diff options
| author |   Michael Polenchuk <mpolenchuk@mirantis.com> | 2018-01-31 14:38:16 +0400 |
|---|---|---|
| committer | Michael Polenchuk <mpolenchuk@mirantis.com> | 2018-01-31 17:28:02 +0400 |
| commit | 9c20ea371b59a19072b124af86dc3817753872a2 (patch) | |
| tree | 51384677120d507b64a0706a8855229dc8afdda4 /mcp/patches/0008-Handle-kernel-boot-options.patch | |
| parent | 9b984e9be0ea5e78d111f57e2ea1c156b7b816a4 (diff) | |
Turn off Retpoline and KPTI protection
Based on Canonical research (https://goo.gl/QJykMa) there is
low-risk of attack for private clouds environments, therefore
turn off the related kernel patches & regain performance back.
Change-Id: I661fa127241e327b07d21a29d58d584997607123
Signed-off-by: Michael Polenchuk <mpolenchuk@mirantis.com>
Diffstat (limited to 'mcp/patches/0008-Handle-kernel-boot-options.patch')
| -rw-r--r-- | mcp/patches/0008-Handle-kernel-boot-options.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/mcp/patches/0008-Handle-kernel-boot-options.patch b/mcp/patches/0008-Handle-kernel-boot-options.patch new file mode 100644 index 000000000..f5198a2ab --- /dev/null +++ b/mcp/patches/0008-Handle-kernel-boot-options.patch @@ -0,0 +1,69 @@ +:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: +: Copyright (c) 2018 Mirantis Inc., Enea AB and others. +: +: All rights reserved. This program and the accompanying materials +: are made available under the terms of the Apache License, Version 2.0 +: which accompanies this distribution, and is available at +: http://www.apache.org/licenses/LICENSE-2.0 +:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: +From: Michael Polenchuk <mpolenchuk@mirantis.com> +Date: Thu, 25 Jan 2018 13:22:39 +0400 +Subject: [PATCH] Handle kernel boot options + +The 'system.kernel.elevator' and 'system.kernel.isolcpu' options +have been kept for backward compatibility and should be used in new +fashion way with system.kernel.boot_options parameter. + +Change-Id: I51f7167b8b8946500df2065ee6b02bcf21809bc9 + +diff --git a/linux/system/kernel.sls b/linux/system/kernel.sls +index 59b7177..b1c3f3b 100644 +--- a/linux/system/kernel.sls ++++ b/linux/system/kernel.sls +@@ -3,39 +3,24 @@ + + {%- if system.kernel is defined %} + +-{%- if system.kernel.isolcpu is defined or system.kernel.elevator is defined %} ++{%- set kernel_boot_opts = [] %} ++{%- do kernel_boot_opts.append('isolcpus=' ~ system.kernel.isolcpu) if system.kernel.isolcpu is defined %} ++{%- do kernel_boot_opts.append('elevator=' ~ system.kernel.elevator) if system.kernel.elevator is defined %} ++{%- do kernel_boot_opts.extend(system.kernel.boot_options) if system.kernel.boot_options is defined %} + ++{%- if kernel_boot_opts %} + include: + - linux.system.grub + +-{%- if system.kernel.isolcpu is defined %} +- +-/etc/default/grub.d/90-isolcpu.cfg: +- file.managed: +- - contents: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT isolcpus={{ system.kernel.isolcpu }}"' +- - require: +- - file: grub_d_directory +-{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %} +- - watch_in: +- - cmd: grub_update +- +-{%- endif %} +-{%- endif %} +- +-{%- if system.kernel.elevator is defined %} +- +-/etc/default/grub.d/91-elevator.cfg: ++/etc/default/grub.d/99-custom-settings.cfg: + file.managed: +- - contents: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT elevator={{ system.kernel.elevator }}"' ++ - contents: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ kernel_boot_opts|join(' ') }}"' + - require: + - file: grub_d_directory + {%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %} + - watch_in: + - cmd: grub_update +- +-{%- endif %} + {%- endif %} +- + {%- endif %} + + {%- if system.kernel.version is defined %} |