From a7580c1d837ad67887bd16f4b793ad75b996598d Mon Sep 17 00:00:00 2001
From: Kevin Velarde
Date: Mon, 12 Jan 2026 16:46:20 -0700
Subject: [PATCH 1/4] Configure vm.max_map_count
---
 roles/mongodb/defaults/main/kernel_params.yml | 10 ++++
 roles/mongodb/defaults/main/pam_limits.yml | 6 +++
 .../tasks/install-adjust-kernel-params.yml | 49 ++++++++++---------
 .../tasks/install-adjust-pam-limits.yml | 18 +++++++
 roles/mongodb/tasks/install-mongodb.yml | 8 ++-
 5 files changed, 68 insertions(+), 23 deletions(-)
 create mode 100644 roles/mongodb/defaults/main/kernel_params.yml
 create mode 100644 roles/mongodb/defaults/main/pam_limits.yml
 create mode 100644 roles/mongodb/tasks/install-adjust-pam-limits.yml
diff --git a/roles/mongodb/defaults/main/kernel_params.yml b/roles/mongodb/defaults/main/kernel_params.yml
new file mode 100644
index 00000000..4f533571
--- /dev/null
+++ b/roles/mongodb/defaults/main/kernel_params.yml
@@ -0,0 +1,10 @@
+# Copyright (c) 2024, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# Kernel parameters
+mongodb_sysctl_file: /etc/sysctl.d/98-mongodb.conf
+mongodb_net_ipv4_tcp_keepalive_time: 300
+mongodb_net_core_somaxconn: 65535
+mongodb_vm_zone_reclaim_mode: 0
+mongodb_vm_swappiness: 1
+mongodb_vm_max_map_count: 262144
diff --git a/roles/mongodb/defaults/main/pam_limits.yml b/roles/mongodb/defaults/main/pam_limits.yml
new file mode 100644
index 00000000..18d2921e
--- /dev/null
+++ b/roles/mongodb/defaults/main/pam_limits.yml
@@ -0,0 +1,6 @@
+# Copyright (c) 2024, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# Pluggable Authentication Module (PAM) limits
+mongodb_pam_limit_nproc: 32000
+mongodb_pam_limit_nofile: 64000
diff --git a/roles/mongodb/tasks/install-adjust-kernel-params.yml b/roles/mongodb/tasks/install-adjust-kernel-params.yml
index 87f7dc99..7db5bc70 100644
--- a/roles/mongodb/tasks/install-adjust-kernel-params.yml
+++ b/roles/mongodb/tasks/install-adjust-kernel-params.yml
@@ -17,34 +17,39 @@
 - name: Adjust keepalive
 ansible.posix.sysctl:
 name: net.ipv4.tcp_keepalive_time
- value: 300
-
-- name: Disable zone reclaim mode
- ansible.posix.sysctl:
- name: vm.zone_reclaim_mode
- value: 0
+ value: "{{ mongodb_net_ipv4_tcp_keepalive_time }}"
+ state: present
+ sysctl_file: "{{ mongodb_sysctl_file }}"
+ reload: true
 
 - name: Increase throughput settings
 ansible.posix.sysctl:
 name: net.core.somaxconn
- value: 65535
+ value: "{{ mongodb_net_core_somaxconn }}"
+ state: present
+ sysctl_file: "{{ mongodb_sysctl_file }}"
+ reload: true
+
+- name: Disable zone reclaim mode
+ ansible.posix.sysctl:
+ name: vm.zone_reclaim_mode
+ value: "{{ mongodb_vm_zone_reclaim_mode }}"
+ state: present
+ sysctl_file: "{{ mongodb_sysctl_file }}"
+ reload: true
 
 - name: Set vm swappiness
 ansible.posix.sysctl:
 name: vm.swappiness
- value: 1
+ value: "{{ mongodb_vm_swappiness }}"
+ state: present
+ sysctl_file: "{{ mongodb_sysctl_file }}"
+ reload: true
 
-# Set Soft User Limits
-- name: Set number of procs
- community.general.pam_limits:
- domain: mongod
- limit_type: soft
- limit_item: nproc
- value: 32000
-
-- name: Set number of files
- community.general.pam_limits:
- domain: mongod
- limit_type: soft
- limit_item: nofile
- value: 64000
+- name: Set vm max_map_count
+ ansible.posix.sysctl:
+ name: vm.max_map_count
+ value: "{{ mongodb_vm_max_map_count }}"
+ state: present
+ sysctl_file: "{{ mongodb_sysctl_file }}"
+ reload: true
diff --git a/roles/mongodb/tasks/install-adjust-pam-limits.yml b/roles/mongodb/tasks/install-adjust-pam-limits.yml
new file mode 100644
index 00000000..0ae28ef6
--- /dev/null
+++ b/roles/mongodb/tasks/install-adjust-pam-limits.yml
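Review bot: Pointing every task in this hunk at `sysctl_file: "{{ mongodb_sysctl_file }}"` leaves behind the entries that earlier runs of these tasks wrote to the module's default file, `/etc/sysctl.conf`, and nothing in the hunk removes them. On distributions where `/etc/sysctl.d/99-sysctl.conf` links to `/etc/sysctl.conf`, that file is read after `98-mongodb.conf` at boot, so on an already-provisioned host an overridden `mongodb_vm_swappiness` or `mongodb_net_core_somaxconn` would presumably hold only until the next reboot and then revert to the old hard-coded value. A cleanup task ahead of the sysctl tasks, sketched below, would avoid that silent drift. The first 16 lines of the file are outside the hunk, so confirm nothing there already handles it.

```yaml
- name: Remove entries earlier role versions wrote to /etc/sysctl.conf
  ansible.posix.sysctl:
    name: "{{ item }}"
    state: absent
    sysctl_file: /etc/sysctl.conf
    reload: false
  loop:
    - net.ipv4.tcp_keepalive_time
    - net.core.somaxconn
    - vm.zone_reclaim_mode
    - vm.swappiness

# … unchanged: the five sysctl tasks from this hunk …
```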
@@ -0,0 +1,18 @@
+# Copyright (c) 2024, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# Set PAM limits
+
+- name: Set number of procs
+ community.general.pam_limits:
+ domain: mongod
+ limit_type: soft
+ limit_item: nproc
+ value: "{{ mongodb_pam_limit_nproc }}"
+
+- name: Set number of files
+ community.general.pam_limits:
+ domain: mongod
+ limit_type: soft
+ limit_item: nofile
+ value: "{{ mongodb_pam_limit_nofile }}"
diff --git a/roles/mongodb/tasks/install-mongodb.yml b/roles/mongodb/tasks/install-mongodb.yml
index 7833c7c5..c52b8cf7 100644
--- a/roles/mongodb/tasks/install-mongodb.yml
+++ b/roles/mongodb/tasks/install-mongodb.yml
@@ -53,7 +53,13 @@
 
 - name: Adjust Kernel parameters
 ansible.builtin.import_tasks:
- file: install-adjust-kernel-params.yml
+ file: adjust-kernel-params.yml
+ tags: adjust_kernel_params
+
+- name: Adjust PAM limits
+ ansible.builtin.import_tasks:
+ file: adjust-pam-limits.yml
+ tags: adjust_pam_limits
 
 - name: Configure SELinux
 ansible.builtin.include_tasks:
From a731e869c94e8f799331f2d0ae110ac3c2aa02bb Mon Sep 17 00:00:00 2001
From: Kevin Velarde
Date: Mon, 12 Jan 2026 18:01:04 -0700
Subject: [PATCH 2/4] Add separate file for setting PAM limits
---
 ...ll-adjust-kernel-params.yml => adjust-kernel-params.yml} | 0
 roles/mongodb/tasks/install-mongodb.yml | 6 ++----
 .../{install-adjust-pam-limits.yml => set-pam-limits.yml} | 0
 3 files changed, 2 insertions(+), 4 deletions(-)
 rename roles/mongodb/tasks/{install-adjust-kernel-params.yml => adjust-kernel-params.yml} (100%)
 rename roles/mongodb/tasks/{install-adjust-pam-limits.yml => set-pam-limits.yml} (100%)
diff --git a/roles/mongodb/tasks/install-adjust-kernel-params.yml b/roles/mongodb/tasks/adjust-kernel-params.yml
similarity index 100%
rename from roles/mongodb/tasks/install-adjust-kernel-params.yml
rename to roles/mongodb/tasks/adjust-kernel-params.yml
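Review bot: In the `roles/mongodb/tasks/install-mongodb.yml` hunk of PATCH 1/4, `file: adjust-kernel-params.yml` and `file: adjust-pam-limits.yml` name task files that do not exist at this commit, because the same patch modifies `install-adjust-kernel-params.yml` and creates `install-adjust-pam-limits.yml`. Since `import_tasks` is static and resolved when the playbook is parsed, the role would fail to load if this commit were checked out or bisected on its own. PATCH 2/4 renames the files and corrects the paths, so either fold that rename into this commit or keep `file: install-adjust-kernel-params.yml` and `file: install-adjust-pam-limits.yml` here. The task list continues on both sides of the hunk.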
diff --git a/roles/mongodb/tasks/install-mongodb.yml b/roles/mongodb/tasks/install-mongodb.yml
index c52b8cf7..848764c4 100644
--- a/roles/mongodb/tasks/install-mongodb.yml
+++ b/roles/mongodb/tasks/install-mongodb.yml
@@ -54,12 +54,10 @@
 - name: Adjust Kernel parameters
 ansible.builtin.import_tasks:
 file: adjust-kernel-params.yml
- tags: adjust_kernel_params
 
-- name: Adjust PAM limits
+- name: Set PAM limits
 ansible.builtin.import_tasks:
- file: adjust-pam-limits.yml
- tags: adjust_pam_limits
+ file: set-pam-limits.yml
 
 - name: Configure SELinux
 ansible.builtin.include_tasks:
diff --git a/roles/mongodb/tasks/install-adjust-pam-limits.yml b/roles/mongodb/tasks/set-pam-limits.yml
similarity index 100%
rename from roles/mongodb/tasks/install-adjust-pam-limits.yml
rename to roles/mongodb/tasks/set-pam-limits.yml
From 15598960eacdc3bbfe06ff4f92e63e7e966d7f8e Mon Sep 17 00:00:00 2001
From: Kevin Velarde
Date: Tue, 13 Jan 2026 22:27:13 -0700
Subject: [PATCH 3/4] Remove mongodb tasks that set pam limits
---
 roles/mongodb/tasks/install-mongodb.yml | 4 ----
 roles/mongodb/tasks/set-pam-limits.yml | 18 ------------------
 2 files changed, 22 deletions(-)
 delete mode 100644 roles/mongodb/tasks/set-pam-limits.yml
diff --git a/roles/mongodb/tasks/install-mongodb.yml b/roles/mongodb/tasks/install-mongodb.yml
index 848764c4..d2d1784b 100644
--- a/roles/mongodb/tasks/install-mongodb.yml
+++ b/roles/mongodb/tasks/install-mongodb.yml
@@ -55,10 +55,6 @@
 ansible.builtin.import_tasks:
 file: adjust-kernel-params.yml
 
-- name: Set PAM limits
- ansible.builtin.import_tasks:
- file: set-pam-limits.yml
-
 - name: Configure SELinux
 ansible.builtin.include_tasks:
 file: configure-selinux.yml
diff --git a/roles/mongodb/tasks/set-pam-limits.yml b/roles/mongodb/tasks/set-pam-limits.yml
deleted file mode 100644
index 0ae28ef6..00000000
--- a/roles/mongodb/tasks/set-pam-limits.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright (c) 2024, Itential, Inc
-# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
----
-# Set PAM limits
-
-- name: Set number of procs
- community.general.pam_limits:
- domain: mongod
- limit_type: soft
- limit_item: nproc
- value: "{{ mongodb_pam_limit_nproc }}"
-
-- name: Set number of files
- community.general.pam_limits:
- domain: mongod
- limit_type: soft
- limit_item: nofile
- value: "{{ mongodb_pam_limit_nofile }}"
From d5fdcd70115e54f1cac8c4258d29ec984a8977f7 Mon Sep 17 00:00:00 2001
From: Kevin Velarde
Date: Tue, 13 Jan 2026 22:47:38 -0700
Subject: [PATCH 4/4] Add new MongoDB kernel parameter variables to docs
---
 docs/mongodb_guide.md | 6 ++++++
 roles/mongodb/defaults/main/pam_limits.yml | 6 ------
 2 files changed, 6 insertions(+), 6 deletions(-)
 delete mode 100644 roles/mongodb/defaults/main/pam_limits.yml
diff --git a/docs/mongodb_guide.md b/docs/mongodb_guide.md
index 276fd193..a6a7d3cf 100644
--- a/docs/mongodb_guide.md
+++ b/docs/mongodb_guide.md
@@ -138,6 +138,12 @@ These variables apply to advanced situations.
 | `mongodb_mongod_service_delay` | Integer | The time in seconds between retries when starting the mongod service. | 10 |
 | `mongodb_status_poll` | Integer | The maximum number of times to query for the replicaset status before the set converges or we fail. | 3 |
 | `mongodb_status_interval` | Integer | The number of seconds to wait between polling executions. | 10 |
+| `mongodb_sysctl_file` | String | The name of the MongoDB sysctl file | /etc/sysctl.d/98-mongodb.conf |
+| `mongodb_net_ipv4_tcp_keepalive_time` | Integer | Time (in seconds) that a TCP connection remains idle before the kernel starts sending keepalive probes to verify the connection is still alive. | 300 |
+| `mongodb_net_core_somaxconn` | Integer | Controls the backlog queue size for incoming connections. When the queue is full, new connection attempts are rejected. | 65535 |
+| `mongodb_vm_zone_reclaim_mode` | Integer | Controls whether the kernel reclaims memory from local zones before allocating from remote NUMA nodes. | 0 |
+| `mongodb_vm_swappiness` | Integer | Balances between swapping out anonymous pages (process memory) versus dropping page cache (file system buffers). | 1 |
+| `mongodb_vm_max_map_count` | Integer | Maximum number of memory map areas (virtual memory areas/VMAs) a process can create. | 262144 |
 
 ## Configuring TLS
 
diff --git a/roles/mongodb/defaults/main/pam_limits.yml b/roles/mongodb/defaults/main/pam_limits.yml
deleted file mode 100644
index 18d2921e..00000000
--- a/roles/mongodb/defaults/main/pam_limits.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-# Copyright (c) 2024, Itential, Inc
-# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
----
-# Pluggable Authentication Module (PAM) limits
-mongodb_pam_limit_nproc: 32000
-mongodb_pam_limit_nofile: 64000