feat: refine hpc_tuning and add additional tunings

[lixuemin2016]

Enhancement:
Refine existing hpc_tuning and add additional system-level tunings

• Remove azsec-monitor to prevent CPU utilization by azsec-monitor
• Add DefaultLimitMEMLOCK configuration for systemd
• Install sunrpc module via systemd service sunrpc_tcp_settings

Reason:
Add more system-level tunings and refine current hpc_tuning

Result:

cat /etc/systemd/system.conf | grep -i DefaultLimitMEMLOCK=infinity
DefaultLimitMEMLOCK=infinity

cat /etc/systemd/user.conf | grep -i DefaultLimitMEMLOCK=infinity
DefaultLimitMEMLOCK=infinity

systemctl status sunrpc_tcp_settings
● sunrpc_tcp_settings.service - Set sunrpc tcp settings
Loaded: loaded (/etc/systemd/system/sunrpc_tcp_settings.service; enabled; preset: disabled)
Active: active (exited) since Mon 2026-02-09 07:39:18 UTC; 38min ago
Main PID: 19764 (code=exited, status=0/SUCCESS)
CPU: 5ms

systemd[1]: Starting Set sunrpc tcp settings...
systemd[1]: Finished Set sunrpc tcp settings.

systemctl restart sunrpc_tcp_settings

systemctl status sunrpc_tcp_settings

● sunrpc_tcp_settings.service - Set sunrpc tcp settings
Loaded: loaded (/etc/systemd/system/sunrpc_tcp_settings.service; enabled; preset: disabled)
Active: active (exited) since Mon 2026-02-09 08:18:16 UTC; 3s ago
Process: 35183 ExecStart=/usr/sbin/sunrpc_tcp_settings.sh (code=exited, status=0/SUCCESS)
Main PID: 35183 (code=exited, status=0/SUCCESS)
CPU: 5ms

systemd[1]: Starting Set sunrpc tcp settings...
systemd[1]: Finished Set sunrpc tcp settings.

Issue Tracker Tickets (Jira or BZ if any):

JIRA: RHELHPC-109

Summary by Sourcery

Refine HPC system tuning by expanding system-level resource limits, managing azsec-monitor, and replacing direct sunrpc module loading with a dedicated systemd service.

New Features:

• Introduce a sunrpc_tcp_settings systemd service and helper script to load the sunrpc module and apply TCP-related sysctl settings for HPC systems.

Enhancements:

• Remove the azsec-monitor package during HPC tuning to avoid unnecessary CPU utilization on tuned systems.
• Raise default per-user open file limits in the HPC limits configuration to better support high-scale workloads.
• Configure systemd system and user defaults to set DefaultLimitMEMLOCK=infinity and re-exec systemd when these settings are applied.

Documentation:

• Update HPC role documentation to describe loading the sunrpc kernel module via the new sunrpc_tcp_settings systemd service instead of direct module loading.

[sourcery-ai]

Reviewer's Guide

Refines the HPC tuning Ansible role by tightening resource limits, managing sunrpc settings via a dedicated systemd service, and adding safeguards like removing azsec-monitor and re-execing/reloading systemd when configuration changes occur.

Sequence diagram for sunrpc_tcp_settings systemd-based tuning

sequenceDiagram
    participant Ansible
    participant Systemd
    participant SunrpcService as sunrpc_tcp_settings.service
    participant Script as sunrpc_tcp_settings.sh
    participant Kernel as sunrpc_module

    Ansible->>Systemd: Install sunrpc_tcp_settings.service
    Ansible->>Systemd: daemon-reload
    Ansible->>Systemd: Enable sunrpc_tcp_settings
    Ansible->>Systemd: Start sunrpc_tcp_settings
    Systemd->>SunrpcService: Activate service
    SunrpcService->>Script: ExecStart /usr/sbin/sunrpc_tcp_settings.sh
    Script->>Kernel: modprobe sunrpc
    Script->>Systemd: sysctl -p
    SunrpcService-->>Systemd: Exit status 0
    Ansible->>Systemd: systemctl is-active sunrpc_tcp_settings
    Systemd-->>Ansible: active

Loading

Sequence diagram for updating systemd MEMLOCK limits

sequenceDiagram
    participant Ansible
    participant Systemd
    participant SystemConf as system.conf
    participant UserConf as user.conf

    Ansible->>SystemConf: Ensure DefaultLimitMEMLOCK=infinity
    Ansible->>UserConf: Ensure DefaultLimitMEMLOCK=infinity
    Ansible->>Systemd: daemon-reexec
    Systemd-->>Ansible: New limits applied for services

Loading

Flow diagram for HPC tuning Ansible task block

flowchart TD
    A["Start hpc_tuning block"] --> B["Remove azsec-monitor package if present"]
    B --> C["Write 90-hpc-limits.conf with updated nofile limits"]
    C --> D["Set DefaultLimitMEMLOCK=infinity in system.conf"]
    D --> E["Set DefaultLimitMEMLOCK=infinity in user.conf"]
    E --> F["Write 90-hpc-sysctl.conf and reload sysctl"]
    F --> G["Deploy sunrpc_tcp_settings.sh to /usr/sbin"]
    G --> H["Deploy sunrpc_tcp_settings.service to /etc/systemd/system"]
    H --> I["systemctl daemon-reload"]
    I --> J["Enable and start sunrpc_tcp_settings service"]
    J --> K["Verify sunrpc_tcp_settings is active"]
    K --> L["End hpc_tuning block"]

Loading

File-Level Changes

Change	Details	Files
Refine HPC tuning task block to remove azsec-monitor, adjust limits, and manage sunrpc via a systemd service instead of direct module loading.	Add package task to remove azsec-monitor if present, with ostree-aware backend selection and non-fatal failure handling. Increase system-wide nofile limits in the HPC limits template from 65535 to 1048576 for both soft and hard limits. Replace direct sunrpc module loading and manual modprobe checks with templated sunrpc_tcp_settings.sh and sunrpc_tcp_settings.service, enabling and starting the service, and validating its active status via systemctl.	tasks/main.yml templates/90-hpc-limits.conf templates/sunrpc_tcp_settings.sh templates/sunrpc_tcp_settings.service
Introduce systemd handlers and configuration adjustments to support HPC tuning changes.	Add tasks to set DefaultLimitMEMLOCK=infinity in systemd system.conf and user.conf using lineinfile and trigger a systemd daemon re-exec on change. Add handlers to reexec and reload systemd via systemctl daemon-reexec and systemctl daemon-reload to respond to configuration and unit file changes. Update README to document that sunrpc is now configured via sunrpc_tcp_settings systemd service rather than direct kernel module loading.	tasks/main.yml handlers/main.yml README.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The lineinfile tasks for DefaultLimitMEMLOCK=infinity will not update an existing DefaultLimitMEMLOCK entry with a different value; consider using a regexp to replace any existing line rather than just appending a new one.
• The sunrpc_tcp_settings.sh script runs sysctl -p, which reloads all sysctl settings and might have unintended side effects; it would be safer to scope this to the specific sysctl config file(s) you manage (e.g., sysctl -p /etc/sysctl.d/90-hpc-sysctl.conf) or use sysctl -w for the needed keys.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `lineinfile` tasks for `DefaultLimitMEMLOCK=infinity` will not update an existing `DefaultLimitMEMLOCK` entry with a different value; consider using a `regexp` to replace any existing line rather than just appending a new one.
- The `sunrpc_tcp_settings.sh` script runs `sysctl -p`, which reloads all sysctl settings and might have unintended side effects; it would be safer to scope this to the specific sysctl config file(s) you manage (e.g., `sysctl -p /etc/sysctl.d/90-hpc-sysctl.conf`) or use `sysctl -w` for the needed keys.

## Individual Comments

### Comment 1
<location> `templates/sunrpc_tcp_settings.sh:6` </location>
<code_context>
+{{ "system_role:hpc" | comment(prefix="", postfix="") }}
+
+modprobe sunrpc
+sysctl -p
</code_context>

<issue_to_address>
**suggestion (bug_risk):** Using `sysctl -p` without a specific file may reload and depend on global sysctl configuration

This reloads `/etc/sysctl.conf` and all of `/etc/sysctl.d`, which can introduce unrelated changes and fail due to invalid, non-HPC sysctl entries. To limit scope and improve robustness, invoke `sysctl -p` with the specific HPC (or sunrpc-specific) configuration file instead.

Suggested implementation:

```
sysctl -p {{ sunrpc_sysctl_config | default('/etc/sysctl.d/99-hpc-sunrpc-tcp.conf') }}

```

1. Ensure a matching sysctl configuration file (e.g. `/etc/sysctl.d/99-hpc-sunrpc-tcp.conf`) is created/managed by this role, containing only the sunrpc/HPC-specific sysctl settings.
2. Optionally define the `sunrpc_sysctl_config` variable in the role defaults or inventory if a different path is desired.
3. Confirm that the managed sysctl file is written before this script is executed so that `sysctl -p` can successfully load it.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (bug_risk): Using sysctl -p without a specific file may reload and depend on global sysctl configuration

This reloads /etc/sysctl.conf and all of /etc/sysctl.d, which can introduce unrelated changes and fail due to invalid, non-HPC sysctl entries. To limit scope and improve robustness, invoke sysctl -p with the specific HPC (or sunrpc-specific) configuration file instead.

Suggested implementation:

sysctl -p {{ sunrpc_sysctl_config | default('/etc/sysctl.d/99-hpc-sunrpc-tcp.conf') }}

1. Ensure a matching sysctl configuration file (e.g. /etc/sysctl.d/99-hpc-sunrpc-tcp.conf) is created/managed by this role, containing only the sunrpc/HPC-specific sysctl settings.
2. Optionally define the sunrpc_sysctl_config variable in the role defaults or inventory if a different path is desired.
3. Confirm that the managed sysctl file is written before this script is executed so that sysctl -p can successfully load it.

[richm]

It looks like the sunrpc service does two things:

• ensures that the sunrpc kernel module is loaded at boot
• ensures that the sysctl settings are applied at boot

Note that you do not need a service to do this - this can be done automatically by the os.

1. Ensure that the kernel module is loaded at boot before systemd-sysctl is run - if you add the module to /etc/modules-load.d/ it should be loaded early enough. Otherwise, you'll need to add a custom udev rule.
2. Then, the systemd-sysctl job should run and load any files in /etc/sysctl.d/

Is there some reason you need a custom systemd service to do this?

[dgchinner]

Two things that will fail linter checks here. You need to use "#!/bin/bash -eu" to pass one of the linters, and then the shellcheck linter is going to fail on the ansible variables in this file. You need to do this:

#!/bin/bash -eu
# This is a template, not an actual shell script, so tell shellcheck to          
# ignore the problematic templated parts                                         
# shellcheck disable=all                                                         
{{ ansible_managed | comment }}                                                  
{{ "system_role:hpc" | comment(prefix="", postfix="") }}                         
# shellcheck enable=all                                                          

[dgchinner]

Technically the name should be "Install the sunrpc_tcp_settings.sh script" - we are not creating it...

Secondly, custom scripts like this go in /opt/hpc/azure/bin, aka "{{ __hpc_azure_resource_dir }}/bin", not in system binary directories.

[dgchinner]

Also, this should fail if the kernel module loading fails. That way the failure gets propagated to teh service that invoked the script. However, I think the '-eu' addition to the shebang line I mentioned above will trigger script failure correctly here.

[dgchinner]

I think this removes the only user of the systemd-modules-load handler. If it is now unused, please remove it from the handlers/main.yml file.