Optimize Kernel
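---
# Kernel tuning applied with the Ansible sysctl module. Every entry is
# persisted to /etc/sysctl.conf (state: present), applied immediately
# (sysctl_set) and the file is reloaded with `sysctl -p` afterwards.
#
# Ordering matters: changing net.ipv4.ip_forward resets the net.ipv4.conf.*
# parameters to their RFC1122 (host) / RFC1812 (router) defaults, and the
# router default for accept_source_route is "accept". The conf.* hardening
# entries therefore stay *after* ip_forward in this list and in the file.
#
# net.ipv4.tcp_tw_recycle was removed in Linux 4.12. A stale line for it in
# /etc/sysctl.conf makes every `sysctl -p` (and thus this task's reload) fail
# with "No such file or directory", so it is cleaned up first and only written
# on kernels that still have it (last task).
- name: Remove tcp_tw_recycle from sysctl.conf on kernels that no longer have it
  sysctl:
    name: net.ipv4.tcp_tw_recycle
    state: absent
    reload: false
  when: ansible_kernel is version('4.12', '>=')

- name: Optimize Kernel
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_set: true
    state: present
    reload: true
  with_items:
    # Append the PID to core-dump file names.
    - { name: 'kernel.core_uses_pid', value: '1' }
    # Disable the magic SysRq key (console-level reboot / process kill / memory dump).
    - { name: 'kernel.sysrq', value: '0' }
    # System V message queues: max bytes per queue / max bytes per message.
    - { name: 'kernel.msgmnb', value: '65536' }
    - { name: 'kernel.msgmax', value: '65536' }
    # Largest single shared-memory segment (bytes) and total shared memory (pages).
    - { name: 'kernel.shmmax', value: '68719476736' }
    - { name: 'kernel.shmall', value: '4294967296' }
    # Memory the kernel keeps free for atomic allocations (kB).
    - { name: 'vm.min_free_kbytes', value: '65535' }
    # swappiness=0: on kernels >= 3.5 this effectively means "do not swap anonymous
    # memory until nearly out of memory", not merely "prefer not to swap" - expect
    # OOM kills rather than swapping.
    - { name: 'vm.swappiness', value: '0' }
    # overcommit_memory=1 always grants allocations; an over-committed process is
    # later killed by the OOM killer instead of receiving ENOMEM. Presumably wanted
    # for a fork-heavy service (Redis documents this setting) - confirm per host.
    - { name: 'vm.overcommit_memory', value: '1' }
    # Disable IPv6 on every interface. Services that bind "::" may fail to start.
    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }
    - { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }
    - { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }
    # Ignore ICMP echo requests sent to broadcast addresses (smurf amplification).
    - { name: 'net.ipv4.icmp_echo_ignore_broadcasts', value: '1' }
    # Silently drop bogus ICMP error responses instead of logging them.
    - { name: 'net.ipv4.icmp_ignore_bogus_error_responses', value: '1' }
    # Enable IP forwarding. Only routers, NAT gateways and container/VM hosts need
    # this; on a plain server keep it 0 so the box cannot relay traffic for others.
    # NOTE(review): confirm this host actually routes. See the ordering note at
    # the top - enabling this resets the net.ipv4.conf.* values set below.
    - { name: 'net.ipv4.ip_forward', value: '1' }
    # Accept-queue cap per listening socket (listen() backlog is clamped to this).
    - { name: 'net.core.somaxconn', value: '32768' }
    # Packets queued per interface when input arrives faster than the kernel drains it.
    - { name: 'net.core.netdev_max_backlog', value: '32768' }
    # Half-open (SYN_RECV) connections remembered per listener.
    - { name: 'net.ipv4.tcp_max_syn_backlog', value: '4096' }
    # TCP timestamps (RFC 7323); required for PAWS and for tcp_tw_reuse below.
    - { name: 'net.ipv4.tcp_timestamps', value: '1' }
    # SYN cookies once the SYN backlog overflows (SYN-flood protection).
    - { name: 'net.ipv4.tcp_syncookies', value: '1' }
    # Cap on orphaned (closed, not yet freed) sockets; bounds memory under a simple DoS.
    - { name: 'net.ipv4.tcp_max_orphans', value: '3276800' }
    # Cap on TIME_WAIT sockets. Above it the kernel destroys TIME_WAIT entries and
    # logs "time wait bucket table overflow". 6000 is far below the memory-scaled
    # kernel default and trades TIME_WAIT protection for memory on a busy server.
    - { name: 'net.ipv4.tcp_max_tw_buckets', value: '6000' }
    # Selective ACK: the peer reports exactly which segments were lost.
    - { name: 'net.ipv4.tcp_sack', value: '1' }
    # Window scaling, needed for receive windows above 64 KiB.
    - { name: 'net.ipv4.tcp_window_scaling', value: '1' }
    # Socket buffers (bytes): default / max for all protocols, then the
    # TCP min / default / max autotuning bounds.
    - { name: 'net.core.wmem_default', value: '8388608' }
    - { name: 'net.core.rmem_default', value: '8388608' }
    - { name: 'net.core.rmem_max', value: '16777216' }
    - { name: 'net.core.wmem_max', value: '16777216' }
    - { name: 'net.ipv4.tcp_rmem', value: '4096 87380 4194304' }
    - { name: 'net.ipv4.tcp_wmem', value: '4096 16384 4194304' }
    # Do not cache per-destination metrics from closed connections.
    - { name: 'net.ipv4.tcp_no_metrics_save', value: '1' }
    # SYN / SYN-ACK retransmissions before giving up. One retry means an outgoing
    # connect() fails after roughly 3 s and a slow client's handshake is dropped
    # just as fast - aggressive on lossy links.
    - { name: 'net.ipv4.tcp_syn_retries', value: '1' }
    - { name: 'net.ipv4.tcp_synack_retries', value: '1' }
    # Reuse TIME_WAIT sockets for new outgoing connections (safe with timestamps on).
    - { name: 'net.ipv4.tcp_tw_reuse', value: '1' }
    # Seconds a locally closed socket stays in FIN_WAIT_2.
    - { name: 'net.ipv4.tcp_fin_timeout', value: '30' }
    # Keepalive: first probe after 300 s idle (default 7200 s), give up after 3 failed probes.
    - { name: 'net.ipv4.tcp_keepalive_time', value: '300' }
    - { name: 'net.ipv4.tcp_keepalive_probes', value: '3' }
    # Retries before an orphaned socket is dropped.
    - { name: 'net.ipv4.tcp_orphan_retries', value: '3' }
    # Reject source-routed packets. "default" only seeds interfaces created later;
    # "all" is the value that actually gates acceptance, and the kernel turns it
    # back on when forwarding is enabled - so set both, after ip_forward.
    - { name: 'net.ipv4.conf.all.accept_source_route', value: '0' }
    - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
    # Seconds before a neighbour (ARP) entry is considered stale and re-resolved (default 60).
    - { name: 'net.ipv4.neigh.default.gc_stale_time', value: '120' }
    # rp_filter=0 turns reverse-path (anti-spoofing) filtering OFF. Together with
    # ip_forward=1 the host will forward packets with spoofed source addresses.
    # Presumably needed for asymmetric routing or an LVS/keepalived VIP setup
    # (arp_announce=2 below hints at that); otherwise use 1 (strict) or 2 (loose).
    - { name: 'net.ipv4.conf.all.rp_filter', value: '0' }
    - { name: 'net.ipv4.conf.default.rp_filter', value: '0' }
    # arp_announce=2: always advertise the best local address for the target
    # subnet, never a VIP bound elsewhere (typical for LVS-DR / keepalived).
    - { name: 'net.ipv4.conf.default.arp_announce', value: '2' }
    - { name: 'net.ipv4.conf.lo.arp_announce', value: '2' }
    - { name: 'net.ipv4.conf.all.arp_announce', value: '2' }

# TIME_WAIT recycling stays OFF (0): with tcp_timestamps enabled it drops
# connections from clients behind NAT. Only written on kernels that still expose
# the key; on 4.12+ the sysctl module would fail on the missing /proc entry.
- name: Disable TCP TIME_WAIT recycling (pre-4.12 kernels only)
  sysctl:
    name: net.ipv4.tcp_tw_recycle
    value: '0'
    sysctl_set: true
    state: present
    reload: true
  when: ansible_kernel is version('4.12', '<')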
limit
---
# Raise per-user resource limits through pam_limits. The '*' domain covers every
# login except root (limits.conf(5): wildcard and group entries never apply to
# root). Files under /etc/security/limits.d/ are read after limits.conf and
# override it, which is presumably why nproc is written to 90-nproc.conf as
# well (RHEL 6 ships a low per-user nproc cap there).
#
# NOTE(review): an nproc of 102400 / 262144 for '*' removes most of the
# fork-bomb containment a per-user process cap provides; scope the domain to
# the service account if the wildcard is not actually required. The hard nofile
# value must stay at or below fs.nr_open (default 1048576) or logins will fail.
- name: Set Sysctl File Limits
  pam_limits:
    dest: "{{ item.dest }}"
    domain: '*'
    limit_type: "{{ item.limit_type }}"
    limit_item: "{{ item.limit_item }}"
    value: "{{ item.value }}"
  with_items:
    # Open file descriptors per process.
    - dest: /etc/security/limits.conf
      limit_type: soft
      limit_item: nofile
      value: '655350'
    - dest: /etc/security/limits.conf
      limit_type: hard
      limit_item: nofile
      value: '655350'
    # Processes (threads) per user.
    - dest: /etc/security/limits.conf
      limit_type: soft
      limit_item: nproc
      value: '102400'
    - dest: /etc/security/limits.conf
      limit_type: hard
      limit_item: nproc
      value: '102400'
    # Pending signals per user.
    - dest: /etc/security/limits.conf
      limit_type: soft
      limit_item: sigpending
      value: '255377'
    - dest: /etc/security/limits.conf
      limit_type: hard
      limit_item: sigpending
      value: '255377'
    # Override the distribution's drop-in, which would otherwise win over limits.conf.
    - dest: /etc/security/limits.d/90-nproc.conf
      limit_type: soft
      limit_item: nproc
      value: '262144'
    - dest: /etc/security/limits.d/90-nproc.conf
      limit_type: hard
      limit_item: nproc
      value: '262144'