Diffstat (limited to 'sw_config')
-rw-r--r-- | sw_config/bmra/patched_k8s.yml | 4 | ||||
-rw-r--r-- | sw_config/bmra/patched_preflight.yml | 174 | ||||
-rw-r--r-- | sw_config/bmra/patched_rhel_packages.yml | 72 | ||||
-rw-r--r-- | sw_config/bmra/patched_sriov_cni_install.yml | 8 | ||||
-rw-r--r-- | sw_config/bmra/patched_vfio.yml | 2 |
5 files changed, 130 insertions, 130 deletions
diff --git a/sw_config/bmra/patched_k8s.yml b/sw_config/bmra/patched_k8s.yml index fb0d43a..89aba6f 100644 --- a/sw_config/bmra/patched_k8s.yml +++ b/sw_config/bmra/patched_k8s.yml @@ -7,7 +7,7 @@ connection: local tasks: [] roles: - - { role: kubespray_install } + - {role: kubespray_install} environment: "{{ proxy_env | d({}) }}" any_errors_fatal: true @@ -77,7 +77,7 @@ kubelet_node_custom_flags: "{{ kubelet_node_custom_flags_prepare | from_yaml }}" kube_api_anonymous_auth: true kube_feature_gates: - - CPUManager=true # feature gate can be enabled by default, default policy is none in Kubernetes + - CPUManager=true # feature gate can be enabled by default, default policy is none in Kubernetes - TopologyManager={{ topology_manager_enabled | default(true) }} - RotateKubeletServerCertificate=true # Kubernetes cluster hardening diff --git a/sw_config/bmra/patched_preflight.yml b/sw_config/bmra/patched_preflight.yml index ae401f9..c83879e 100644 --- a/sw_config/bmra/patched_preflight.yml +++ b/sw_config/bmra/patched_preflight.yml 
@@ -130,98 +130,98 @@ # Early check if SELinux is configured properly - block: - - name: "Collect packages facts" - package_facts: - - debug: - msg: - - "Current SELinux status:" - - "status: {{ ansible_selinux.status | default('') }}" - - "policy version: {{ ansible_selinux.policyvers | default('') }}" - - "type: {{ ansible_selinux.type | default('') }}" - - "mode: {{ ansible_selinux.mode | default('') }}" - - "config_mode: {{ ansible_selinux.config_mode | default('') }}" - - - name: check selinux condition possibly causing system boot failure - debug: - msg: - - "Current SELinux setup might cause the system possibly will not boot up on next reboot." - - "Please, check SELinux settings and set it up according to the documentation." - when: - - "'selinux-policy' not in ansible_facts.packages" - - "'selinux-policy-targeted' not in ansible_facts.packages" + - name: "Collect packages facts" + package_facts: + - debug: + msg: + - "Current SELinux status:" + - "status: {{ ansible_selinux.status | default('') }}" + - "policy version: {{ ansible_selinux.policyvers | default('') }}" + - "type: {{ ansible_selinux.type | default('') }}" + - "mode: {{ ansible_selinux.mode | default('') }}" + - "config_mode: {{ ansible_selinux.config_mode | default('') }}" + + - name: check selinux condition possibly causing system boot failure + debug: + msg: + - "Current SELinux setup might cause the system possibly will not boot up on next reboot." + - "Please, check SELinux settings and set it up according to the documentation." 
+ when: + - "'selinux-policy' not in ansible_facts.packages" + - "'selinux-policy-targeted' not in ansible_facts.packages" when: - ansible_os_family == "RedHat" # STORY: "cmk requires isolcpus to be configured" - block: - - debug: - msg: - - cmk_enabled = {{ cmk_enabled }} (group_vars/all.yml) - - cmk_use_all_hosts = {{ cmk_use_all_hosts }} (group_vars/all.yml) - - cmk_hosts_list = {{ cmk_hosts_list | default('') }} (group_vars/all.yml) - - cmk_shared_num_cores = {{ cmk_shared_num_cores }} (group_vars/all.yml) - - cmk_exclusive_num_cores = {{ cmk_exclusive_num_cores }} (group_vars/all.yml) - - isolcpus_enabled = {{ isolcpus_enabled }} (host_vars) - - isolcpus = {{ isolcpus }} (host_vars) - - ansible_processor_count = {{ ansible_processor_count }} - - ansible_processor_cores = {{ ansible_processor_cores }} - - ansible_processor_threads_per_core = {{ ansible_processor_threads_per_core }} - - ansible_processor_vcpus = {{ ansible_processor_vcpus }} - - CPUs Reserved for OS = 0...{{ ansible_processor_count - 1 }} -# - CPUs Reserved for OS = {{ lookup('sequence','0-{{ ansible_processor_count - 1 }}').split(',') }} # [E207] Nested jinja pattern - - - name: Check Intel CMK Config - assert: - that: ({{ cmk_enabled }} and {{ isolcpus_enabled }} and "{{ isolcpus }}" | length > 0) - msg: - - Incorrect configuration pertaining Intel CMK. Conflicting or improper values detected - - When Intel CMK is enabled, CPUs isolation ('isolcpus') must be set according to the example file for host_vars. 
Please correct the configuration - - - name: Split isolcpus Groups - set_fact: - isolcpus_groups: "{{ isolcpus.split(',') }}" - - - debug: msg="isolcpus_groups = {{ isolcpus_groups }}" - - - name: Filter isolcpus Ranges - set_fact: - isolcpus_ranges: "{{ isolcpus_ranges + [item] }}" - with_items: "{{ isolcpus_groups }}" - when: ("-" in item) - - - debug: msg="isolcpus_ranges = {{ isolcpus_ranges }}" - - - name: Filter isolcpus Discretes - set_fact: - isolcpus_discretes: "{{ isolcpus_discretes + [item] }}" - with_items: "{{ isolcpus_groups }}" - when: ("-" not in item) - - - debug: msg="isolcpus_discretes = {{ isolcpus_discretes }}" - - - name: Build isolcpus List - set_fact: - isolcpus_list: "{{ isolcpus_list | default([]) | union(isolcpus_discretes) | union([item]) }}" - with_sequence: "{{ isolcpus_ranges }}" - - - debug: msg="isolcpus_list = {{ isolcpus_list }}" - - - name: Check isolcpus Total - assert: - that: "{{ isolcpus_list | length }} <= ansible_processor_vcpus" - msg: - - Incorrect configuration pertaining isolcpus. Conflicting or improper values detected - - The number of isolcpus {{ isolcpus_list | length }}, exceeds total CPUs on target {{ ansible_processor_vcpus }}. Please correct the configuration - when: isolcpus is defined - - - name: Check isolcpus IDs - assert: - that: "item | int <= ansible_processor_vcpus" - msg: - - Incorrect configuration pertaining isolcpus. Conflicting or improper values detected - - The CPU ID {{ item }} set for isolcpus is NOT actually present on target. 
Please correct the configuration - with_items: "{{ isolcpus_list }}" - when: isolcpus is defined + - debug: + msg: + - cmk_enabled = {{ cmk_enabled }} (group_vars/all.yml) + - cmk_use_all_hosts = {{ cmk_use_all_hosts }} (group_vars/all.yml) + - cmk_hosts_list = {{ cmk_hosts_list | default('') }} (group_vars/all.yml) + - cmk_shared_num_cores = {{ cmk_shared_num_cores }} (group_vars/all.yml) + - cmk_exclusive_num_cores = {{ cmk_exclusive_num_cores }} (group_vars/all.yml) + - isolcpus_enabled = {{ isolcpus_enabled }} (host_vars) + - isolcpus = {{ isolcpus }} (host_vars) + - ansible_processor_count = {{ ansible_processor_count }} + - ansible_processor_cores = {{ ansible_processor_cores }} + - ansible_processor_threads_per_core = {{ ansible_processor_threads_per_core }} + - ansible_processor_vcpus = {{ ansible_processor_vcpus }} + - CPUs Reserved for OS = 0...{{ ansible_processor_count - 1 }} +# - CPUs Reserved for OS = {{ lookup('sequence','0-{{ ansible_processor_count - 1 }}').split(',') }} # [E207] Nested jinja pattern + + - name: Check Intel CMK Config + assert: + that: ({{ cmk_enabled }} and {{ isolcpus_enabled }} and "{{ isolcpus }}" | length > 0) + msg: + - Incorrect configuration pertaining Intel CMK. Conflicting or improper values detected + - When Intel CMK is enabled, CPUs isolation ('isolcpus') must be set according to the example file for host_vars. 
Please correct the configuration + + - name: Split isolcpus Groups + set_fact: + isolcpus_groups: "{{ isolcpus.split(',') }}" + + - debug: msg="isolcpus_groups = {{ isolcpus_groups }}" + + - name: Filter isolcpus Ranges + set_fact: + isolcpus_ranges: "{{ isolcpus_ranges + [item] }}" + with_items: "{{ isolcpus_groups }}" + when: ("-" in item) + + - debug: msg="isolcpus_ranges = {{ isolcpus_ranges }}" + + - name: Filter isolcpus Discretes + set_fact: + isolcpus_discretes: "{{ isolcpus_discretes + [item] }}" + with_items: "{{ isolcpus_groups }}" + when: ("-" not in item) + + - debug: msg="isolcpus_discretes = {{ isolcpus_discretes }}" + + - name: Build isolcpus List + set_fact: + isolcpus_list: "{{ isolcpus_list | default([]) | union(isolcpus_discretes) | union([item]) }}" + with_sequence: "{{ isolcpus_ranges }}" + + - debug: msg="isolcpus_list = {{ isolcpus_list }}" + + - name: Check isolcpus Total + assert: + that: "{{ isolcpus_list | length }} <= ansible_processor_vcpus" + msg: + - Incorrect configuration pertaining isolcpus. Conflicting or improper values detected + - The number of isolcpus {{ isolcpus_list | length }}, exceeds total CPUs on target {{ ansible_processor_vcpus }}. Please correct the configuration + when: isolcpus is defined + + - name: Check isolcpus IDs + assert: + that: "item | int <= ansible_processor_vcpus" + msg: + - Incorrect configuration pertaining isolcpus. Conflicting or improper values detected + - The CPU ID {{ item }} set for isolcpus is NOT actually present on target. Please correct the configuration + with_items: "{{ isolcpus_list }}" + when: isolcpus is defined #TODO relationship between cmk shared/exclusive cores and isolcpus diff --git a/sw_config/bmra/patched_rhel_packages.yml b/sw_config/bmra/patched_rhel_packages.yml index ec54dc9..0107076 100644 --- a/sw_config/bmra/patched_rhel_packages.yml +++ b/sw_config/bmra/patched_rhel_packages.yml 
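Review bot: The `Check isolcpus IDs` assert accepts a CPU ID equal to `ansible_processor_vcpus`, which would not exist if CPU IDs are zero-based, as the debug task in the same block suggests by printing the range as `0...{{ ansible_processor_count - 1 }}`; the comparison should probably be strict, `that: "item | int < ansible_processor_vcpus"`. Separately, `Check Intel CMK Config` and `Check isolcpus Total` put `{{ }}` delimiters inside `that:`, so variable values are pasted into the expression text before it is evaluated. A bare expression such as `that: isolcpus_list | length <= ansible_processor_vcpus` avoids evaluating host_vars content as part of the condition. Both issues are carried over unchanged on the re-indented lines.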
@@ -175,8 +175,8 @@ - name: update to the latest kernel and kernel headers on the Red Hat OS family package: name: - - kernel - - kernel-devel + - kernel + - kernel-devel state: latest # noqa 403 notify: - reboot server @@ -188,15 +188,15 @@ - name: ensure selinux is installed on CentOS/RHEL 7 package: name: - - policycoreutils - - policycoreutils-python - - selinux-policy - - selinux-policy-targeted - - libselinux-utils - - setools - - setools-console - - shtool - - lshw + - policycoreutils + - policycoreutils-python + - selinux-policy + - selinux-policy-targeted + - libselinux-utils + - setools + - setools-console + - shtool + - lshw state: present when: - ansible_distribution in ["RedHat", "CentOS"] 
@@ -224,36 +224,36 @@ - name: install command line tools to collect hardware details package: name: - - hwinfo - - inxi - - jq + - hwinfo + - inxi + - jq state: present when: ansible_distribution in ["RedHat", "CentOS"] - name: Add kubic yum repo and install updated version of podman block: - - name: disable container-tools module - # noqa 305 - shell is used intentionally here - shell: dnf -y module disable container-tools - - name: enable rhcontainerbot/container-selinux repository - # noqa 305 - shell is used intentionally here - shell: dnf -y copr enable rhcontainerbot/container-selinux - - name: Add kubic yum repo - yum_repository: - name: devel_kubic_libcontainers_stable - description: Stable Releases of Upstream github.com/containers packages (CentOS_$releasever) - baseurl: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/ - gpgcheck: yes - gpgkey: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/repodata/repomd.xml.key - keepcache: '0' - - name: install runc - dnf: - name: runc - state: present - - name: install podman package - package: - name: podman - state: present + - name: disable container-tools module + # noqa 305 - shell is used intentionally here + shell: dnf -y module disable container-tools + - name: enable rhcontainerbot/container-selinux repository + # noqa 305 - shell is used intentionally here + shell: dnf -y copr enable rhcontainerbot/container-selinux + - name: Add kubic yum repo + yum_repository: + name: devel_kubic_libcontainers_stable + description: Stable Releases of Upstream github.com/containers packages (CentOS_$releasever) + baseurl: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/ + gpgcheck: yes + gpgkey: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/repodata/repomd.xml.key + keepcache: '0' + - name: install runc + dnf: + name: runc 
+ state: present + - name: install podman package + package: + name: podman + state: present when: - ansible_os_family == "RedHat" and ansible_distribution_version >= '8.2' - '"docker" not in container_runtime' diff --git a/sw_config/bmra/patched_sriov_cni_install.yml b/sw_config/bmra/patched_sriov_cni_install.yml index ab0dc52..5ac93e5 100644 --- a/sw_config/bmra/patched_sriov_cni_install.yml +++ b/sw_config/bmra/patched_sriov_cni_install.yml @@ -31,10 +31,10 @@ - name: create /opt/cni/bin file: - path: "/opt/cni/bin" - state: directory - recurse: yes - mode: 0755 + path: "/opt/cni/bin" + state: directory + recurse: yes + mode: 0755 - name: install sriov-cni binary to /opt/cni/bin directory copy: diff --git a/sw_config/bmra/patched_vfio.yml b/sw_config/bmra/patched_vfio.yml index f4b7a1d..e79a976 100644 --- a/sw_config/bmra/patched_vfio.yml +++ b/sw_config/bmra/patched_vfio.yml @@ -35,7 +35,7 @@ loop_control: loop_var: vf extended: yes - when: ansible_loop.index < (item.sriov_numvfs | default(0) | int ) + when: ansible_loop.index < (item.sriov_numvfs | default(0) | int ) # get a list of VFs PCI addresses and save the configuration - name: attach VFs driver |
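Review bot: In the `Add kubic yum repo` task the `gpgkey` is fetched from the same download.opensuse.org path as `baseurl`, so `gpgcheck` only proves that packages match whatever key that host serves at install time, and trust rests on the TLS connection alone. Consider shipping the expected key with the playbook, or checking its fingerprint, and adding `repo_gpgcheck: true` if the repository signs its metadata. The two `shell: dnf -y ...` tasks before it enable a third-party COPR repository without confirmation and have no `changed_when`, so they report a change on every run. `gpgcheck: yes` could also be written `gpgcheck: true` as part of this cleanup.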
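Review bot: In the `create /opt/cni/bin` task, `mode: 0755` is left as an unquoted number, which is read as octal only by YAML 1.1 loaders; `mode: "0755"` keeps the permission unambiguous. With `recurse: yes` the same mode is applied to everything already under the directory, so it is worth confirming that this is intended. `recurse: true` is the canonical boolean spelling.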