--- # Todo : selinux configuration - name: Confirm selinux deployed stat: path: /etc/selinux/config get_attributes: false get_checksum: false get_mime: false when: - ansible_os_family == "RedHat" - "'Amazon' not in ansible_distribution" register: slc - name: Set selinux policy ansible.posix.selinux: policy: targeted state: "{{ preinstall_selinux_state }}" when: - ansible_os_family == "RedHat" - "'Amazon' not in ansible_distribution" - slc.stat.exists tags: - bootstrap-os - name: Disable IPv6 DNS lookup lineinfile: dest: /etc/gai.conf line: "precedence ::ffff:0:0/96 100" state: present create: true backup: true mode: "0644" when: - disable_ipv6_dns - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"] tags: - bootstrap-os - name: Clean previously used sysctl file locations file: path: "/etc/sysctl.d/{{ item }}" state: absent with_items: - ipv4-ip_forward.conf - bridge-nf-call.conf - name: Stat sysctl file configuration stat: path: "{{ sysctl_file_path }}" get_attributes: false get_checksum: false get_mime: false register: sysctl_file_stat tags: - bootstrap-os - name: Change sysctl file path to link source if linked set_fact: sysctl_file_path: "{{ sysctl_file_stat.stat.lnk_source }}" when: - sysctl_file_stat.stat.islnk is defined - sysctl_file_stat.stat.islnk tags: - bootstrap-os - name: Make sure sysctl file path folder exists file: name: "{{ sysctl_file_path | dirname }}" state: directory mode: "0755" - name: Enable ip forwarding ansible.posix.sysctl: sysctl_file: "{{ sysctl_file_path }}" name: net.ipv4.ip_forward value: "1" state: present reload: true - name: Enable ipv6 forwarding ansible.posix.sysctl: sysctl_file: "{{ sysctl_file_path }}" name: net.ipv6.conf.all.forwarding value: "1" state: present reload: true when: enable_dual_stack_networks | bool - name: Check if we need to set fs.may_detach_mounts stat: path: /proc/sys/fs/may_detach_mounts get_attributes: false get_checksum: false get_mime: false register: fs_may_detach_mounts ignore_errors: true # noqa ignore-errors - name: Set fs.may_detach_mounts if needed ansible.posix.sysctl: sysctl_file: "{{ sysctl_file_path }}" name: fs.may_detach_mounts value: 1 state: present reload: true when: fs_may_detach_mounts.stat.exists | d(false) - name: Ensure kubelet expected parameters are set ansible.posix.sysctl: sysctl_file: "{{ sysctl_file_path }}" name: "{{ item.name }}" value: "{{ item.value }}" state: present reload: true with_items: - { name: kernel.keys.root_maxbytes, value: 25000000 } - { name: kernel.keys.root_maxkeys, value: 1000000 } - { name: kernel.panic, value: 10 } - { name: kernel.panic_on_oops, value: 1 } - { name: vm.overcommit_memory, value: 1 } - { name: vm.panic_on_oom, value: 0 } when: kubelet_protect_kernel_defaults | bool - name: Check dummy module community.general.modprobe: name: dummy state: present params: 'numdummies=0' when: enable_nodelocaldns - name: Set additional sysctl variables ansible.posix.sysctl: sysctl_file: "{{ sysctl_file_path }}" name: "{{ item.name }}" value: "{{ item.value }}" state: present reload: true with_items: "{{ additional_sysctl }}" - name: Disable fapolicyd service failed_when: false systemd_service: name: fapolicyd state: stopped enabled: false when: disable_fapolicyd