Version information
released May 27th 2020
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >= 3.8.0
Start using this module
Add this module to your Puppetfile:
mod 'eyp-sysctl', '0.3.7'
Learn more about managing modules with a Puppetfile
Documentation
eyp/sysctl — version 0.3.7 May 27th 2020
sysctl
Overview
manages sysctl settings
Module Description
manages permanent and temporary (runtime-only) sysctl settings; does NOT use sysctl.d.
Setup
What sysctl affects
- /etc/sysctl.conf
Setup Requirements
This module requires pluginsync enabled
Beginning with sysctl
sysctl::set { 'vm.dirty_expire_centisecs':
  value => '500',
}
Usage
Temporary settings (will not be present in /etc/sysctl.conf):
class { 'sysctl': }
sysctl::set { 'vm.swappiness':
  value     => '69',
  permanent => false,
}
multi value usage:
# kernel.sem=250 32000 100 128
sysctl::set { 'kernel.sem':
  value => "250\t32000\t100\t128",
}
disable an already set value (useful in hiera setups):
---
sysctlset:
  'net.ipv4.conf.eno4.rp_filter':
    value: 2
    enable: false
Reference
classes
sysctl
- manage_service: determines whether Puppet manages sysctl reloads (default: true)
- manage_docker_service: sysctl reload will fail in a Docker container; setting this to false will not refresh changes (default: false)
- disable_ipv6: add the following sysctl settings to disable IPv6:
  - net.ipv6.conf.all.disable_ipv6 = 1
  - net.ipv6.conf.all.accept_redirects = 0
  - net.ipv6.conf.default.accept_redirects = 0
- disable_netfilter_on_bridges: (default: true)
  - net.bridge.bridge-nf-call-ip6tables = 0
  - net.bridge.bridge-nf-call-iptables = 0
  - net.bridge.bridge-nf-call-arptables = 0
- sysrq: (default: false)
- core_uses_pid: (default: true)
- ipv4_tcp_syncookies: (default: true)
- netfilter_on_bridges: (default: false)
- execshield: (default: true)
- randomize_va_space: (default: true)
- suid_dumpable: (default: false)
- shmall: (default: 4294967296)
- shmmax: (default: 68719476736)
- msgmax: (default: 65536)
- msgmnb: (default: 65536)
- ipv4_ip_forward: (default: false)
- ipv4_icmp_echo_ignore_broadcasts: (default: true)
- ipv4_icmp_ignore_bogus_error_responses: (default: true)
- ipv4_all_log_martians: (default: true)
- ipv4_default_log_martians: (default: true)
- ipv4_all_accept_source_route: (default: false)
- ipv4_default_accept_source_route: (default: false)
- ipv4_all_rp_filter: (default: true)
- ipv4_default_rp_filter: (default: true)
- ipv4_all_accept_redirects: (default: false)
- ipv4_default_accept_redirects: (default: false)
- ipv4_all_secure_redirects: (default: false)
- ipv4_default_secure_redirects: (default: false)
- ipv4_all_send_redirects: (default: false)
- ipv4_default_send_redirects: (default: false)
defines
sysctl::set
- setting: (default: name)
- value:
- permanent: if true, is added to /etc/sysctl.conf, otherwise it's set using sysctl -w (default: true)
- order: minimum value: 59, maximum value: 99 (default: 59)
- enable: enable or disable this setting, intended to be used in hiera based setups to be able to remove a given setting in a higher level (default: true)
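The reference above, applied as a hardening profile. This is an added example, not code from the module or its author: the class name profile::sysctl_hardening is hypothetical, the class parameters are the ones listed in the reference, and kernel.kptr_restrict and kernel.dmesg_restrict are standard Linux keys chosen for illustration.

```puppet
# Added example: hypothetical profile class, not shipped with eyp-sysctl.
class profile::sysctl_hardening {

  # Pin the network and core-dump related parameters from the reference
  # explicitly, so the catalog states the intended posture on its own.
  class { 'sysctl':
    sysrq                                  => false,
    suid_dumpable                          => false,
    ipv4_ip_forward                        => false,
    ipv4_tcp_syncookies                    => true,
    ipv4_icmp_echo_ignore_broadcasts       => true,
    ipv4_icmp_ignore_bogus_error_responses => true,
    ipv4_all_log_martians                  => true,
    ipv4_default_log_martians              => true,
    ipv4_all_accept_source_route           => false,
    ipv4_default_accept_source_route       => false,
    ipv4_all_accept_redirects              => false,
    ipv4_default_accept_redirects          => false,
    ipv4_all_secure_redirects              => false,
    ipv4_default_secure_redirects          => false,
    ipv4_all_send_redirects                => false,
    ipv4_default_send_redirects            => false,
  }

  # Keys with no class parameter go through sysctl::set. permanent => true
  # writes them to /etc/sysctl.conf, so they are applied again at boot.
  sysctl::set { 'kernel.kptr_restrict':
    value     => '1',
    permanent => true,
  }

  sysctl::set { 'kernel.dmesg_restrict':
    value     => '1',
    permanent => true,
  }

  # Runtime-only trial of a per-interface value: applied with sysctl -w and
  # never written to /etc/sysctl.conf. Not suitable for baseline settings.
  sysctl::set { 'net.ipv4.conf.eno4.rp_filter':
    value     => '1',
    permanent => false,
  }
}
```

Because the module does not use sysctl.d, files dropped under /etc/sysctl.d by packages or other tooling are outside its control and need a separate review.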
Limitations
Tested on:
- CentOS 5
- CentOS 6
- CentOS 7
- Ubuntu 14.04
Development
We are pushing to have acceptance testing in place, so any new feature should have some test to check both presence and absence of any feature
TODO
- Cleanup warning:
[root@ip-172-31-20-15 puppet-masterless]# ./localpuppetmaster.sh -d /tmp/puppet -r https://github.com/jordiprats/eyp-sysctl -s /tmp/puppet/modules/sysctl/examples/demo.pp
Checking Puppetfile syntax:
Syntax OK
Cleanup sysctl module
Notice: Preparing to uninstall 'eyp-sysctl' ...
Removed 'eyp-sysctl' (v0.3.7) from /tmp/puppet/modules
Installing puppet module using a Puppetfile
Installing dependencies
Dependencies installed
Warning: Undefined variable '::eyp_sysctl_net_bridge'; \n (file & line not available)
Notice: Compiled catalog for ip-172-31-20-15.eu-west-1.compute.internal in environment production in 0.12 seconds
Notice: Applied catalog in 0.04 seconds
Contributing
- Fork it
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Added some feature')
- Push to the branch (git push origin my-new-feature)
- Create new Pull Request
CHANGELOG
0.3.7
- added support for RHEL 8
0.3.6
- added IPv6 settings:
  - ipv6_all_accept_redirects
  - ipv6_default_accept_redirects
  - ipv6_conf_all_accept_ra
  - ipv6_conf_default_accept_ra
0.3.5
- added support for SLES 11.4
0.3.4
- added manage_config_file flag
0.3.3
- added support for SLES 11.3
0.3.2
- added support for SLES 12.3
0.3.1
- added support for Ubuntu 18.04
- execshield is no longer an option in sysctl for kernel tuning, starting RHEL7
- disable bridge netfilter options when br_bridge is not loaded
0.3.0
- changed bool2num to use eyp-lib's bool2number
- INCOMPATIBLE CHANGE: changed ipv4_all_rp_filter and ipv4_default_rp_filter from bool to int
0.2.19
- changed default randomize_va_space to 2 for CentOS 6
0.2.18
- bugfix sysctl::randomize_va_space can be set to 0, 1 and 2
0.2.16
- dirty hack to be able to disable a given sysctl setting already configured
0.2.15
- changed concat and exec name to use $name
0.2.14
- minor bugfix sysctl::set
0.2.12
- added order to sysctl::set: minimum value: 59, maximum value: 99
0.2.11
- ignore errors on sysctl.conf, for example:
[root@localhost ~]# sysctl -p >/dev/null
sysctl: cannot stat /proc/sys/kernel/exec-shield: No such file or directory
Dependencies
- puppetlabs/stdlib (>= 1.0.0 < 9.9.9)
- puppetlabs/concat (>= 1.2.3 < 9.9.9)
- eyp/eyplib (>= 0.1.5 < 0.2.0)