Add support to managing vm.swappiness, vm.overcommit_memory and transparent_hugepage
Luiz Thiago committed Apr 18, 2023
1 parent 145abdf commit 504bca0
Showing 2 changed files with 56 additions and 34 deletions.
44 changes: 27 additions & 17 deletions manifests/init.pp
Expand Up @@ -96,6 +96,10 @@

Optional[String] $shadow_group = undef,
Optional[String] $shadow_mode = undef,

Boolean $boot_without_password = true,
Boolean $enable_transparent_hugepage = false,
String $swappiness_value = '60',
) {

# Prepare
Expand Down Expand Up @@ -217,23 +221,25 @@

if $configure_sysctl {
class { 'os_hardening::sysctl':
enable_module_loading => $enable_module_loading,
load_modules => $load_modules,
cpu_vendor => $cpu_vendor,
icmp_ratelimit => $icmp_ratelimit,
desktop_enabled => $desktop_enabled,
enable_ipv4_forwarding => $enable_ipv4_forwarding,
manage_ipv6 => $manage_ipv6,
enable_ipv6 => $enable_ipv6,
enable_ipv6_forwarding => $enable_ipv6_forwarding,
arp_restricted => $arp_restricted,
arp_ignore_samenet => $arp_ignore_samenet,
enable_sysrq => $enable_sysrq,
enable_core_dump => $enable_core_dump,
enable_stack_protection => $enable_stack_protection,
enable_rpfilter => $enable_rpfilter,
rpfilter_loose => $rpfilter_loose,
enable_log_martians => $enable_log_martians,
enable_module_loading => $enable_module_loading,
load_modules => $load_modules,
cpu_vendor => $cpu_vendor,
icmp_ratelimit => $icmp_ratelimit,
desktop_enabled => $desktop_enabled,
enable_ipv4_forwarding => $enable_ipv4_forwarding,
manage_ipv6 => $manage_ipv6,
enable_ipv6 => $enable_ipv6,
enable_ipv6_forwarding => $enable_ipv6_forwarding,
arp_restricted => $arp_restricted,
arp_ignore_samenet => $arp_ignore_samenet,
enable_sysrq => $enable_sysrq,
enable_core_dump => $enable_core_dump,
enable_stack_protection => $enable_stack_protection,
enable_rpfilter => $enable_rpfilter,
rpfilter_loose => $rpfilter_loose,
enable_log_martians => $enable_log_martians,
enable_overcommit_memory => $enable_overcommit_memory,
swappiness_value => $swappiness_value,
}
}

Expand All @@ -253,4 +259,8 @@
class { 'os_hardening::umask':
system_umask => $system_umask,
}

class { 'os_hardening::kernel_options':
enable_transparent_hugepage => $enable_transparent_hugepage,
}
}
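Review bot: `$enable_overcommit_memory` is forwarded to `os_hardening::sysctl` on the new line `enable_overcommit_memory => $enable_overcommit_memory,`, but no parameter of that name is declared in the parameter list shown in the first hunk, which ends at `) {` right after the two other new parameters. Unless it is declared in a part of init.pp outside this view, the reference resolves to undef (and is a compile error with `strict_variables` enabled), so the wrapper class silently falls back to the sysctl class's own default and callers cannot turn the setting off from the top-level class. Add `Boolean $enable_overcommit_memory = true,` beside `String $swappiness_value = '60',` so the knob the class forwards is actually exposed. The enclosing `class os_hardening` header and the rest of its parameter list start before the first hunk.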
46 changes: 29 additions & 17 deletions manifests/sysctl.pp
Expand Up @@ -10,23 +10,25 @@
# Configures Kernel Parameters via sysctl
#
class os_hardening::sysctl (
Boolean $enable_module_loading = true,
Array $load_modules = [],
String $cpu_vendor = 'intel',
String $icmp_ratelimit = '100',
Boolean $desktop_enabled = false,
Boolean $enable_ipv4_forwarding = false,
Boolean $manage_ipv6 = true,
Boolean $enable_ipv6 = false,
Boolean $enable_ipv6_forwarding = false,
Boolean $arp_restricted = true,
Boolean $arp_ignore_samenet = false,
Boolean $enable_sysrq = false,
Boolean $enable_core_dump = false,
Boolean $enable_stack_protection = true,
Boolean $enable_rpfilter = true,
Boolean $rpfilter_loose = false,
Boolean $enable_log_martians = true,
Boolean $enable_module_loading = true,
Array $load_modules = [],
String $cpu_vendor = 'intel',
String $icmp_ratelimit = '100',
Boolean $desktop_enabled = false,
Boolean $enable_ipv4_forwarding = false,
Boolean $manage_ipv6 = true,
Boolean $enable_ipv6 = false,
Boolean $enable_ipv6_forwarding = false,
Boolean $arp_restricted = true,
Boolean $arp_ignore_samenet = false,
Boolean $enable_sysrq = false,
Boolean $enable_core_dump = false,
Boolean $enable_stack_protection = true,
Boolean $enable_rpfilter = true,
Boolean $rpfilter_loose = false,
Boolean $enable_log_martians = true,
Boolean $enable_overcommit_memory = true,
String $swappiness_value = '60',
) {

# set variables
Expand Down Expand Up @@ -236,5 +238,15 @@
}
}

# configure the memory overcommitment
# ** 0 ** - kernel attempts to estimate the amount of free memory left when userspace requests more memory.
# ** 1 ** - kernel pretends there is always enough memory until it actually runs out.
if $enable_overcommit_memory {
sysctl { 'vm.overcommit_memory': value => '1' }
} else {
sysctl { 'vm.overcommit_memory': value => '0' }
}

sysctl { 'vm.swappiness': value => String($swappiness_value) }
}
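Review bot: `$swappiness_value` is typed `String` and written to `vm.swappiness` on the last line without any range check, so a value such as `'200'` or `'abc'` passes catalog compilation and only fails when sysctl applies it; the `String(...)` cast there is a no-op on a value that is already a String. Typing it as `Integer[0,100] $swappiness_value = 60,` lets the compiler reject out-of-range input and gives the cast a purpose (the init.pp wrapper's parameter would need the same type). The comment above the overcommit block describes modes 0 and 1 but omits mode 2 (strict accounting, the conservative setting for a hardening module), which the Boolean cannot select; at minimum add `# mode 2 (never overcommit) is not selectable through this Boolean` so readers know the limitation, or model it as `Enum['0','1','2']` if changing the interface is acceptable. Note also that the default `true` applies mode 1 (always overcommit), which is looser than the kernel's own default of 0, so the default should be stated deliberately in the class docs.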
