Playbook to adjust security parameters

Turn on/off security features if your Overcloud has them. Also update
microcode in case you need to do so.

Change-Id: I9918b58af91550cec22165944bc839cf9559ddf9
akrzos 2018-01-11 13:27:33 -05:00
parent d8b949060b
commit f8caad3269
3 changed files with 272 additions and 8 deletions


@ -0,0 +1,106 @@
---
#
# Playbook to push new microcode. Please read playbook before running.
#
# Examples:
#
# Update microcode on Overcloud:
# ansible-playbook -i hosts browbeat/adjust-microcode.yml -e 'get_url_base=http://example.com.com/intel-ucode/'
#
# Update microcode on Controllers
# ansible-playbook -i hosts browbeat/adjust-microcode.yml -e 'target=controller get_url_base=http://example.com.com/intel-ucode/'
#
# "target" can be any of the typical groups or a specific host in the hosts file
# Set get_url_base to the base of a webserver allowing for download of the microcode
#
- hosts: "{{target|default('overcloud')}}"
gather_facts: true
remote_user: "{{ host_remote_user }}"
vars:
get_url_base: http://example.com.com/intel-ucode/
vars_files:
- ../install/group_vars/all.yml
tasks:
- name: Get cpu family
become: true
shell: cat /proc/cpuinfo | egrep "cpu family" | head -n 1 | awk '{print $4}'
register: cpu_family
- name: Get cpu model
become: true
shell: cat /proc/cpuinfo | egrep "model" | head -n 1 | awk '{print $3}'
register: cpu_model
- name: Get cpu stepping
become: true
shell: cat /proc/cpuinfo | egrep "stepping" | head -n 1 | awk '{print $3}'
register: cpu_stepping
- name: Set microcode version
set_fact:
microcode_version: '{{"%02d"|format(cpu_family.stdout|int)}}-{{"%02x"|format(cpu_model.stdout|int)}}-{{"%02d"|format(cpu_stepping.stdout|int)}}'
- debug:
msg: "Setting up Microcode: {{microcode_version}}"
- name: Get Microcode
become: true
get_url:
url: "{{get_url_base}}/{{microcode_version}}"
dest: /lib/firmware/intel-ucode/{{microcode_version}}
force: true
- name: Run dracut
become: true
command: dracut -f
- name: Attempt graceful reboot
become: true
shell: nohup sh -c '( sleep 5 ; reboot )' &
async: 0
poll: 0
ignore_errors: true
# 8 minute timeout
- name: Wait for Machine Ready (1st try)
wait_for:
host: "{{ansible_default_ipv4.address}}"
port: 22
delay: 15
timeout: 480
delegate_to: undercloud
remote_user: "{{local_remote_user}}"
register: machine_rebooted
ignore_errors: true
# "Rescue" the node
- name: Use Ironic to start each machine
shell: |
. /home/stack/stackrc
openstack baremetal node power off {{ironic_uuid}}
sleep 30
openstack baremetal node power on {{ironic_uuid}}
delegate_to: undercloud
remote_user: "{{local_remote_user}}"
when: machine_rebooted.failed
- name: Wait for Machine Ready (2nd try)
wait_for:
host: "{{ansible_default_ipv4.address}}"
port: 22
delay: 15
timeout: 480
delegate_to: undercloud
remote_user: "{{local_remote_user}}"
when: machine_rebooted.failed
- name: Check if Feat available
become: true
command: grep "FEATURE" /var/log/dmesg
ignore_errors: true
register: check_feat
- name: Debug print results of Feature Grep in dmesg
debug:
msg: "{{check_feat.stdout_lines}}"
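Review bot: The microcode blob fetched by the `get_url` task (L58-L61) is written straight into /lib/firmware/intel-ucode and then baked into the initramfs by `dracut -f` with no integrity check, and the default `get_url_base` is plain http, so nothing on the path from the webserver to the boot image verifies what was downloaded. get_url can pin the artifact: add `checksum: "sha256:{{ microcode_sha256 }}"` under `get_url:` (with `microcode_sha256` passed next to `get_url_base`, e.g. `-e 'microcode_sha256=<expected-sha256>'`) and serve the files over https so the module's certificate validation applies. Separately, the filename built at L53 formats family and stepping with `"%02d"` while the intel-ucode files use two hex digits for all three parts, so a stepping of 10 or above would look for `…-10` instead of `…-0a` and miss; use `"%02x"` for all three fields. The default base already ends in `/` and `url:` adds another, which yields a double slash most servers tolerate but is worth trimming.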


@ -0,0 +1,90 @@
---
#
# Turn on/off Kernel Security for Meltdown + Spectre
#
# Defaults will turn security on, on the Overcloud
#
# Examples:
#
# Turn off security on entire overcloud
# ansible-playbook -i hosts browbeat/adjust-security.yml -e 'security=false'
#
# Turn on security on entire overcloud
# ansible-playbook -i hosts browbeat/adjust-security.yml
#
# Turn off security on just compute nodes
# ansible-playbook -i hosts browbeat/adjust-security.yml -e 'target=compute security=false'
#
# "target" can be any of the typical groups or a specific host in the hosts file
# Also you can force any of the three flags to 0 or 1 (Ex. ibpb_enabled=0 etc)
#
- hosts: "{{target|default('overcloud')}}"
gather_facts: true
remote_user: "{{ host_remote_user }}"
vars:
ibpb_enabled: 1
ibrs_enabled: 1
pti_enabled: 1
security: true
vars_files:
- ../install/group_vars/all.yml
tasks:
- name: Check if rhel7
fail:
msg: Only run against RHEL7.X
when:
- ansible_distribution != "RedHat"
- ansible_distribution_major_version < '7'
- name: Check to turn off security
set_fact:
ibpb_enabled: 0
ibrs_enabled: 0
pti_enabled: 0
when: not security|bool
- name: Debug print the new values for security
debug:
msg: "Setting these: ibpb_enabled- {{ibpb_enabled}} ibrs_enabled- {{ibrs_enabled}} pti_enabled- {{pti_enabled}}"
- name: Check /sys/kernel for security performance affecting features
become: true
shell: |
echo "/sys/kernel/debug/x86/ibpb_enabled: $(cat /sys/kernel/debug/x86/ibpb_enabled)"
echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)"
echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)"
register: security_vars
- name: Debug print the security_vars before setting
debug:
msg: "{{security_vars.stdout_lines}}"
- name: Turn on/off security
become: true
shell: |
echo {{ibpb_enabled}} > /sys/kernel/debug/x86/ibpb_enabled
echo {{ibrs_enabled}} > /sys/kernel/debug/x86/ibrs_enabled
echo {{pti_enabled}} > /sys/kernel/debug/x86/pti_enabled
- name: Check /sys/kernel for security performance affecting features
become: true
shell: |
echo "/sys/kernel/debug/x86/ibpb_enabled: $(cat /sys/kernel/debug/x86/ibpb_enabled)"
echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)"
echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)"
register: security_vars
- name: Debug print the security_vars after setting
debug:
msg: "{{security_vars.stdout_lines}}"
- name: Check if Feat available
become: true
command: grep "FEATURE" /var/log/dmesg
ignore_errors: true
register: check_feat
- name: Debug print results of Feature Grep in dmesg
debug:
msg: "{{check_feat.stdout_lines}}"
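Review bot: The `when:` list of the "Check if rhel7" task (L147-L149) ANDs its two conditions, so the play only aborts on a host that is both non-RedHat and below version 7: a RHEL 6 host (first condition false) or a CentOS 7 host (second condition false) sails through, and `< '7'` compares strings rather than numbers. The intent is clearly either condition, `when: ansible_distribution != "RedHat" or ansible_distribution_major_version|int < 7`. The three flag values arrive unvalidated via `-e` and are interpolated directly into `echo {{ibpb_enabled}} > /sys/kernel/debug/x86/ibpb_enabled` (L172-L174); since the header says they may only be 0 or 1, an `assert` task placed before the `set_fact` bounds what reaches the shell and turns a typo into a clear failure instead of a half-applied mitigation.
```yaml
- name: Check if rhel7
  fail:
    msg: Only run against RHEL7.X
  # Either condition on its own must abort; a list under `when:` would AND them.
  when: ansible_distribution != "RedHat" or ansible_distribution_major_version|int < 7
- name: Refuse flag values other than 0 or 1 before they reach the shell tasks
  assert:
    that:
      - ibpb_enabled|string in ['0', '1']
      - ibrs_enabled|string in ['0', '1']
      - pti_enabled|string in ['0', '1']
# … unchanged: set_fact for security=false, debug, /sys/kernel read and write tasks …
```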


@ -66,6 +66,7 @@ if [ ${#clouds} -gt 0 ]; then
echo "ERROR: nova list failed to execute properly, please check the openstack-nova-api on the undercloud."
exit 1
fi
ironic_uuids=$(ssh -tt -o "UserKnownHostsFile /dev/null" -o "StrictHostKeyChecking no" stack@${tripleo_ip_address} ". ~/stackrc; openstack baremetal node list > >(grep -i -E 'active|running') 2>/dev/null")
controller_id=$(ssh -tt -o "UserKnownHostsFile /dev/null" -o "StrictHostKeyChecking no" stack@${tripleo_ip_address} ". ~/stackrc; openstack stack resource show $overcloud_name Controller > >(grep physical_resource_id) 2>/dev/null" | awk '{print $4}')
if [ ${#controller_id} -lt 3 ]; then
echo "Error: Controller ID is not reporting correctly. Please see check the openstack-heat-api on the undercloud."
@ -202,7 +203,7 @@ for line in $nodes; do
IP=$(echo $line | awk '{print $8}' | cut -d "=" -f2)
if grep -q $uuid <<< {$controller_uuids}; then
controller_hn+=("$host")
elif grep -q $uuid <<< {$blockstorage_uuids}; then
elif grep -q $uuid <<< {$blockstorage_uuids}; then
blockstorage_hn+=("$host")
elif grep -q $uuid <<< {$objectstorage_uuids}; then
objectstorage_hn+=("$host")
@ -220,14 +221,36 @@ elif grep -q $uuid <<< {$blockstorage_uuids}; then
echo " IdentityFile ${DIR}/heat-admin-id_rsa" | tee -a ${ssh_config_file}
echo " StrictHostKeyChecking no" | tee -a ${ssh_config_file}
echo " UserKnownHostsFile=/dev/null" | tee -a ${ssh_config_file}
# Substitute the nova instance id for the host name so we can attach the ironic uuid as a host var
ironic_uuids=${ironic_uuids/$uuid/$host}
done
# Sort Controllers
# Sort Host Types
controller_hn=( $(
for item in "${controller_hn[@]}"
do
echo "$item"
done | sort) )
blockstorage_hn=( $(
for item in "${blockstorage_hn[@]}"
do
echo "$item"
done | sort) )
objectstorage_hn=( $(
for item in "${objectstorage_hn[@]}"
do
echo "$item"
done | sort) )
cephstorage_hn=( $(
for item in "${cephstorage_hn[@]}"
do
echo "$item"
done | sort) )
compute_hn=( $(
for item in "${compute_hn[@]}"
do
echo "$item"
done | sort) )
echo ""
echo "---------------------------"
@ -250,35 +273,80 @@ echo "" | tee -a ${ansible_inventory_file}
echo "[controller]" | tee -a ${ansible_inventory_file}
if [[ ${#controller_hn} -gt 0 ]]; then
for ct in ${controller_hn[@]}; do
echo "${ct}" | tee -a ${ansible_inventory_file}
ironic_uuid=''
for line in ${ironic_uuids}; do
uuid=$(echo $line | awk '{print $2}')
host=$(echo $line | awk '{print $6}')
if [ "$host" == "$ct" ]; then
ironic_uuid=$uuid
break
fi
done
echo "${ct} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
done
fi
echo "" | tee -a ${ansible_inventory_file}
echo "[blockstorage]" | tee -a ${ansible_inventory_file}
if [[ ${#blockstorage_hn} -gt 0 ]]; then
for blockstorage in ${blockstorage_hn[@]}; do
echo "${blockstorage}" | tee -a ${ansible_inventory_file}
ironic_uuid=''
for line in ${ironic_uuids}; do
uuid=$(echo $line | awk '{print $2}')
host=$(echo $line | awk '{print $6}')
if [ "$host" == "$blockstorage" ]; then
ironic_uuid=$uuid
break
fi
done
echo "${blockstorage} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
done
fi
echo "" | tee -a ${ansible_inventory_file}
echo "[objectstorage]" | tee -a ${ansible_inventory_file}
if [[ ${#objectstorage_hn} -gt 0 ]]; then
for objectstorage in ${objectstorage_hn[@]}; do
echo "${objectstorage}" | tee -a ${ansible_inventory_file}
ironic_uuid=''
for line in ${ironic_uuids}; do
uuid=$(echo $line | awk '{print $2}')
host=$(echo $line | awk '{print $6}')
if [ "$host" == "$objectstorage" ]; then
ironic_uuid=$uuid
break
fi
done
echo "${objectstorage} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
done
fi
echo "" | tee -a ${ansible_inventory_file}
echo "[cephstorage]" | tee -a ${ansible_inventory_file}
if [[ ${#cephstorage_hn} -gt 0 ]]; then
for cephstorage in ${cephstorage_hn[@]}; do
echo "${cephstorage}" | tee -a ${ansible_inventory_file}
ironic_uuid=''
for line in ${ironic_uuids}; do
uuid=$(echo $line | awk '{print $2}')
host=$(echo $line | awk '{print $6}')
if [ "$host" == "$cephstorage" ]; then
ironic_uuid=$uuid
break
fi
done
echo "${cephstorage} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
done
fi
echo "" | tee -a ${ansible_inventory_file}
echo "[compute]" | tee -a ${ansible_inventory_file}
if [[ ${#compute_hn} -gt 0 ]]; then
for c in ${compute_hn[@]}; do
echo "${c}" | tee -a ${ansible_inventory_file}
for compute in ${compute_hn[@]}; do
ironic_uuid=''
for line in ${ironic_uuids}; do
uuid=$(echo $line | awk '{print $2}')
host=$(echo $line | awk '{print $6}')
if [ "$host" == "$compute" ]; then
ironic_uuid=$uuid
break
fi
done
echo "${compute} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
done
fi
if [[ ${#controller_hn} -gt 0 ]] || [[ ${#blockstorage_hn} -gt 0 ]] || [[ ${#objectstorage_hn} -gt 0 ]] || [[ ${#cephstorage_hn} -gt 0 ]] || [[ ${#compute_hn} -gt 0 ]]; then
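Review bot: The ironic-uuid lookup loop is pasted five times with only the loop variable changed (L254-L263, L271-L280, L288-L297, L305-L314, L323-L331); a small function defined before the `[controller]` block removes the duplication and gives the no-match case one place to live. As written, a host with no matching row silently gets `ironic_uuid=` in the inventory, and the playbooks that consume it would then run `openstack baremetal node power off` with an empty argument, so a warning on stderr at that point is worth having. The inner `for line in ${ironic_uuids}` presumably relies on IFS being newline-only, as the existing `for line in $nodes` loop at L204 does; that setting is outside the hunk, so the function keeps the same word-splitting assumption rather than changing it.
```bash
# Print the Ironic node UUID whose (substituted) name column matches $1.
# Prints nothing and warns on stderr when no row of ${ironic_uuids} matches.
ironic_uuid_for_host() {
  local wanted="$1" line uuid host
  for line in ${ironic_uuids}; do
    uuid=$(echo $line | awk '{print $2}')
    host=$(echo $line | awk '{print $6}')
    if [ "$host" == "$wanted" ]; then
      echo "$uuid"
      return 0
    fi
  done
  echo "WARNING: no ironic uuid found for ${wanted}" >&2
  return 1
}

# … unchanged: [controller] header …
for ct in ${controller_hn[@]}; do
  ironic_uuid=$(ironic_uuid_for_host "$ct")
  echo "${ct} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
done
# … unchanged: same replacement for the blockstorage, objectstorage, cephstorage and compute loops …
```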