06/14/2020 – 一江春水向东流

未分类

ansible sysctl模块使用

修改系统内核参数,可以使用ansible sysctl模块来做批量修改:

- hosts: test
  gather_facts: false
  vars:
    pana_sys_ctl:
      net.bridge.bridge-nf-call-ip6tables: 1
      net.bridge.bridge-nf-call-iptables: 1
      net.ipv4.ip_forward: 1
      net.ipv4.conf.all.forwarding: 1
      net.ipv4.neigh.default.gc_thresh1: 4096
      net.ipv4.neigh.default.gc_thresh2: 6144
      net.ipv4.neigh.default.gc_thresh3: 8192
      net.ipv4.neigh.default.gc_interval: 60
      net.ipv4.neigh.default.gc_stale_time: 120

      # 参考 https://github.com/prometheus/node_exporter#disabled-by-default
      kernel.perf_event_paranoid: -1

      #sysctls for k8s node config
      net.ipv4.tcp_slow_start_after_idle: 0
      net.core.rmem_max: 16777216
      fs.inotify.max_user_watches: 524288
      kernel.softlockup_all_cpu_backtrace: 1

      kernel.softlockup_panic: 0

      kernel.watchdog_thresh: 30
      fs.file-max: 2097152
      fs.inotify.max_user_instances: 8192
      fs.inotify.max_queued_events: 16384
      vm.max_map_count: 262144
      fs.may_detach_mounts: 1
      net.core.netdev_max_backlog: 16384
      net.ipv4.tcp_wmem: 4096 12582912 16777216
      net.core.wmem_max: 16777216
      net.core.somaxconn: 32768
      net.ipv4.ip_forward: 1
      net.ipv4.tcp_max_syn_backlog: 8096
      net.ipv4.tcp_rmem: 4096 12582912 16777216

      net.ipv6.conf.all.disable_ipv6: 1
      net.ipv6.conf.default.disable_ipv6: 1
      net.ipv6.conf.lo.disable_ipv6: 1

      kernel.yama.ptrace_scope: 0
      vm.swappiness: 0

      # 可以控制core文件的文件名中是否添加pid作为扩展。
      kernel.core_uses_pid: 1

      # Do not accept source routing
      net.ipv4.conf.default.accept_source_route: 0
      net.ipv4.conf.all.accept_source_route: 0

      # Promote secondary addresses when the primary address is removed
      net.ipv4.conf.default.promote_secondaries: 1
      net.ipv4.conf.all.promote_secondaries: 1

      # Enable hard and soft link protection
      fs.protected_hardlinks: 1
      fs.protected_symlinks: 1

      # 源路由验证
      # see details in https://help.aliyun.com/knowledge_detail/39428.html
      net.ipv4.conf.all.rp_filter: 0
      net.ipv4.conf.default.rp_filter: 0
      net.ipv4.conf.default.arp_announce :  2
      net.ipv4.conf.lo.arp_announce: 2
      net.ipv4.conf.all.arp_announce: 2

      # see details in https://help.aliyun.com/knowledge_detail/41334.html
      net.ipv4.tcp_max_tw_buckets: 5000
      net.ipv4.tcp_syncookies: 1
      net.ipv4.tcp_fin_timeout: 30
      net.ipv4.tcp_synack_retries: 2
      kernel.sysrq: 1

  tasks:
    - sysctl:
        name: "{{ item[0] }}"
        value: "{{ item[1] }}"
        state: present
        sysctl_set: yes
        reload: yes
      with_items:
        - "{{ pana_sys_ctl|dictsort }}"

- hosts: test

gather_facts: false

vars:

pana_sys_ctl:

net.bridge.bridge-nf-call-ip6tables: 1

net.bridge.bridge-nf-call-iptables: 1

net.ipv4.ip_forward: 1

net.ipv4.conf.all.forwarding: 1

net.ipv4.neigh.default.gc_thresh1: 4096

net.ipv4.neigh.default.gc_thresh2: 6144

net.ipv4.neigh.default.gc_thresh3: 8192

net.ipv4.neigh.default.gc_interval: 60

net.ipv4.neigh.default.gc_stale_time: 120

# 参考 https://github.com/prometheus/node_exporter#disabled-by-default

kernel.perf_event_paranoid: -1

#sysctls for k8s node config

net.ipv4.tcp_slow_start_after_idle: 0

net.core.rmem_max: 16777216

fs.inotify.max_user_watches: 524288

kernel.softlockup_all_cpu_backtrace: 1

kernel.softlockup_panic: 0

kernel.watchdog_thresh: 30

fs.file-max: 2097152

fs.inotify.max_user_instances: 8192

fs.inotify.max_queued_events: 16384

vm.max_map_count: 262144

fs.may_detach_mounts: 1

net.core.netdev_max_backlog: 16384

net.ipv4.tcp_wmem: 4096 12582912 16777216

net.core.wmem_max: 16777216

net.core.somaxconn: 32768

net.ipv4.ip_forward: 1

net.ipv4.tcp_max_syn_backlog: 8096

net.ipv4.tcp_rmem: 4096 12582912 16777216

net.ipv6.conf.all.disable_ipv6: 1

net.ipv6.conf.default.disable_ipv6: 1

net.ipv6.conf.lo.disable_ipv6: 1

kernel.yama.ptrace_scope: 0

vm.swappiness: 0

# 可以控制core文件的文件名中是否添加pid作为扩展。

kernel.core_uses_pid: 1

# Do not accept source routing

net.ipv4.conf.default.accept_source_route: 0

net.ipv4.conf.all.accept_source_route: 0

# Promote secondary addresses when the primary address is removed

net.ipv4.conf.default.promote_secondaries: 1

net.ipv4.conf.all.promote_secondaries: 1

# Enable hard and soft link protection

fs.protected_hardlinks: 1

fs.protected_symlinks: 1

# 源路由验证

# see details in https://help.aliyun.com/knowledge_detail/39428.html

net.ipv4.conf.all.rp_filter: 0

net.ipv4.conf.default.rp_filter: 0

net.ipv4.conf.default.arp_announce : 2

net.ipv4.conf.lo.arp_announce: 2

net.ipv4.conf.all.arp_announce: 2

# see details in https://help.aliyun.com/knowledge_detail/41334.html

net.ipv4.tcp_max_tw_buckets: 5000

net.ipv4.tcp_syncookies: 1

net.ipv4.tcp_fin_timeout: 30

net.ipv4.tcp_synack_retries: 2

kernel.sysrq: 1

tasks:

- sysctl:

name: "{{ item[0] }}"

value: "{{ item[1] }}"

state: present

sysctl_set: yes

reload: yes

with_items:

- "{{ pana_sys_ctl|dictsort }}"

测试发现, 运行很慢, 基本一条一秒, 要是这样, 还不如直接拷贝过去算了, 此模块适合修改条目比较少的选项

By sean, 5 years06/14/2020 ago

June 14, 2020

未分类

ansible sysctl模块使用