diff --git a/ansible/browbeat/adjust-microcode.yml b/ansible/browbeat/adjust-microcode.yml
new file mode 100644
index 000000000..b32bb97d7
--- /dev/null
+++ b/ansible/browbeat/adjust-microcode.yml
@@ -0,0 +1,106 @@
+---
+#
+# Playbook to push new microcode. Please read playbook before running.
+#
+# Examples:
+#
+# Update microcode on Overcloud:
+# ansible-playbook -i hosts browbeat/adjust-microcode.yml -e 'get_url_base=http://example.com.com/intel-ucode/'
+#
+# Update microcode on Controllers
+# ansible-playbook -i hosts browbeat/adjust-microcode.yml -e 'target=controller get_url_base=http://example.com.com/intel-ucode/'
+#
+# "target" can be any of the typical groups or a specific host in the hosts file
+# Set get_url_base to the base of a webserver allowing for download of the microcode
+#
+
+- hosts: "{{target|default('overcloud')}}"
+ gather_facts: true
+ remote_user: "{{ host_remote_user }}"
+ vars:
+ get_url_base: http://example.com.com/intel-ucode/
+ vars_files:
+ - ../install/group_vars/all.yml
+ tasks:
+ - name: Get cpu family
+ become: true
+ shell: cat /proc/cpuinfo | egrep "cpu family" | head -n 1 | awk '{print $4}'
+ register: cpu_family
+
+ - name: Get cpu model
+ become: true
+ shell: cat /proc/cpuinfo | egrep "model" | head -n 1 | awk '{print $3}'
+ register: cpu_model
+
+ - name: Get cpu stepping
+ become: true
+ shell: cat /proc/cpuinfo | egrep "stepping" | head -n 1 | awk '{print $3}'
+ register: cpu_stepping
+
+ - name: Set microcode version
+ set_fact:
+ microcode_version: '{{"%02d"|format(cpu_family.stdout|int)}}-{{"%02x"|format(cpu_model.stdout|int)}}-{{"%02d"|format(cpu_stepping.stdout|int)}}'
+
+ - debug:
+ msg: "Setting up Microcode: {{microcode_version}}"
+
+ - name: Get Microcode
+ become: true
+ get_url:
+ url: "{{get_url_base}}/{{microcode_version}}"
+ dest: /lib/firmware/intel-ucode/{{microcode_version}}
+ force: true
+
+ - name: Run dracut
+ become: true
+ command: dracut -f
+
+ - name: Attempt graceful reboot
+ become: true
+ shell: nohup sh -c '( sleep 5 ; reboot )' &
+ async: 0
+ poll: 0
+ ignore_errors: true
+
+ # 8 minute timeout
+ - name: Wait for Machine Ready (1st try)
+ wait_for:
+ host: "{{ansible_default_ipv4.address}}"
+ port: 22
+ delay: 15
+ timeout: 480
+ delegate_to: undercloud
+ remote_user: "{{local_remote_user}}"
+ register: machine_rebooted
+ ignore_errors: true
+
+ # "Rescue" the node
+ - name: Use Ironic to start each machine
+ shell: |
+ . /home/stack/stackrc
+ openstack baremetal node power off {{ironic_uuid}}
+ sleep 30
+ openstack baremetal node power on {{ironic_uuid}}
+ delegate_to: undercloud
+ remote_user: "{{local_remote_user}}"
+ when: machine_rebooted.failed
+
+ - name: Wait for Machine Ready (2nd try)
+ wait_for:
+ host: "{{ansible_default_ipv4.address}}"
+ port: 22
+ delay: 15
+ timeout: 480
+ delegate_to: undercloud
+ remote_user: "{{local_remote_user}}"
+ when: machine_rebooted.failed
+
+ - name: Check if Feat available
+ become: true
+ command: grep "FEATURE" /var/log/dmesg
+ ignore_errors: true
+ register: check_feat
+
+ - name: Debug print results of Feature Grep in dmesg
+ debug:
+ msg: "{{check_feat.stdout_lines}}"
diff --git a/ansible/browbeat/adjust-security.yml b/ansible/browbeat/adjust-security.yml
new file mode 100644
index 000000000..af070f2ce
--- /dev/null
+++ b/ansible/browbeat/adjust-security.yml
@@ -0,0 +1,90 @@
+---
+#
+# Turn on/off Kernel Security for Meltdown + Spectre
+#
+# Defaults will turn security on, on the Overcloud
+#
+# Examples:
+#
+# Turn off security on entire overcloud
+# ansible-playbook -i hosts browbeat/adjust-security.yml -e 'security=false'
+#
+# Turn on security on entire overcloud
+# ansible-playbook -i hosts browbeat/adjust-security.yml
+#
+# Turn off security on just compute nodes
+# ansible-playbook -i hosts browbeat/adjust-security.yml -e 'target=compute security=false'
+#
+# "target" can be any of the typical groups or a specific host in the hosts file
+# Also you can force any of the three flags to 0 or 1 (Ex. ibpb_enabled=0 etc)
+#
+
+- hosts: "{{target|default('overcloud')}}"
+ gather_facts: true
+ remote_user: "{{ host_remote_user }}"
+ vars:
+ ibpb_enabled: 1
+ ibrs_enabled: 1
+ pti_enabled: 1
+ security: true
+ vars_files:
+ - ../install/group_vars/all.yml
+ tasks:
+ - name: Check if rhel7
+ fail:
+ msg: Only run against RHEL7.X
+ when:
+ - ansible_distribution != "RedHat"
+ - ansible_distribution_major_version < '7'
+
+ - name: Check to turn off security
+ set_fact:
+ ibpb_enabled: 0
+ ibrs_enabled: 0
+ pti_enabled: 0
+ when: not security|bool
+
+ - name: Debug print the new values for security
+ debug:
+ msg: "Setting these: ibpb_enabled- {{ibpb_enabled}} ibrs_enabled- {{ibrs_enabled}} pti_enabled- {{pti_enabled}}"
+
+ - name: Check /sys/kernel for security performance affecting features
+ become: true
+ shell: |
+ echo "/sys/kernel/debug/x86/ibpb_enabled: $(cat /sys/kernel/debug/x86/ibpb_enabled)"
+ echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)"
+ echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)"
+ register: security_vars
+
+ - name: Debug print the security_vars before setting
+ debug:
+ msg: "{{security_vars.stdout_lines}}"
+
+ - name: Turn on/off security
+ become: true
+ shell: |
+ echo {{ibpb_enabled}} > /sys/kernel/debug/x86/ibpb_enabled
+ echo {{ibrs_enabled}} > /sys/kernel/debug/x86/ibrs_enabled
+ echo {{pti_enabled}} > /sys/kernel/debug/x86/pti_enabled
+
+ - name: Check /sys/kernel for security performance affecting features
+ become: true
+ shell: |
+ echo "/sys/kernel/debug/x86/ibpb_enabled: $(cat /sys/kernel/debug/x86/ibpb_enabled)"
+ echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)"
+ echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)"
+ register: security_vars
+
+ - name: Debug print the security_vars after setting
+ debug:
+ msg: "{{security_vars.stdout_lines}}"
+
+ - name: Check if Feat available
+ become: true
+ command: grep "FEATURE" /var/log/dmesg
+ ignore_errors: true
+ register: check_feat
+
+ - name: Debug print results of Feature Grep in dmesg
+ debug:
+ msg: "{{check_feat.stdout_lines}}"
diff --git a/ansible/generate_tripleo_hostfile.sh b/ansible/generate_tripleo_hostfile.sh
index a2c6b53fc..1bb14be9d 100755
--- a/ansible/generate_tripleo_hostfile.sh
+++ b/ansible/generate_tripleo_hostfile.sh
@@ -66,6 +66,7 @@ if [ ${#clouds} -gt 0 ]; then
 echo "ERROR: nova list failed to execute properly, please check the openstack-nova-api on the undercloud."
 exit 1
 fi
+ ironic_uuids=$(ssh -tt -o "UserKnownHostsFile /dev/null" -o "StrictHostKeyChecking no" stack@${tripleo_ip_address} ". ~/stackrc; openstack baremetal node list > >(grep -i -E 'active|running') 2>/dev/null")
 controller_id=$(ssh -tt -o "UserKnownHostsFile /dev/null" -o "StrictHostKeyChecking no" stack@${tripleo_ip_address} ". ~/stackrc; openstack stack resource show $overcloud_name Controller > >(grep physical_resource_id) 2>/dev/null" | awk '{print $4}')
 if [ ${#controller_id} -lt 3 ]; then
 echo "Error: Controller ID is not reporting correctly. Please see check the openstack-heat-api on the undercloud."
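Review bot: The `Check if rhel7` guard cannot fire for the hosts it is meant to reject, because a list under `when` is AND-ed: the play fails only when the distribution is not RedHat *and* the major version is below 7, so a RHEL 6 host (distribution matches) or a non-RHEL 7+ host goes straight on to the debugfs writes. Write it as one disjunction, `when: ansible_distribution != "RedHat" or ansible_distribution_major_version|int != 7`, which also replaces the string comparison `< '7'`. The `Turn on/off security` task then echoes `ibpb_enabled`/`ibrs_enabled`/`pti_enabled` unquoted into a root shell script, and the header invites overriding them with `-e`; an `assert` task before it with `that: "ibpb_enabled|string in ['0', '1']"` (and the same for the other two) would catch a typo or stray value before anything reaches `/sys/kernel/debug/x86/`. As far as I can tell these debugfs writes are runtime-only and do not survive a reboot such as the one the sibling microcode playbook performs; a sentence in the header saying so would save the operator a surprise when the "before" values reappear.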
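Review bot: The new `ironic_uuids=$(ssh … openstack baremetal node list …)` line discards stderr and is never checked, unlike `controller_id` two lines below which aborts on a short result; an ssh, credential or `stackrc` failure therefore leaves `ironic_uuids` empty and every host later lands in the inventory with a bare `ironic_uuid=`, with no error at generation time. Add the same kind of check right after it: `if [ ${#ironic_uuids} -lt 3 ]; then echo "Error: could not list ironic nodes on the undercloud."; exit 1; fi`. The `grep -i -E 'active|running'` filter also matches anywhere on the row, so a node whose name contains either word is kept regardless of its state — probably harmless, but worth a comment if that is intended. The line copies the file's existing `StrictHostKeyChecking no` / `UserKnownHostsFile /dev/null` pair, so the undercloud is still never authenticated on this connection; that is pre-existing style rather than something this commit introduces, but since the data it returns now decides which nodes the playbook power-cycles, a pinned known_hosts entry for `${tripleo_ip_address}` would be a worthwhile follow-up.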
@@ -202,7 +203,7 @@ for line in $nodes; do IP=$(echo $line | awk '{print $8}' | cut -d "=" -f2) if grep -q $uuid <<< {$controller_uuids}; then controller_hn+=("$host") -elif grep -q $uuid <<< {$blockstorage_uuids}; then + elif grep -q $uuid <<< {$blockstorage_uuids}; then blockstorage_hn+=("$host") elif grep -q $uuid <<< {$objectstorage_uuids}; then objectstorage_hn+=("$host") @@ -220,14 +221,36 @@ elif grep -q $uuid <<< {$blockstorage_uuids}; then echo " IdentityFile ${DIR}/heat-admin-id_rsa" | tee -a ${ssh_config_file} echo " StrictHostKeyChecking no" | tee -a ${ssh_config_file} echo " UserKnownHostsFile=/dev/null" | tee -a ${ssh_config_file} + # Substitute the nova instance id for the host name so we can attach the ironic uuid as a host var + ironic_uuids=${ironic_uuids/$uuid/$host} done -# Sort Controllers +# Sort Host Types controller_hn=( $( for item in "${controller_hn[@]}" do echo "$item" done | sort) ) +blockstorage_hn=( $( + for item in "${blockstorage_hn[@]}" + do + echo "$item" + done | sort) ) +objectstorage_hn=( $( + for item in "${objectstorage_hn[@]}" + do + echo "$item" + done | sort) ) +cephstorage_hn=( $( + for item in "${cephstorage_hn[@]}" + do + echo "$item" + done | sort) ) +compute_hn=( $( + for item in "${compute_hn[@]}" + do + echo "$item" + done | sort) ) echo "" echo "---------------------------" 
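Review bot: The four new sort stanzas under `# Sort Host Types` are copies of the existing controller one, five lines each for a single pipeline; each collapses to one line with the same word-split-into-array result, e.g. `blockstorage_hn=( $(printf '%s\n' "${blockstorage_hn[@]}" | sort) )`. The new `ironic_uuids=${ironic_uuids/$uuid/$host}` substitution replaces only the first occurrence and uses `$uuid` as an unquoted pattern, which is fine for a nova instance id but not obvious to the next reader; a comment such as `# first occurrence only; $uuid is a plain UUID so it is safe as a glob pattern` would make that explicit. Both the substitution's enclosing `for line in $nodes` loop and the later per-group lookups appear to depend on IFS having been set to a newline earlier in the file, outside this hunk — worth confirming, since with the default IFS the substitution would be operating on individual words rather than rows.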
@@ -250,35 +273,80 @@ echo "" | tee -a ${ansible_inventory_file}
 echo "[controller]" | tee -a ${ansible_inventory_file}
 if [[ ${#controller_hn} -gt 0 ]]; then
 for ct in ${controller_hn[@]}; do
- echo "${ct}" | tee -a ${ansible_inventory_file}
+ ironic_uuid=''
+ for line in ${ironic_uuids}; do
+ uuid=$(echo $line | awk '{print $2}')
+ host=$(echo $line | awk '{print $6}')
+ if [ "$host" == "$ct" ]; then
+ ironic_uuid=$uuid
+ break
+ fi
+ done
+ echo "${ct} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
 done
 fi
 echo "" | tee -a ${ansible_inventory_file}
 echo "[blockstorage]" | tee -a ${ansible_inventory_file}
 if [[ ${#blockstorage_hn} -gt 0 ]]; then
 for blockstorage in ${blockstorage_hn[@]}; do
- echo "${blockstorage}" | tee -a ${ansible_inventory_file}
+ ironic_uuid=''
+ for line in ${ironic_uuids}; do
+ uuid=$(echo $line | awk '{print $2}')
+ host=$(echo $line | awk '{print $6}')
+ if [ "$host" == "$blockstorage" ]; then
+ ironic_uuid=$uuid
+ break
+ fi
+ done
+ echo "${blockstorage} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
 done
 fi
 echo "" | tee -a ${ansible_inventory_file}
 echo "[objectstorage]" | tee -a ${ansible_inventory_file}
 if [[ ${#objectstorage_hn} -gt 0 ]]; then
 for objectstorage in ${objectstorage_hn[@]}; do
- echo "${objectstorage}" | tee -a ${ansible_inventory_file}
+ ironic_uuid=''
+ for line in ${ironic_uuids}; do
+ uuid=$(echo $line | awk '{print $2}')
+ host=$(echo $line | awk '{print $6}')
+ if [ "$host" == "$objectstorage" ]; then
+ ironic_uuid=$uuid
+ break
+ fi
+ done
+ echo "${objectstorage} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
 done
 fi
 echo "" | tee -a ${ansible_inventory_file}
 echo "[cephstorage]" | tee -a ${ansible_inventory_file}
 if [[ ${#cephstorage_hn} -gt 0 ]]; then
 for cephstorage in ${cephstorage_hn[@]}; do
- echo "${cephstorage}" | tee -a ${ansible_inventory_file}
+ ironic_uuid=''
+ for line in ${ironic_uuids}; do
+ uuid=$(echo $line | awk '{print $2}')
+ host=$(echo $line | awk '{print $6}')
+ if [ "$host" == "$cephstorage" ]; then
+ ironic_uuid=$uuid
+ break
+ fi
+ done
+ echo "${cephstorage} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
 done
 fi
 echo "" | tee -a ${ansible_inventory_file}
 echo "[compute]" | tee -a ${ansible_inventory_file}
 if [[ ${#compute_hn} -gt 0 ]]; then
- for c in ${compute_hn[@]}; do
- echo "${c}" | tee -a ${ansible_inventory_file}
+ for compute in ${compute_hn[@]}; do
+ ironic_uuid=''
+ for line in ${ironic_uuids}; do
+ uuid=$(echo $line | awk '{print $2}')
+ host=$(echo $line | awk '{print $6}')
+ if [ "$host" == "$compute" ]; then
+ ironic_uuid=$uuid
+ break
+ fi
+ done
+ echo "${compute} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
 done
 fi
 if [[ ${#controller_hn} -gt 0 ]] || [[ ${#blockstorage_hn} -gt 0 ]] || [[ ${#objectstorage_hn} -gt 0 ]] || [[ ${#cephstorage_hn} -gt 0 ]] || [[ ${#compute_hn} -gt 0 ]]; then
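Review bot: The ten-line lookup loop added under `for ct in ${controller_hn[@]}` is repeated verbatim for blockstorage, objectstorage, cephstorage and compute, differing only in the loop variable; one helper that prints the first matching uuid keeps the behaviour (first match wins, empty when none, so the inventory line still reads `ironic_uuid=`) and leaves each group loop as a single `echo`. The helper and its use for the controller group are sketched below; the other four loops get the identical one-line body, and nothing visible in the hunk reads the clobbered `uuid`/`host` variables afterwards. The loops word-split `${ironic_uuids}` and `$line` unquoted, which appears to rely on IFS having been set to a newline earlier in the file (outside this hunk) — worth confirming, since with the default IFS `awk '{print $2}'` would see one word per iteration and every host would be written with an empty `ironic_uuid=`.

```shell
# Print the ironic node uuid whose hostname column matches $1 (first match wins);
# prints nothing when there is no match, so callers still emit "ironic_uuid=".
lookup_ironic_uuid() {
  local wanted="$1" line
  for line in ${ironic_uuids}; do
    if [ "$(echo $line | awk '{print $6}')" == "$wanted" ]; then
      echo $line | awk '{print $2}'
      return 0
    fi
  done
  return 0
}
# … unchanged: "[controller]" header echo and the if/for wrapper …
    echo "${ct} ironic_uuid=$(lookup_ironic_uuid "$ct")" | tee -a ${ansible_inventory_file}
# … unchanged: blockstorage, objectstorage, cephstorage and compute loops take the same one-line body …
```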