Add retp_enabled to adjust-security.yaml playbook
Corrects behavior of adjust-security playbook to match what should be expected. Security On: pti_enabled: 1 retp_enabled: 1 Security Off: pti_enabled: 0 retp_enabled: 0 Change-Id: I643aca84391f78ea9b32c929f64e5a132bed9585
parent
da73d61efe
commit
33fe6d6f87
|
@ -6,26 +6,26 @@
|
||||||
#
|
#
|
||||||
# Examples:
|
# Examples:
|
||||||
#
|
#
|
||||||
# Turn off security on entire overcloud
|
# Turn off security on the entire overcloud
|
||||||
# ansible-playbook -i hosts browbeat/adjust-security.yml -e 'security=false'
|
# ansible-playbook -i hosts browbeat/adjust-security.yml -e 'security=false'
|
||||||
#
|
#
|
||||||
# Turn on security on entire overcloud
|
# Turn on security on the entire overcloud
|
||||||
# ansible-playbook -i hosts browbeat/adjust-security.yml
|
# ansible-playbook -i hosts browbeat/adjust-security.yml
|
||||||
#
|
#
|
||||||
# Turn off security on just compute nodes
|
# Turn off security on just compute nodes
|
||||||
# ansible-playbook -i hosts browbeat/adjust-security.yml -e 'target=compute security=false'
|
# ansible-playbook -i hosts browbeat/adjust-security.yml -e 'target=compute security=false'
|
||||||
#
|
#
|
||||||
# "target" can be any of the typical groups or a specific host in the hosts file
|
# "target" can be any of the typical groups or a specific host in the hosts file
|
||||||
# Also you can force any of the three flags to 0 or 1 (Ex. ibpb_enabled=0 etc)
|
# Also you can force any of the three flags* to 0 or 1 (Ex. retp_enabled=0 etc)
|
||||||
#
|
# * Subject to them being writable
|
||||||
|
|
||||||
- hosts: "{{target|default('overcloud')}}"
|
- hosts: "{{target|default('overcloud')}}"
|
||||||
gather_facts: true
|
gather_facts: true
|
||||||
remote_user: "{{ host_remote_user }}"
|
remote_user: "{{ host_remote_user }}"
|
||||||
vars:
|
vars:
|
||||||
ibpb_enabled: 1
|
ibrs_enabled: 0
|
||||||
ibrs_enabled: 1
|
|
||||||
pti_enabled: 1
|
pti_enabled: 1
|
||||||
|
retp_enabled: 1
|
||||||
security: true
|
security: true
|
||||||
vars_files:
|
vars_files:
|
||||||
- ../install/group_vars/all.yml
|
- ../install/group_vars/all.yml
|
||||||
|
@ -39,21 +39,21 @@
|
||||||
|
|
||||||
- name: Check to turn off security
|
- name: Check to turn off security
|
||||||
set_fact:
|
set_fact:
|
||||||
ibpb_enabled: 0
|
|
||||||
ibrs_enabled: 0
|
ibrs_enabled: 0
|
||||||
pti_enabled: 0
|
pti_enabled: 0
|
||||||
|
retp_enabled: 0
|
||||||
when: not security|bool
|
when: not security|bool
|
||||||
|
|
||||||
- name: Debug print the new values for security
|
- name: Debug print the new values for security
|
||||||
debug:
|
debug:
|
||||||
msg: "Setting these: ibpb_enabled- {{ibpb_enabled}} ibrs_enabled- {{ibrs_enabled}} pti_enabled- {{pti_enabled}}"
|
msg: "Setting these: ibrs_enabled- {{ibrs_enabled}} pti_enabled- {{pti_enabled}} retp_enabled - {{retp_enabled}}"
|
||||||
|
|
||||||
- name: Check /sys/kernel for security performance affecting features
|
- name: Check /sys/kernel for security performance affecting features
|
||||||
become: true
|
become: true
|
||||||
shell: |
|
shell: |
|
||||||
echo "/sys/kernel/debug/x86/ibpb_enabled: $(cat /sys/kernel/debug/x86/ibpb_enabled)"
|
|
||||||
echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)"
|
echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)"
|
||||||
echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)"
|
echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)"
|
||||||
|
echo "/sys/kernel/debug/x86/retp_enabled: $(cat /sys/kernel/debug/x86/retp_enabled)"
|
||||||
register: security_vars
|
register: security_vars
|
||||||
|
|
||||||
- name: Debug print the security_vars before setting
|
- name: Debug print the security_vars before setting
|
||||||
|
@ -63,16 +63,16 @@
|
||||||
- name: Turn on/off security
|
- name: Turn on/off security
|
||||||
become: true
|
become: true
|
||||||
shell: |
|
shell: |
|
||||||
echo {{ibpb_enabled}} > /sys/kernel/debug/x86/ibpb_enabled
|
|
||||||
echo {{ibrs_enabled}} > /sys/kernel/debug/x86/ibrs_enabled
|
echo {{ibrs_enabled}} > /sys/kernel/debug/x86/ibrs_enabled
|
||||||
echo {{pti_enabled}} > /sys/kernel/debug/x86/pti_enabled
|
echo {{pti_enabled}} > /sys/kernel/debug/x86/pti_enabled
|
||||||
|
echo {{retp_enabled}} > /sys/kernel/debug/x86/retp_enabled
|
||||||
|
|
||||||
- name: Check /sys/kernel for security performance affecting features
|
- name: Check /sys/kernel for security performance affecting features
|
||||||
become: true
|
become: true
|
||||||
shell: |
|
shell: |
|
||||||
echo "/sys/kernel/debug/x86/ibpb_enabled: $(cat /sys/kernel/debug/x86/ibpb_enabled)"
|
|
||||||
echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)"
|
echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)"
|
||||||
echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)"
|
echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)"
|
||||||
|
echo "/sys/kernel/debug/x86/retp_enabled: $(cat /sys/kernel/debug/x86/retp_enabled)"
|
||||||
register: security_vars
|
register: security_vars
|
||||||
|
|
||||||
- name: Debug print the security_vars after setting
|
- name: Debug print the security_vars after setting
|
||||||
|
|
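Review bot: The "Turn on/off security" task in the third hunk writes the three flags in one `shell: |` block with no error checking, so the task result is only the exit status of the last `echo` (now the `retp_enabled` write); a failed write to `ibrs_enabled` or `pti_enabled` is not reported, and the check task that follows only prints whatever `cat` returns. Since the header comment now says the flags are "Subject to them being writable", a run meant to turn security back on can finish without error while a mitigation is still disabled on some hosts. I would start the block with `set -e`, or add a task after the check that fails when a read-back value differs from the requested one. The values are also rendered unquoted into a `become: true` shell from `-e` extra vars; `echo {{ retp_enabled | int }} > /sys/kernel/debug/x86/retp_enabled` (and the same for the other two writes) keeps them to integers.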