kernel | changed - evolinux_kernel_cloud_reboot | bool - name: Reboot after panic ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes loop: - { name: kernel.panic_on_oops, value: 1 } - { name: kernel.panic, value: 60 } when: evolinux_kernel_reboot_after_panic | bool - name: Don't reboot after panic ansible.posix.sysctl: name: "{{ item }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: absent reload: yes loop: - kernel.panic_on_oops - kernel.panic when: not evolinux_kernel_reboot_after_panic | bool - name: Disable net.ipv4.tcp_timestamps ansible.posix.sysctl: name: net.ipv4.tcp_timestamps value: '0' sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes when: evolinux_kernel_disable_tcp_timestamps | bool - name: Customize the swappiness ansible.posix.sysctl: name: vm.swappiness value: "{{ evolinux_kernel_swappiness }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes when: evolinux_kernel_customize_swappiness | bool - name: Patch for TCP stack vulnerability CVE-2016-5696 ansible.posix.sysctl: name: net.ipv4.tcp_challenge_ack_limit value: "1073741823" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes when: evolinux_kernel_cve20165696 | bool - name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack) ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes loop: - { name: "net.ipv4.ipfrag_low_thresh", value: "196608" } - { name: "net.ipv6.ip6frag_low_thresh", value: "196608" } - { name: "net.ipv4.ipfrag_high_thresh", value: "262144" } - { name: "net.ipv6.ip6frag_high_thresh", value: "262144" } - ansible.builtin.meta: flush_handlers