compute_tsx

Compute-TSX
===========

An Ansible role to verify that the compute nodes have the appropriate TSX flags before
proceeding with an upgrade.

RHEL-8.3 kernel disabled the Intel TSX (Transactional Synchronization Extensions)
feature by default as a preemptive security measure, but it breaks live migration from
RHEL-7.9 (or even RHEL-8.1 or RHEL-8.2) to RHEL-8.3.

Operators are expected to explicitly define the TSX flag in their KernelArgs for the
compute role to prevent live-migration issues during the upgrade process.

This role is intended to be called by tripleo via the kernel deployment templates.

It's also possible to call the role as a standalone.

This also impacts upstream CentOS systems

Requirements
------------

This role needs to be run on an Undercloud with a deployed Overcloud.

Role Variables
--------------

- `compute_tsx_debug`: <'false'> -- Whether or not to print the computed variables during execution
- `compute_tsx_warning`: <'false'> -- Will not return a failure, but will simply print the failure
- `compute_tsx_kernel_args`: <''> -- This is meant to be used when called by tripleo-heat-templates.
- `compute_tsx_8_3_version`: <'4.18.0-240'> -- This is the kernel version that requires to have TSX flag enabled

Dependencies
------------

No dependencies.

Example Playbook
----------------

Standard playbook

    - hosts: nova_libvirt
      roles:
      - { role: compute_tsx}


Reporting playbook with no failure

    - hosts: nova_libvirt
      vars:
      - compute_tsx_warning: true
      roles:
      - { role: compute_tsx}

License
-------

Apache

Author Information
------------------

Red Hat TripleO DFG:Compute Deployment Squad

Role Documentation

Welcome to the “compute_tsx” role documentation.

Role Defaults

This section highlights all of the defaults and variables set within the “compute_tsx” role.

compute_tsx_debug: false
compute_tsx_information_msg: 'For more information on why we must explicitly define
  the TSX flag, please visit:

  https://access.redhat.com/solutions/6036141

  '
compute_tsx_kernel_args: ''
compute_tsx_warning: false

Role Variables: main.yml

compute_tsx_8_3_version: 4.18.0-240

Molecule Scenarios

Molecule is being used to test the “compute_tsx” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.

Scenario: default

Example default configuration
driver:
  name: podman
log: true
platforms:
- dockerfile: ../../../../.config/molecule/Dockerfile
  environment:
    http_proxy: '{{ lookup(''env'', ''http_proxy'') }}'
    https_proxy: '{{ lookup(''env'', ''https_proxy'') }}'
  hostname: centos
  image: centos/centos:stream8
  name: centos
  pkg_extras: python*-setuptools python*-pyyaml
  privileged: true
  registry:
    url: quay.io
  ulimits:
  - host
  volumes:
  - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
provisioner:
  env:
    ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}
    ANSIBLE_ROLES_PATH: ${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles
    ANSIBLE_STDOUT_CALLBACK: yaml
  inventory:
    hosts:
      all:
        hosts:
          centos:
            ansible_python_interpreter: /usr/bin/python3
  log: true
  name: ansible
  options:
    vvv: true
scenario:
  test_sequence:
  - destroy
  - create
  - prepare
  - converge
  - verify
  - destroy
verifier:
  name: ansible
Molecule Inventory
hosts:
  all:
    hosts:
      centos:
        ansible_python_interpreter: /usr/bin/python3
Example default playbook
- hosts: all
  name: Converge
  tasks:
  - block:
    - include_role:
        name: compute_tsx
      name: Loading role with failure
      vars:
        tsx_cmdline: false
        tsx_cpu_support: true
        tsx_grub: false
        tsx_rhel_8_2: true
    name: Assert a failure
    rescue:
    - fail:
        msg: '{{ tsx_assertion }}

          '
      name: Fail if no failure
      when:
      - tsx_assertion.failed
  - block:
    - include_role:
        name: compute_tsx
      name: Loading role with failure
      vars:
        compute_tsx_warning: true
        tsx_cmdline: false
        tsx_cpu_support: true
        tsx_grub: false
        tsx_rhel_8_2: true
    name: Assert a failure, with warning only
    rescue:
    - fail:
        msg: '{{ tsx_assertion }}

          '
      name: Fail if failure
      when:
      - not tsx_assertion.failed
  - block:
    - include_role:
        name: compute_tsx
      name: Loading role with passed
      vars:
        tsx_cmdline: true
        tsx_cpu_support: true
        tsx_grub: false
        tsx_rhel_8_2: true
    name: Assert a success
    rescue:
    - fail:
        msg: '{{ tsx_assertion }}

          '
      name: Fail if failure
      when:
      - not tsx_assertion.failed
  vars:
    tsx_assertion: {}