compute_tsx¶
Compute-TSX
===========
An Ansible role to verify that the compute nodes have the appropriate TSX flags before
proceeding with an upgrade.
RHEL-8.3 kernel disabled the Intel TSX (Transactional Synchronization Extensions)
feature by default as a preemptive security measure, but it breaks live migration from
RHEL-7.9 (or even RHEL-8.1 or RHEL-8.2) to RHEL-8.3.
Operators are expected to explicitly define the TSX flag in their KernelArgs for the
compute role to prevent live-migration issues during the upgrade process.
This role is intended to be called by tripleo via the kernel deployment templates.
It's also possible to call the role as a standalone.
This also impacts upstream CentOS systems
Requirements
------------
This role needs to be run on an Undercloud with a deployed Overcloud.
Role Variables
--------------
- `compute_tsx_debug`: <'false'> -- Whether or not to print the computed variables during execution
- `compute_tsx_warning`: <'false'> -- Will not return a failure, but will simply print the failure
- `compute_tsx_kernel_args`: <''> -- This is meant to be used when called by tripleo-heat-templates.
- `compute_tsx_8_3_version`: <'4.18.0-240'> -- This is the kernel version that requires to have TSX flag enabled
Dependencies
------------
No dependencies.
Example Playbook
----------------
Standard playbook
- hosts: nova_libvirt
roles:
- { role: compute_tsx}
Reporting playbook with no failure
- hosts: nova_libvirt
vars:
- compute_tsx_warning: true
roles:
- { role: compute_tsx}
License
-------
Apache
Author Information
------------------
Red Hat TripleO DFG:Compute Deployment Squad
Role Documentation¶
Welcome to the “compute_tsx” role documentation.
Role Defaults¶
This section highlights all of the defaults and variables set within the “compute_tsx” role.
compute_tsx_debug: false
compute_tsx_information_msg: 'For more information on why we must explicitly define
the TSX flag, please visit:
https://access.redhat.com/solutions/6036141
'
compute_tsx_kernel_args: ''
compute_tsx_warning: false
Role Variables: main.yml¶
compute_tsx_8_3_version: 4.18.0-240
Molecule Scenarios¶
Molecule is being used to test the “compute_tsx” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.
Scenario: default¶
Example default configuration¶
driver:
name: podman
log: true
platforms:
- dockerfile: ../../../../.config/molecule/Dockerfile
environment:
http_proxy: '{{ lookup(''env'', ''http_proxy'') }}'
https_proxy: '{{ lookup(''env'', ''https_proxy'') }}'
hostname: centos
image: centos/centos:stream8
name: centos
pkg_extras: python*-setuptools python*-pyyaml
privileged: true
registry:
url: quay.io
ulimits:
- host
volumes:
- /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
provisioner:
env:
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}
ANSIBLE_ROLES_PATH: ${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles
ANSIBLE_STDOUT_CALLBACK: yaml
inventory:
hosts:
all:
hosts:
centos:
ansible_python_interpreter: /usr/bin/python3
log: true
name: ansible
options:
vvv: true
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
verifier:
name: ansible
Molecule Inventory¶
hosts:
all:
hosts:
centos:
ansible_python_interpreter: /usr/bin/python3
Example default playbook¶
- hosts: all
name: Converge
tasks:
- block:
- include_role:
name: compute_tsx
name: Loading role with failure
vars:
tsx_cmdline: false
tsx_cpu_support: true
tsx_grub: false
tsx_rhel_8_2: true
name: Assert a failure
rescue:
- fail:
msg: '{{ tsx_assertion }}
'
name: Fail if no failure
when:
- tsx_assertion.failed
- block:
- include_role:
name: compute_tsx
name: Loading role with failure
vars:
compute_tsx_warning: true
tsx_cmdline: false
tsx_cpu_support: true
tsx_grub: false
tsx_rhel_8_2: true
name: Assert a failure, with warning only
rescue:
- fail:
msg: '{{ tsx_assertion }}
'
name: Fail if failure
when:
- not tsx_assertion.failed
- block:
- include_role:
name: compute_tsx
name: Loading role with passed
vars:
tsx_cmdline: true
tsx_cpu_support: true
tsx_grub: false
tsx_rhel_8_2: true
name: Assert a success
rescue:
- fail:
msg: '{{ tsx_assertion }}
'
name: Fail if failure
when:
- not tsx_assertion.failed
vars:
tsx_assertion: {}
