From 2932ed51a5a745d33909ef9fe3963fcb556a93e9 Mon Sep 17 00:00:00 2001
From: Mark Wong
Date: Wed, 20 Sep 2023 15:10:00 -0700
Subject: [PATCH] Add manage_operating_system role

This role is for managing operating system tasks. The first task included is to enable profiling for unprivileged users.
---
 roles/manage_operating_system/README.md | 81 +++++++++++++++++++
 .../manage_operating_system/defaults/main.yml | 2 +
 roles/manage_operating_system/meta/main.yml | 14 ++++
 .../tasks/disable_user_profiling.yml | 12 +++
 .../tasks/enable_user_profiling.yml | 18 +++++
 roles/manage_operating_system/tasks/main.yml | 5 ++
 6 files changed, 132 insertions(+)
 create mode 100644 roles/manage_operating_system/README.md
 create mode 100644 roles/manage_operating_system/defaults/main.yml
 create mode 100644 roles/manage_operating_system/meta/main.yml
 create mode 100644 roles/manage_operating_system/tasks/disable_user_profiling.yml
 create mode 100644 roles/manage_operating_system/tasks/enable_user_profiling.yml
 create mode 100644 roles/manage_operating_system/tasks/main.yml

diff --git a/roles/manage_operating_system/README.md b/roles/manage_operating_system/README.md
new file mode 100644
index 00000000..2e5a7584
--- /dev/null
+++ b/roles/manage_operating_system/README.md
@@ -0,0 +1,81 @@
+# manage_operating_system
+
+This role is for managing operating system settings.
+
+## Requirements
+
+Following are the requirements of this role.
+ 1. Ansible
+ 2. An already initialized system running Linux.
+
+## Role Variables
+
+When executing the role via Ansible these are the applicable variables:
+
+ * ***enable_user_profiling***
+
+ When `true`, sets relevant operating system settings such that any user and
+ profile the system as well as disabling any masking of operating system
+ kernel memory addresses. Default: `false`
+
+These variables can be assigned in the `pre_tasks` definition of the Playbook.
+
+## Example Playbook
+
+### Inventory file content
+
+Content of the `inventory.yml`:
+
+```yaml
+all:
+ children:
+ primary:
+ hosts:
+ pgsql1.dbt2.internal:
+ ansible_host: 10.1.1.3
+ private_ip: 10.1.1.3
+```
+
+### Playbook file content
+
+Content of the `inventory.yml` file:
+
+```yaml
+---
+- hosts: all
+ name: Example
+ become: yes
+
+ pre_tasks:
+ - name: Initialize the user defined variables
+ ansible.builtin.set_fact:
+ enable_user_profiling: true
+
+ collections:
+ - edb_devops.edb_postgres
+
+ roles:
+ - role: manage_operating_system
+```
+
+## Playbook execution examples
+
+```bash
+$ ansible-playbook playbook.yml \
+ -i inventory.yml \
+ -u centos \
+ --private-key \
+ --extra-vars="enable_user_profiling=true"
+```
+
+## License
+
+BSD
+
+## Author information
+
+Author:
+
+ * Mark Wong
+ * EDB Postgres
+ * edb-devops@enterprisedb.com www.enterprisedb.com
diff --git a/roles/manage_operating_system/defaults/main.yml b/roles/manage_operating_system/defaults/main.yml
new file mode 100644
index 00000000..e28a9a58
--- /dev/null
+++ b/roles/manage_operating_system/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+enable_user_profiling: false
diff --git a/roles/manage_operating_system/meta/main.yml b/roles/manage_operating_system/meta/main.yml
new file mode 100644
index 00000000..6769ddee
--- /dev/null
+++ b/roles/manage_operating_system/meta/main.yml
@@ -0,0 +1,14 @@
+---
+galaxy_info:
+ author: EDB
+ description: Manage Operating System
+ company: "EnterpriseDB"
+
+ license: BSD
+
+ min_ansible_version: "2.8"
+
+ galaxy_tags:
+ - operating system
+
+dependencies: []
diff --git a/roles/manage_operating_system/tasks/disable_user_profiling.yml b/roles/manage_operating_system/tasks/disable_user_profiling.yml
new file mode 100644
index 00000000..6bfec7ed
--- /dev/null
+++ b/roles/manage_operating_system/tasks/disable_user_profiling.yml
@@ -0,0 +1,12 @@
+---
+- name: reset use of all profiling events by all users
+ ansible.posix.sysctl:
+ name: kernel.perf_event_paranoid
+ state: absent
+ become: true
+
+- name: reset restrictions on exposing kernel address
+ ansible.posix.sysctl:
+ name: kernel.kptr_restrict
+ state: absent
+ become: true
diff --git a/roles/manage_operating_system/tasks/enable_user_profiling.yml b/roles/manage_operating_system/tasks/enable_user_profiling.yml
new file mode 100644
index 00000000..c0e44c41
--- /dev/null
+++ b/roles/manage_operating_system/tasks/enable_user_profiling.yml
@@ -0,0 +1,18 @@
+---
+- name: allow use of all profiling events by all users
+ ansible.posix.sysctl:
+ name: kernel.perf_event_paranoid
+ value: '-1'
+ sysctl_set: true
+ state: present
+ reload: true
+ become: true
+
+- name: remove restrictions on exposing kernel address
+ ansible.posix.sysctl:
+ name: kernel.kptr_restrict
+ value: '0'
+ sysctl_set: true
+ state: present
+ reload: true
+ become: true
diff --git a/roles/manage_operating_system/tasks/main.yml b/roles/manage_operating_system/tasks/main.yml
new file mode 100644
index 00000000..616c1e4b
--- /dev/null
+++ b/roles/manage_operating_system/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Enable user level profiling
+ ansible.builtin.include_tasks: enable_user_profiling.yml
+ when:
+ - enable_user_profiling | bool
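Review bot: `min_ansible_version: "2.8"` is inconsistent with the task files in this patch, which address modules by collection FQCN (`ansible.posix.sysctl`, `ansible.builtin.include_tasks`); collections and FQCNs only exist from Ansible 2.9 onward, and `ansible.posix` is a separately installed collection rather than part of core. `dependencies: []` does not capture that requirement either, so on a controller missing the collection the role fails at run time with an unresolved module instead of at install time. Raise it to at least `min_ansible_version: "2.9"` (or whatever the surrounding collection already requires) and declare `ansible.posix` wherever this collection lists its collection dependencies (galaxy.yml / requirements.yml); presumably sibling roles already do this, so match them.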
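Review bot: `state: absent` on both tasks only deletes the `kernel.perf_event_paranoid` / `kernel.kptr_restrict` lines from the sysctl file; it does not change the live value, so a host that ran `enable_user_profiling.yml` keeps `-1` / `0` in the running kernel until reboot, and the task names ("reset …") promise more than happens. It will also delete any operator-written line for those keys in `/etc/sysctl.conf`, and the module's reload only re-reads that one file, so a distribution default that lives in `/usr/lib/sysctl.d` or `/etc/sysctl.d` is not reapplied at runtime either. To genuinely restore hardening, write explicit values with `sysctl_set: true` instead, as below for the first task (the second follows the same pattern for `kernel.kptr_restrict` with `value: '1'`); upstream kernel defaults are `perf_event_paranoid=2` and `kptr_restrict=0`, but most distributions ship `kptr_restrict=1` and some (e.g. Debian/Ubuntu kernels) a higher `perf_event_paranoid`, so exposing the restore values as role variables would be safer than hard-coding them.
```yaml
- name: restore default restrictions on profiling events for unprivileged users
  ansible.posix.sysctl:
    name: kernel.perf_event_paranoid
    value: '2'
    sysctl_set: true
    state: present
  become: true
# … second task: same pattern for kernel.kptr_restrict with value: '1' …
```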
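Review bot: `value: '-1'` for `kernel.perf_event_paranoid` and `value: '0'` for `kernel.kptr_restrict` disable two host-wide hardening controls — the first lets any local user open kernel-level and raw-tracepoint perf events system-wide, not just against their own processes, and the second exposes kernel symbol addresses to unprivileged readers of /proc/kallsyms and similar, which undermines KASLR against local attackers — and because `state: present` also writes them to the sysctl file they persist across reboots. None of that is stated in the task file, so add a header comment above the first task, e.g. `# WARNING: relaxes kernel hardening (unprivileged kernel profiling, kernel address exposure) host-wide and persistently; only for dedicated benchmark/dev hosts, never shared or production systems.` If the profiling tooling only needs to sample processes the user owns, `value: '1'` for `kernel.perf_event_paranoid` would permit that while keeping system-wide CPU events and raw tracepoints restricted; which level is actually required depends on the benchmark tooling, which is not visible here.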
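Review bot: `disable_user_profiling.yml` is never included; main.yml only has the `enable_user_profiling | bool` branch, so setting the variable back to `false` (the default) does nothing on a host that was already relaxed, and the role cannot undo its own change. Add a second include for the disable path. Because the disable tasks currently use `state: absent`, which would also strip operator-set entries for those keys from `/etc/sysctl.conf`, gate it on an explicit opt-in rather than on `not enable_user_profiling`, so that a default run of the role stays a no-op; the new variable needs a `false` default in defaults/main.yml.
```yaml
# … unchanged: enable task …

- name: Disable user level profiling
  ansible.builtin.include_tasks: disable_user_profiling.yml
  when:
    - disable_user_profiling | bool
```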