ansible-roles/evolinux-base/tasks/kernel.yml

67 lines
1.8 KiB
YAML

---
- name: Reboot after panic
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
state: present
reload: yes
loop:
- { name: kernel.panic_on_oops, value: 1 }
- { name: kernel.panic, value: 60 }
when: evolinux_kernel_reboot_after_panic | bool
- name: Don't reboot after panic
sysctl:
name: "{{ item }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
state: absent
reload: yes
loop:
- kernel.panic_on_oops
- kernel.panic
when: not evolinux_kernel_reboot_after_panic | bool
- name: Disable net.ipv4.tcp_timestamps
sysctl:
name: net.ipv4.tcp_timestamps
value: '0'
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
state: present
reload: yes
when: evolinux_kernel_disable_tcp_timestamps | bool
- name: Customize the swappiness
sysctl:
name: vm.swappiness
value: "{{ evolinux_kernel_swappiness }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
state: present
reload: yes
when: evolinux_kernel_customize_swappiness | bool
- name: Patch for TCP stack vulnerability CVE-2016-5696
sysctl:
name: net.ipv4.tcp_challenge_ack_limit
value: "1073741823"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
state: present
reload: yes
when: evolinux_kernel_cve20165696 | bool
- name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack)
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
state: present
reload: yes
loop:
- { name: "net.ipv4.ipfrag_low_thresh", value: "196608" }
- { name: "net.ipv6.ip6frag_low_thresh", value: "196608" }
- { name: "net.ipv4.ipfrag_high_thresh", value: "262144" }
- { name: "net.ipv6.ip6frag_high_thresh", value: "262144" }
- meta: flush_handlers