Commit 25a57e39 authored by Adam Robinson's avatar Adam Robinson

initial import

parents
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
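Review bot: The `pip install ansible` step on line 19 is unpinned, so every CI run pulls whatever release PyPI serves that day; the result is not reproducible and, from a supply-chain standpoint, a new ansible release (or a compromised one) lands in your pipeline with no review. Pin it to the version the role is written for, e.g. `- pip install 'ansible==2.7.*'`, and bump deliberately. Note also that the job only runs `--syntax-check`, which does not evaluate the `when` gates or module arguments in tasks/main.yml, so an `ansible-lint` step would catch considerably more before merge. Python 2.7 is end-of-life and newer ansible-core releases have dropped it on the controller, so the `python:` line will need to move to a 3.x version at the same time.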
vmware_foreshadow_mitigation
=========
Configure a host for mitigation against the Foreshadow CPU vulnerability at the specified level.
Requirements
------------
pyvmomi is required. This role assumes your inventory file contains each ESXi host you are managing.
Role Variables
--------------
### Defaults
- `scheduler` - The default value is `SCAv1`. Other options are `unmitigated` or `SCAv2`. Note that if you specify
a mitigation level that cannot be applied to a host, it will be skipped. If you specify `SCAv2` for a host that
only supports `SCAv1` only `SCAv1` mitigations will be applied.
### Required
- `vcenter_hostname` - The hostname or address of the vCenter server.
- `inventory_hostname` - The hostname or address of the ESXi server.
Dependencies
------------
None
Example Playbook
----------------
TODO
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
---
# defaults file for vmware_foreshadow_mitigation
scheduler: "SCAv1"
schedulers:
- "unmitigated"
- "SCAv1"
- "SCAv2"
\ No newline at end of file
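Review bot: The `schedulers` list on lines 60-63 is the allow-list that the tasks file asserts `scheduler` against, but defining it in defaults/main.yml gives it the lowest variable precedence, so any inventory, group or play variable named `schedulers` silently replaces it and defeats the guard. Keep only the user-facing knob (`scheduler: "SCAv1"`) here and move the allow-list to `vars/main.yml` (currently empty), which inventory and play vars cannot override: `schedulers: ["unmitigated", "SCAv1", "SCAv2"]`. A short comment above `scheduler` stating that it is the only value callers are expected to set would make the split obvious.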
---
# handlers file for vmware_foreshadow_mitigation
\ No newline at end of file
galaxy_info:
author: your name
description: your description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.4
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
\ No newline at end of file
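Review bot: galaxy_info still carries the generator placeholders — `author: your name`, `description: your description` and `license: license (GPL-2.0-or-later, MIT, etc)` — while README.md declares the role BSD; set `license: BSD-3-Clause` (or whichever BSD variant is intended) plus a real author and description, since Galaxy publishes these verbatim. `min_ansible_version: 2.4` also looks too low for what tasks/main.yml uses: `vmware_host_config_manager` arrived in 2.5 and the assert module's `fail_msg` in 2.7 as far as I recall, so `min_ansible_version: 2.7` would be the honest floor. Empty `platforms`/`galaxy_tags` are acceptable, but a tag such as `vmware` or `esxi` would help discovery.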
---
# tasks file for vmware_foreshadow_mitigation
- assert:
that: scheduler in shedulers
fail_msg: "`scheduler` must be set to unmitigated, SCAv1, or SCAv2"
- name: Set unmitigated variables
set_variable:
hyperthreadingMitigation: false
hyperthreadingMitigationIntraVM: true
when: scheduler == "unmitigated"
- name: Set SCAv1 variables
set_variable:
hyperthreadingMitigation: true
hyperthreadingMitigationIntraVM: true
when: scheduler == "SCAv1"
- name: Set SCAv2 variables
set_variable:
hyperthreadingMitigation: true
hyperthreadingMitigationIntraVM: false
when: scheduler == "SCAv2"
- name: Configure hyperthreadingMitigation Advanced Option
vmware_host_config_manager:
hostname: '{{ vcenter_hostname }}'
esxi_hostname: '{{ inventory_hostname }}'
options:
'VMkernel.Boot.hyperthreadingMitigation': '{{ hyperthreadingMitigation }}'
delegate_to: localhost
when: (ansible_distribution_version == "6.7.0" and ansible_distribution_build|int >= 9484548) or (ansible_distribution_version == "6.5.0" and ansible_distribution_build|int >= 9298722) or (ansible_distribution_version == "6.0.0" and ansible_distribution_build|int >= 9313334) or (ansible_distribution_version == "5.5.0" and ansible_distribution_build|int >= 9313066)
- name: Configure hyperthreadingMitigationIntraVM Advanced Option
vmware_host_config_manager:
hostname: '{{ vcenter_hostname }}'
esxi_hostname: '{{ inventory_hostname }}'
options:
'VMkernel.Boot.hyperthreadingMitigationIntraVM': '{{ hyperthreadingMitigationIntraVM }}'
delegate_to: localhost
when: (ansible_distribution_version == "6.7.0" and ansible_distribution_build|int >= 13006603)
\ No newline at end of file
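Review bot: The assert on line 117 compares against `shedulers`, which is never defined (defaults/main.yml defines `schedulers`), so the role fails on an undefined variable before doing anything; fix `that: scheduler in schedulers`. The three `set_variable:` tasks name a module that does not appear to exist in Ansible — `set_fact:` is the module that sets per-host variables — so even with the assert fixed the `hyperthreadingMitigation*` variables would never be populated for the two vmware_host_config_manager tasks. Separately, both options are `VMkernel.Boot.*` boot-time settings, so writing them does not change the scheduler actually running until the host is rebooted; the role should at least say so, and ideally `register` the result and `notify` a reboot handler (handlers/main.yml is empty). No vCenter credentials are passed to the module either, so it presumably relies on the VMWARE_USER/VMWARE_PASSWORD environment fallback — worth stating explicitly in the README's Required section.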
---
- hosts: localhost
remote_user: root
roles:
- vmware_foreshadow_mitigation
\ No newline at end of file
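Review bot: `hosts: localhost` on line 152 makes `inventory_hostname` expand to `localhost`, so the role would send `esxi_hostname: localhost` to vCenter and the `ansible_distribution_version`/`ansible_distribution_build` facts it gates on would be the controller's, not an ESXi host's — none of the `when` conditions in tasks/main.yml can ever match. The test play should target the ESXi hosts from the inventory, e.g. `- hosts: all`, and rely on the role's own `delegate_to: localhost` for the API calls; `remote_user: root` is unneeded for that and should go. The `vcenter_hostname` variable the role requires is also not set anywhere in this play, so the syntax check is all it can ever pass.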
---
# vars file for vmware_foreshadow_mitigation
\ No newline at end of file