
feat: add systemd memory and OOM protection for SSM agent and Redis worker#248

Merged: l50 merged 2 commits into main from feat/ansible-resource-limits-and-impacket-fix on Apr 30, 2026

Conversation

@l50 (Contributor) commented Apr 30, 2026

Key Changes:

  • Added systemd overrides to protect AWS SSM agent from OOM killer and cap its memory usage
  • Introduced cgroup resource limits for Redis worker processes to prevent system memory exhaustion
  • Ensured compatibility of noPac tool dependencies by pinning setuptools version in its virtual environment

Added:

  • Systemd OOM protection template for SSM agent (ssm-oom-protect.conf.j2) and related Ansible tasks to deploy it, including variables for enabling protection and setting memory limits
  • Role variables for Redis worker service memory and task limits (redis_ares_worker_memory_high, redis_ares_worker_memory_max, redis_ares_worker_tasks_max) with defaults and documentation
  • Task to install a compatible version of setuptools in the noPac virtual environment to provide pkg_resources for impacket

Changed:

  • Updated AWS SSM Agent role documentation and defaults to describe and enable OOM protection, including new variables and tasks for systemd overrides
  • Modified Redis worker systemd service template to apply memory and task limits, and updated documentation and defaults to reflect these changes
  • Updated noPac installation workflow to ensure pkg_resources is available by explicitly installing setuptools<81 before installing requirements
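
An added example, not part of this PR or the project's code, that lints a systemd drop-in of the kind described above for settings that quietly weaken the protection: a MemoryHigh at or above MemoryMax (so throttling never precedes the hard kill), a missing MemoryMax or TasksMax, or an OOMScoreAdjust outside the range systemd accepts. The `WORKER_DROPIN` sample and the 8 GiB RAM figure are constructed for the demonstration.

```python
"""Lint a systemd drop-in of the kind described above (MemoryHigh, MemoryMax,
TasksMax, OOMScoreAdjust) for values that silently weaken the protection."""
import configparser
import re

# Suffixes systemd accepts for memory sizes (binary multiples, see systemd.resource-control(5)).
_UNITS = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}


def parse_size(value: str, total_ram: int) -> "int | None":
    """Byte value of a systemd memory setting; None means 'infinity' (no limit)."""
    value = value.strip()
    if value == "infinity":
        return None
    if value.endswith("%"):  # percentages are relative to physical RAM
        return total_ram * int(value[:-1]) // 100
    m = re.fullmatch(r"(\d+)([KMGT]?)", value)
    if not m:
        raise ValueError(f"unparseable size: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def lint_dropin(text: str, total_ram: int) -> "list[str]":
    """Return findings for the [Service] section of one override file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # systemd directive names are case-sensitive
    cp.read_string(text)
    svc = cp["Service"] if cp.has_section("Service") else {}
    findings = []
    high = parse_size(svc["MemoryHigh"], total_ram) if "MemoryHigh" in svc else None
    hard = parse_size(svc["MemoryMax"], total_ram) if "MemoryMax" in svc else None
    if hard is None:
        findings.append("MemoryMax unset or infinity: no hard cap, the host can still be exhausted")
    if high is not None and hard is not None and high >= hard:
        findings.append("MemoryHigh >= MemoryMax: throttling never kicks in before the hard kill")
    if "TasksMax" not in svc:
        findings.append("TasksMax unset: a fork storm in the service is not contained")
    adj = svc.get("OOMScoreAdjust")
    if adj is not None and not -1000 <= int(adj) <= 1000:
        findings.append("OOMScoreAdjust outside -1000..1000: systemd rejects the unit")
    return findings


# Constructed sample drop-in (not the project's template): MemoryHigh above MemoryMax, no TasksMax.
WORKER_DROPIN = """[Service]
MemoryHigh=3G
MemoryMax=2G
"""

if __name__ == "__main__":
    print(lint_dropin(WORKER_DROPIN, 8 * 1024**3))  # assumes an 8 GiB host
```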

l50 added 2 commits April 30, 2026 13:01
…rkers

**Added:**

- Added `aws_ssm_agent_oom_protect` and `aws_ssm_agent_memory_max` variables to enable SSM agent OOM protection and cap its memory - aws_ssm_agent/defaults/main.yml
- Created systemd override template for SSM agent to adjust OOM score and set memory limit - aws_ssm_agent/templates/ssm-oom-protect.conf.j2
- Added tasks to create systemd override directory and deploy OOM protection config for SSM agent when enabled - aws_ssm_agent/tasks/linux.yml
- Documented new variables and tasks in aws_ssm_agent/README.md
- Added `redis_ares_worker_memory_high`, `redis_ares_worker_memory_max`, and `redis_ares_worker_tasks_max` variables to control resource limits for Ares worker processes - redis/defaults/main.yml
- Applied corresponding systemd resource limits in ares@.service template - redis/templates/ares@.service.j2
- Documented new Redis worker resource limit variables in redis/README.md
- Added step to install setuptools<81 in noPac venv to provide pkg_resources for legacy impacket compatibility - privesc_tools/tasks/linux.yml
- Documented setuptools installation step for noPac in privesc_tools/README.md

**Changed:**

- Updated comments in ssm-oom-protect.conf.j2 to clarify the behavior of OOMScoreAdjust and MemoryMax, explaining their independent roles in protecting the SSM agent when Ares workers exhaust memory
@l50 l50 merged commit af12103 into main Apr 30, 2026
9 checks passed
@l50 l50 deleted the feat/ansible-resource-limits-and-impacket-fix branch April 30, 2026 21:46
