ensure disabled mitigations does not overwrite all parameters

mageops · Jun 28, 2024 · 035894f · 035894f
1 parent 139a790
commit 035894f
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 7 deletions.
diff --git a/roles/cs.optimize-kernel/defaults/main.yml b/roles/cs.optimize-kernel/defaults/main.yml
@@ -1,2 +1,3 @@
 optimize_kernel_disable_mitigations: yes
 optimize_kernel_network_tune: yes
+optimize_kernel_reboot_system: yes
diff --git a/roles/cs.optimize-kernel/handlers/main.yml b/roles/cs.optimize-kernel/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: Reboot System
+  ansible.builtin.reboot:
+  when: optimize_kernel_reboot_system
diff --git a/roles/cs.optimize-kernel/tasks/main.yml b/roles/cs.optimize-kernel/tasks/main.yml
@@ -1,10 +1,18 @@
-- name: Disable mitigations
-  replace:
-    path: /etc/default/grub
-    regexp: '^GRUB_CMDLINE_LINUX=[^\n]*$'
-    replace: GRUB_CMDLINE_LINUX="console=tty0 crashkernel=auto net.ifnames=0 console=ttyS0 noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off"
+- name: Check if mitigations are already disabled
+  ansible.builtin.shell:
+    cmd: grubby --info=ALL | grep 'args.*mitigations=off'
+  register: _mitigations_check
+  changed_when: false
+  failed_when: _mitigations_check.rc > 1
   when: optimize_kernel_disable_mitigations
 
+- name: Disable mitigations
+  ansible.builtin.shell:
+    cmd: |
+      grubby --update-kernel=ALL --args="noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off"
+  when: _mitigations_check.stdout == "" and optimize_kernel_disable_mitigations
+  notify: Reboot System
+
 - name: Set modern network congestion algorithm
   block:
   - sysctl:

diff --git a/roles/cs.systemd-oomd/tasks/main.yml b/roles/cs.systemd-oomd/tasks/main.yml
@@ -12,13 +12,13 @@
 
 - name: Check if psi=1 is already in kernel parameters
   ansible.builtin.shell:
-    cmd: grubby --info=DEFAULT | grep 'args.*psi=1'
+    cmd: grubby --info=ALL | grep 'args.*psi=1'
   register: _psi_check
   changed_when: false
   failed_when: _psi_check.rc > 1
 
 - name: Add psi=1 to kernel parameters using grubby
   ansible.builtin.shell:
-    cmd: grubby --update-kernel=DEFAULT --args=psi=1
+    cmd: grubby --update-kernel=ALL --args=psi=1
   when: _psi_check.stdout == ""
   notify: Reboot System
diff --git a/site.step-40-app-node.yml b/site.step-40-app-node.yml
@@ -48,6 +48,7 @@
     - role: cs.selinux-disable
 
     - role: cs.optimize-kernel
+      optimize_kernel_reboot_system: no
 
     - role: cs.tuned