Memory limits #63

config.cfg

@@ -7,12 +7,16 @@ easyrsa_cert_expire: 3650
 # If True re-init all existing certificates. (True or False)
 easyrsa_reinit_existent: False
 
+# Strongswan cgroup limitations
+ipsec_memory_limit: 67108864
+
 vpn_network: 10.19.48.0/24
 vpn_network_ipv6: 'fd9d:bc11:4020::/48'
 # https://www.sixxs.net/tools/whois/?fd9d:bc11:4020::/48
 server_name: "{{ ansible_ssh_host }}"
 IP_subject_alt_name: "{{ ansible_ssh_host }}"
 
+
 # Enable this variable if you want to use a local DNS resolver to block ads while surfing. (True or False)
 service_dns: True
 

roles/common/tasks/main.yml

@@ -53,6 +53,7 @@
     - sendmail
     - unattended-upgrades
     - iptables-persistent
+    - cgroup-tools
 
 - name: Configure unattended-upgrades
   template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=0644

roles/vpn/handlers/main.yml

@@ -1,5 +1,5 @@
 - name: restart strongswan
-  service: name=strongswan state=restarted
+  systemd: name=strongswan state=restarted daemon_reload=yes
 
 - name: restart apparmor
   service: name=apparmor state=restarted

roles/vpn/tasks/main.yml

@@ -26,6 +26,14 @@
 - name: Ensure that the strongswan user exist
   user: name=strongswan group=strongswan state=present
   
+- name: Ensure that the strongswan service directory exist
+  file: path=/etc/systemd/system/strongswan.service.d/ state=directory mode=0755  owner=root group=root
+  
+- name: Setup the cgroup limitations for the ipsec daemon
+  template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf
+  notify:
+    - restart strongswan
+  
 - name: Setup the strongswan.conf file from our template
   template: src=strongswan.conf.j2 dest=/etc/strongswan.conf owner=root group=root mode=0644
   notify:

roles/vpn/templates/100-CustomLimitations.conf.j2

@@ -0,0 +1,2 @@
+[Service]
+MemoryLimit={{ ipsec_memory_limit }}