djpbessems/ClusterAPI.imageBuilder
1
0
Fork 0
Code Pull Requests Actions Packages Releases Activity
809574dcd2
ClusterAPI.imageBuilder/ansible/roles/node/tasks/main.yml
Danny Bessems f2b0a5e7c7
Some checks failed
continuous-integration/drone Build is failing
Details
Test dependencies
2023-02-22 21:24:42 +01:00

134 lines
3.8 KiB
YAML
Raw Blame History

# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- import_tasks: photon.yml
when: ansible_os_family == "VMware Photon OS"
- import_tasks: amazonLinux2.yml
when: ansible_distribution == "Amazon"
# This is required until https://github.com/ansible/ansible/issues/77537 is fixed and used.
- name: Override Flatcar's OS family
set_fact:
ansible_os_family: Flatcar
when: ansible_os_family == "Flatcar Container Linux by Kinvolk"
tags:
- facts
- name: Ensure overlay module is present
modprobe:
name: overlay
state: present
- name: Ensure br_netfilter module is present
modprobe:
name: br_netfilter
state: present
- name: Persist required kernel modules
copy:
content: |
overlay
br_netfilter
dest: /etc/modules-load.d/kubernetes.conf
mode: 0644
- name: Set and persist kernel params
sysctl:
name: "{{ item.param }}"
value: "{{ item.val }}"
state: present
sysctl_set: yes
sysctl_file: "{{ sysctl_conf_file }}"
reload: yes
loop:
- { param: net.bridge.bridge-nf-call-iptables, val: 1 }
- { param: net.bridge.bridge-nf-call-ip6tables, val: 1 }
- { param: net.ipv4.ip_forward, val: 1 }
- { param: net.ipv6.conf.all.forwarding, val: 1 }
- { param: net.ipv6.conf.all.disable_ipv6, val: 0 }
- { param: net.ipv4.tcp_congestion_control, val: bbr }
- { param: vm.overcommit_memory, val: 1 }
- { param: kernel.panic, val: 10 }
- { param: kernel.panic_on_oops, val: 1 }
- name: Disable swap memory
shell: |
swapoff -a
when: ansible_memory_mb.swap.total != 0
- name: Edit fstab file to disable swap
shell: sed -ri '/\sswap\s/s/^#?/#/' /etc/fstab
when: ansible_memory_mb.swap.total != 0
- name: Disable conntrackd service
systemd:
name: conntrackd
state: stopped
enabled: false
when: ansible_os_family != "Debian" and ansible_os_family != "Flatcar"
- name: Ensure auditd is running and comes on at reboot
service:
name: auditd
state: started
enabled: yes
- name: configure auditd rules for containerd
copy:
src: etc/audit/rules.d/containerd.rules
dest: /etc/audit/rules.d/containerd.rules
owner: root
group: root
mode: 0644
when: ansible_os_family != "Flatcar"
- name: configure auditd rules for containerd (Flatcar)
copy:
src: etc/audit/rules.d/containerd.rules-flatcar
dest: /etc/audit/rules.d/containerd.rules
owner: root
group: root
mode: 0644
when: ansible_os_family == "Flatcar"
- name: Ensure reverse packet filtering is set as strict
sysctl:
name: net.ipv4.conf.all.rp_filter
value: "1"
state: present
sysctl_set: yes
reload: yes
when: ansible_distribution == "Ubuntu"
- name: Set transparent huge pages to madvise
lineinfile:
path: /etc/default/grub
backrefs: yes
regexp: "^(?!.*transparent_hugepage=madvise)(GRUB_CMDLINE_LINUX=.*)(\"$)"
line: '\1 transparent_hugepage=madvise"'
when: ansible_os_family == "RedHat"
- name: Copy udev etcd network tuning rules
template:
src: etc/udev/rules.d/90-etcd-tuning.rules
dest: /etc/udev/rules.d/90-etcd-tuning.rules
mode: 0744
- name: Copy etcd network tuning script
copy:
src: usr/local/bin/etcd-network-tuning.sh
dest: "{{ external_binary_path }}/etcd-network-tuning.sh"
mode: 0755
View Git Blame Copy Permalink