akrzos f8caad3269 Playbook to adjust security parameters
Turn on/off security features if your Overcloud has them. Also update
microcode incase you need to do so.

Change-Id: I9918b58af91550cec22165944bc839cf9559ddf9
2018-01-13 14:31:14 -05:00

107 lines
3.1 KiB

# Playbook to push new microcode. Please read playbook before running.
# Examples:
# Update microcode on Overcloud:
# ansible-playbook -i hosts browbeat/adjust-microcode.yml -e 'get_url_base='
# Update microcode on Controllers
# ansible-playbook -i hosts browbeat/adjust-microcode.yml -e 'target=controller get_url_base='
# "target" can be any of the typical groups or a specific host in the hosts file
# Set get_url_base to the base of a webserver allowing for download of the microcode
- hosts: "{{target|default('overcloud')}}"
gather_facts: true
remote_user: "{{ host_remote_user }}"
- ../install/group_vars/all.yml
- name: Get cpu family
become: true
shell: cat /proc/cpuinfo | egrep "cpu family" | head -n 1 | awk '{print $4}'
register: cpu_family
- name: Get cpu model
become: true
shell: cat /proc/cpuinfo | egrep "model" | head -n 1 | awk '{print $3}'
register: cpu_model
- name: Get cpu stepping
become: true
shell: cat /proc/cpuinfo | egrep "stepping" | head -n 1 | awk '{print $3}'
register: cpu_stepping
- name: Set microcode version
microcode_version: '{{"%02d"|format(cpu_family.stdout|int)}}-{{"%02x"|format(cpu_model.stdout|int)}}-{{"%02d"|format(cpu_stepping.stdout|int)}}'
- debug:
msg: "Setting up Microcode: {{microcode_version}}"
- name: Get Microcode
become: true
url: "{{get_url_base}}/{{microcode_version}}"
dest: /lib/firmware/intel-ucode/{{microcode_version}}
force: true
- name: Run dracut
become: true
command: dracut -f
- name: Attempt graceful reboot
become: true
shell: nohup sh -c '( sleep 5 ; reboot )' &
async: 0
poll: 0
ignore_errors: true
# 8 minute timeout
- name: Wait for Machine Ready (1st try)
host: "{{ansible_default_ipv4.address}}"
port: 22
delay: 15
timeout: 480
delegate_to: undercloud
remote_user: "{{local_remote_user}}"
register: machine_rebooted
ignore_errors: true
# "Rescue" the node
- name: Use Ironic to start each machine
shell: |
. /home/stack/stackrc
openstack baremetal node power off {{ironic_uuid}}
sleep 30
openstack baremetal node power on {{ironic_uuid}}
delegate_to: undercloud
remote_user: "{{local_remote_user}}"
when: machine_rebooted.failed
- name: Wait for Machine Ready (2nd try)
host: "{{ansible_default_ipv4.address}}"
port: 22
delay: 15
timeout: 480
delegate_to: undercloud
remote_user: "{{local_remote_user}}"
when: machine_rebooted.failed
- name: Check if Feat available
become: true
command: grep "FEATURE" /var/log/dmesg
ignore_errors: true
register: check_feat
- name: Debug print results of Feature Grep in dmesg
msg: "{{check_feat.stdout_lines}}"