From: David Galloway Date: Fri, 6 Oct 2017 17:29:04 +0000 (-0400) Subject: nameserver: Double max amount of concurrent connections X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F344%2Fhead;p=ceph-cm-ansible.git nameserver: Double max amount of concurrent connections I observed an unintentional DoS on ns1.front last night right as most of the nightly scheduled jobs started up. Lots of "nf_conntrack: table full, dropping packet" messages in the syslog. Doubling it should be safe. Signed-off-by: David Galloway --- diff --git a/roles/nameserver/tasks/config.yml b/roles/nameserver/tasks/config.yml index 90fbcde0..c1305393 100644 --- a/roles/nameserver/tasks/config.yml +++ b/roles/nameserver/tasks/config.yml @@ -25,3 +25,10 @@ name: named_write_master_zones state: yes persistent: yes + +# Helps prevent accidental DoS +- name: Double maximum configured connections + sysctl: + name: net.nf_conntrack_max + value: 131072 + state: present
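Review bot: In the new `sysctl` task the value `131072` is hard-coded while the task name says "Double", so the name is only accurate relative to a baseline that does not appear in this file and will go stale the next time the limit is tuned. Consider naming the task after the key it sets (for example "Set net.nf_conntrack_max") and reading the value from a role variable with 131072 as its default, so it can be overridden per host. The comment `# Helps prevent accidental DoS` would also be more useful if it recorded the symptom from the commit message ("nf_conntrack: table full, dropping packet"), since that is what someone will grep for later. Two things worth confirming before merge: `state: present` persists the key to the sysctl configuration, but this key only exists once the nf_conntrack module is loaded, so check that the setting is still in effect after a reboot; and the conntrack hash table size is left unchanged here, so raising the maximum alone lengthens the hash chains.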