tripleo-heat-templates/deployment/kernel/kernel-baremetal-ansible.yaml
Bogdan Dobrelya c43d69c5d8 Enable post-copy by setting unprivileged_userfaultfd
The setting vm.unprivileged_userfaultfd = 1 is required to
make post-copy working for containerised libvirt.

Related: rhbz#2110556
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Change-Id: I40cf17a971e5c52e145fc7b760fd64c086284a03
2022-08-01 14:29:53 +00:00

209 lines
7.7 KiB
YAML

heat_template_version: wallaby
description: >
Load kernel modules with kmod and configure kernel options with sysctl.
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
KernelPidMax:
default: 1048576
description: Configures sysctl kernel.pid_max key
type: number
KernelDisableIPv6:
default: 0
description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
type: number
KernelIpForward:
default: 1
description: Configures net.ipv4.ip_forward key
type: number
KernelIpv6ConfAllForwarding:
default: 0
description: Configures the net.ipv6.conf.all.forwarding key
type: number
KernelIpv4ConfAllRpFilter:
default: 1
description: Configures the net.ipv4.conf.all.rp_filter key
type: number
KernelIpNonLocalBind:
default: 1
description: Configures net.ipv{4,6}.ip_nonlocal_bind key
type: number
NeighbourGcThreshold1:
default: 1024
description: Configures sysctl net.ipv4.neigh.default.gc_thresh1 value.
This is the minimum number of entries to keep in the ARP
cache. The garbage collector will not run if there are
fewer than this number of entries in the cache.
type: number
NeighbourGcThreshold2:
default: 2048
description: Configures sysctl net.ipv4.neigh.default.gc_thresh2 value.
This is the soft maximum number of entries to keep in the
ARP cache. The garbage collector will allow the number of
entries to exceed this for 5 seconds before collection will
be performed.
type: number
NeighbourGcThreshold3:
default: 4096
description: Configures sysctl net.ipv4.neigh.default.gc_thresh3 value.
This is the hard maximum number of entries to keep in the
ARP cache. The garbage collector will always run if there
are more than this number of entries in the cache.
type: number
InotifyInstancesMax:
default: 1024
description: Configures sysctl fs.inotify.max_user_instances key
type: number
BridgeNfCallArpTables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-arptables key
type: number
BridgeNfCallIpTables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-iptables key
type: number
BridgeNfCallIp6Tables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-ip6tables key
type: number
ExtraKernelModules:
default: {}
description: Hash of extra Kernel modules to load.
type: json
tags:
- role_specific
ExtraKernelPackages:
default: {}
description: List of extra kernel related packages to install.
type: json
tags:
- role_specific
ExtraSysctlSettings:
default: {}
description: Hash of extra sysctl settings to apply.
type: json
tags:
- role_specific
FsAioMaxNumber:
default: 0
description: >
The kernel allocates aio memory on demand, and this number limits the
number of parallel aio requests; the only drawback of a larger limit is
that a malicious guest could issue parallel requests to cause the kernel
to set aside memory. Set this number at least as large as
128 * (number of virtual disks on the host)
Libvirt uses a default of 1M requests to allow 8k disks, with at most
64M of kernel memory if all disks hit an aio request at the same time.
type: number
tags:
- role_specific
conditions:
ipv6_disabled: {equals: [{get_param: KernelDisableIPv6}, 1]}
fs_aio_max_number_set:
and:
- not: {equals: [{get_param: [RoleParameters, FsAioMaxNumber]}, 0]}
- not: {equals: [{get_param: [RoleParameters, FsAioMaxNumber]}, '']}
resources:
# Merging role-specific parameters (RoleParameters) with the default parameters.
# RoleParameters will have the precedence over the default parameters.
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- extra_kernel_modules: ExtraKernelModules
extra_kernel_packages: ExtraKernelPackages
extra_sysctl_settings: ExtraSysctlSettings
- values: {get_param: [RoleParameters]}
- values:
ExtraKernelModules: {get_param: ExtraKernelModules}
ExtraKernelPackages: {get_param: ExtraKernelPackages}
ExtraSysctlSettings: {get_param: ExtraSysctlSettings}
outputs:
role_data:
description: Role data for the Kernel modules
value:
service_name: kernel
host_prep_tasks:
- include_role:
name: tripleo_kernel
ansible_group_vars:
hieradata_localhost_address:
if:
- ipv6_disabled
- '127.0.0.1'
- 'localhost'
tripleo_kernel_extra_modules: {get_attr: [RoleParametersValue, value, extra_kernel_modules]}
tripleo_kernel_extra_packages: {get_attr: [RoleParametersValue, value, extra_kernel_packages]}
tripleo_kernel_sysctl_extra_settings:
map_merge:
- net.ipv6.conf.default.disable_ipv6:
value: {get_param: KernelDisableIPv6}
net.ipv4.ip_local_reserved_ports:
value: "35357,49000-49001"
net.ipv6.conf.all.disable_ipv6:
value: {get_param: KernelDisableIPv6}
net.ipv6.conf.lo.disable_ipv6:
value: 0
net.ipv4.ip_forward:
value: {get_param: KernelIpForward}
net.ipv4.conf.all.rp_filter:
value: {get_param: KernelIpv4ConfAllRpFilter}
net.ipv6.conf.all.forwarding:
value: {get_param: KernelIpv6ConfAllForwarding}
net.ipv4.ip_nonlocal_bind:
value: {get_param: KernelIpNonLocalBind}
net.ipv6.ip_nonlocal_bind:
value: {get_param: KernelIpNonLocalBind}
kernel.pid_max:
value: {get_param: KernelPidMax}
net.ipv4.neigh.default.gc_thresh1:
value: {get_param: NeighbourGcThreshold1}
net.ipv4.neigh.default.gc_thresh2:
value: {get_param: NeighbourGcThreshold2}
net.ipv4.neigh.default.gc_thresh3:
value: {get_param: NeighbourGcThreshold3}
net.bridge.bridge-nf-call-arptables:
value: {get_param: BridgeNfCallArpTables}
net.bridge.bridge-nf-call-iptables:
value: {get_param: BridgeNfCallIpTables}
net.bridge.bridge-nf-call-ip6tables:
value: {get_param: BridgeNfCallIp6Tables}
fs.inotify.max_user_instances:
value: {get_param: InotifyInstancesMax}
vm.unprivileged_userfaultfd:
value: 1
- if:
- fs_aio_max_number_set
- fs.aio-max-nr:
value: {get_param: [RoleParameters, FsAioMaxNumber]}
- {get_attr: [RoleParametersValue, value, extra_sysctl_settings]}