compute_tsx¶
About The Role¶
An Ansible role to verify that the compute nodes have the appropriate TSX flags before proceeding with an upgrade.
RHEL-8.3 kernel disabled the Intel TSX (Transactional Synchronization
Extensions) feature by default as a preemptive security measure, but it breaks
live migration from RHEL-7.9 (or even RHEL-8.1 or RHEL-8.2) to
RHEL-8.3.
Operators are expected to explicitly define the TSX flag in their KernelArgs for the compute role to prevent live-migration issues during the upgrade process.
This role is intended to be called by tripleo via the kernel deployment templates.
It’s also possible to call the role as a standalone.
This also impacts upstream CentOS systems
Requirements¶
This role needs to be run on an Undercloud with a deployed Overcloud.
Dependencies¶
No dependencies.
Example Playbook¶
Standard playbook:
- hosts: nova_libvirt
roles:
- { role: compute_tsx}
Reporting playbook with no failure:
- hosts: nova_libvirt
vars:
- compute_tsx_warning: true
roles:
- { role: compute_tsx }
License¶
Apache
Full Description¶
Role Documentation¶
Welcome to the “compute_tsx” role documentation.
Role Defaults¶
This section highlights all of the defaults and variables set within the “compute_tsx” role.
# All variables intended for modification should place placed in this file.
# All variables within this role should have a prefix of "compute_tsx"
# Debugging mode - Whether or not to print the computed variables during execution
compute_tsx_debug: false
# If set to `true` it will not return a failure, but will simply print the failure
compute_tsx_warning: false
# Variable used when this validation is called by tripleo-heat-templates
compute_tsx_kernel_args: ''
# Information message to be printed in warning/failure mode
compute_tsx_information_msg: |
For more information on why we must explicitly define the TSX flag, please visit:
https://access.redhat.com/solutions/6036141
Role Variables: main.yml¶
# While options found within the vars/ path can be overridden using extra
# vars, items within this path are considered part of the role and not
# intended to be modified.
# All variables within this role should have a prefix of "compute_tsx"
# This is the kernel version that changed the tsx default from true to false
compute_tsx_8_3_version: 4.18.0-240
Molecule Scenarios¶
Molecule is being used to test the “compute_tsx” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.
- Driver: podman:
Scenario: default¶
Molecule Platform(s)¶
- name: centos
hostname: centos
image: centos/centos:stream8
registry:
url: quay.io
dockerfile: ../../../../.config/molecule/Dockerfile
pkg_extras: python*-setuptools python*-pyyaml
volumes:
- /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
privileged: true
environment:
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
ulimits:
- host
Molecule Inventory¶
hosts:
all:
hosts:
centos:
ansible_python_interpreter: /usr/bin/python3
Example default playbook¶
- name: Converge
hosts: all
vars:
tsx_assertion: {}
tasks:
- name: Assert a failure
block:
- name: Loading role with failure
include_role:
name: compute_tsx
vars:
tsx_rhel_8_2: true
tsx_cmdline: false
tsx_cpu_support: true
tsx_grub: false
rescue:
- name: Fail if no failure
fail:
msg: |
{{ tsx_assertion }}
when:
# The logic is reversed here
- tsx_assertion.failed
- name: Assert a failure, with warning only
block:
- name: Loading role with failure
include_role:
name: compute_tsx
vars:
tsx_rhel_8_2: true
tsx_cmdline: false
tsx_cpu_support: true
tsx_grub: false
compute_tsx_warning: true
rescue:
- name: Fail if failure
fail:
msg: |
{{ tsx_assertion }}
when:
# The logic is reversed here
- not tsx_assertion.failed
- name: Assert a success
block:
- name: Loading role with passed
include_role:
name: compute_tsx
vars:
tsx_rhel_8_2: true
tsx_cmdline: true
tsx_cpu_support: true
tsx_grub: false
rescue:
- name: Fail if failure
fail:
msg: |
{{ tsx_assertion }}
when:
# The logic is reversed here
- not tsx_assertion.failed
