authorMichael Polenchuk <mpolenchuk@mirantis.com>2018-01-31 14:38:16 +0400
committerMichael Polenchuk <mpolenchuk@mirantis.com>2018-01-31 17:28:02 +0400
commit9c20ea371b59a19072b124af86dc3817753872a2 (patch)
tree51384677120d507b64a0706a8855229dc8afdda4 /mcp
parent9b984e9be0ea5e78d111f57e2ea1c156b7b816a4 (diff)
Turn off Retpoline and KPTI protection
Based on Canonical research (https://goo.gl/QJykMa) there is a low risk of attack for private cloud environments, therefore turn off the related kernel patches and regain performance. Change-Id: I661fa127241e327b07d21a29d58d584997607123 Signed-off-by: Michael Polenchuk <mpolenchuk@mirantis.com>
Diffstat (limited to 'mcp')
-rwxr-xr-xmcp/config/states/baremetal_init2
-rw-r--r--mcp/patches/0008-Handle-file_recv-option.patch26
-rw-r--r--mcp/patches/0008-Handle-kernel-boot-options.patch69
-rw-r--r--mcp/patches/patches.list2
-rw-r--r--mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml5
-rw-r--r--mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml3
6 files changed, 79 insertions, 28 deletions
diff --git a/mcp/config/states/baremetal_init b/mcp/config/states/baremetal_init
index cd254ddd3..c14772837 100755
--- a/mcp/config/states/baremetal_init
+++ b/mcp/config/states/baremetal_init
@@ -23,7 +23,7 @@ salt -C 'kvm* or cmp*' file.replace $debian_ip_source \
repl="\n if not __salt__['pkg.version']('vlan'):\n __salt__['pkg.install']('vlan')"
salt -C 'kvm*' pkg.install bridge-utils
-salt -C 'kvm*' state.apply linux.network
+salt -C 'kvm*' state.apply linux.network,linux.system.kernel
salt -C 'kvm* or cmp*' state.apply salt.minion
salt -C 'cmp*' state.apply linux.system
salt -C 'cmp*' state.apply linux.network || true
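Review bot: Applying `linux.system.kernel` on the kvm nodes only writes the grub.d drop-in and regenerates the grub config (per the new 0008 patch in this commit); the `spectre_v2=off`/`nopti` options take effect only after a reboot, and nothing in this hunk reboots the kvm hosts. If a reboot happens later in the script it is outside this hunk; otherwise a comment such as `# kernel boot options land in grub.d only; a reboot is needed before they apply` above the changed line, or an explicit reboot step, would make the expectation visible. The `cmp*` nodes are covered by `state.apply linux.system` two lines below, which presumably includes `linux.system.kernel`; worth confirming so both node classes end up with the same cmdline.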
diff --git a/mcp/patches/0008-Handle-file_recv-option.patch b/mcp/patches/0008-Handle-file_recv-option.patch
deleted file mode 100644
index b0c497ae1..000000000
--- a/mcp/patches/0008-Handle-file_recv-option.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-: Copyright (c) 2017 Mirantis Inc., Enea AB and others.
-:
-: All rights reserved. This program and the accompanying materials
-: are made available under the terms of the Apache License, Version 2.0
-: which accompanies this distribution, and is available at
-: http://www.apache.org/licenses/LICENSE-2.0
-::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-From: Michael Polenchuk <mpolenchuk@mirantis.com>
-Date: Mon, 28 Aug 2017 16:17:43 +0400
-Subject: [PATCH] Handle file_recv option
-
-
-diff --git a/salt/files/master.conf b/salt/files/master.conf
-index 329ae0d..a9d9656 100644
---- a/salt/files/master.conf
-+++ b/salt/files/master.conf
-@@ -95,6 +95,8 @@ logstash_zmq_handler:
- order_masters: True
- {%- endif %}
-
-+file_recv: {{ master.get('file_recv', False) }}
-+
- {#-
- vim: syntax=jinja
- -#}
diff --git a/mcp/patches/0008-Handle-kernel-boot-options.patch b/mcp/patches/0008-Handle-kernel-boot-options.patch
new file mode 100644
index 000000000..f5198a2ab
--- /dev/null
+++ b/mcp/patches/0008-Handle-kernel-boot-options.patch
@@ -0,0 +1,69 @@
+::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+: Copyright (c) 2018 Mirantis Inc., Enea AB and others.
+:
+: All rights reserved. This program and the accompanying materials
+: are made available under the terms of the Apache License, Version 2.0
+: which accompanies this distribution, and is available at
+: http://www.apache.org/licenses/LICENSE-2.0
+::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+From: Michael Polenchuk <mpolenchuk@mirantis.com>
+Date: Thu, 25 Jan 2018 13:22:39 +0400
+Subject: [PATCH] Handle kernel boot options
+
+The 'system.kernel.elevator' and 'system.kernel.isolcpu' options
+have been kept for backward compatibility and should be used in new
+fashion way with system.kernel.boot_options parameter.
+
+Change-Id: I51f7167b8b8946500df2065ee6b02bcf21809bc9
+
+diff --git a/linux/system/kernel.sls b/linux/system/kernel.sls
+index 59b7177..b1c3f3b 100644
+--- a/linux/system/kernel.sls
++++ b/linux/system/kernel.sls
+@@ -3,39 +3,24 @@
+
+ {%- if system.kernel is defined %}
+
+-{%- if system.kernel.isolcpu is defined or system.kernel.elevator is defined %}
++{%- set kernel_boot_opts = [] %}
++{%- do kernel_boot_opts.append('isolcpus=' ~ system.kernel.isolcpu) if system.kernel.isolcpu is defined %}
++{%- do kernel_boot_opts.append('elevator=' ~ system.kernel.elevator) if system.kernel.elevator is defined %}
++{%- do kernel_boot_opts.extend(system.kernel.boot_options) if system.kernel.boot_options is defined %}
+
++{%- if kernel_boot_opts %}
+ include:
+ - linux.system.grub
+
+-{%- if system.kernel.isolcpu is defined %}
+-
+-/etc/default/grub.d/90-isolcpu.cfg:
+- file.managed:
+- - contents: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT isolcpus={{ system.kernel.isolcpu }}"'
+- - require:
+- - file: grub_d_directory
+-{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
+- - watch_in:
+- - cmd: grub_update
+-
+-{%- endif %}
+-{%- endif %}
+-
+-{%- if system.kernel.elevator is defined %}
+-
+-/etc/default/grub.d/91-elevator.cfg:
++/etc/default/grub.d/99-custom-settings.cfg:
+ file.managed:
+- - contents: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT elevator={{ system.kernel.elevator }}"'
++ - contents: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ kernel_boot_opts|join(' ') }}"'
+ - require:
+ - file: grub_d_directory
+ {%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
+ - watch_in:
+ - cmd: grub_update
+-
+-{%- endif %}
+ {%- endif %}
+-
+ {%- endif %}
+
+ {%- if system.kernel.version is defined %}
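Review bot: The rewritten `kernel.sls` stops managing `/etc/default/grub.d/90-isolcpu.cfg` and `91-elevator.cfg` without removing them, so a node that already has either file keeps the old `isolcpus=`/`elevator=` entries next to the new `99-custom-settings.cfg` after an upgrade (duplicated on the cmdline, or stale if the pillar value changed). A `file.absent` for the two legacy paths inside the same `kernel_boot_opts` block, wired into the `grub_update` watch, would make the migration clean. Separately, `boot_options` entries are joined verbatim into the double-quoted `GRUB_CMDLINE_LINUX_DEFAULT` value, so a pillar entry containing `"` or `$` would break or expand when grub-mkconfig runs; a one-line comment stating that values are taken as-is (or a short validation) would help the next maintainer.
```jinja
{%- if kernel_boot_opts %}
{# … unchanged: include, 99-custom-settings.cfg file.managed … #}

{#- Legacy per-option drop-ins replaced by 99-custom-settings.cfg; remove so old values do not linger. #}
{%- for legacy_cfg in ['/etc/default/grub.d/90-isolcpu.cfg', '/etc/default/grub.d/91-elevator.cfg'] %}
{{ legacy_cfg }}:
  file.absent:
{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
  - watch_in:
    - cmd: grub_update
{%- endif %}
{%- endfor %}
```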
diff --git a/mcp/patches/patches.list b/mcp/patches/patches.list
index 34d913ab2..2eb45b272 100644
--- a/mcp/patches/patches.list
+++ b/mcp/patches/patches.list
@@ -12,7 +12,7 @@
/usr/share/salt-formulas/env: 0005-maas-module-Obtain-fabric-ID-from-CIDR.patch
/usr/share/salt-formulas/env: 0006-maas-module-Add-VLAN-DHCP-enable-support.patch
/usr/share/salt-formulas/env: 0007-network.interface-Fix-ifup-OVS-port-with-route.patch
-/usr/share/salt-formulas/env: 0008-Handle-file_recv-option.patch
+/usr/share/salt-formulas/env: 0008-Handle-kernel-boot-options.patch
/usr/share/salt-formulas/env: 0009-controller-Use-keystoneclient-to-check-project-ID.patch
/usr/share/salt-formulas/env: 0010-maas-region-allow-timeout-override.patch
/usr/share/salt-formulas/env: 0011-system.repo-Debian-Add-keyserver-proxy-support.patch
diff --git a/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml b/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml
index dcd78a2cf..1e6b3bd0d 100644
--- a/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml
+++ b/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml
@@ -37,6 +37,11 @@ parameters:
network:
remove_iface_files:
- '/etc/network/interfaces.d/50-cloud-init.cfg'
+ system:
+ kernel:
+ boot_options:
+ - spectre_v2=off
+ - nopti
libvirt:
server:
service: libvirtd
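Review bot: `boot_options` turns off the Spectre v2 (retpoline) and KPTI mitigations on every kvm host, and the same block is added for the compute nodes in the `openstack_compute.yml` hunk below, but neither file records the rationale that lives only in the commit message. Because this is a common class inherited by every deployment, a comment above `boot_options:` such as `# Disable spectre_v2/KPTI mitigations: accepted for private clouds with trusted tenants (Canonical analysis, see commit); drop these to restore kernel isolation` would let an operator judge whether that assumption holds for their tenants. Exposing the list through a reclass `_param` value (name to be chosen) would presumably also let a deployment override it without editing the common class.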
diff --git a/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml b/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml
index 60a01a885..a0cdd98c8 100644
--- a/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml
+++ b/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml
@@ -53,6 +53,9 @@ parameters:
sysctl:
vm.dirty_ratio: 10
vm.dirty_background_ratio: 5
+ boot_options:
+ - spectre_v2=off
+ - nopti
neutron:
gateway:
vlan_aware_vms: true