Memory limits #63

2025-06-06 15:13:56 +02:00 · 2016-08-22 23:01:43 +03:00 · 2016-08-22 23:01:43 +03:00 · 09c39627d9
commit 09c39627d9
parent c51fe5dac0
5 changed files with 23 additions and 8 deletions
--- a/config.cfg
+++ b/config.cfg
@ -7,12 +7,16 @@ easyrsa_cert_expire: 3650
 # If True re-init all existing certificates. (True or False)
 easyrsa_reinit_existent: False

+# Strongswan cgroup limitations
+ipsec_memory_limit: 67108864
+
 vpn_network: 10.19.48.0/24
 vpn_network_ipv6: 'fd9d:bc11:4020::/48'
 # https://www.sixxs.net/tools/whois/?fd9d:bc11:4020::/48
 server_name: "{{ ansible_ssh_host }}"
 IP_subject_alt_name: "{{ ansible_ssh_host }}"

+
 # Enable this variable if you want to use a local DNS resolver to block ads while surfing. (True or False)
 service_dns: True

--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -53,6 +53,7 @@
    - sendmail
    - unattended-upgrades
    - iptables-persistent
+    - cgroup-tools

 - name: Configure unattended-upgrades
  template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=0644
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@ -1,5 +1,5 @@
 - name: restart strongswan
-  service: name=strongswan state=restarted
+  systemd: name=strongswan state=restarted daemon_reload=yes

 - name: restart apparmor
  service: name=apparmor state=restarted
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@ -11,7 +11,7 @@
    - /usr/lib/ipsec/lookip
    - /usr/lib/ipsec/stroke
  notify:
-  - restart apparmor
+    - restart apparmor

 - name: Enable services
  service: name={{ item }} enabled=yes
@ -26,20 +26,28 @@
 - name: Ensure that the strongswan user exist
  user: name=strongswan group=strongswan state=present
  
+- name: Ensure that the strongswan service directory exist
+  file: path=/etc/systemd/system/strongswan.service.d/ state=directory mode=0755  owner=root group=root
+  
+- name: Setup the cgroup limitations for the ipsec daemon
+  template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf
+  notify:
+    - restart strongswan
+  
 - name: Setup the strongswan.conf file from our template
  template: src=strongswan.conf.j2 dest=/etc/strongswan.conf owner=root group=root mode=0644
  notify:
-  - restart strongswan  
+    - restart strongswan  

 - name: Setup the ipsec.conf file from our template
  template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=0644
  notify:
-  - restart strongswan
+    - restart strongswan

 - name: Setup the ipsec.secrets file
  template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=strongswan group=root mode=0600
  notify:
-  - restart strongswan
+    - restart strongswan

 - name: Fetch easy-rsa-ipsec from git
  git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git version=ed4de10d7ce0726357fb1bb4729f8eb440c06e2b dest="{{ easyrsa_dir }}"
@ -100,17 +108,17 @@
 - name: Copy the CA cert to the strongswan directory
  copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/ca.crt' dest=/etc/ipsec.d/cacerts/ca.crt owner=strongswan group=root mode=0600
  notify:
-  - restart strongswan
+    - restart strongswan

 - name: Copy the server cert to the strongswan directory
  copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ IP_subject_alt_name }}.crt' dest=/etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt owner=strongswan group=root mode=0600
  notify:
-  - restart strongswan
+    - restart strongswan

 - name: Copy the server key to the strongswan directory
  copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ IP_subject_alt_name }}.key' dest=/etc/ipsec.d/private/{{ IP_subject_alt_name }}.key owner=strongswan group=root mode=0600
  notify:
-  - restart strongswan
+    - restart strongswan

 - name: Register p12 PayloadContent
  shell: >
--- a/roles/vpn/templates/100-CustomLimitations.conf.j2
+++ b/roles/vpn/templates/100-CustomLimitations.conf.j2
@ -0,0 +1,2 @@
+[Service]
+MemoryLimit={{ ipsec_memory_limit }}