authorAlexandru Avadanii <Alexandru.Avadanii@enea.com>2020-01-29 15:40:12 +0100
committerAlexandru Avadanii <Alexandru.Avadanii@enea.com>2020-01-29 17:42:22 +0000
commit30b8abf04744ec71e4e608bc57e3b29872ed61a8 (patch)
treebae611e50191a9592fd7bd204aef0c6c29687fea
parentebe8fcb9f0b1939d0ce63d92fbae427e05321674 (diff)
aarch64: Add kpti=off similar to x86_64 nopti
arm64 kernels use a different kernel option (kpti=off vs nopti) to disable PTI, so sync the two platform configurations. Conveniently, this also bypasses kernel 4.15 issues described in [1], so apply the kernel option customisation via MaaS too, to allow aarch64 deployments to bootstrap using 4.15 kernel (with the downside of these args being duplicated by Salt later in HA scenarios). PTI is now disabled for baremetal nodes (via MaaS, no matter the scenario) and/or for kvm/cmp hosts (in HA scenarios only). While at it, install missing thin provisioning tools in aarch64 bootstrap image for MaaS deploy stage to succeed. [1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1857074 Change-Id: Ibd1f57f24abc690b0f13b6298f25d7e8a1af1567 Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com> (cherry picked from commit d1f1e51f0357266ecddaf63f619c7944c71f5858)
-rw-r--r--mcp/patches/salt-formula-maas/0006-curtin-Add-Bionic-support.patch20
-rw-r--r--mcp/reclass/classes/cluster/all-mcp-arch-common/infra/maas.yml.j23
-rw-r--r--mcp/reclass/classes/cluster/mcp-common-ha/infra/kvm.yml.j21
-rw-r--r--mcp/reclass/classes/cluster/mcp-common-ha/openstack_compute.yml1
-rw-r--r--mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/compute.yml.j21
-rw-r--r--mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/gateway.yml1
-rw-r--r--mcp/reclass/classes/cluster/mcp-iec-noha/infra/kvm.yml.j21
7 files changed, 18 insertions, 10 deletions
diff --git a/mcp/patches/salt-formula-maas/0006-curtin-Add-Bionic-support.patch b/mcp/patches/salt-formula-maas/0006-curtin-Add-Bionic-support.patch
index 791f8eec7..c69507b20 100644
--- a/mcp/patches/salt-formula-maas/0006-curtin-Add-Bionic-support.patch
+++ b/mcp/patches/salt-formula-maas/0006-curtin-Add-Bionic-support.patch
@@ -12,19 +12,19 @@ Subject: [PATCH] curtin: Add Bionic support
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
---
- .../curtin_userdata_amd64_generic_bionic | 83 +++++++++++++++++++
- .../curtin_userdata_arm64_generic_bionic | 78 +++++++++++++++++
+ .../curtin_userdata_amd64_generic_bionic | 84 +++++++++++++++++++
+ .../curtin_userdata_arm64_generic_bionic | 79 +++++++++++++++++
maas/region.sls | 24 ++++++
- 3 files changed, 185 insertions(+)
+ 3 files changed, 187 insertions(+)
create mode 100644 maas/files/curtin_userdata_amd64_generic_bionic
create mode 100644 maas/files/curtin_userdata_arm64_generic_bionic
diff --git a/maas/files/curtin_userdata_amd64_generic_bionic b/maas/files/curtin_userdata_amd64_generic_bionic
new file mode 100644
-index 0000000..c28721a
+index 0000000..11af3cf
--- /dev/null
+++ b/maas/files/curtin_userdata_amd64_generic_bionic
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,84 @@
+{%- from "maas/map.jinja" import cluster with context %}
+{%- raw %}
+#cloud-config
@@ -33,8 +33,9 @@ index 0000000..c28721a
+ {{for line in str(curtin_preseed).splitlines()}}
+ {{line}}
+ {{endfor}}
-+{{if third_party_drivers and driver}}
+early_commands:
++ thin_tools_install: ["sh", "-c", "apt-get update --quiet && apt-get --assume-yes install thin-provisioning-tools"]
++{{if third_party_drivers and driver}}
+ {{py: key_string = ''.join(['\\x%x' % x for x in map(ord, driver['key_binary'])])}}
+ driver_00_get_key: /bin/echo -en '{{key_string}}' > /tmp/maas-{{driver['package']}}.gpg
+ driver_01_add_key: ["apt-key", "add", "/tmp/maas-{{driver['package']}}.gpg"]
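Review bot: The added `thin_tools_install` early command goes into the amd64 template as well as the arm64 one (the second curtin hunk, further down), while the commit message names only the aarch64 bootstrap image as lacking the package, and neither template says why the install is there. A comment above the entry, e.g. `# thin-provisioning-tools is missing from the bootstrap image; the MaaS deploy stage needs it`, would record that and prompt a check on whether amd64 needs it at all. The command also appears to make every deployment depend on reaching the package archive during early_commands, and it runs as part of provisioning, so it is worth limiting what it pulls in: `apt-get --assume-yes --no-install-recommends install thin-provisioning-tools`. The `early_commands` mapping and the `{{if third_party_drivers and driver}}` block that now follows it continue outside the hunk.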
@@ -110,10 +111,10 @@ index 0000000..c28721a
+#}
diff --git a/maas/files/curtin_userdata_arm64_generic_bionic b/maas/files/curtin_userdata_arm64_generic_bionic
new file mode 100644
-index 0000000..d14388a
+index 0000000..006d8c2
--- /dev/null
+++ b/maas/files/curtin_userdata_arm64_generic_bionic
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,79 @@
+{%- from "maas/map.jinja" import cluster with context %}
+{% raw %}
+#cloud-config
@@ -122,8 +123,9 @@ index 0000000..d14388a
+ {{for line in str(curtin_preseed).splitlines()}}
+ {{line}}
+ {{endfor}}
-+{{if third_party_drivers and driver}}
+early_commands:
++ thin_tools_install: ["sh", "-c", "apt-get update --quiet && apt-get --assume-yes install thin-provisioning-tools"]
++{{if third_party_drivers and driver}}
+ {{py: key_string = ''.join(['\\x%x' % x for x in map(ord, driver['key_binary'])])}}
+ driver_00_get_key: /bin/echo -en '{{key_string}}' > /tmp/maas-{{driver['package']}}.gpg
+ driver_01_add_key: ["apt-key", "add", "/tmp/maas-{{driver['package']}}.gpg"]
diff --git a/mcp/reclass/classes/cluster/all-mcp-arch-common/infra/maas.yml.j2 b/mcp/reclass/classes/cluster/all-mcp-arch-common/infra/maas.yml.j2
index f98040b93..f3b1f79aa 100644
--- a/mcp/reclass/classes/cluster/all-mcp-arch-common/infra/maas.yml.j2
+++ b/mcp/reclass/classes/cluster/all-mcp-arch-common/infra/maas.yml.j2
@@ -33,7 +33,7 @@ parameters:
aarch64_hugepages_1g:
comment: 'Enable 1G pagesizes on aarch64'
definition: '//capability[@id="asimd"]|//capability[@id="cp15_barrier"]'
- kernel_opts: 'default_hugepagesz=1G hugepagesz=1G'
+ kernel_opts: 'default_hugepagesz=1G hugepagesz=1G kpti=off'
{%- endif %}
enable_iframe: False
timeout:
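Review bot: The tag's `comment` still reads 'Enable 1G pagesizes on aarch64' although its `kernel_opts` now also turns KPTI off, so anyone reading the tag description would not learn that it disables a Meltdown mitigation. Consider `comment: 'Enable 1G pagesizes and disable KPTI on aarch64'`. The next hunk in this file adds `kpti=off` to the global `kernel_opts` as well, so nodes matching this tag would presumably receive the option twice; that looks harmless, but it is worth confirming how MaaS combines tag and global options. The tag definition starts outside the hunk.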
@@ -111,6 +111,7 @@ parameters:
enable_third_party_drivers: true
network_discovery: 'enabled'
default_min_hwe_kernel: ${_param:hwe_kernel}
+ kernel_opts: 'spectre_v2=off nopti kpti=off nospec_store_bypass_disable noibrs noibpb'
cluster:
saltstack_repo_bionic: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/18.04/amd64/2017.7/ bionic main"
region:
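Review bot: The new global `kernel_opts` hard-codes the removal of the Spectre v2, PTI/KPTI, speculative-store-bypass and IBRS/IBPB mitigations for every node MaaS deploys, with no comment in the file and no way for a deployment to opt out. The line just above already takes its value from `${_param:hwe_kernel}`; doing the same here, e.g. `kernel_opts: ${_param:PLACEHOLDER_kernel_opts}` with the current string as that parameter's default, would let sites that host untrusted workloads keep the mitigations enabled. A comment such as `# Disables CPU side-channel mitigations; kpti=off also works around Launchpad bug 1857074 on arm64 4.15 kernels` would record the reason next to the setting. The enclosing mapping starts outside the hunk.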
diff --git a/mcp/reclass/classes/cluster/mcp-common-ha/infra/kvm.yml.j2 b/mcp/reclass/classes/cluster/mcp-common-ha/infra/kvm.yml.j2
index fe337fa5b..37bc42225 100644
--- a/mcp/reclass/classes/cluster/mcp-common-ha/infra/kvm.yml.j2
+++ b/mcp/reclass/classes/cluster/mcp-common-ha/infra/kvm.yml.j2
@@ -41,6 +41,7 @@ parameters:
boot_options:
- spectre_v2=off
- nopti
+ - kpti=off
- nospec_store_bypass_disable
- noibrs
- noibpb
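Review bot: `kpti=off` joins a `boot_options` list that carries no comment saying that its entries switch off CPU side-channel mitigations, or that `nopti` and `kpti=off` are the x86_64 and arm64 spellings of the same switch (as the commit message explains). A comment above the list, e.g. `# Side-channel mitigations disabled; nopti (x86_64) and kpti=off (arm64) are both listed so one list serves both architectures`, would make that visible to whoever edits the class next. The same applies to the `boot_options` hunks in mcp-common-ha/openstack_compute.yml, mcp-fdio-noha/openstack/compute.yml.j2, mcp-fdio-noha/openstack/gateway.yml and mcp-iec-noha/infra/kvm.yml.j2. For the compute and kvm classes, which presumably host guest VMs, the trade-off weakens guest-to-host isolation and deserves an explicit note. The `boot_options` list and its parent mapping extend outside the hunk.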
diff --git a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_compute.yml b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_compute.yml
index 411fcee5a..af87d9c2f 100644
--- a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_compute.yml
+++ b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_compute.yml
@@ -73,6 +73,7 @@ parameters:
boot_options:
- spectre_v2=off
- nopti
+ - kpti=off
- nospec_store_bypass_disable
- noibrs
- noibpb
diff --git a/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/compute.yml.j2 b/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/compute.yml.j2
index cefed963e..14b8a268b 100644
--- a/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/compute.yml.j2
+++ b/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/compute.yml.j2
@@ -41,6 +41,7 @@ parameters:
boot_options:
- spectre_v2=off
- nopti
+ - kpti=off
- nospec_store_bypass_disable
- noibrs
- noibpb
diff --git a/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/gateway.yml b/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/gateway.yml
index 2dfe0370d..c330b677c 100644
--- a/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/gateway.yml
+++ b/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/gateway.yml
@@ -48,6 +48,7 @@ parameters:
boot_options:
- spectre_v2=off
- nopti
+ - kpti=off
- nospec_store_bypass_disable
- noibrs
- noibpb
diff --git a/mcp/reclass/classes/cluster/mcp-iec-noha/infra/kvm.yml.j2 b/mcp/reclass/classes/cluster/mcp-iec-noha/infra/kvm.yml.j2
index 95b39f637..34372c69c 100644
--- a/mcp/reclass/classes/cluster/mcp-iec-noha/infra/kvm.yml.j2
+++ b/mcp/reclass/classes/cluster/mcp-iec-noha/infra/kvm.yml.j2
@@ -62,6 +62,7 @@ parameters:
boot_options:
- spectre_v2=off
- nopti
+ - kpti=off
sysctl:
net.ipv4.ip_forward: 0
libvirt: