aarch64: Add kpti=off similar to x86_64 nopti

arm64 kernels use a different kernel option (kpti=off vs nopti) to
disable PTI, so sync the two platform configurations.

Conveniently, this also bypasses kernel 4.15 issues described in [1],
so apply the kernel option customisation via MaaS too, to allow aarch64
deployments to bootstrap using 4.15 kernel (with the downside of these
args being duplicated by Salt later in HA scenarios).

PTI is now disabled for baremetal nodes (via MaaS, no matter the
scenario) and/or for kvm/cmp hosts (in HA scenarios only).

While at it, install missing thin provisioning tools in aarch64
bootstrap image for MaaS deploy stage to succeed.

[1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1857074

Change-Id: Ibd1f57f24abc690b0f13b6298f25d7e8a1af1567
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>

diff --git a/mcp/patches/salt-formula-maas/0006-curtin-Add-Bionic-support.patch b/mcp/patches/salt-formula-maas/0006-curtin-Add-Bionic-support.patch
index 791f8ee..c69507b 100644 (file)
--- a/mcp/patches/salt-formula-maas/0006-curtin-Add-Bionic-support.patch
+++ b/mcp/patches/salt-formula-maas/0006-curtin-Add-Bionic-support.patch
@@ -12,19 +12,19 @@ Subject: [PATCH] curtin: Add Bionic support
 
 Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
 ---
- .../curtin_userdata_amd64_generic_bionic      | 83 +++++++++++++++++++
- .../curtin_userdata_arm64_generic_bionic      | 78 +++++++++++++++++
+ .../curtin_userdata_amd64_generic_bionic      | 84 +++++++++++++++++++
+ .../curtin_userdata_arm64_generic_bionic      | 79 +++++++++++++++++
  maas/region.sls                               | 24 ++++++
- 3 files changed, 185 insertions(+)
+ 3 files changed, 187 insertions(+)
  create mode 100644 maas/files/curtin_userdata_amd64_generic_bionic
  create mode 100644 maas/files/curtin_userdata_arm64_generic_bionic
 
 diff --git a/maas/files/curtin_userdata_amd64_generic_bionic b/maas/files/curtin_userdata_amd64_generic_bionic
 new file mode 100644
-index 0000000..c28721a
+index 0000000..11af3cf
 --- /dev/null
 +++ b/maas/files/curtin_userdata_amd64_generic_bionic
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,84 @@
 +{%- from "maas/map.jinja" import cluster with context %}
 +{%- raw %}
 +#cloud-config
@@ -33,8 +33,9 @@ index 0000000..c28721a
 +  {{for line in str(curtin_preseed).splitlines()}}
 +  {{line}}
 +  {{endfor}}
-+{{if third_party_drivers and driver}}
 +early_commands:
++  thin_tools_install: ["sh", "-c", "apt-get update --quiet && apt-get --assume-yes install thin-provisioning-tools"]
++{{if third_party_drivers and driver}}
 +  {{py: key_string = ''.join(['\\x%x' % x for x in map(ord, driver['key_binary'])])}}
 +  driver_00_get_key: /bin/echo -en '{{key_string}}' > /tmp/maas-{{driver['package']}}.gpg
 +  driver_01_add_key: ["apt-key", "add", "/tmp/maas-{{driver['package']}}.gpg"]
@@ -110,10 +111,10 @@ index 0000000..c28721a
 +#}
 diff --git a/maas/files/curtin_userdata_arm64_generic_bionic b/maas/files/curtin_userdata_arm64_generic_bionic
 new file mode 100644
-index 0000000..d14388a
+index 0000000..006d8c2
 --- /dev/null
 +++ b/maas/files/curtin_userdata_arm64_generic_bionic
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,79 @@
 +{%- from "maas/map.jinja" import cluster with context %}
 +{% raw %}
 +#cloud-config
@@ -122,8 +123,9 @@ index 0000000..d14388a
 +  {{for line in str(curtin_preseed).splitlines()}}
 +  {{line}}
 +  {{endfor}}
-+{{if third_party_drivers and driver}}
 +early_commands:
++  thin_tools_install: ["sh", "-c", "apt-get update --quiet && apt-get --assume-yes install thin-provisioning-tools"]
++{{if third_party_drivers and driver}}
 +  {{py: key_string = ''.join(['\\x%x' % x for x in map(ord, driver['key_binary'])])}}
 +  driver_00_get_key: /bin/echo -en '{{key_string}}' > /tmp/maas-{{driver['package']}}.gpg
 +  driver_01_add_key: ["apt-key", "add", "/tmp/maas-{{driver['package']}}.gpg"]

diff --git a/mcp/reclass/classes/cluster/all-mcp-arch-common/infra/maas.yml.j2 b/mcp/reclass/classes/cluster/all-mcp-arch-common/infra/maas.yml.j2
index f98040b..f3b1f79 100644 (file)
--- a/mcp/reclass/classes/cluster/all-mcp-arch-common/infra/maas.yml.j2
+++ b/mcp/reclass/classes/cluster/all-mcp-arch-common/infra/maas.yml.j2
@@ -33,7 +33,7 @@ parameters:
         aarch64_hugepages_1g:
           comment: 'Enable 1G pagesizes on aarch64'
           definition: '//capability[@id="asimd"]|//capability[@id="cp15_barrier"]'
-          kernel_opts: 'default_hugepagesz=1G hugepagesz=1G'
+          kernel_opts: 'default_hugepagesz=1G hugepagesz=1G kpti=off'
 {%- endif %}
       enable_iframe: False
       timeout:
@@ -111,6 +111,7 @@ parameters:
         enable_third_party_drivers: true
         network_discovery: 'enabled'
         default_min_hwe_kernel: ${_param:hwe_kernel}
+        kernel_opts: 'spectre_v2=off nopti kpti=off nospec_store_bypass_disable noibrs noibpb'
     cluster:
       saltstack_repo_bionic: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/18.04/amd64/2017.7/ bionic main"
       region:

diff --git a/mcp/reclass/classes/cluster/mcp-common-ha/infra/kvm.yml.j2 b/mcp/reclass/classes/cluster/mcp-common-ha/infra/kvm.yml.j2
index fe337fa..37bc422 100644 (file)
--- a/mcp/reclass/classes/cluster/mcp-common-ha/infra/kvm.yml.j2
+++ b/mcp/reclass/classes/cluster/mcp-common-ha/infra/kvm.yml.j2
@@ -41,6 +41,7 @@ parameters:
         boot_options:
           - spectre_v2=off
           - nopti
+          - kpti=off
           - nospec_store_bypass_disable
           - noibrs
           - noibpb

diff --git a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_compute.yml b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_compute.yml
index 411fcee..af87d9c 100644 (file)
--- a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_compute.yml
+++ b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_compute.yml
@@ -73,6 +73,7 @@ parameters:
         boot_options:
           - spectre_v2=off
           - nopti
+          - kpti=off
           - nospec_store_bypass_disable
           - noibrs
           - noibpb

diff --git a/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/compute.yml.j2 b/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/compute.yml.j2
index cefed96..14b8a26 100644 (file)
--- a/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/compute.yml.j2
+++ b/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/compute.yml.j2
@@ -41,6 +41,7 @@ parameters:
         boot_options:
           - spectre_v2=off
           - nopti
+          - kpti=off
           - nospec_store_bypass_disable
           - noibrs
           - noibpb

diff --git a/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/gateway.yml b/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/gateway.yml
index 2dfe037..c330b67 100644 (file)
--- a/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/gateway.yml
+++ b/mcp/reclass/classes/cluster/mcp-fdio-noha/openstack/gateway.yml
@@ -48,6 +48,7 @@ parameters:
         boot_options:
           - spectre_v2=off
           - nopti
+          - kpti=off
           - nospec_store_bypass_disable
           - noibrs
           - noibpb

diff --git a/mcp/reclass/classes/cluster/mcp-iec-noha/infra/kvm.yml.j2 b/mcp/reclass/classes/cluster/mcp-iec-noha/infra/kvm.yml.j2
index 95b39f6..34372c6 100644 (file)
--- a/mcp/reclass/classes/cluster/mcp-iec-noha/infra/kvm.yml.j2
+++ b/mcp/reclass/classes/cluster/mcp-iec-noha/infra/kvm.yml.j2
@@ -62,6 +62,7 @@ parameters:
         boot_options:
           - spectre_v2=off
           - nopti
+          - kpti=off
         sysctl:
           net.ipv4.ip_forward: 0
   libvirt: