Merge pull request #2651 from holta/sysctl-experiment

Emergency/Interim Patch + Experiment to help surface which of the 10 sysctl tweaks are still needed + necessary
2025-02-15 04:32:11 +00:00 · 2020-11-27 11:36:53 -05:00 · 2020-11-27 11:36:53 -05:00 · c215445e31
commit c215445e31
parent 49e5dc46ce d70b1766ac
1 changed files with 19 additions and 15 deletions
--- a/roles/2-common/tasks/main.yml
+++ b/roles/2-common/tasks/main.yml
@ -21,21 +21,25 @@
 - include_tasks: packages.yml
 - include_tasks: iptables.yml

- name: Use 'sysctl' to set 10 network/kernel settings, turning off IPv6 if possible
-  sysctl:
-    name: "{{ item.name }}"
-    value: "{{ item.value }}"
-  with_items:
-    - { name: 'net.ipv4.ip_forward', value: '1' }
-    - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
-    - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
-    - { name: 'kernel.sysrq', value: '1' }
-    - { name: 'kernel.core_uses_pid', value: '1' }
-    - { name: 'net.ipv4.tcp_syncookies', value: '1' }
-    - { name: 'kernel.shmmax', value: '268435456' }
-    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }    # IPv6 disabled
-    - { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }
-    - { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }
+# 2020-11-27 emergency patch+experiment til this is answered more methodically:
+# https://github.com/iiab/iiab/issues/2650
+# https://github.com/iiab/iiab/pull/2651
+#
+#- name: Use 'sysctl' to set 10 network/kernel settings, turning off IPv6 if possible
+#  sysctl:
+#    name: "{{ item.name }}"
+#    value: "{{ item.value }}"
+#  with_items:
+#    - { name: 'net.ipv4.ip_forward', value: '1' }
+#    - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
+#    - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
+#    - { name: 'kernel.sysrq', value: '1' }
+#    - { name: 'kernel.core_uses_pid', value: '1' }
+#    - { name: 'net.ipv4.tcp_syncookies', value: '1' }
+#    - { name: 'kernel.shmmax', value: '268435456' }
+#    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }    # IPv6 disabled
+#    - { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }
+#    - { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }

 - name: Install /etc/profile.d/zzz_iiab.sh from template, to add sbin dirs to unprivileged users' $PATH
  template: