From 9c20ea371b59a19072b124af86dc3817753872a2 Mon Sep 17 00:00:00 2001
From: Michael Polenchuk
Date: Wed, 31 Jan 2018 14:38:16 +0400
Subject: Turn off Retpoline and KPTI protection
Based on Canonical research (https://goo.gl/QJykMa) there is low-risk of attack for private clouds environments, therefore turn off the related kernel patches & regain performance back.
Change-Id: I661fa127241e327b07d21a29d58d584997607123
Signed-off-by: Michael Polenchuk
---
 .../classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml | 5 +++++
 .../cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml | 3 +++
 2 files changed, 8 insertions(+)
(limited to 'mcp/reclass/classes')
diff --git a/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml b/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml
index dcd78a2cf..1e6b3bd0d 100644
--- a/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml
+++ b/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/infra/kvm.yml
@@ -37,6 +37,11 @@ parameters:
 network:
 remove_iface_files:
 - '/etc/network/interfaces.d/50-cloud-init.cfg'
+ system:
+ kernel:
+ boot_options:
+ - spectre_v2=off
+ - nopti
 libvirt:
 server:
 service: libvirtd
diff --git a/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml b/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml
index 60a01a885..a0cdd98c8 100644
--- a/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml
+++ b/mcp/reclass/classes/cluster/baremetal-mcp-pike-common-ha/openstack_compute.yml
@@ -53,6 +53,9 @@ parameters:
 sysctl:
 vm.dirty_ratio: 10
 vm.dirty_background_ratio: 5
+ boot_options:
+ - spectre_v2=off
+ - nopti
 neutron:
 gateway:
 vlan_aware_vms: true
-- cgit 1.2.3-korg
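Review bot: The added `boot_options` entries `spectre_v2=off` and `nopti` switch off the Spectre v2 and Meltdown (KPTI) mitigations unconditionally for every deployment that includes this common class, on the KVM infra hosts in kvm.yml and, in the second hunk, on the compute nodes in openstack_compute.yml, which are the hosts that run guest workloads. The commit message justifies this for private clouds, but nothing in the model records that assumption or lets an operator with less-trusted tenants keep the mitigations, so I would source the list from a cluster-level parameter that defaults to empty (mitigations on) and have performance-focused scenarios opt in. At minimum, add a comment above each list such as `# Spectre v2 and KPTI mitigations disabled for performance; only safe when all guests and host users are trusted`. Both names look like x86 kernel parameters, so it is worth confirming how any other architecture that includes this class treats them. The indentation is lost in this view, so the exact nesting of `boot_options` in openstack_compute.yml should be checked against the file.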