c12s-kubespray/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml

139 lines
3.3 KiB
YAML
Raw Permalink Normal View History

2018-09-06 14:26:57 +00:00
---
2018-08-23 14:51:52 +00:00
# Todo : selinux configuration
- name: Confirm selinux deployed
stat:
path: /etc/selinux/config
get_attributes: no
get_checksum: no
get_mime: no
when:
- ansible_os_family == "RedHat"
- "'Amazon' not in ansible_distribution"
2018-08-23 14:51:52 +00:00
register: slc
- name: Set selinux policy
selinux:
policy: targeted
state: "{{ preinstall_selinux_state }}"
when:
- ansible_os_family == "RedHat"
- "'Amazon' not in ansible_distribution"
- slc.stat.exists
2018-08-23 14:51:52 +00:00
changed_when: False
tags:
- bootstrap-os
- name: Disable IPv6 DNS lookup
lineinfile:
dest: /etc/gai.conf
line: "precedence ::ffff:0:0/96 100"
state: present
create: yes
2018-08-23 14:51:52 +00:00
backup: yes
mode: 0644
2018-08-23 14:51:52 +00:00
when:
- disable_ipv6_dns
- not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
2018-08-23 14:51:52 +00:00
tags:
- bootstrap-os
- name: Clean previously used sysctl file locations
file:
path: "/etc/sysctl.d/{{ item }}"
state: absent
with_items:
- ipv4-ip_forward.conf
- bridge-nf-call.conf
2018-08-23 14:51:52 +00:00
- name: Stat sysctl file configuration
stat:
path: "{{ sysctl_file_path }}"
get_attributes: no
get_checksum: no
get_mime: no
2018-08-23 14:51:52 +00:00
register: sysctl_file_stat
tags:
- bootstrap-os
- name: Change sysctl file path to link source if linked
set_fact:
sysctl_file_path: "{{ sysctl_file_stat.stat.lnk_source }}"
2018-08-23 14:51:52 +00:00
when:
- sysctl_file_stat.stat.islnk is defined
- sysctl_file_stat.stat.islnk
tags:
- bootstrap-os
- name: Make sure sysctl file path folder exists
file:
name: "{{ sysctl_file_path | dirname }}"
state: directory
mode: 0755
2018-08-23 14:51:52 +00:00
- name: Enable ip forwarding
sysctl:
sysctl_file: "{{ sysctl_file_path }}"
2018-08-23 14:51:52 +00:00
name: net.ipv4.ip_forward
value: "1"
2018-08-23 14:51:52 +00:00
state: present
reload: yes
- name: Enable ipv6 forwarding
sysctl:
sysctl_file: "{{ sysctl_file_path }}"
name: net.ipv6.conf.all.forwarding
value: 1
state: present
reload: yes
when: enable_dual_stack_networks | bool
- name: Check if we need to set fs.may_detach_mounts
stat:
path: /proc/sys/fs/may_detach_mounts
get_attributes: no
get_checksum: no
get_mime: no
register: fs_may_detach_mounts
ignore_errors: true # noqa ignore-errors
- name: Set fs.may_detach_mounts if needed
sysctl:
sysctl_file: "{{ sysctl_file_path }}"
name: fs.may_detach_mounts
value: 1
state: present
reload: yes
when: fs_may_detach_mounts.stat.exists | d(false)
- name: Ensure kube-bench parameters are set
sysctl:
sysctl_file: "{{ sysctl_file_path }}"
name: "{{ item.name }}"
value: "{{ item.value }}"
state: present
reload: yes
with_items:
- { name: kernel.keys.root_maxbytes, value: 25000000 }
- { name: kernel.keys.root_maxkeys, value: 1000000 }
- { name: kernel.panic, value: 10 }
- { name: kernel.panic_on_oops, value: 1 }
- { name: vm.overcommit_memory, value: 1 }
- { name: vm.panic_on_oom, value: 0 }
when: kubelet_protect_kernel_defaults|bool
- name: Check dummy module
modprobe:
name: dummy
state: present
params: 'numdummies=0'
when: enable_nodelocaldns
2022-10-03 06:06:14 +00:00
- name: Set additional sysctl variables
sysctl:
sysctl_file: "{{ sysctl_file_path }}"
name: "{{ item.name }}"
value: "{{ item.value }}"
state: present
reload: yes
with_items: "{{ additional_sysctl }}"