Version information
released May 27th 2020
This version is compatible with:
- Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >= 3.8.0
Start using this module
Add this module to your Puppetfile:
mod 'eyp-sysctl', '0.3.7'
eyp/sysctl — version 0.3.7 May 27th 2020
sysctl
Overview
manages sysctl settings
Module Description
Manages permanent and temporary sysctl settings. Permanent settings are written to /etc/sysctl.conf; the module does NOT use sysctl.d.
Setup
What sysctl affects
- /etc/sysctl.conf
Setup Requirements
This module requires pluginsync to be enabled.
Beginning with sysctl
```puppet
sysctl::set { 'vm.dirty_expire_centisecs':
  value => '500',
}
```
Usage
Temporary settings (applied with sysctl -w, not written to /etc/sysctl.conf):
```puppet
class { 'sysctl': }

sysctl::set { 'vm.swappiness':
  value     => '69',
  permanent => false,
}
```
Multi-value settings (the fields of the resulting line are tab-separated):
```puppet
# kernel.sem=250 32000 100 128
sysctl::set { 'kernel.sem':
  value => "250\t32000\t100\t128",
}
```
Disable an already-set value (useful in Hiera-based setups, where a higher-priority level can switch off a setting defined at a lower one):
```yaml
---
sysctlset:
  'net.ipv4.conf.eno4.rp_filter':
    value: 2
    enable: false
```
Reference
classes
sysctl
- manage_service: determines whether Puppet manages sysctl reloads (default: true)
- manage_docker_service: a sysctl reload fails inside a Docker container; when this is false the changes are written but not reloaded (default: false)
- disable_ipv6: adds the following sysctl settings to disable IPv6:
  - net.ipv6.conf.all.disable_ipv6 = 1
  - net.ipv6.conf.all.accept_redirects = 0
  - net.ipv6.conf.default.accept_redirects = 0
- disable_netfilter_on_bridges: (default: true)
  - net.bridge.bridge-nf-call-ip6tables = 0
  - net.bridge.bridge-nf-call-iptables = 0
  - net.bridge.bridge-nf-call-arptables = 0
- sysrq: (default: false)
- core_uses_pid: (default: true)
- ipv4_tcp_syncookies: (default: true)
- netfilter_on_bridges: (default: false)
- execshield: (default: true)
- randomize_va_space: (default: true)
- suid_dumpable: (default: false)
- shmall: (default: 4294967296)
- shmmax: (default: 68719476736)
- msgmax: (default: 65536)
- msgmnb: (default: 65536)
- ipv4_ip_forward: (default: false)
- ipv4_icmp_echo_ignore_broadcasts: (default: true)
- ipv4_icmp_ignore_bogus_error_responses: (default: true)
- ipv4_all_log_martians: (default: true)
- ipv4_default_log_martians: (default: true)
- ipv4_all_accept_source_route: (default: false)
- ipv4_default_accept_source_route: (default: false)
- ipv4_all_rp_filter: (default: true)
- ipv4_default_rp_filter: (default: true)
- ipv4_all_accept_redirects: (default: false)
- ipv4_default_accept_redirects: (default: false)
- ipv4_all_secure_redirects: (default: false)
- ipv4_default_secure_redirects: (default: false)
- ipv4_all_send_redirects: (default: false)
- ipv4_default_send_redirects: (default: false)
defines
sysctl::set
- setting: (default: name)
- value:
- permanent: if true, is added to /etc/sysctl.conf, otherwise it's set using sysctl -w (default: true)
- order: minimum value: 59, maximum value: 99 (default: 59)
- enable: enables or disables this setting; intended for Hiera-based setups, so that a setting defined at a lower level can be removed at a higher-priority level (default: true)
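The following is an added example, not code from the eyp-sysctl README: a profile class that pulls together the Usage section (permanent, temporary and multi-value sysctl::set resources, plus the Hiera override shape) and the class parameters listed under Reference. The profile:: namespace, the two extra kernel keys (kernel.kptr_restrict is a real kernel sysctl chosen for illustration) and the lookup()/create_resources() wiring of the 'sysctlset' Hiera hash are this example's assumptions; the README shows only the data shape, not how the module consumes it, and lookup() requires Puppet 4 or later.

```puppet
# Added example (not part of the eyp-sysctl module): a hardening profile that
# declares the sysctl class with the parameters documented under Reference.
class profile::sysctl_hardening (
  $allow_ip_forward = false,   # only true on routers/hypervisors
) {

  class { 'sysctl':
    manage_service                   => true,
    manage_docker_service            => false,  # reload fails inside a container
    disable_ipv6                     => false,
    sysrq                            => false,
    core_uses_pid                    => true,
    randomize_va_space               => true,
    suid_dumpable                    => false,
    ipv4_ip_forward                  => $allow_ip_forward,
    ipv4_tcp_syncookies              => true,
    ipv4_icmp_echo_ignore_broadcasts => true,
    ipv4_all_log_martians            => true,
    ipv4_default_log_martians        => true,
    ipv4_all_rp_filter               => 1,      # integer since 0.3.0 (was bool)
    ipv4_default_rp_filter           => 1,
    ipv4_all_accept_source_route     => false,
    ipv4_default_accept_source_route => false,
    ipv4_all_accept_redirects        => false,
    ipv4_default_accept_redirects    => false,
    ipv4_all_secure_redirects        => false,
    ipv4_default_secure_redirects    => false,
    ipv4_all_send_redirects          => false,
    ipv4_default_send_redirects      => false,
  }

  # Permanent setting written to /etc/sysctl.conf. 'order' (59..99) controls
  # the fragment position in the concat-built file. kernel.kptr_restrict is a
  # real kernel key used here for illustration only.
  sysctl::set { 'kernel.kptr_restrict':
    value => '1',
    order => 70,
  }

  # Multi-value setting: fields are tab-separated in the rendered line.
  sysctl::set { 'kernel.sem':
    value => "250\t32000\t100\t128",
    order => 70,
  }

  # Temporary tuning: applied with sysctl -w only, gone after a reboot.
  sysctl::set { 'vm.swappiness':
    value     => '10',
    permanent => false,
  }

  # Per-node overrides in the README's 'sysctlset' Hiera shape. Wiring it
  # through lookup()/create_resources() is this example's assumption, not
  # necessarily what the module does internally. An entry with 'enable: false'
  # at a higher-priority Hiera level removes a setting defined lower down.
  $overrides = lookup('sysctlset', Hash, 'hash', {})
  create_resources('sysctl::set', $overrides)
}
```

Declaring the class from a profile keeps every kernel parameter explicit in one place, so a reviewer can diff the intended hardening baseline against the module defaults, and the Hiera hook leaves a documented path for per-host exceptions without editing the profile.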
Limitations
Tested on:
- CentOS 5
- CentOS 6
- CentOS 7
- Ubuntu 14.04
Development
We are working to put acceptance testing in place, so any new feature should include tests that check both the presence and the absence of the feature.
TODO
Cleanup warning:
```
[root@ip-172-31-20-15 puppet-masterless]# ./localpuppetmaster.sh -d /tmp/puppet -r https://github.com/jordiprats/eyp-sysctl -s /tmp/puppet/modules/sysctl/examples/demo.pp
Checking Puppetfile syntax:
Syntax OK
Cleanup sysctl module
Notice: Preparing to uninstall 'eyp-sysctl' ...
Removed 'eyp-sysctl' (v0.3.7) from /tmp/puppet/modules
Installing puppet module using a Puppetfile
Installing dependencies
Dependencies installed
Warning: Undefined variable '::eyp_sysctl_net_bridge'; \n (file & line not available)
Notice: Compiled catalog for ip-172-31-20-15.eu-west-1.compute.internal in environment production in 0.12 seconds
Notice: Applied catalog in 0.04 seconds
```
Contributing
- Fork it
- Create your feature branch (`git checkout -b my-new-feature`)
- Commit your changes (`git commit -am 'Added some feature'`)
- Push to the branch (`git push origin my-new-feature`)
- Create new Pull Request
CHANGELOG
0.3.7
- added support for RHEL 8
0.3.6
- added IPv6 settings:
- ipv6_all_accept_redirects
- ipv6_default_accept_redirects
- ipv6_conf_all_accept_ra
- ipv6_conf_default_accept_ra
0.3.5
- added support for SLES 11.4
0.3.4
- added manage_config_file flag
0.3.3
- added support for SLES 11.3
0.3.2
- added support for SLES 12.3
0.3.1
- added support for Ubuntu 18.04
- execshield is no longer a sysctl kernel tuning option, starting with RHEL 7
- disable bridge netfilter options when br_bridge is not loaded
0.3.0
- changed bool2num to use eyp-lib's bool2number
- INCOMPATIBLE CHANGE: changed ipv4_all_rp_filter and ipv4_default_rp_filter from bool to int
0.2.19
- changed default randomize_va_space to 2 for CentOS 6
0.2.18
- bugfix sysctl::randomize_va_space can be set to 0, 1 and 2
0.2.16
- dirty hack to be able to disable a given sysctl setting already configured
0.2.15
- changed concat and exec name to use $name
0.2.14
- minor bugfix sysctl::set
0.2.12
- added order to sysctl::set: minimum value: 59, maximum value: 99
0.2.11
- ignore errors on sysctl.conf, for example:
```
[root@localhost ~]# sysctl -p >/dev/null
sysctl: cannot stat /proc/sys/kernel/exec-shield: No such file or directory
```
Dependencies
- puppetlabs/stdlib (>= 1.0.0 < 9.9.9)
- puppetlabs/concat (>= 1.2.3 < 9.9.9)
- eyp/eyplib (>= 0.1.5 < 0.2.0)