[OKD only] pkg/asset: disable mitigations for FCOS installs

Vadim Rutkovsky · Vadim Rutkovsky · commit 5814b133153c · 2020-06-05T13:32:15.000+02:00
diff --git a/pkg/asset/ignition/ignition_v2.go b/pkg/asset/ignition/ignition_v2.go
@@ -191,6 +191,12 @@ func ForHyperthreadingDisabled(role string) *mcfgv1.MachineConfig {
 	}
 }
 
+// ForMitigationsDisabled creates the MachineConfig to disable mitigatations.
+// RHCOS doesn't need mitigations disabled, so this function is noop
+func ForMitigationsDisabled(role string) *mcfgv1.MachineConfig {
+	return &mcfgv1.MachineConfig{}
+}
+
 // InjectInstallInfo adds information about the installer and its invoker as a
 // ConfigMap to the provided bootstrap Ignition config.
 func InjectInstallInfo(bootstrap []byte) (string, error) {
diff --git a/pkg/asset/ignition/ignition_v3.go b/pkg/asset/ignition/ignition_v3.go
@@ -192,6 +192,37 @@ func ForHyperthreadingDisabled(role string) *mcfgv1.MachineConfig {
 	}
 }
 
+// ForMitigationsDisabled creates the MachineConfig to disable mitigatations.
+// FCOS uses `/etc/pivot/kernel-args` to override the kernel arguments for hosts during pivot.
+func ForMitigationsDisabled(role string) *mcfgv1.MachineConfig {
+	return &mcfgv1.MachineConfig{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "machineconfiguration.openshift.io/v1",
+			Kind:       "MachineConfig",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: fmt.Sprintf("99-%s-disable-mitigations", role),
+			Labels: map[string]string{
+				"machineconfiguration.openshift.io/role": role,
+			},
+		},
+		Spec: mcfgv1.MachineConfigSpec{
+			Config: runtime.RawExtension{
+				Raw: MarshalOrDie(&igntypes3.Config{
+					Ignition: igntypes3.Ignition{
+						Version: igntypes3.MaxVersion.String(),
+					},
+					Storage: igntypes3.Storage{
+						Files: []igntypes3.File{
+							FileFromString("/etc/pivot/kernel-args", "root", 0600, "DELETE mitigations=auto,nosmt"),
+						},
+					},
+				}),
+			},
+		},
+	}
+}
+
 // InjectInstallInfo adds information about the installer and its invoker as a
 // ConfigMap to the provided bootstrap Ignition config.
 func InjectInstallInfo(bootstrap []byte) (string, error) {
diff --git a/pkg/asset/machines/master.go b/pkg/asset/machines/master.go
@@ -372,6 +372,10 @@ func (m *Master) Generate(dependencies asset.Parents) error {
 		machineConfigs = append(machineConfigs, ignition.ForFIPSEnabled("master"))
 	}
 
+	if ic.IsOKD() {
+		machineConfigs = append(machineConfigs, ignition.ForMitigationsDisabled("master"))
+	}
+
 	m.MachineConfigFiles, err = machineconfig.Manifests(machineConfigs, "master", directory)
 	if err != nil {
 		return errors.Wrap(err, "failed to create MachineConfig manifests for master machines")
diff --git a/pkg/asset/machines/worker.go b/pkg/asset/machines/worker.go
@@ -198,6 +198,9 @@ func (w *Worker) Generate(dependencies asset.Parents) error {
 		if ic.FIPS {
 			machineConfigs = append(machineConfigs, ignition.ForFIPSEnabled("worker"))
 		}
+		if ic.IsOKD() {
+			machineConfigs = append(machineConfigs, ignition.ForMitigationsDisabled("worker"))
+		}
 		switch ic.Platform.Name() {
 		case awstypes.Name:
 			subnets := map[string]string{}

Original file line number	Diff line number	Diff line change
`@@ -191,6 +191,12 @@ func ForHyperthreadingDisabled(role string) *mcfgv1.MachineConfig {`
`191`	`191`	`}`
`192`	`192`	`}`
`193`	`193`
	`194`	`+// ForMitigationsDisabled creates the MachineConfig to disable mitigatations.`
	`195`	`+// RHCOS doesn't need mitigations disabled, so this function is noop`
	`196`	`+func ForMitigationsDisabled(role string) *mcfgv1.MachineConfig {`
	`197`	`+ return &mcfgv1.MachineConfig{}`
	`198`	`+}`
	`199`	`+`
`194`	`200`	`// InjectInstallInfo adds information about the installer and its invoker as a`
`195`	`201`	`// ConfigMap to the provided bootstrap Ignition config.`
`196`	`202`	`func InjectInstallInfo(bootstrap []byte) (string, error) {`