From 19797bc020074022d494fdd0af7a738f108eb8db Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 23 Aug 2016 16:10:42 +0300 Subject: [PATCH] CPU and memory limitations of the services #63 --- config.cfg | 3 --- roles/dns_adblocking/tasks/main.yml | 11 ++++++++++ .../templates/100-CustomLimitations.conf.j2 | 4 ++++ roles/proxy/handlers/main.yml | 3 +++ roles/proxy/tasks/main.yml | 22 +++++++++++++++++++ .../apache2_100-CustomLimitations.conf.j2 | 4 ++++ .../privoxy_100-CustomLimitations.conf.j2 | 4 ++++ roles/vpn/tasks/main.yml | 2 ++ .../templates/100-CustomLimitations.conf.j2 | 2 +- 9 files changed, 51 insertions(+), 4 deletions(-) create mode 100644 roles/dns_adblocking/templates/100-CustomLimitations.conf.j2 create mode 100644 roles/proxy/templates/apache2_100-CustomLimitations.conf.j2 create mode 100644 roles/proxy/templates/privoxy_100-CustomLimitations.conf.j2 diff --git a/config.cfg b/config.cfg index e380970..7f52270 100644 --- a/config.cfg +++ b/config.cfg @@ -7,9 +7,6 @@ easyrsa_cert_expire: 3650 # If True re-init all existing certificates. (True or False) easyrsa_reinit_existent: False -# Strongswan cgroup limitations -ipsec_memory_limit: 67108864 - vpn_network: 10.19.48.0/24 vpn_network_ipv6: 'fd9d:bc11:4020::/48' # https://www.sixxs.net/tools/whois/?fd9d:bc11:4020::/48 diff --git a/roles/dns_adblocking/tasks/main.yml b/roles/dns_adblocking/tasks/main.yml index a74e455..df0fc37 100644 --- a/roles/dns_adblocking/tasks/main.yml +++ b/roles/dns_adblocking/tasks/main.yml 
@@ -15,6 +15,17 @@ - name: Enforce the dnsmasq AppArmor policy shell: aa-enforce usr.sbin.dnsmasq +- name: Ensure that the dnsmasq service directory exist + file: path=/etc/systemd/system/dnsmasq.service.d/ state=directory mode=0755 owner=root group=root + +- name: Setup the cgroup limitations for the ipsec daemon + template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf + notify: + - daemon-reload + - restart dnsmasq + +- meta: flush_handlers + - name: Dnsmasq configured template: src=dnsmasq.conf.j2 dest=/etc/dnsmasq.conf notify: diff --git a/roles/dns_adblocking/templates/100-CustomLimitations.conf.j2 b/roles/dns_adblocking/templates/100-CustomLimitations.conf.j2 new file mode 100644 index 0000000..98cbbdd --- /dev/null +++ b/roles/dns_adblocking/templates/100-CustomLimitations.conf.j2 @@ -0,0 +1,4 @@ +[Service] +MemoryLimit=16777216 +CPUAccounting=true +CPUQuota=5% diff --git a/roles/proxy/handlers/main.yml b/roles/proxy/handlers/main.yml index 269a0ff..bea23c7 100644 --- a/roles/proxy/handlers/main.yml +++ b/roles/proxy/handlers/main.yml @@ -1,5 +1,8 @@ - name: restart privoxy service: name=privoxy state=restarted + +- name: daemon-reload + shell: systemctl daemon-reload - name: restart apparmor service: name=apparmor state=restarted diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml index e45124c..1157a97 100644 --- a/roles/proxy/tasks/main.yml +++ b/roles/proxy/tasks/main.yml 
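Review bot: The task that writes /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf is named "Setup the cgroup limitations for the ipsec daemon", which looks copied from the vpn role; rename it `- name: Setup the cgroup limitations for the dnsmasq daemon` so play output does not point an operator at the wrong service. The same task notifies `daemon-reload`, but this commit adds that handler only to roles/proxy/handlers/main.yml and touches nothing under roles/dns_adblocking/handlers, so the name resolves only when another role in the same play happens to define it; adding `- name: daemon-reload` with `command: systemctl daemon-reload` to this role's handlers would remove that dependency. The `- meta: flush_handlers` also fires `restart dnsmasq` before dnsmasq.conf is templated in the following task, so dnsmasq is restarted twice per run; harmless as far as the hunk shows, but worth a one-line comment if it is intentional.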
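Review bot: `MemoryLimit=16777216` is a hard ceiling: systemd.resource-control documents that when usage cannot be kept under MemoryLimit= the OOM killer is invoked inside the unit, and neither this drop-in nor the visible tasks set a restart policy, so a dnsmasq memory spike would leave VPN clients without DNS until the next Ansible run. Whether 16 MiB is enough depends on the size of the blocklist this role feeds dnsmasq, which is not visible here; it should be checked against the resident size on a host with the full list loaded rather than assumed. Adding `Restart=on-failure` under `[Service]` (unless the packaged unit already sets one) turns an OOM kill into a brief blip instead of an outage, and a comment such as `# 16 MiB: sized for dnsmasq with the adblock hosts file loaded; revisit if the list grows` would record how the number was chosen.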
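Review bot: The new `daemon-reload` handler is defined after `restart privoxy`, and Ansible runs notified handlers in the order they are defined in the handlers file, not the order given in `notify`; when the privoxy drop-in task notifies both and then flushes, privoxy is restarted before systemd re-reads the unit and the new limits do not apply to that restart. Moving the `daemon-reload` handler to the top of roles/proxy/handlers/main.yml makes it run ahead of every restart handler that depends on it. Since no shell features are used, `command: systemctl daemon-reload` is the better module than `shell:` here.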
@@ -16,6 +16,17 @@ - name: Enforce the privoxy AppArmor policy shell: aa-enforce usr.sbin.privoxy + +- name: Ensure that the privoxy service directory exist + file: path=/etc/systemd/system/privoxy.service.d/ state=directory mode=0755 owner=root group=root + +- name: Setup the cgroup limitations for the privoxy daemon + template: src=privoxy_100-CustomLimitations.conf.j2 dest=/etc/systemd/system/privoxy.service.d/100-CustomLimitations.conf + notify: + - daemon-reload + - restart privoxy + +- meta: flush_handlers - name: Privoxy enabled and started service: name=privoxy state=started enabled=yes @@ -59,3 +70,14 @@ template: src=ports.conf.j2 dest=/etc/apache2/ports.conf notify: - restart apache2 + +- name: Ensure that the apache2 service directory exist + file: path=/etc/systemd/system/apache2.service.d/ state=directory mode=0755 owner=root group=root + +- name: Setup the cgroup limitations for the apache2 daemon + template: src=apache2_100-CustomLimitations.conf.j2 dest=/etc/systemd/system/apache2.service.d/100-CustomLimitations.conf + notify: + - daemon-reload + - restart apache2 + +- meta: flush_handlers diff --git a/roles/proxy/templates/apache2_100-CustomLimitations.conf.j2 b/roles/proxy/templates/apache2_100-CustomLimitations.conf.j2 new file mode 100644 index 0000000..5e9774e --- /dev/null +++ b/roles/proxy/templates/apache2_100-CustomLimitations.conf.j2 @@ -0,0 +1,4 @@ +[Service] +MemoryLimit=134217728 +CPUAccounting=true +CPUQuota=15% diff --git a/roles/proxy/templates/privoxy_100-CustomLimitations.conf.j2 b/roles/proxy/templates/privoxy_100-CustomLimitations.conf.j2 new file mode 100644 index 0000000..cd9b628 --- /dev/null +++ b/roles/proxy/templates/privoxy_100-CustomLimitations.conf.j2 @@ -0,0 +1,4 @@ +[Service] +MemoryLimit=33554432 +CPUAccounting=true +CPUQuota=15% diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 0dd10ea..1592db4 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml 
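Review bot: The two `template:` tasks that write the privoxy and apache2 drop-ins set no owner, group or mode, unlike the strongswan.conf task in roles/vpn/tasks/main.yml in this same patch (`owner=root group=root mode=0644`); these files set resource policy for system services, so make them explicit, e.g. `template: src=privoxy_100-CustomLimitations.conf.j2 dest=/etc/systemd/system/privoxy.service.d/100-CustomLimitations.conf owner=root group=root mode=0644`, and likewise for the apache2 task. The task titles also read "service directory exist"; `exists` is the intended wording. The first hunk's `- meta: flush_handlers` runs `restart privoxy` before the following "Privoxy enabled and started" task, which is fine as long as the handler-definition order puts `daemon-reload` first; see the handlers file.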
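Review bot: `CPUQuota=15%` is relative to a single CPU (systemd documents `CPUQuota=20%` as never more than 20% of one CPU), so on a multi-core host privoxy, which presumably carries every client's HTTP traffic through this proxy, is confined to a small fraction of one core regardless of machine size; the same applies to the apache2 drop-in above. If the intent is to stop a runaway process rather than to cap normal throughput, a comment stating that and the host size the value was tuned on would help, e.g. `# 15% of one CPU: a runaway guard, not a throughput target; measured on a 1-vCPU droplet`. As with the other drop-ins, `MemoryLimit=` invokes the OOM killer inside the unit when exceeded, so a `Restart=on-failure` line here is worth considering unless the packaged unit already has one.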
@@ -34,6 +34,8 @@ notify: - daemon-reload - restart strongswan + +- meta: flush_handlers - name: Setup the strongswan.conf file from our template template: src=strongswan.conf.j2 dest=/etc/strongswan.conf owner=root group=root mode=0644 diff --git a/roles/vpn/templates/100-CustomLimitations.conf.j2 b/roles/vpn/templates/100-CustomLimitations.conf.j2 index b855e4e..d7430af 100644 --- a/roles/vpn/templates/100-CustomLimitations.conf.j2 +++ b/roles/vpn/templates/100-CustomLimitations.conf.j2 @@ -1,2 +1,2 @@ [Service] -MemoryLimit={{ ipsec_memory_limit }} +MemoryLimit=16777216
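Review bot: `MemoryLimit=16777216` replaces the `ipsec_memory_limit` variable that config.cfg loses in this same commit and also lowers the cap from 64 MiB to 16 MiB with no sizing rationale in the commit message; the IKE daemon's footprint presumably grows with the number of connected clients, so the new value should be measured under the expected client count rather than assumed, since exceeding it means an OOM kill of the VPN daemon. Keeping the knob as a role default, `MemoryLimit={{ ipsec_memory_limit | default(16777216) }}`, preserves the operator override without reintroducing it in config.cfg. A short comment in the template recording how the value was chosen would help whoever has to raise it later.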