Last active
March 23, 2021 23:05
-
-
Save mnaser/480f9b5b890b20d0f4977835df515799 to your computer and use it in GitHub Desktop.
Ansible playbook for Meltdown mitigation (KPI for CentOS/RHEL 7)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - hosts: all | |
| gather_facts: false | |
| pre_tasks: | |
| - name: ensure ipmi tools are installed | |
| yum: | |
| name: ipmitool | |
| - name: retrieve ipmitool address | |
| shell: > | |
| ipmitool lan print | grep '^IP Addr' | grep -v Source | cut -d':' -f2 | xargs | |
| register: ipmitool_lan_print | |
| changed_when: false | |
| failed_when: ipmitool_lan_print.stdout == "" | |
| - name: print ipmi address | |
| debug: | |
| msg: "{{ ipmitool_lan_print.stdout }}" | |
| - name: ensure ipmi is accessible | |
| delegate_to: localhost | |
| wait_for: | |
| host: "{{ ipmitool_lan_print.stdout }}" | |
| port: 80 | |
| timeout: 5 | |
| tasks: | |
| - name: install updated kernel | |
| yum: | |
| name: | |
| - kernel-3.10.0-693.11.6.el7 | |
| - microcode_ctl-2.1-22.2.el7 | |
| state: installed | |
| post_tasks: | |
| - name: check if system contains fix | |
| shell: | |
| cat /boot/config-$(uname -r) | |
| register: kernel_config | |
| changed_when: false | |
| - name: prepare kexec | |
| when: '"CONFIG_KAISER=y" not in kernel_config.stdout' | |
| block: | |
| - name: unload current target | |
| shell: kexec -u | |
| - name: load kexec target | |
| shell: > | |
| kexec -l /boot/vmlinuz-3.10.0-693.11.6.el7.x86_64 \ | |
| --initrd=/boot/initramfs-3.10.0-693.11.6.el7.x86_64.img \ | |
| --reuse-cmdline | |
| - debug: | |
| msg: Machine requires reboot and ready for `systemctl kexec` |
Added an update that automatically configures kexec for much faster reboots. This is extremely useful for machines with big memory or long POST times (think compute nodes). All you have to do is run systemctl kexec once everything is done.
btw you can tell if kpti is loaded and active with cat /sys/kernel/debug/x86/pti_enabled
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If you do not use IPMI, you can drop the entire
pre_taskssection but it's useful to make sure that you don't have a server that gets rebooted but disappears forever.The playbook also checks if the mitigation is already done, making it idempotent. If you run it once you reboot, it should skip the installation by checking the kernel configuration.