Playbook to adjust security parameters

Turn on/off security features if your Overcloud has them. Also update
microcode incase you need to do so.

Change-Id: I9918b58af91550cec22165944bc839cf9559ddf9

ansible/browbeat/adjust-microcode.yml

@@ -0,0 +1,106 @@
+---
+#
+# Playbook to push new microcode.  Please read playbook before running.
+#
+# Examples:
+#
+# Update microcode on Overcloud:
+# ansible-playbook -i hosts browbeat/adjust-microcode.yml -e 'get_url_base=http://example.com.com/intel-ucode/'
+#
+# Update microcode on Controllers
+# ansible-playbook -i hosts browbeat/adjust-microcode.yml -e 'target=controller get_url_base=http://example.com.com/intel-ucode/'
+#
+# "target" can be any of the typical groups or a specific host in the hosts file
+# Set get_url_base to the base of a webserver allowing for download of the microcode
+#
+
+- hosts: "{{target|default('overcloud')}}"
+  gather_facts: true
+  remote_user: "{{ host_remote_user }}"
+  vars:
+    get_url_base: http://example.com.com/intel-ucode/
+  vars_files:
+    - ../install/group_vars/all.yml
+  tasks:
+    - name: Get cpu family
+      become: true
+      shell: cat /proc/cpuinfo | egrep "cpu family" | head -n 1 | awk '{print $4}'
+      register: cpu_family
+
+    - name: Get cpu model
+      become: true
+      shell: cat /proc/cpuinfo | egrep "model" | head -n 1 | awk '{print $3}'
+      register: cpu_model
+
+    - name: Get cpu stepping
+      become: true
+      shell: cat /proc/cpuinfo | egrep "stepping" | head -n 1 | awk '{print $3}'
+      register: cpu_stepping
+
+    - name: Set microcode version
+      set_fact:
+        microcode_version: '{{"%02d"|format(cpu_family.stdout|int)}}-{{"%02x"|format(cpu_model.stdout|int)}}-{{"%02d"|format(cpu_stepping.stdout|int)}}'
+
+    - debug:
+        msg: "Setting up Microcode: {{microcode_version}}"
+
+    - name: Get Microcode
+      become: true
+      get_url:
+        url: "{{get_url_base}}/{{microcode_version}}"
+        dest: /lib/firmware/intel-ucode/{{microcode_version}}
+        force: true
+
+    - name: Run dracut
+      become: true
+      command: dracut -f
+
+    - name: Attempt graceful reboot
+      become: true
+      shell: nohup sh -c '( sleep 5 ; reboot )' &
+      async: 0
+      poll: 0
+      ignore_errors: true
+
+    # 8 minute timeout
+    - name: Wait for Machine Ready (1st try)
+      wait_for:
+        host: "{{ansible_default_ipv4.address}}"
+        port: 22
+        delay: 15
+        timeout: 480
+      delegate_to: undercloud
+      remote_user: "{{local_remote_user}}"
+      register: machine_rebooted
+      ignore_errors: true
+
+    # "Rescue" the node
+    - name: Use Ironic to start each machine
+      shell: |
+        . /home/stack/stackrc
+        openstack baremetal node power off {{ironic_uuid}}
+        sleep 30
+        openstack baremetal node power on {{ironic_uuid}}
+      delegate_to: undercloud
+      remote_user: "{{local_remote_user}}"
+      when: machine_rebooted.failed
+
+    - name: Wait for Machine Ready (2nd try)
+      wait_for:
+        host: "{{ansible_default_ipv4.address}}"
+        port: 22
+        delay: 15
+        timeout: 480
+      delegate_to: undercloud
+      remote_user: "{{local_remote_user}}"
+      when: machine_rebooted.failed
+
+    - name: Check if Feat available
+      become: true
+      command: grep "FEATURE" /var/log/dmesg
+      ignore_errors: true
+      register: check_feat
+
+    - name: Debug print results of Feature Grep in dmesg
+      debug:
+        msg: "{{check_feat.stdout_lines}}"

ansible/browbeat/adjust-security.yml

@@ -0,0 +1,90 @@
+---
+#
+# Turn on/off Kernel Security for Meltdown + Spectre
+#
+# Defaults will turn security on, on the Overcloud
+#
+# Examples:
+#
+# Turn off security on entire overcloud
+# ansible-playbook -i hosts browbeat/adjust-security.yml -e 'security=false'
+#
+# Turn on security on entire overcloud
+# ansible-playbook -i hosts browbeat/adjust-security.yml
+#
+# Turn off security on just compute nodes
+# ansible-playbook -i hosts browbeat/adjust-security.yml -e 'target=compute security=false'
+#
+# "target" can be any of the typical groups or a specific host in the hosts file
+# Also you can force any of the three flags to 0 or 1 (Ex. ibpb_enabled=0 etc)
+#
+
+- hosts: "{{target|default('overcloud')}}"
+  gather_facts: true
+  remote_user: "{{ host_remote_user }}"
+  vars:
+    ibpb_enabled: 1
+    ibrs_enabled: 1
+    pti_enabled: 1
+    security: true
+  vars_files:
+    - ../install/group_vars/all.yml
+  tasks:
+    - name: Check if rhel7
+      fail:
+        msg: Only run against RHEL7.X
+      when:
+        - ansible_distribution != "RedHat"
+        - ansible_distribution_major_version < '7'
+
+    - name: Check to turn off security
+      set_fact:
+        ibpb_enabled: 0
+        ibrs_enabled: 0
+        pti_enabled: 0
+      when: not security|bool
+
+    - name: Debug print the new values for security
+      debug:
+        msg: "Setting these: ibpb_enabled- {{ibpb_enabled}} ibrs_enabled- {{ibrs_enabled}} pti_enabled- {{pti_enabled}}"
+
+    - name: Check /sys/kernel for security performance affecting features
+      become: true
+      shell: |
+        echo "/sys/kernel/debug/x86/ibpb_enabled: $(cat /sys/kernel/debug/x86/ibpb_enabled)"
+        echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)"
+        echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)"
+      register: security_vars
+
+    - name: Debug print the security_vars before setting
+      debug:
+        msg: "{{security_vars.stdout_lines}}"
+
+    - name: Turn on/off security
+      become: true
+      shell: |
+        echo {{ibpb_enabled}} > /sys/kernel/debug/x86/ibpb_enabled
+        echo {{ibrs_enabled}} > /sys/kernel/debug/x86/ibrs_enabled
+        echo {{pti_enabled}} > /sys/kernel/debug/x86/pti_enabled
+
+    - name: Check /sys/kernel for security performance affecting features
+      become: true
+      shell: |
+        echo "/sys/kernel/debug/x86/ibpb_enabled: $(cat /sys/kernel/debug/x86/ibpb_enabled)"
+        echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)"
+        echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)"
+      register: security_vars
+
+    - name: Debug print the security_vars after setting
+      debug:
+        msg: "{{security_vars.stdout_lines}}"
+
+    - name: Check if Feat available
+      become: true
+      command: grep "FEATURE" /var/log/dmesg
+      ignore_errors: true
+      register: check_feat
+
+    - name: Debug print results of Feature Grep in dmesg
+      debug:
+        msg: "{{check_feat.stdout_lines}}"

ansible/generate_tripleo_hostfile.sh

@@ -66,6 +66,7 @@ if [ ${#clouds} -gt 0 ]; then
     echo "ERROR: nova list failed to execute properly, please check the openstack-nova-api on the undercloud."
     exit 1
   fi
+  ironic_uuids=$(ssh -tt -o "UserKnownHostsFile /dev/null" -o "StrictHostKeyChecking no" stack@${tripleo_ip_address} ". ~/stackrc; openstack baremetal node list > >(grep -i -E 'active|running') 2>/dev/null")
   controller_id=$(ssh -tt -o "UserKnownHostsFile /dev/null" -o "StrictHostKeyChecking no" stack@${tripleo_ip_address} ". ~/stackrc; openstack stack resource show $overcloud_name Controller > >(grep physical_resource_id) 2>/dev/null" | awk '{print $4}')
   if [ ${#controller_id} -lt 3 ]; then
      echo "Error: Controller ID is not reporting correctly. Please see check the openstack-heat-api on the undercloud."
@@ -202,7 +203,7 @@ for line in $nodes; do
  IP=$(echo $line | awk '{print $8}' | cut -d "=" -f2)
  if grep -q $uuid <<< {$controller_uuids}; then
   controller_hn+=("$host")
-elif grep -q $uuid <<< {$blockstorage_uuids}; then
+ elif grep -q $uuid <<< {$blockstorage_uuids}; then
   blockstorage_hn+=("$host")
  elif grep -q $uuid <<< {$objectstorage_uuids}; then
   objectstorage_hn+=("$host")
@@ -220,14 +221,36 @@ elif grep -q $uuid <<< {$blockstorage_uuids}; then
  echo "    IdentityFile ${DIR}/heat-admin-id_rsa" | tee -a ${ssh_config_file}
  echo "    StrictHostKeyChecking no" | tee -a ${ssh_config_file}
  echo "    UserKnownHostsFile=/dev/null" | tee -a ${ssh_config_file}
+ # Substitute the nova instance id for the host name so we can attach the ironic uuid as a host var
+ ironic_uuids=${ironic_uuids/$uuid/$host}
 done
 
-# Sort Controllers
+# Sort Host Types
 controller_hn=( $(
     for item in "${controller_hn[@]}"
     do
         echo "$item"
     done | sort) )
+blockstorage_hn=( $(
+    for item in "${blockstorage_hn[@]}"
+    do
+        echo "$item"
+    done | sort) )
+objectstorage_hn=( $(
+    for item in "${objectstorage_hn[@]}"
+    do
+        echo "$item"
+    done | sort) )
+cephstorage_hn=( $(
+    for item in "${cephstorage_hn[@]}"
+    do
+        echo "$item"
+    done | sort) )
+compute_hn=( $(
+    for item in "${compute_hn[@]}"
+    do
+        echo "$item"
+    done | sort) )
 
 echo ""
 echo "---------------------------"
@@ -250,35 +273,80 @@ echo "" | tee -a ${ansible_inventory_file}
 echo "[controller]" | tee -a ${ansible_inventory_file}
 if [[ ${#controller_hn} -gt 0 ]]; then
  for ct in ${controller_hn[@]}; do
-  echo "${ct}" | tee -a ${ansible_inventory_file}
+   ironic_uuid=''
+   for line in ${ironic_uuids}; do
+     uuid=$(echo $line | awk '{print $2}')
+     host=$(echo $line | awk '{print $6}')
+     if [ "$host" == "$ct" ]; then
+       ironic_uuid=$uuid
+       break
+     fi
+   done
+  echo "${ct} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
  done
 fi
 echo "" | tee -a ${ansible_inventory_file}
 echo "[blockstorage]" | tee -a ${ansible_inventory_file}
 if [[ ${#blockstorage_hn} -gt 0 ]]; then
  for blockstorage in ${blockstorage_hn[@]}; do
-  echo "${blockstorage}" | tee -a ${ansible_inventory_file}
+  ironic_uuid=''
+  for line in ${ironic_uuids}; do
+   uuid=$(echo $line | awk '{print $2}')
+   host=$(echo $line | awk '{print $6}')
+   if [ "$host" == "$blockstorage" ]; then
+    ironic_uuid=$uuid
+    break
+   fi
+  done
+  echo "${blockstorage} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
  done
 fi
 echo "" | tee -a ${ansible_inventory_file}
 echo "[objectstorage]" | tee -a ${ansible_inventory_file}
 if [[ ${#objectstorage_hn} -gt 0 ]]; then
  for objectstorage in ${objectstorage_hn[@]}; do
-  echo "${objectstorage}" | tee -a ${ansible_inventory_file}
+  ironic_uuid=''
+  for line in ${ironic_uuids}; do
+   uuid=$(echo $line | awk '{print $2}')
+   host=$(echo $line | awk '{print $6}')
+   if [ "$host" == "$objectstorage" ]; then
+    ironic_uuid=$uuid
+    break
+   fi
+  done
+  echo "${objectstorage} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
  done
 fi
 echo "" | tee -a ${ansible_inventory_file}
 echo "[cephstorage]" | tee -a ${ansible_inventory_file}
 if [[ ${#cephstorage_hn} -gt 0 ]]; then
  for cephstorage in ${cephstorage_hn[@]}; do
-  echo "${cephstorage}" | tee -a ${ansible_inventory_file}
+  ironic_uuid=''
+  for line in ${ironic_uuids}; do
+   uuid=$(echo $line | awk '{print $2}')
+   host=$(echo $line | awk '{print $6}')
+   if [ "$host" == "$cephstorage" ]; then
+    ironic_uuid=$uuid
+    break
+   fi
+  done
+  echo "${cephstorage} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
  done
 fi
 echo "" | tee -a ${ansible_inventory_file}
 echo "[compute]" | tee -a ${ansible_inventory_file}
 if [[ ${#compute_hn} -gt 0 ]]; then
- for c in ${compute_hn[@]}; do
-  echo "${c}" | tee -a ${ansible_inventory_file}
+ for compute in ${compute_hn[@]}; do
+   ironic_uuid=''
+   for line in ${ironic_uuids}; do
+     uuid=$(echo $line | awk '{print $2}')
+     host=$(echo $line | awk '{print $6}')
+     if [ "$host" == "$compute" ]; then
+       ironic_uuid=$uuid
+       break
+     fi
+   done
+  echo "${compute} ironic_uuid=${ironic_uuid}" | tee -a ${ansible_inventory_file}
  done
 fi
 if [[ ${#controller_hn} -gt 0 ]] || [[ ${#blockstorage_hn} -gt 0 ]] || [[ ${#objectstorage_hn} -gt 0 ]] || [[ ${#cephstorage_hn} -gt 0 ]] || [[ ${#compute_hn} -gt 0 ]]; then