Ansible sysctl Module: Manage Kernel Parameters (Complete Guide)
By Luca Berton · Published 2024-01-01 · Category: troubleshooting
How to use Ansible sysctl module to set kernel parameters. Configure networking, memory, security settings. Persist changes in sysctl.conf with examples.
The ansible.builtin.sysctl module manages kernel parameters at runtime and persists them in a sysctl configuration file. This guide covers the common use cases with practical playbook examples.
See also: Ansible reboot Module: Restart Hosts and Wait for Recovery (Complete Guide)
Set a Kernel Parameter
```yaml
- name: Enable IP forwarding
  ansible.builtin.sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: true
    state: present
    reload: true
```
Network Performance Tuning
```yaml
- name: Optimize network parameters
  ansible.builtin.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_set: true
    state: present
    reload: true
  loop:
    - { name: 'net.core.somaxconn', value: '65535' }
    - { name: 'net.core.netdev_max_backlog', value: '65535' }
    - { name: 'net.ipv4.tcp_max_syn_backlog', value: '65535' }
    - { name: 'net.ipv4.tcp_tw_reuse', value: '1' }
    - { name: 'net.ipv4.tcp_fin_timeout', value: '15' }
```
See also: Configuring Kernel Parameters in RedHat-like Linux Systems with Ansible System Role
Security Hardening
```yaml
- name: Security kernel parameters
  ansible.builtin.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_set: true
    state: present
  loop:
    - { name: 'net.ipv4.conf.all.rp_filter', value: '1' }
    - { name: 'net.ipv4.conf.all.accept_redirects', value: '0' }
    - { name: 'net.ipv4.conf.all.send_redirects', value: '0' }
    - { name: 'net.ipv4.icmp_echo_ignore_broadcasts', value: '1' }
    - { name: 'kernel.randomize_va_space', value: '2' }
```
Memory Settings
```yaml
- name: Set VM swappiness
  ansible.builtin.sysctl:
    name: vm.swappiness
    value: '10'
    state: present
    reload: true

- name: Set max memory map count (for Elasticsearch)
  ansible.builtin.sysctl:
    name: vm.max_map_count
    value: '262144'
    state: present
```
See also: ansible.posix.sysctl Module: Set Kernel Parameters Persistently (Guide)
FAQ
How do I set kernel parameters in Ansible?
Use ansible.builtin.sysctl with name and value. Set sysctl_set: true to apply the value to the running kernel immediately, and state: present to persist it in /etc/sysctl.conf (or the file given by sysctl_file).
Are sysctl changes persistent across reboots?
Yes. With state: present the module writes the key to /etc/sysctl.conf (or the sysctl.d drop-in named in sysctl_file), which is read again at boot. reload: true (the default) re-reads that file after writing it; sysctl_set: true applies the value to the running kernel immediately.
Conclusion
The ansible.builtin.sysctl module is a versatile tool for managing kernel parameters at runtime. Use the examples above as starting points and adapt them to your infrastructure needs.
Related Articles
• Ansible Security Hardening Guide
• Ansible service Module
Module Parameters Reference
| Parameter | Required | Default | Description |
|---|---|---|---|
| name | Yes | — | The sysctl key name (e.g., net.ipv4.ip_forward) |
| value | No | — | Desired value of the sysctl key |
| state | No | present | present to set, absent to remove |
| sysctl_set | No | false | Apply the value with the sysctl command immediately |
| reload | No | true | Reload sysctl settings from the configured file |
| sysctl_file | No | /etc/sysctl.conf | Path to the sysctl.conf file to modify |
| ignoreerrors | No | false | Ignore errors about unknown sysctl keys |
Custom sysctl.d Configuration Files
Best practice is to use drop-in files instead of editing /etc/sysctl.conf directly:
```yaml
- name: Set parameters in custom file
  ansible.builtin.sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_file: /etc/sysctl.d/99-ansible-networking.conf
    sysctl_set: true
    state: present
    reload: true
```
Remove a Kernel Parameter
```yaml
- name: Remove custom sysctl setting
  ansible.builtin.sysctl:
    name: net.ipv4.ip_forward
    state: absent
    sysctl_file: /etc/sysctl.d/99-ansible-networking.conf
    reload: true
```
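One caveat worth knowing: state: absent only deletes the line from the file. The reload re-reads a file that no longer mentions the key, so the running kernel keeps the old value until the next reboot (and sysctl_set has no effect with state: absent). The play below is an added example, not code from the original article; it removes the entry and then puts the live value back explicitly, staying idempotent by checking the current value first. The drop-in path, the key and the default value '0' are this example's own assumptions, and it names the module by its collection FQCN, ansible.posix.sysctl, which ansible.builtin.sysctl resolves to.

```yaml
---
# Added example: remove a key from a drop-in AND reset the live kernel value.
# Assumptions (not from the article): the drop-in path, the key, and that '0'
# is the value you want the running kernel to return to.
- name: Remove IP forwarding from the drop-in and reset the live value
  hosts: all
  become: true
  vars:
    drop_in: /etc/sysctl.d/99-ansible-networking.conf
    key: net.ipv4.ip_forward
    default_value: '0'

  tasks:
    - name: Remove the entry from the drop-in file
      ansible.posix.sysctl:
        name: "{{ key }}"
        state: absent
        sysctl_file: "{{ drop_in }}"
        # Re-reads the file, which no longer lists the key, so the live value stays as it was.
        reload: true

    - name: Read the live value (runs even under --check, it is read-only)
      ansible.builtin.command: sysctl -n {{ key }}
      register: live
      changed_when: false
      check_mode: false

    - name: Reset the live value only if it still differs from the default
      ansible.builtin.command: sysctl -w {{ key }}={{ default_value }}
      when: (live.stdout | trim) != default_value
```

Running the play a second time reports no change: the file entry is already gone and the when condition on the last task is false.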
Complete Playbook: Server Hardening with sysctl
```yaml
---
- name: Harden Linux server kernel parameters
  hosts: all
  become: true
  vars:
    sysctl_config_file: /etc/sysctl.d/99-hardening.conf
    sysctl_params:
      # Network security
      - { name: 'net.ipv4.conf.all.rp_filter', value: '1' }
      - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
      - { name: 'net.ipv4.conf.all.accept_source_route', value: '0' }
      - { name: 'net.ipv4.conf.all.accept_redirects', value: '0' }
      - { name: 'net.ipv4.conf.all.send_redirects', value: '0' }
      - { name: 'net.ipv4.conf.all.log_martians', value: '1' }
      - { name: 'net.ipv4.icmp_echo_ignore_broadcasts', value: '1' }
      # Kernel security
      - { name: 'kernel.randomize_va_space', value: '2' }
      - { name: 'kernel.sysrq', value: '0' }
      - { name: 'kernel.core_uses_pid', value: '1' }
      - { name: 'kernel.dmesg_restrict', value: '1' }
      # IPv6 (disable if not needed)
      - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }
      - { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }

  tasks:
    - name: Apply kernel hardening parameters
      ansible.builtin.sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_file: "{{ sysctl_config_file }}"
        sysctl_set: true
        state: present
        reload: true
      loop: "{{ sysctl_params }}"

    - name: Verify IP forwarding is disabled
      ansible.builtin.command: sysctl net.ipv4.ip_forward
      register: ip_forward_check
      changed_when: false

    - name: Display result
      ansible.builtin.debug:
        msg: "{{ ip_forward_check.stdout }}"
```
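The playbook above verifies only one key, and with reload: true inside the loop the file is re-read once per item. The play below is an added example, not code from the original article: it writes the same kind of hardening list with a single reload through a handler, then reads every hardened key back with sysctl -n and fails the play on any key whose running value differs from policy, which turns the hardening play into a drift check as well. The drop-in path and the parameter list are this example's own choices, and it uses the collection FQCN ansible.posix.sysctl (the module ansible.builtin.sysctl resolves to).

```yaml
---
# Added example: apply hardening once, reload once, then audit the live kernel.
# Assumptions (not from the article): the drop-in path and this parameter list.
- name: Harden kernel parameters and audit the result
  hosts: all
  become: true
  vars:
    hardening_file: /etc/sysctl.d/99-hardening.conf
    hardening_params:
      - { name: 'net.ipv4.conf.all.rp_filter', value: '1' }
      - { name: 'net.ipv4.conf.all.accept_redirects', value: '0' }
      - { name: 'net.ipv4.conf.all.send_redirects', value: '0' }
      - { name: 'net.ipv4.conf.all.log_martians', value: '1' }
      - { name: 'kernel.randomize_va_space', value: '2' }
      - { name: 'kernel.dmesg_restrict', value: '1' }

  tasks:
    - name: Write hardening parameters to the drop-in and set them live
      ansible.posix.sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_file: "{{ hardening_file }}"
        sysctl_set: true
        state: present
        reload: false          # one reload at the end via the handler, not one per item
      loop: "{{ hardening_params }}"
      notify: Reload sysctl

    - name: Run the pending reload now so the audit sees the final state
      ansible.builtin.meta: flush_handlers

    - name: Read the live value of every hardened key (read-only, also under --check)
      ansible.builtin.command: sysctl -n {{ item.name }}
      loop: "{{ hardening_params }}"
      loop_control:
        label: "{{ item.name }}"
      register: live_values
      changed_when: false
      check_mode: false

    - name: Fail on any key whose running value differs from policy
      ansible.builtin.assert:
        that: (item.stdout | trim) == item.item.value
        fail_msg: "{{ item.item.name }} is {{ item.stdout | trim }}, expected {{ item.item.value }}"
        success_msg: "{{ item.item.name }} = {{ item.item.value }}"
      loop: "{{ live_values.results }}"
      loop_control:
        label: "{{ item.item.name }}"

  handlers:
    - name: Reload sysctl
      ansible.builtin.command: sysctl -p {{ hardening_file }}
      changed_when: true
```

Run it with ansible-playbook --check --diff to preview the file changes; because the read task is marked check_mode: false, the audit still runs, so a host that has not been hardened yet fails the assert and the run doubles as a compliance report without touching the kernel.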
How do I check the current value of a kernel parameter?
Use the ansible.builtin.command module with sysctl:
```yaml
- name: Check current value
  ansible.builtin.command: sysctl net.ipv4.ip_forward
  register: result
  changed_when: false

- name: Display
  ansible.builtin.debug:
    msg: "{{ result.stdout }}"
```
Can I use sysctl with check mode?
Yes. The ansible.builtin.sysctl module supports check mode (--check) and will report what would change without making modifications.