91 lines
3.0 KiB
YAML
91 lines
3.0 KiB
YAML
---
|
|
#
|
|
# Turn on/off Kernel Security for Meltdown + Spectre
|
|
#
|
|
# Defaults will turn security on, on the Overcloud
|
|
#
|
|
# Examples:
|
|
#
|
|
# Turn off security on the entire overcloud
|
|
# ansible-playbook -i hosts browbeat/adjust-security.yml -e 'security=false'
|
|
#
|
|
# Turn on security on the entire overcloud
|
|
# ansible-playbook -i hosts browbeat/adjust-security.yml
|
|
#
|
|
# Turn off security on just compute nodes
|
|
# ansible-playbook -i hosts browbeat/adjust-security.yml -e 'target=compute security=false'
|
|
#
|
|
# "target" can be any of the typical groups or a specific host in the hosts file
|
|
# Also you can force any of the three flags* to 0 or 1 (Ex. retp_enabled=0 etc)
|
|
# * Subject to them being writable
|
|
|
|
- hosts: "{{target|default('overcloud')}}"
|
|
gather_facts: true
|
|
remote_user: "{{ host_remote_user }}"
|
|
vars:
|
|
ibrs_enabled: 0
|
|
pti_enabled: 1
|
|
retp_enabled: 1
|
|
security: true
|
|
vars_files:
|
|
- ../install/group_vars/all.yml
|
|
tasks:
|
|
- name: Check if rhel7
|
|
fail:
|
|
msg: Only run against RHEL7.X
|
|
when:
|
|
- ansible_distribution != "RedHat"
|
|
- ansible_distribution_major_version < '7'
|
|
|
|
- name: Check to turn off security
|
|
set_fact:
|
|
ibrs_enabled: 0
|
|
pti_enabled: 0
|
|
retp_enabled: 0
|
|
when: not security|bool
|
|
|
|
- name: Debug print the new values for security
|
|
debug:
|
|
msg: "Setting these: ibrs_enabled- {{ibrs_enabled}} pti_enabled- {{pti_enabled}} retp_enabled - {{retp_enabled}}"
|
|
|
|
- name: Check /sys/kernel for security performance affecting features
|
|
become: true
|
|
shell: |
|
|
echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)"
|
|
echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)"
|
|
echo "/sys/kernel/debug/x86/retp_enabled: $(cat /sys/kernel/debug/x86/retp_enabled)"
|
|
register: security_vars
|
|
|
|
- name: Debug print the security_vars before setting
|
|
debug:
|
|
msg: "{{security_vars.stdout_lines}}"
|
|
|
|
- name: Turn on/off security
|
|
become: true
|
|
shell: |
|
|
echo {{ibrs_enabled}} > /sys/kernel/debug/x86/ibrs_enabled
|
|
echo {{pti_enabled}} > /sys/kernel/debug/x86/pti_enabled
|
|
echo {{retp_enabled}} > /sys/kernel/debug/x86/retp_enabled
|
|
|
|
- name: Check /sys/kernel for security performance affecting features
|
|
become: true
|
|
shell: |
|
|
echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)"
|
|
echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)"
|
|
echo "/sys/kernel/debug/x86/retp_enabled: $(cat /sys/kernel/debug/x86/retp_enabled)"
|
|
register: security_vars
|
|
|
|
- name: Debug print the security_vars after setting
|
|
debug:
|
|
msg: "{{security_vars.stdout_lines}}"
|
|
|
|
- name: Check if Feat available
|
|
become: true
|
|
command: grep "FEATURE" /var/log/dmesg
|
|
ignore_errors: true
|
|
register: check_feat
|
|
|
|
- name: Debug print results of Feature Grep in dmesg
|
|
debug:
|
|
msg: "{{check_feat.stdout_lines}}"
|