
Commit 25a57e39 authored by Adam Robinson

initial import

---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
  apt:
    packages:
    - python-pip
install:
  # Install ansible
  - pip install ansible
  # Check ansible version
  - ansible --version
  # Create ansible.cfg with correct roles_path
  - printf '[defaults]\nroles_path=../' >ansible.cfg
script:
  # Basic role syntax check
  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/

vmware_foreshadow_mitigation
=========

Configure a host for mitigation against the Foreshadow CPU vulnerability at the specified level.

Requirements
------------

pyvmomi is required. This role assumes your inventory file contains each ESXi host you are managing.

Role Variables
--------------

### Defaults

- `scheduler` - The default value is `SCAv1`. Other options are `unmitigated` or `SCAv2`. Note that if you specify a mitigation level that cannot be applied to a host, that host is skipped. If you specify `SCAv2` for a host that only supports `SCAv1`, only the `SCAv1` mitigations will be applied.

### Required

- `vcenter_hostname` - The hostname or address of the vCenter server.
- `inventory_hostname` - The hostname or address of the ESXi server.

Dependencies
------------

None

Example Playbook
----------------

TODO

License
-------

BSD

Author Information
------------------

An optional section for the role authors to include contact information, or a website (HTML is not allowed).

---
# defaults file for vmware_foreshadow_mitigation
scheduler: "SCAv1"
schedulers:
- "unmitigated"
- "SCAv1"
- "SCAv2"
---
# handlers file for vmware_foreshadow_mitigation
galaxy_info:
  author: your name
  description: your description
  company: your company (optional)

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license (GPL-2.0-or-later, MIT, etc)

  min_ansible_version: 2.4

  # If this is a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99

  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.

dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.

---
# tasks file for vmware_foreshadow_mitigation
- assert:
    that: scheduler in schedulers
    fail_msg: "`scheduler` must be set to unmitigated, SCAv1, or SCAv2"

- name: Set unmitigated variables
  set_fact:
    hyperthreadingMitigation: false
    hyperthreadingMitigationIntraVM: true
  when: scheduler == "unmitigated"

- name: Set SCAv1 variables
  set_fact:
    hyperthreadingMitigation: true
    hyperthreadingMitigationIntraVM: true
  when: scheduler == "SCAv1"

- name: Set SCAv2 variables
  set_fact:
    hyperthreadingMitigation: true
    hyperthreadingMitigationIntraVM: false
  when: scheduler == "SCAv2"

- name: Configure hyperthreadingMitigation Advanced Option
  vmware_host_config_manager:
    hostname: '{{ vcenter_hostname }}'
    esxi_hostname: '{{ inventory_hostname }}'
    options:
      'VMkernel.Boot.hyperthreadingMitigation': '{{ hyperthreadingMitigation }}'
  delegate_to: localhost
  # Only ESXi builds that ship this advanced option are touched; older hosts are skipped
  when: >-
    (ansible_distribution_version == "6.7.0" and ansible_distribution_build|int >= 9484548) or
    (ansible_distribution_version == "6.5.0" and ansible_distribution_build|int >= 9298722) or
    (ansible_distribution_version == "6.0.0" and ansible_distribution_build|int >= 9313334) or
    (ansible_distribution_version == "5.5.0" and ansible_distribution_build|int >= 9313066)

- name: Configure hyperthreadingMitigationIntraVM Advanced Option
  vmware_host_config_manager:
    hostname: '{{ vcenter_hostname }}'
    esxi_hostname: '{{ inventory_hostname }}'
    options:
      'VMkernel.Boot.hyperthreadingMitigationIntraVM': '{{ hyperthreadingMitigationIntraVM }}'
  delegate_to: localhost
  # The intra-VM option (what distinguishes SCAv2 from SCAv1) only exists on later 6.7.0 builds
  when: ansible_distribution_version == "6.7.0" and ansible_distribution_build|int >= 13006603

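As an added example (not part of the role), the gating logic of the tasks above as a Python dry-run planner: given the requested `scheduler` and a host's ESXi version and build, it reports which advanced options the role would set and the level the host really ends up at, so hosts that would be skipped or silently degraded to `SCAv1` can be found before the playbook runs. The sample inventory, its hostnames and its build numbers are constructed; the thresholds are the role's own.

```python
SCHEDULERS = ("unmitigated", "SCAv1", "SCAv2")

# scheduler -> (hyperthreadingMitigation, hyperthreadingMitigationIntraVM), as the set_fact tasks assign them
LEVELS = {"unmitigated": (False, True), "SCAv1": (True, True), "SCAv2": (True, False)}

# Minimum ESXi build per version that accepts each option, from the role's `when:` conditions
MIN_BUILD_HT_MITIGATION = {"6.7.0": 9484548, "6.5.0": 9298722, "6.0.0": 9313334, "5.5.0": 9313066}
MIN_BUILD_INTRA_VM = {"6.7.0": 13006603}

# Constructed sample inventory: (hostname, ansible_distribution_version, ansible_distribution_build)
SAMPLE_HOSTS = [
    ("esx-a.example.invalid", "6.7.0", 13006603),  # supports both options
    ("esx-b.example.invalid", "6.5.0", 9298722),   # hyperthreadingMitigation only
    ("esx-c.example.invalid", "6.0.0", 3620759),   # constructed pre-patch build: nothing applies
]

def option_supported(table, version, build):
    """Same test as the tasks' `when:`: version known and build at or above its minimum."""
    minimum = table.get(version)
    return minimum is not None and int(build) >= minimum

def plan_host(scheduler, version, build):
    """Return the advanced options the role would actually set on one host."""
    if scheduler not in SCHEDULERS:  # the role's assert task
        raise ValueError("`scheduler` must be set to unmitigated, SCAv1, or SCAv2")
    ht_mitigation, intra_vm = LEVELS[scheduler]
    options = {}
    if option_supported(MIN_BUILD_HT_MITIGATION, version, build):
        options["VMkernel.Boot.hyperthreadingMitigation"] = ht_mitigation
    if option_supported(MIN_BUILD_INTRA_VM, version, build):
        options["VMkernel.Boot.hyperthreadingMitigationIntraVM"] = intra_vm
    return options

def effective_level(options):
    """Level the host really ends up at; a host receiving no option is reported as skipped."""
    if not options:
        return "skipped"
    if not options.get("VMkernel.Boot.hyperthreadingMitigation"):
        return "unmitigated"
    if options.get("VMkernel.Boot.hyperthreadingMitigationIntraVM") is False:
        return "SCAv2"
    return "SCAv1"  # SCAv2 requested on a host without the IntraVM option degrades to here

def plan_inventory(scheduler, hosts=SAMPLE_HOSTS):
    """Map each host to the level it would end up at for the requested scheduler."""
    return {name: effective_level(plan_host(scheduler, ver, build)) for name, ver, build in hosts}

if __name__ == "__main__":
    for name, level in plan_inventory("SCAv2").items():
        print("{}: requested SCAv2, effective {}".format(name, level))
```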
---
- hosts: localhost
  remote_user: root
  roles:
    - vmware_foreshadow_mitigation

---
# vars file for vmware_foreshadow_mitigation