What is the uscase of sysctl_overwrite over ansible.posix.sysctl?

[CybotTM]

Hi,

can you explain that's the usecase or when to use sysctl_overwrite?

Especially as there is ansible.posix.sysctl (https://docs.ansible.com/ansible/latest/collections/ansible/posix/sysctl_module.html).

We have the problem, that we need to define different settings in sysctl in different groups, with overlapping settings, which makes it a little bit error prone and hard to manage. We may need to witch to ansible.posix.sysctl, but I was curious why sysctl_overwrite was implemented originally?

Thank You.

[rndmh3ro]

sysctl_overwrite is a variable that you can use to overwrite our sysctl-defaults, see here: https://github.com/dev-sec/ansible-collection-hardening/tree/master/roles/os_hardening#changing-sysctl-variables.
We use a dict for all sysctl-variables. If you want to overwrite a single setting in this dict, you'd normally have to overwrite the whole dict. With sysctl_overwrite it is possible to overwrite only a single parameter in the dict.

To actually st the sysctl-parameters, we already use ansible.posix.sysctl here: https://github.com/dev-sec/ansible-collection-hardening/blob/master/roles/os_hardening/tasks/sysctl.yml#L63-L72

We have the problem, that we need to define different settings in sysctl in different groups, with overlapping settings, which makes it a little bit error prone and hard to manage.

I agree here. I'd love to have a better implementation where you can set default parameters, operating-system-specific parameters and user-provided variables. If you have an idea, please let me know.

[rndmh3ro]

Closing, feel free to reopen if you need further info.

[CybotTM]

Hi @rndmh3ro,

Thanks for the explanation.
And please don't get me wrong, I don't blame your code or your handling of sysctl for our problem with setting sysctl correctly. I hope it didn't sound like that.

[rndmh3ro]

No worries! :)