author | Milo Casagrande <milo.casagrande@linaro.org> | 2014-12-22 18:08:08 +0100 |
---|---|---|
committer | Milo Casagrande <milo.casagrande@linaro.org> | 2014-12-22 18:08:08 +0100 |
commit | bb5a4fe080fccf47e33a2bd0313fef247b417c6b (patch) | |
tree | 185680a58a3768227196b3397f284366440ba9e8 | |
parent | 666b3df652737bc5f5e2866ebdf9d6ef28418620 (diff) |
ansible: Fix sysctl configuration.
Change-Id: Ic203c93995dcdfbb4d2c1278b346a0766b39f8a3
-rw-r--r-- | ansible/roles/common/files/sysctl.conf | 49 | ||||
-rw-r--r-- | ansible/roles/common/handlers/main.yml | 1 | ||||
-rw-r--r-- | ansible/roles/common/handlers/sysctl.yml | 3 | ||||
-rw-r--r-- | ansible/roles/common/tasks/main.yml | 2 | ||||
-rw-r--r-- | ansible/roles/common/tasks/sysctl.yml (renamed from ansible/roles/common/tasks/net-sysctl.yml) | 4 |
5 files changed, 57 insertions, 2 deletions
diff --git a/ansible/roles/common/files/sysctl.conf b/ansible/roles/common/files/sysctl.conf
index c9ee851..cb3d35a 100644
--- a/ansible/roles/common/files/sysctl.conf
+++ b/ansible/roles/common/files/sysctl.conf
@@ -26,3 +26,52 @@ net.ipv4.conf.all.rp_filter = 1
 # See http://lwn.net/Articles/277146/
 # Note: This may impact IPv6 TCP sessions too
 net.ipv4.tcp_syncookies = 1
+
+# Don't log Martian Packets (impossible addresses)
+net.ipv4.conf.all.log_martians = 0
+net.ipv4.conf.default.log_martians = 0
+
+# Ignore bogus ICMP errors
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.icmp_echo_ignore_all = 0
+
+# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
+# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
+# traffic to those sites.
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# This is host and not router
+net.ipv6.conf.default.router_solicitations = 0
+
+# Accept Router Preference in RA?
+net.ipv6.conf.default.accept_ra_rtr_pref = 0
+
+# Learn Prefix Information in Router Advertisement
+net.ipv6.conf.default.accept_ra_pinfo = 0
+
+# Setting controls whether the system will accept Hop Limit settings from
+# a router advertisement
+net.ipv6.conf.default.accept_ra_defrtr = 0
+net.ipv6.conf.default.autoconf = 0
+
+#how many neighbor solicitations to send out per address?
+net.ipv6.conf.default.dad_transmits = 0
+
+# How many global unicast IPv6 addresses can be assigned to each interface?
+net.ipv6.conf.default.max_addresses = 2
+
+# Send redirects, if router, but this is just server
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+# Enable ExecShield protection
+# This is not necessary in Ubuntu nor Debian, it is enabled by default.
+# kernel.exec-shield = 1
+kernel.randomize_va_space = 1
+
+# Allow more PIDs
+kernel.pid_max = 65536
diff --git a/ansible/roles/common/handlers/main.yml b/ansible/roles/common/handlers/main.yml
index 3021bd9..12fdf6d 100644
--- a/ansible/roles/common/handlers/main.yml
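Review bot: `kernel.randomize_va_space = 1` under the "Enable ExecShield protection" comment lowers the kernel's default ASLR level: 2 (the mainline default) also randomizes the heap/brk base, while 1 randomizes only stack, mmap and VDSO placement, so applying this file to a host that was running at 2 weakens it. Unless a specific legacy binary is known to need the conservative setting, the line should read `kernel.randomize_va_space = 2`, and the comment should describe it as the ASLR level rather than ExecShield, which is a separate (non-mainline) feature. `net.ipv4.conf.all.log_martians = 0` and the matching `default` key also discard the only trace of spoofed-source packets reaching the host; the kernel already rate-limits these messages, so `= 1` is the usual hardening choice if log volume was the concern. The IPv6 block sets only `net.ipv6.conf.default.*` keys, which presumably apply to interfaces created after the reload, so interfaces already up when `sysctl -p` runs may keep their previous values unless the same keys are also set under `all` or per interface.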
+++ b/ansible/roles/common/handlers/main.yml
@@ -2,3 +2,4 @@
 - include: apache.yml
 - include: nginx.yml
 - include: uwsgi.yml
+- include: sysctl.yml
diff --git a/ansible/roles/common/handlers/sysctl.yml b/ansible/roles/common/handlers/sysctl.yml
new file mode 100644
index 0000000..c15073e
--- /dev/null
+++ b/ansible/roles/common/handlers/sysctl.yml
@@ -0,0 +1,3 @@
+---
+- name: reload-sysctl
+ command: /sbin/sysctl -p
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index 32cb2ca..1b98de8 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -1,2 +1,2 @@
 ---
-- include: net-sysctl.yml
+- include: sysctl.yml
diff --git a/ansible/roles/common/tasks/net-sysctl.yml b/ansible/roles/common/tasks/sysctl.yml
index 30b9262..3604f28 100644
--- a/ansible/roles/common/tasks/net-sysctl.yml
+++ b/ansible/roles/common/tasks/sysctl.yml
@@ -1,7 +1,9 @@
 ---
-- name: Tweak kernel network configuration for performance
+- name: Tweak kernel configuration for performance
 copy: src=sysctl.conf dest=/etc/sysctl.conf owner=root group=root mode=0644
+ notify:
+ - reload-sysctl |
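Review bot: The new `reload-sysctl` handler runs `command: /sbin/sysctl -p`, which returns a non-zero status when any key in the file is unknown on the target kernel, and the sysctl.conf hunk in this commit adds `net.ipv6.*` keys that are absent on hosts where IPv6 is disabled or the module is not loaded, so the handler, and with it the play, would presumably fail on such hosts after the earlier keys have already been applied. Decide explicitly whether that should be fatal: leaving it as is surfaces typos in the file, while `command: /sbin/sysctl -e -p` skips unknown keys and lets the run continue. A short comment on the handler, such as `# -p re-reads /etc/sysctl.conf only; settings in /etc/sysctl.d/ are not reloaded here`, would also spare the next reader a surprise about what the reload covers.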