From 9c20ea371b59a19072b124af86dc3817753872a2 Mon Sep 17 00:00:00 2001
From: Michael Polenchuk
Date: Wed, 31 Jan 2018 14:38:16 +0400
Subject: Turn off Retpoline and KPTI protection

Based on Canonical research (https://goo.gl/QJykMa) there is low-risk of attack for private clouds environments, therefore turn off the related kernel patches & regain performance back.

Change-Id: I661fa127241e327b07d21a29d58d584997607123
Signed-off-by: Michael Polenchuk
---
 mcp/config/states/baremetal_init | 2 +-
 mcp/patches/0008-Handle-file_recv-option.patch | 26 --------
 mcp/patches/0008-Handle-kernel-boot-options.patch | 69 ++++++++++++++++++++++
 mcp/patches/patches.list | 2 +-
 .../baremetal-mcp-pike-common-ha/infra/kvm.yml | 5 ++
 .../openstack_compute.yml | 3 +
 6 files changed, 79 insertions(+), 28 deletions(-)
 delete mode 100644 mcp/patches/0008-Handle-file_recv-option.patch
 create mode 100644 mcp/patches/0008-Handle-kernel-boot-options.patch

diff --git a/mcp/config/states/baremetal_init b/mcp/config/states/baremetal_init
index cd254ddd3..c14772837 100755
--- a/mcp/config/states/baremetal_init
+++ b/mcp/config/states/baremetal_init
@@ -23,7 +23,7 @@ salt -C 'kvm* or cmp*' file.replace $debian_ip_source \
 repl="\n if not __salt__['pkg.version']('vlan'):\n __salt__['pkg.install']('vlan')"
 salt -C 'kvm*' pkg.install bridge-utils
-salt -C 'kvm*' state.apply linux.network
+salt -C 'kvm*' state.apply linux.network,linux.system.kernel
 salt -C 'kvm* or cmp*' state.apply salt.minion
 salt -C 'cmp*' state.apply linux.system
 salt -C 'cmp*' state.apply linux.network || true
diff --git a/mcp/patches/0008-Handle-file_recv-option.patch b/mcp/patches/0008-Handle-file_recv-option.patch
deleted file mode 100644
index b0c497ae1..000000000
--- a/mcp/patches/0008-Handle-file_recv-option.patch
+++ /dev/null
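Review bot: The added `linux.system.kernel` state only renders a grub.d fragment and notifies `grub_update`, so the boot options it carries (the `spectre_v2=off`/`nopti` list that kvm.yml gains in this same commit) take effect on the kvm nodes only after a reboot, and this hunk shows none; if no reboot follows later in baremetal_init, the hosts keep running on the old cmdline while the reclass data claims otherwise. A comment on the changed line would make that explicit, e.g. `# linux.system.kernel renders /etc/default/grub.d/99-custom-settings.cfg; new boot options apply on next reboot` (the fragment path comes from the 0008 patch added in this commit). The script continues outside the hunk.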
@@ -1,26 +0,0 @@
-::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-: Copyright (c) 2017 Mirantis Inc., Enea AB and others.
-:
-: All rights reserved. This program and the accompanying materials
-: are made available under the terms of the Apache License, Version 2.0
-: which accompanies this distribution, and is available at
-: http://www.apache.org/licenses/LICENSE-2.0
-::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-From: Michael Polenchuk
-Date: Mon, 28 Aug 2017 16:17:43 +0400
-Subject: [PATCH] Handle file_recv option
-
-
-diff --git a/salt/files/master.conf b/salt/files/master.conf
-index 329ae0d..a9d9656 100644
---- a/salt/files/master.conf
-+++ b/salt/files/master.conf
-@@ -95,6 +95,8 @@ logstash_zmq_handler:
- order_masters: True
- {%- endif %}
- 
-+file_recv: {{ master.get('file_recv', False) }}
-+
- {#-
- vim: syntax=jinja
- -#}
diff --git a/mcp/patches/0008-Handle-kernel-boot-options.patch b/mcp/patches/0008-Handle-kernel-boot-options.patch
new file mode 100644
index 000000000..f5198a2ab
--- /dev/null
+++ b/mcp/patches/0008-Handle-kernel-boot-options.patch
@@ -0,0 +1,69 @@
+::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+: Copyright (c) 2018 Mirantis Inc., Enea AB and others.
+:
+: All rights reserved. This program and the accompanying materials
+: are made available under the terms of the Apache License, Version 2.0
+: which accompanies this distribution, and is available at
+: http://www.apache.org/licenses/LICENSE-2.0
+::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+From: Michael Polenchuk
+Date: Thu, 25 Jan 2018 13:22:39 +0400
+Subject: [PATCH] Handle kernel boot options
+
+The 'system.kernel.elevator' and 'system.kernel.isolcpu' options
+have been kept for backward compatibility and should be used in new
+fashion way with system.kernel.boot_options parameter.
+
+Change-Id: I51f7167b8b8946500df2065ee6b02bcf21809bc9
+
+diff --git a/linux/system/kernel.sls b/linux/system/kernel.sls
+index 59b7177..b1c3f3b 100644
+--- a/linux/system/kernel.sls
++++ b/linux/system/kernel.sls
+@@ -3,39 +3,24 @@
+ 
+ {%- if system.kernel is defined %}
+ 
+-{%- if system.kernel.isolcpu is defined or system.kernel.elevator is defined %}
++{%- set kernel_boot_opts = [] %}
++{%- do kernel_boot_opts.append('isolcpus=' ~ system.kernel.isolcpu) if system.kernel.isolcpu is defined %}
++{%- do kernel_boot_opts.append('elevator=' ~ system.kernel.elevator) if system.kernel.elevator is defined %}
++{%- do kernel_boot_opts.extend(system.kernel.boot_options) if system.kernel.boot_options is defined %}
+ 
++{%- if kernel_boot_opts %}
+ include:
+ - linux.system.grub
+ 
+-{%- if system.kernel.isolcpu is defined %}
+-
+-/etc/default/grub.d/90-isolcpu.cfg:
+- file.managed:
+- - contents: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT isolcpus={{ system.kernel.isolcpu }}"'
+- - require:
+- - file: grub_d_directory
+-{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
+- - watch_in:
+- - cmd: grub_update
+-
+-{%- endif %}
+-{%- endif %}
+-
+-{%- if system.kernel.elevator is defined %}
+-
+-/etc/default/grub.d/91-elevator.cfg:
++/etc/default/grub.d/99-custom-settings.cfg:
+ file.managed:
+- - contents: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT elevator={{ system.kernel.elevator }}"'
++ - contents: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ kernel_boot_opts|join(' ') }}"'
+ - require:
+ - file: grub_d_directory
+ {%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
+ - watch_in:
+ - cmd: grub_update
+-
+-{%- endif %}
+ {%- endif %}
+-
+ {%- endif %}
+ 
+ {%- if system.kernel.version is defined %}
diff --git a/mcp/patches/patches.list b/mcp/patches/patches.list
index 34d913ab2..2eb45b272 100644
--- a/mcp/patches/patches.list
+++ b/mcp/patches/patches.list
@@ -12,7 +12,7 @@
 /usr/share/salt-formulas/env: 0005-maas-module-Obtain-fabric-ID-from-CIDR.patch
 /usr/share/salt-formulas/env: 0006-maas-module-Add-VLAN-DHCP-enable-support.patch
 /usr/share/salt-formulas/env: 0007-network.interface-Fix-ifup-OVS-port-with-route.patch
-/usr/share/salt-formulas/env: 0008-Handle-file_recv-option.patch
+/usr/share/salt-formulas/env: 0008-Handle-kernel-boot-options.patch
 /usr/share/salt-formulas/env: 0009-controller-Use-keystoneclient-to-check-project-ID.patch
 /usr/share/salt-formulas/env: 0010-maas-region-allow-timeout-override.patch
 /usr/share/salt-formulas/env: 0011-system.repo-Debian-Add-keyserver-proxy-support.patch
diff --git a/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml b/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml
index dcd78a2cf..1e6b3bd0d 100644
--- a/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml
+++ b/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml
@@ -37,6 +37,11 @@ parameters:
 network:
 remove_iface_files:
 - '/etc/network/interfaces.d/50-cloud-init.cfg'
+ system:
+ kernel:
+ boot_options:
+ - spectre_v2=off
+ - nopti
 libvirt:
 server:
 service: libvirtd
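Review bot: The rewritten kernel.sls stops managing `90-isolcpu.cfg` and `91-elevator.cfg` but adds no `file.absent` for them, so a host provisioned with the previous formula keeps both old fragments next to `99-custom-settings.cfg` and ends up with `isolcpus=`/`elevator=` appended twice to GRUB_CMDLINE_LINUX_DEFAULT; two `file.absent` states for the old paths, with a `watch_in` on `cmd: grub_update` under the same Docker/LXC guard, would clean that up. Separately, `kernel_boot_opts.extend(system.kernel.boot_options)` is only right when `boot_options` is a list — a scalar string would be extended character by character — so either guard on the type or document the expected shape where the option is described. The joined options are dropped unquoted into a double-quoted shell assignment that grub-mkconfig sources, so a pillar value containing `"`, `$` or whitespace changes the meaning of the fragment; rejecting such values at render time would turn a bad pillar entry into a state failure instead of an unbootable or silently different cmdline. The patch file is complete within this hunk.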
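Review bot: `spectre_v2=off` and `nopti` are hard-coded into the shared baremetal-mcp-pike-common-ha class, so every deployment built on it boots its KVM hosts with the Spectre v2 and Meltdown/KPTI mitigations disabled, and those are the nodes that run tenant VMs — the guest-to-host and guest-to-guest boundary those mitigations exist for. The commit message frames this as a private-cloud risk acceptance, which is a per-deployment decision and belongs in a reclass `_param` that leaves the mitigations on by default (constructed example: `kernel_boot_options: []` in the common class, overridden only where the trade-off is accepted) rather than a value baked into the common class. At minimum a comment above the list should record the assumption, e.g. `# Disables Spectre v2 / KPTI mitigations; valid only while every tenant on this cloud is trusted`. The same list is added to openstack_compute.yml in this commit and needs the same treatment. The nesting of the new `system:` key cannot be verified from the collapsed indentation here; presumably it sits under `linux:` — confirm.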
diff --git a/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml b/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml
index 60a01a885..a0cdd98c8 100644
--- a/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml
+++ b/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml
@@ -53,6 +53,9 @@ parameters:
 sysctl:
 vm.dirty_ratio: 10
 vm.dirty_background_ratio: 5
+ boot_options:
+ - spectre_v2=off
+ - nopti
 neutron:
 gateway:
 vlan_aware_vms: true
-- cgit 1.2.3-korg