dev-sec / ansible-collection-hardening

This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL
http://dev-sec.io/
Apache License 2.0
3.94k stars 725 forks

Sysctl reloading #18

Closed rndmh3ro closed 9 years ago

rndmh3ro commented 9 years ago

See this discussion. @ypid, can you please provide context on what solution you would like to see to make the sysctl-tasks clearer?

ypid commented 9 years ago

As suggested, I would recommend using a dict in the default variables defining all the sysctl variables and then, in the tasks, using the dict to install them on the systems.

See also this role https://github.com/picotrading/ansible-sysctl

rndmh3ro commented 9 years ago

You mean something like this, with all variables?

- name: set sysctls
  sysctl: name='{{ item }}' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
  with_items:
    - net.ipv6.conf.all.accept_ra
    - net.ipv6.conf.default.accept_ra
    - net.ipv4.conf.default.accept_source_route

I thought about this, and yes that would make the task clearer and only one reload will happen. But then, I'd have to document all variables inline, e.g. this way:

- name: set sysctls
  sysctl: name='{{ item }}' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
  with_items:
    - net.ipv6.conf.all.accept_ra # don't accept router advertisements.
    - net.ipv6.conf.default.accept_ra # foo
    - net.ipv4.conf.default.accept_source_route # bar

ypid commented 9 years ago

I am using said role and have in my group configuration something like:

sysctl_group_config:
  #### ipv4 networking ####
  # https://wiki.archlinux.org/index.php/Sysctl

  ## TCP SYN cookie protection (default)
  ## helps protect against SYN flood attacks
  ## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
  net.ipv4.tcp_syncookies: 1

  ## protect against tcp time-wait assassination hazards
  ## drop RST packets for sockets in the time-wait state
  ## (not widely supported outside of linux, but conforms to RFC)
  net.ipv4.tcp_rfc1337: 1

I think this is very nice …

rndmh3ro commented 9 years ago

That actually looks good, though I'd still use a with_items to not rely on another role. E.g. like this:

- name: change sysctl-settings
  sysctl: name='{{ item.key }}' value='{{ item.value }}' sysctl_set=yes state=present reload=yes ignoreerrors=yes
  with_items:
    # ignore RAs on IPv6
    - { key: net.ipv6.conf.all.accept_ra, value: 0 }
    # Enable RFC-recommended source validation feature.
    - { key: net.ipv4.conf.all.rp_filter, value: 1 }
    # Enable RFC-recommended source validation feature.
    - { key: net.ipv4.conf.default.rp_filter, value: 1 }

@chris-rock what do you think? The one up there, or the way it currently is:

- name: ignore RAs on IPv6
  sysctl: name='net.ipv6.conf.all.accept_ra' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: ignore RAs on IPv6
  sysctl: name='net.ipv6.conf.default.accept_ra' value=0 sysctl_set=yes ignoreerrors=yes

- name: Enable RFC-recommended source validation feature.
  sysctl: name='net.ipv4.conf.all.rp_filter' value=1 sysctl_set=yes ignoreerrors=yes

The first way only executes one task and is probably faster. Also only one sysctl-reload has to happen. Debugging could be harder, though I didn't test it. The second way is easier to debug/edit and more readable in output and in general.

chris-rock commented 9 years ago

We could also use a third case where we move the items to vars in main.yml. This enables users to overwrite the array. Also, this may make it easier to document each parameter.

We should double-check that the output will still be useful. It is essential that operators know what the task does just by looking at the output.

rndmh3ro commented 9 years ago

This sounds like the best idea, @chris-rock.

Output would be along these lines:

       TASK: [ansible-os-hardening | Only enable IP traffic forwarding, if required.] *** 
       failed: [localhost] => (item={'key': 'net.ipv6.conf.default.forwarding', 'value': 1}) => {"failed": true, "item": {"key": "net.ipv6.conf.default.forwarding", "value": 1}}
       msg: Failed to reload sysctl: net.ipv4.ip_forward = 0
       net.ipv4.conf.default.rp_filter = 1
       net.ipv4.conf.default.accept_source_route = 0
       kernel.sysrq = 0
       kernel.core_uses_pid = 1
       net.ipv4.tcp_syncookies = 1
       kernel.msgmnb = 65536
       kernel.msgmax = 65536
       kernel.shmmax = 68719476736
       kernel.shmall = 4294967296
       net.ipv6.conf.all.forwarding = 0
       net.ipv6.conf.all.accept_ra = 0
       net.ipv4.conf.all.rp_filter = 1
       net.ipv4.icmp_echo_ignore_broadcasts = 1
       net.ipv4.icmp_ignore_bogus_error_responses = 1
       net.ipv4.icmp_ratelimit = 100
       net.ipv4.icmp_ratemask = 88089
       net.ipv6.conf.all.disable_ipv6 = 1
       net.ipv4.tcp_timestamps = 0
       net.ipv4.conf.all.arp_ignore = 1
       net.ipv4.conf.all.arp_announce = 2
       net.ipv4.tcp_rfc1337 = 1
       net.ipv4.conf.all.shared_media = 1
       net.ipv4.conf.default.shared_media = 1
       net.ipv4.conf.all.accept_source_route = 0
       net.ipv4.conf.default.accept_redirects = 0
       net.ipv4.conf.all.accept_redirects = 0
       net.ipv4.conf.all.secure_redirects = 0
       net.ipv4.conf.default.secure_redirects = 0
       net.ipv6.conf.default.accept_redirects = 0
       net.ipv6.conf.all.accept_redirects = 0
       net.ipv4.conf.all.send_redirects = 0
       net.ipv4.conf.all.log_martians = 0
       net.ipv6.conf.default.router_solicitations = 0
       net.ipv6.conf.default.accept_ra_rtr_pref = 0
       net.ipv6.conf.default.accept_ra_pinfo = 0
       net.ipv6.conf.default.accept_ra_defrtr = 0
       net.ipv6.conf.default.autoconf = 0
       net.ipv6.conf.default.dad_transmits = 0
       net.ipv6.conf.default.max_addresses = 1
       fs.suid_dumpable = 0
       net.ipv6.conf.default.forwarding = 1
       error: "Invalid argument" setting key "net.ipv6.conf.default.accept_ra"

       ok: [localhost] => (item={'key': 'net.ipv6.conf.all.forwarding', 'value': 0})

The first lines and the second-to-last line show the failed setting; the last line shows the successful setting. Seems good to me, what do you guys think?

chris-rock commented 9 years ago

The task name looks strange. Should be something like "set sysctl"

rndmh3ro commented 9 years ago

Yeah, this will be changed, I just used this one to demonstrate the output.

chris-rock commented 9 years ago

cool. then it looks great.
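The layout the thread converges on (chris-rock's third option: the key/value pairs in an overridable role variable, each documented where it is declared, applied by a single looping task whose output still names every key and value), written out as an added example. This is not code from the issue or from the dev-sec project; the variable name `os_hardening_sysctl_settings`, the file paths and the handler name are assumptions made for illustration.

```yaml
# defaults/main.yml (assumed path). Every key is documented where it is
# declared, so a user can override the whole dict from group_vars without
# losing the explanation of what each setting does.
os_hardening_sysctl_settings:
  # Ignore IPv6 router advertisements on all and on new interfaces; a rogue
  # RA on the segment could otherwise push a default route onto this host.
  net.ipv6.conf.all.accept_ra: 0
  net.ipv6.conf.default.accept_ra: 0
  # Reverse-path filtering: drop packets whose source address would not be
  # routed back out through the interface they arrived on.
  net.ipv4.conf.all.rp_filter: 1
  net.ipv4.conf.default.rp_filter: 1
  # Do not honour source-routed packets.
  net.ipv4.conf.default.accept_source_route: 0
  # SYN cookies only engage once net.ipv4.tcp_max_syn_backlog is exhausted.
  net.ipv4.tcp_syncookies: 1

# tasks/main.yml (assumed path). with_dict yields item.key / item.value, so
# each entry shows up in the play output as its own ok/changed/failed line
# carrying the key and the value, as in the sample output above.
- name: Set sysctl settings
  sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    sysctl_set: yes
    state: present
    # Do not reload per item; the handler below reloads once at the end.
    reload: no
    # Passes -e to sysctl: unknown keys (for example IPv6 keys on a kernel
    # booted with ipv6.disable=1) are skipped instead of failing the play.
    ignoreerrors: yes
  with_dict: "{{ os_hardening_sysctl_settings }}"
  notify: reload sysctl

# handlers/main.yml (assumed path). Runs once per play if anything changed.
- name: reload sysctl
  command: sysctl -p
```

Two caveats for anyone adopting this: `with_dict` iteration order is not guaranteed on the Python 2 interpreters Ansible ran on at the time, so the order in which keys are written and applied will not match the order in the file, and no setting should depend on another having been applied first. And `ignoreerrors` only silences errors about keys the running kernel does not have; a value the kernel rejects, like the "Invalid argument" line in the sample output above, is still reported.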