From e392ba625c8ce2dd9a17e4431194a3c1f4cc0f06 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 27 Nov 2020 20:51:51 -0500
Subject: [PATCH 1/8] 2-common/tasks/main.yml: try to reconcile sysctl settings
---
roles/2-common/tasks/main.yml | 35 ++++++++++++++++-------------------
scripts/ansible | 9 ++++++---
2 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/roles/2-common/tasks/main.yml b/roles/2-common/tasks/main.yml
index c4dc34309..ab6f774fe 100644
--- a/roles/2-common/tasks/main.yml
+++ b/roles/2-common/tasks/main.yml
@@ -21,25 +21,22 @@
 - include_tasks: packages.yml
 - include_tasks: iptables.yml
-# 2020-11-27 emergency patch+experiment til this is answered more methodically:
-# https://github.com/iiab/iiab/issues/2650
-# https://github.com/iiab/iiab/pull/2651
-#
-#- name: Use 'sysctl' to set 10 network/kernel settings, turning off IPv6 if possible
-# sysctl:
-# name: "{{ item.name }}"
-# value: "{{ item.value }}"
-# with_items:
-# - { name: 'net.ipv4.ip_forward', value: '1' }
-# - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
-# - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
-# - { name: 'kernel.sysrq', value: '1' }
-# - { name: 'kernel.core_uses_pid', value: '1' }
-# - { name: 'net.ipv4.tcp_syncookies', value: '1' }
-# - { name: 'kernel.shmmax', value: '268435456' }
-# - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' } # IPv6 disabled
-# - { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }
-# - { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }
+# 2020-11-27 ongoing rework arising from ansible.posix collection changes:
+- name: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible
+ sysctl: # Places these settings in /etc/sysctl.conf, to survive reboot
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ with_items:
+ - { name: 'net.ipv4.ip_forward', value: '1' }
+ - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
+ - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
+ #- { name: 'kernel.sysrq', value: '1' } # Already set by most Linux OS's
+ - { name: 'kernel.core_uses_pid', value: '1' }
+ #- { name: 'net.ipv4.tcp_syncookies', value: '1' } # Should be set by OS
+ #- { name: 'kernel.shmmax', value: '268435456' } # OS values differ, Ok?
+ - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' } # IPv6 disabled
+ #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' } # AUTO-SET
+ #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' } # BY ABOVE
 - name: Install /etc/profile.d/zzz_iiab.sh from template, to add sbin dirs to unprivileged users' $PATH
 template:
diff --git a/scripts/ansible b/scripts/ansible
index 8ee0bd207..4aeb9d264 100755
--- a/scripts/ansible
+++ b/scripts/ansible
@@ -92,9 +92,12 @@ $APT_PATH/apt -y --allow-downgrades install ansible-base \
 python3-setuptools python3-packaging python3-venv virtualenv
 echo -e "\n\nIIAB requires these 2 Ansible Collections: (w/ ansible-base 2.10.0 or higher)\n"
-ansible-galaxy collection install community.general # Re-running these
-ansible-galaxy collection install community.mysql # appears to be safe!?
-#ansible-galaxy collection install ansible.posix # 2020-11-27: See roles/1-prep/tasks/main.yml & PR #2647, PR #2648, #2650, PR #2651
+ansible-galaxy collection install community.general # Re-running collection
+ansible-galaxy collection install community.mysql # installs appears safe!
+ansible-galaxy collection install ansible.posix # 2020-11-27: For 3 below...
+# selinux WAS in /opt/iiab/iiab/roles/1-prep/tasks/main.yml
+# sysctl in /opt/iiab/iiab/roles/2-common/tasks/main.yml
+# synchronize in /opt/iiab/iiab-admin-console/roles/2-common/tasks/main.yml
 echo -e "\n\nCreating/verifying directory /etc/ansible & installing /etc/ansible/hosts\n"
 mkdir -p /etc/ansible
From 860d05ec5d9f3c5219a9672def53e59f8ff05fab Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 27 Nov 2020 20:57:54 -0500
Subject: [PATCH 2/8] scripts/ansible: 2 -> 3 Ansible Collections
---
scripts/ansible | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/ansible b/scripts/ansible
index 4aeb9d264..8d503d2c0 100755
--- a/scripts/ansible
+++ b/scripts/ansible
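Review bot: The two `net.ipv4.conf.default.*` entries in the new sysctl task only seed interfaces created after the task runs; on the interfaces that are already up the kernel consults `net.ipv4.conf.all.*` (rp_filter uses the stricter of `all` and the per-interface value, and source-routed packets are accepted only when both `all` and the interface allow them), so the hardening does not take effect on the current run until a reboot re-initialises the interfaces. Adding `- { name: 'net.ipv4.conf.all.rp_filter', value: '1' }` and `- { name: 'net.ipv4.conf.all.accept_source_route', value: '0' }` next to the `default` entries closes that gap. The `# AUTO-SET BY ABOVE` justification for commenting out `net.ipv6.conf.default.disable_ipv6` looks doubtful: `all.disable_ipv6` is applied to existing interfaces but does not rewrite `default`, so an interface brought up later (a hot-plugged adapter or a new bridge) may come up with IPv6 enabled, and keeping the `default` entry active is cheap. Since this commit is adopting the ansible.posix collection, the task would also read more clearly as `ansible.posix.sysctl:` with `loop:` instead of the bare module name with `with_items:`.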
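Review bot: The new `ansible-galaxy collection install ansible.posix` line (like the two `community.*` lines above it) installs whatever version Galaxy serves at run time, with no version pin, so two IIAB builds days apart can run different collection code and a broken or tampered release propagates automatically; now that the sysctl task depends on ansible.posix behaviour this is also a reproducibility problem. Pinning is one token per line, e.g. `ansible-galaxy collection install ansible.posix:==<PINNED_VERSION>`, or the three collections can move into a `requirements.yml` with explicit versions installed via `ansible-galaxy collection install -r requirements.yml`. The trailing comment `# Re-running collection installs appears safe!` could be stated rather than hedged: `ansible-galaxy collection install` skips a collection that is already installed unless `--force` is passed, which is why re-running the script is harmless.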
@@ -91,7 +91,7 @@ $APT_PATH/apt -y --allow-downgrades install ansible-base \
 python3-pymysql python3-psycopg2 python3-passlib python3-pip \
 python3-setuptools python3-packaging python3-venv virtualenv
-echo -e "\n\nIIAB requires these 2 Ansible Collections: (w/ ansible-base 2.10.0 or higher)\n"
+echo -e "\n\nIIAB requires these 3 Ansible Collections: (w/ ansible-base 2.10.0 or higher)\n"
 ansible-galaxy collection install community.general # Re-running collection
 ansible-galaxy collection install community.mysql # installs appears safe!
 ansible-galaxy collection install ansible.posix # 2020-11-27: For 3 below...
From 5609e234afd403ce7f420f4eb284e5f3a65e5c3e Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 27 Nov 2020 21:00:30 -0500
Subject: [PATCH 3/8] scripts/ansible: Clarify ansible-base 2.10.3+
---
scripts/ansible | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/ansible b/scripts/ansible
index 8d503d2c0..c0b96831f 100755
--- a/scripts/ansible
+++ b/scripts/ansible
@@ -91,7 +91,7 @@ $APT_PATH/apt -y --allow-downgrades install ansible-base \
 python3-pymysql python3-psycopg2 python3-passlib python3-pip \
 python3-setuptools python3-packaging python3-venv virtualenv
-echo -e "\n\nIIAB requires these 3 Ansible Collections: (w/ ansible-base 2.10.0 or higher)\n"
+echo -e "\n\nIIAB requires these 3 Ansible Collections: (w/ ansible-base 2.10.3+)\n"
 ansible-galaxy collection install community.general # Re-running collection
 ansible-galaxy collection install community.mysql # installs appears safe!
 ansible-galaxy collection install ansible.posix # 2020-11-27: For 3 below...
From fe6b95e612809eaa16f3b1b1ca8d930167900bd0 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 27 Nov 2020 21:13:00 -0500
Subject: [PATCH 4/8] scripts/ansible: cleaner comment
---
scripts/ansible | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/ansible b/scripts/ansible
index c0b96831f..0f246189a 100755
--- a/scripts/ansible
+++ b/scripts/ansible
@@ -91,7 +91,7 @@ $APT_PATH/apt -y --allow-downgrades install ansible-base \
 python3-pymysql python3-psycopg2 python3-passlib python3-pip \
 python3-setuptools python3-packaging python3-venv virtualenv
-echo -e "\n\nIIAB requires these 3 Ansible Collections: (w/ ansible-base 2.10.3+)\n"
+echo -e "\n\nIIAB requires these 3 Ansible Collections: (with ansible-base 2.10.3+)\n"
 ansible-galaxy collection install community.general # Re-running collection
 ansible-galaxy collection install community.mysql # installs appears safe!
 ansible-galaxy collection install ansible.posix # 2020-11-27: For 3 below...
From efbc78edf4b93ec9628764ac8a008ac913bfb88b Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 27 Nov 2020 21:32:42 -0500
Subject: [PATCH 5/8] 2-common/tasks/main.yml sysctl settings: summarize evolving OS norms
---
roles/2-common/tasks/main.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/2-common/tasks/main.yml b/roles/2-common/tasks/main.yml
index ab6f774fe..88c48203e 100644
--- a/roles/2-common/tasks/main.yml
+++ b/roles/2-common/tasks/main.yml
@@ -30,9 +30,9 @@
 - { name: 'net.ipv4.ip_forward', value: '1' }
 - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
 - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
- #- { name: 'kernel.sysrq', value: '1' } # Already set by most Linux OS's
+ #- { name: 'kernel.sysrq', value: '1' } # OS values differ, Ok?
 - { name: 'kernel.core_uses_pid', value: '1' }
- #- { name: 'net.ipv4.tcp_syncookies', value: '1' } # Should be set by OS
+ #- { name: 'net.ipv4.tcp_syncookies', value: '1' } # Very standard in 2020
 #- { name: 'kernel.shmmax', value: '268435456' } # OS values differ, Ok?
 - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' } # IPv6 disabled
- #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' } # AUTO-SET
From 511ed729d98144d7cf225851f70169b15586be39 Mon Sep 17 00:00:00 2001
From: A Holt
Date: Fri, 27 Nov 2020 22:04:38 -0500
Subject: [PATCH 6/8] net.ipv4.ip_forward (is for masquerading LAN->Internet)
---
roles/2-common/tasks/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/2-common/tasks/main.yml b/roles/2-common/tasks/main.yml
index 88c48203e..a355b501c 100644
--- a/roles/2-common/tasks/main.yml
+++ b/roles/2-common/tasks/main.yml
@@ -27,7 +27,7 @@
 name: "{{ item.name }}"
 value: "{{ item.value }}"
 with_items:
- - { name: 'net.ipv4.ip_forward', value: '1' }
+ - { name: 'net.ipv4.ip_forward', value: '1' } # Masquerading LAN->Internet
 - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
 - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
 #- { name: 'kernel.sysrq', value: '1' } # OS values differ, Ok?
From b8c98ced1b84981cdd34ecfc8f1d86e49a04f2a9 Mon Sep 17 00:00:00 2001
From: A Holt
Date: Fri, 27 Nov 2020 22:14:26 -0500
Subject: [PATCH 7/8] scripts/ansible: js-menu path cleanup typo
---
scripts/ansible | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/ansible b/scripts/ansible
index 0f246189a..dbc7d2ee4 100755
--- a/scripts/ansible
+++ b/scripts/ansible
@@ -97,7 +97,7 @@ ansible-galaxy collection install community.mysql # installs appears safe!
 ansible-galaxy collection install ansible.posix # 2020-11-27: For 3 below...
 # selinux WAS in /opt/iiab/iiab/roles/1-prep/tasks/main.yml
 # sysctl in /opt/iiab/iiab/roles/2-common/tasks/main.yml
-# synchronize in /opt/iiab/iiab-admin-console/roles/2-common/tasks/main.yml
+# synchronize in /opt/iiab/iiab-admin-console/roles/js-menu/tasks/main.yml
 echo -e "\n\nCreating/verifying directory /etc/ansible & installing /etc/ansible/hosts\n"
 mkdir -p /etc/ansible
From f5157dd98e362816e4671e9a36a80e32c621a7fd Mon Sep 17 00:00:00 2001
From: A Holt
Date: Fri, 27 Nov 2020 23:25:27 -0500
Subject: [PATCH 8/8] 2-common/tasks/main.yml sysctl kernel params: mention PR #2652
---
roles/2-common/tasks/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/2-common/tasks/main.yml b/roles/2-common/tasks/main.yml
index a355b501c..66fedacd4 100644
--- a/roles/2-common/tasks/main.yml
+++ b/roles/2-common/tasks/main.yml
@@ -21,7 +21,7 @@
 - include_tasks: packages.yml
 - include_tasks: iptables.yml
-# 2020-11-27 ongoing rework arising from ansible.posix collection changes:
+# Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes:
 - name: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible
 sysctl: # Places these settings in /etc/sysctl.conf, to survive reboot
 name: "{{ item.name }}"