CPU and memory limitations of the services #63

config.cfg

@@ -7,9 +7,6 @@ easyrsa_cert_expire: 3650
 # If True re-init all existing certificates. (True or False)
 easyrsa_reinit_existent: False
 
-# Strongswan cgroup limitations
-ipsec_memory_limit: 67108864
-
 vpn_network: 10.19.48.0/24
 vpn_network_ipv6: 'fd9d:bc11:4020::/48'
 # https://www.sixxs.net/tools/whois/?fd9d:bc11:4020::/48

roles/dns_adblocking/tasks/main.yml

@@ -15,6 +15,17 @@
 - name: Enforce the dnsmasq AppArmor policy
   shell: aa-enforce usr.sbin.dnsmasq
 
+- name: Ensure that the dnsmasq service directory exist
+  file: path=/etc/systemd/system/dnsmasq.service.d/ state=directory mode=0755  owner=root group=root
+  
+- name: Setup the cgroup limitations for the ipsec daemon
+  template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
+  notify:
+    - daemon-reload    
+    - restart dnsmasq
+    
+- meta: flush_handlers    
+  
 - name: Dnsmasq configured
   template: src=dnsmasq.conf.j2 dest=/etc/dnsmasq.conf
   notify:

roles/dns_adblocking/templates/100-CustomLimitations.conf.j2

@@ -0,0 +1,4 @@
+[Service]
+MemoryLimit=16777216
+CPUAccounting=true
+CPUQuota=5%

roles/proxy/handlers/main.yml

@@ -1,5 +1,8 @@
 - name: restart privoxy
   service: name=privoxy state=restarted
+  
+- name: daemon-reload
+  shell: systemctl daemon-reload  
 
 - name: restart apparmor
   service: name=apparmor state=restarted

roles/proxy/tasks/main.yml

@@ -16,6 +16,17 @@
 
 - name: Enforce the privoxy AppArmor policy
   shell: aa-enforce usr.sbin.privoxy
+  
+- name: Ensure that the privoxy service directory exist
+  file: path=/etc/systemd/system/privoxy.service.d/ state=directory mode=0755  owner=root group=root
+  
+- name: Setup the cgroup limitations for the privoxy daemon
+  template: src=privoxy_100-CustomLimitations.conf.j2 dest=/etc/systemd/system/privoxy.service.d/100-CustomLimitations.conf
+  notify:
+    - daemon-reload    
+    - restart privoxy
+    
+- meta: flush_handlers    
 
 - name: Privoxy enabled and started
   service: name=privoxy state=started enabled=yes
@@ -59,3 +70,14 @@
   template: src=ports.conf.j2 dest=/etc/apache2/ports.conf
   notify:
     - restart apache2
+    
+- name: Ensure that the apache2 service directory exist
+  file: path=/etc/systemd/system/apache2.service.d/ state=directory mode=0755  owner=root group=root
+  
+- name: Setup the cgroup limitations for the apache2 daemon
+  template: src=apache2_100-CustomLimitations.conf.j2 dest=/etc/systemd/system/apache2.service.d/100-CustomLimitations.conf
+  notify:
+    - daemon-reload    
+    - restart apache2
+    
+- meta: flush_handlers    

roles/proxy/templates/apache2_100-CustomLimitations.conf.j2

@@ -0,0 +1,4 @@
+[Service]
+MemoryLimit=134217728
+CPUAccounting=true
+CPUQuota=15%

roles/proxy/templates/privoxy_100-CustomLimitations.conf.j2

@@ -0,0 +1,4 @@
+[Service]
+MemoryLimit=33554432
+CPUAccounting=true
+CPUQuota=15%

roles/vpn/tasks/main.yml

@@ -34,6 +34,8 @@
   notify:
     - daemon-reload    
     - restart strongswan
+    
+- meta: flush_handlers    
   
 - name: Setup the strongswan.conf file from our template
   template: src=strongswan.conf.j2 dest=/etc/strongswan.conf owner=root group=root mode=0644

roles/vpn/templates/100-CustomLimitations.conf.j2

@@ -1,2 +1,2 @@
 [Service]
-MemoryLimit={{ ipsec_memory_limit }}
+MemoryLimit=16777216