guidugli.kernel_config
Ansible Role: kernel_config
This is an Ansible Role that installs and sets up sysctl on RHEL/CentOS, Fedora, and Debian/Ubuntu systems. It can also disable certain kernel modules, blacklist them, or set them to start automatically. Additionally, it can set UDEV rules for power management.
IMPORTANT: Disabling kernel modules or changing device sleep settings (udev settings) might affect how the system operates and could require system recovery (like logging in as a single user or using a live boot).
Requirements
This role works on physical machines or virtual machines. It might not function properly on containerized systems.
Role Variables
Below are the available variables and their default values (see defaults/main.yml):
kernel_disable_modules: List of kernel modules to disable. Adding
usb-storagehere will make all USB storage devices stop working. It's better to use USBGuard. The default values are fine for most systems. Change this list if your system needs some of these modules.kernel_blacklist_modules: List of kernel modules to blacklist. As with the previous list, the default values work for most systems. You can change this if needed.
#kernel_autostart_modules: List of modules to start automatically.
kernel_sysctl: A list of sysctl parameters to set on the system. The default settings are suitable for systems that are not routers or using IPv6. Update these settings if necessary.
kernel_sysctl_flush_network_routes: If set to yes, this will refresh network routes.
#kernel_udev_sata_link_power_mgmt: Configure SATA link power management policy. Options include min_power, max_performance, medium_power, or med_power_with_dipm.
#kernel_udev_autosuspend_ahci_devices: Enable autosuspend for AHCI controllers and ATA devices.
#kernel_udev_disable_bluetooth: Disable Bluetooth if set to yes.
#kernel_udev_disable_wake_on_lan: Disable wake on LAN if set to yes.
#kernel_udev_usb_autosuspend_devices: List of USB devices to autosuspend.
#kernel_udev_pci_autosuspend_devices: List of PCI devices to autosuspend.
#kernel_udev_enable_wlan_powersave: Enable power saving mode for wireless LAN?
The following variables do not need to be changed for targeted systems (see vars/main.yml):
- kernel_udev_reload_cmd: Command to reload udev rules.
Dependencies
None.
Example Playbook
- hosts: servers
vars:
kernel_disable_modules: ['cramfs', 'freevxfs', 'jjfs2', 'hfs', 'hfsplus', 'udf', 'vfat', 'squashfs']
kernel_blacklist_modules: ['radeon', 'amdgpu']
kernel_sysctl:
- { name: net.ipv4.conf.all.forwarding, value: "0" }
- { name: net.ipv4.conf.all.send_redirects, value: "0" }
- { name: net.ipv4.conf.default.send_redirects, value: "0" }
- { name: net.ipv4.conf.all.accept_source_route, value: "0" }
- { name: net.ipv4.conf.default.accept_source_route, value: "0" }
- { name: net.ipv4.conf.all.accept_redirects, value: "0" }
- { name: net.ipv4.conf.default.accept_redirects, value: "0" }
- { name: net.ipv4.conf.all.secure_redirects, value: "0" }
- { name: net.ipv4.conf.default.secure_redirects, value: "0" }
- { name: net.ipv4.conf.all.log_martians, value: "1" }
- { name: net.ipv4.conf.default.log_martians, value: "1" }
- { name: net.ipv4.icmp_echo_ignore_broadcasts, value: "1" }
- { name: net.ipv4.icmp_ignore_bogus_error_responses, value: "1" }
- { name: net.ipv4.conf.all.rp_filter, value: "1" }
- { name: net.ipv4.conf.default.rp_filter, value: "1" }
- { name: net.ipv4.tcp_syncookies, value: "1" }
kernel_sysctl_flush_network_routes: yes
roles:
- { role: guidugli.kernel_config }
License
MIT / BSD
Author Information
This role was created in 2020 by Carlos Guidugli.
Disable kernel modules and configure sysctl settings on linux
ansible-galaxy install guidugli.kernel_config