debops.sysctl default variables

General configuration

sysctl__enabled

Enable or disable management of the kernel configuration in the /proc/sys/ directory using Ansible.

sysctl__enabled: True
sysctl__writable

List of paths in /proc/sys/ directory that are considered writable in the current namespace (host, VM, container). The path elements need to be separated by a dot (.) instead of a slash (/). See sysctl__writable for more details.

sysctl__writable: '{{ ansible_local.sysctl.writable | d([]) }}'

Shared memory configuration

sysctl__shared_memory_base

Base amount of memory used for shared memory calculations.

sysctl__shared_memory_base: '{{ ((ansible_memtotal_mb | int * 1024 * 1024) - 8192) }}'
sysctl__shared_memory_shmall_limiter

How much of the total memory is reserved for shared memory.

sysctl__shared_memory_shmall_limiter: '{{ 0.8
                                          if (ansible_memtotal_mb | int >= 4096)
                                          else 0.5 }}'
sysctl__shared_memory_shmall

Number of memory pages that can be used for shared memory.

sysctl__shared_memory_shmall: '{{ ((sysctl__shared_memory_base | int *
                                    sysctl__shared_memory_shmall_limiter | float) / 4096)
                                  | round | int }}'
sysctl__shared_memory_max_limiter

Maximum size of shared memory segment as % of available memory

sysctl__shared_memory_max_limiter: '{{ 0.5
                                       if (ansible_memtotal_mb | int >= 4096)
                                       else 0.2 }}'
sysctl__shared_memory_shmmax

Maximum amount of shared memory a process can reserve for itself

sysctl__shared_memory_shmmax: '{{ (sysctl__shared_memory_base | int *
                                   sysctl__shared_memory_max_limiter | float)
                                   | round | int }}'

Hardening

sysctl__hardening_enabled

Should the hardening options be applied?

sysctl__hardening_enabled: True
sysctl__system_ip_forwarding_enabled

Should the system forward IP traffic for all interfaces? Refer to debops.ifupdown which can selectively enable traffic forwarding.

sysctl__system_ip_forwarding_enabled: '{{ True
                                          if ansible_local.docker_server.installed | d(False)
                                          else False }}'
sysctl__hardening_ipv6_disabled

Whether IPv6 should be disabled.

sysctl__hardening_ipv6_disabled: False
sysctl__hardening_experimental_enabled

Should experimental settings in the hardening options be applied?

sysctl__hardening_experimental_enabled: False

Performance parameters

sysctl__tcp_performance_enabled

Should the TCP performance options be applied? The current options are:

  • net.ipv4.tcp_slow_start_after_idle (enabled by default, enabling performance mode will disable this kernel parameter)

sysctl__tcp_performance_enabled: False

Kernel parameters

These variables define the kernel parameters managed by the role. See sysctl__parameters for more details.

sysctl__default_parameters

The default kernel parameters defined by the role.

sysctl__default_parameters:

  - name: 'memory'
    weight: 10
    options:

      - name: 'kernel.shmmax'
        value: '{{ sysctl__shared_memory_shmmax }}'

      - name: 'kernel.shmall'
        value: '{{ sysctl__shared_memory_shmall }}'

      - name: 'vm.swappiness'
        comment: |
          How aggressively the kernel swaps out anonymous memory relative to
          pagecache and other caches. Increasing the value increases the amount
          of swapping. Can be set to values between 0 and 100 inclusive.
        value: 60

      - name: 'vm.vfs_cache_pressure'
        comment: |
          Tendency of the kernel to reclaim the memory which is used for caching of VFS
          caches, versus pagecache and swap. Increasing this value increases the rate
          at which VFS caches are reclaimed.
        value: 100

  - name: 'network'
    weight: 20
    options:

      - name: 'net.ipv4.ip_forward'
        value: '{{ sysctl__system_ip_forwarding_enabled | bool | ternary(1, 0) }}'
        comment: 'Enable or disable IPv4 traffic forwarding'
        state: 'present'

      - name: 'net.ipv6.conf.all.forwarding'
        value: '{{ sysctl__system_ip_forwarding_enabled | bool | ternary(1, 0) }}'
        comment: 'Enable or disable IPv6 traffic forwarding'
        state: 'present'

      - name: 'net.ipv6.conf.all.accept_ra'
        value: 0
        comment: 'Ignore IPv6 RAs.'
        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'

      - name: 'net.ipv6.conf.default.accept_ra'
        value: 0
        comment: 'Ignore IPv6 RAs.'
        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.conf.all.rp_filter'
        value: 1
        comment: 'Enable RFC-recommended source validation feature.'
        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.conf.default.rp_filter'
        value: 1
        comment: 'Enable RFC-recommended source validation feature.'
        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.icmp_echo_ignore_broadcasts'
        value: 1
        comment: |
          Reduce the surface on SMURF attacks.
          Make sure to ignore ECHO broadcasts, which are only required in broad
          network analysis.
        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.icmp_ignore_bogus_error_responses'
        value: 1
        comment: |
          Do not log bogus ICMP error responses.
          Nobody would want to accept bogus error responses, so we can safely
          ignore them.
        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.icmp_ratelimit'
        value: 100
        comment: 'Limit the amount of traffic the system uses for ICMP.'
        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.icmp_ratemask'
        value: 88089
        comment: |
          Adjust the ICMP ratelimit to include ping, dst unreachable,
          source quench, ime exceed, param problem, timestamp reply,
          information reply
        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'

      - name: 'net.ipv6.conf.all.disable_ipv6'
        value: 1
        comment: 'Disable IPv6.'
        state: '{{ sysctl__hardening_ipv6_disabled | bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.tcp_timestamps'
        value: 0
        comment: 'Protect against wrapping sequence numbers at gigabit speeds.'
        state: '{{ (sysctl__hardening_enabled | bool and
                    not (ansible_virtualization_role == "guest" and ansible_virtualization_type == "openvz"))
                  | ternary("present", "absent") }}'

      - name: 'net.ipv4.conf.all.arp_ignore'
        value: 1
        comment: 'Define restriction level for announcing the local source IP.'
        state: '{{ sysctl__hardening_experimental_enabled | bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.conf.all.arp_announce'
        value: 2
        comment: |
          Define mode for sending replies in response to received ARP requests
          that resolve local target IP addresses
        state: '{{ sysctl__hardening_experimental_enabled | bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.tcp_rfc1337'
        value: 1
        comment: 'RFC 1337 fix F1.'
        state: '{{ (sysctl__hardening_enabled | bool and
                    not (ansible_virtualization_role == "guest" and
                         ansible_virtualization_type == "openvz"))
                  | ternary("present", "absent") }}'

      - name: 'net.ipv4.tcp_slow_start_after_idle'
        value: '{{ sysctl__tcp_performance_enabled | bool | ternary(0, 1) }}'
        comment: |
          If set, provide RFC2861 behavior and time out the congestion window
          after an idle period. An idle period is defined at the current RTO.
          If unset, the congestion window will not be timed out after an idle
          period.
        state: 'present'

  # The '/proc/sys/fs/' namespace is usually read-only in unprivileged LXC
  # containers. The default 'protect-links.conf' file that comes with the
  # 'procps' APT package has the 'fs.*' parameters uncommented, which breaks
  # the 'sysctl' configuration via the role. Therefore, let's divert the
  # original file and regenerate it; the read-only parameters will be
  # automatically commented out in unprivileged LXC containers.
  - name: 'protect-links'
    filename: '{{ "protect-links.conf"
                  if (ansible_distribution_release in ["stretch", "buster", "bullseye"])
                  else "99-protect-links.conf" }}'
    divert: True
    comment: |
      Protected links

      Protects against creating or following links under certain conditions
      Debian kernels have both set to 1 (restricted)
      See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
    options:

      - name: 'fs.protected_fifos'
        value: 1

      - name: 'fs.protected_hardlinks'
        value: 1

      - name: 'fs.protected_regular'
        value: 2

      - name: 'fs.protected_symlinks'
        value: 1

  # The '/proc/sys/kernel/' namespace is usually read-only in uprivileged LXC
  # containers. The '/usr/lib/sysctl.d/50-pid-max.conf' file included in the
  # 'systemd' Debian package has the 'kernel.*' parameters uncommented and this
  # can cause issues inside unprivileged LXC containers. The configuration
  # below creates a "masked" configuration file with kernel parameters
  # commented out when they cannot be modified.
  - name: 'pid-max'
    filename: '50-pid-max.conf'
    comment: |
      This file is part of systemd.

      systemd is free software; you can redistribute it and/or modify it
      under the terms of the GNU Lesser General Public License as published by
      the Free Software Foundation; either version 2.1 of the License, or
      (at your option) any later version.

      See sysctl.d(5) and core(5) for documentation.

      To override settings in this file, create a local file in /etc
      (e.g. /etc/sysctl.d/90-override.conf), and put any assignments
      there.
    options:

      - name: 'kernel.pid_max'
        comment: |
          Bump the numeric PID range to its maximum of 2^22 (from the in-kernel default
          of 2^16), to make PID collisions less likely.
        value: 4194304
sysctl__parameters

This variable is intended to be used in Ansible’s global inventory.

sysctl__parameters: []
sysctl__group_parameters

This variable is intended to be used in a host inventory group of Ansible (only one host group is supported).

sysctl__group_parameters: []
sysctl__host_parameters

This variable is intended to be used in the inventory of hosts.

sysctl__host_parameters: []
sysctl__dependent_parameters

Kernel parameters defined by other Ansible roles via role default variables. These parameters are not tracked by the role, it's best to create configuration files with "weight" number > 50 to ensure that the desired parameters are correctly overridden by sysctl command.

sysctl__dependent_parameters: []
sysctl__combined_parameters

Sysctl configuration file path where all kernel parameters will be configured by debops.sysctl.

sysctl__combined_parameters: '{{ sysctl__default_parameters
                                 + lookup("flattened", sysctl__dependent_parameters, wantlist=True)
                                 + sysctl__parameters
                                 + sysctl__group_parameters
                                 + sysctl__host_parameters }}'