ansible/users: Update email address for nicoo
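--- a/ansible/roles/base/tasks/06net.yml
+++ b/ansible/roles/base/tasks/06net.yml
@@ -1,14 +1,13 @@
 ---
-- name: Configure to load network-related kernel modules
+- name: Load the tcp_bbr kernel module
+ modprobe:
+ name: tcp_bbr
+
+- name: Persist the tcp_bbr module to configuration
 copy:
 dest: /etc/modules-load.d/local-network.conf
- content: '{{ network_modules | join("\n") }}'
+ content: tcp_bbr
-- name: Load network-related kernel modules
- modprobe:
- name: "{{ item }}"
- with_items: "{{ network_modules }}"
-
 - name: Set network-related sysctl options
 sysctl:
 sysctl_file: /etc/sysctl.d/local-network.conf
@@ -25,5 +24,10 @@
 # C.f. https://queue.acm.org/detail.cfm?id=3022184
 net.ipv4.tcp_congestion_control: bbr
+ # Disable Selective Acknowledgement (SACK)
+ # Workaround CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
+ # See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+ net.ipv4.tcp_sack: 0
+
 loop_control:
 label: "{{ item.key }}"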
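Review bot: The comment above `net.ipv4.tcp_sack: 0` in the second hunk lists CVE-2019-11479 as worked around, but as far as I recall the linked Netflix advisory offers disabling SACK only for CVE-2019-11477 and CVE-2019-11478. For CVE-2019-11479 it describes filtering connections with a low MSS (or a patched kernel), so hosts that receive only this sysctl would still be exposed to that issue. I would reword the comment to `# Workaround for CVE-2019-11477 and CVE-2019-11478; CVE-2019-11479 needs a low-MSS filter or a patched kernel`. I would also add `# TODO: re-enable SACK once all hosts run fixed kernels`, since turning SACK off costs throughput on lossy paths. The sysctl task's option dictionary starts outside this hunk, so I cannot see whether a low-MSS mitigation is applied elsewhere in the role.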