Puppet Class: base::kernel

Defined in:
modules/base/manifests/kernel.pp

Overview

Parameters:

  • overlayfs (Any)


# File 'modules/base/manifests/kernel.pp', line 8

# @summary Kernel hardening baseline for a host: module blacklists, IP
#   fragmentation sysctls and a daily CPU microcode status check.
#
# @param overlayfs
#   Truthy to allow the overlay/overlayfs modules (the 'wmf_overlay'
#   blacklist is removed); falsy to blacklist them.
class base::kernel(
    $overlayfs,
    ) {
    # Overlay filesystem support is opt-in per host.
    if $overlayfs {
        kmod::blacklist { 'wmf_overlay':
            ensure => absent,
        }
    } else {
        kmod::blacklist { 'wmf_overlay':
            modules => [
                'overlayfs',
                'overlay',
            ],
        }
    }

    # Attack-surface reduction: modules with no use on these hosts stay
    # unloadable, so a bug in one of them cannot be reached by getting the
    # kernel to autoload it.
    # NOTE(review): whether kmod::blacklist emits only 'blacklist <mod>'
    # (stops autoloading by alias) or also 'install <mod> /bin/false'
    # (blocks explicit loading too) depends on the kmod module -- confirm
    # before relying on it for the stronger guarantee.
    $unused_modules = [
        'aufs',
        'usbip-core',
        'usbip-host',
        'vhci-hcd',
        'dccp',
        'dccp_ipv6',
        'dccp_ipv4',
        'dccp_probe',
        'dccp_diag',
        'n_hdlc',
        'intel_cstate',
        'intel_rapl_perf',
        'intel_uncore',
        'parport',
        'parport_pc',
        'ppdev',
        'acpi_power_meter',
        'bluetooth',
        'v4l2-common',
        'floppy',
        'cdrom',
    ]

    kmod::blacklist { 'wmf':
        modules => $unused_modules,
    }

    # Only applied from kernel 4.4 onwards -- presumably because these
    # modules do not exist in older kernels; verify if older kernels return.
    if (versioncmp($::kernelversion, '4.4') >= 0) {
        kmod::blacklist { 'linux44':
            modules => [ 'asn1_decoder', 'macsec' ],
        }
    }

    # Per-server-model blacklists.  Started for acpi_pad problems on the
    # PowerEdge R320 (T162850); add further models here as needed.
    case $::productname {
        'PowerEdge R320': {
            kmod::blacklist { 'r320':
                modules => [ 'acpi_pad' ],
            }
        }
        default: {}
    }

    # FragmentSmack mitigation (IP fragment reassembly thresholds).
    # The low thresholds must be applied before the high ones: otherwise
    # the new high values would be below the kernel's current defaults and
    # sysctl would reject them.  Recent stretch kernels ship these values
    # by default, so this can eventually be dropped from puppet.
    sysctl::parameters { 'ipfrag_low':
        values   => {
            'net.ipv4.ipfrag_low_thresh'  => '196608',
            'net.ipv6.ip6frag_low_thresh' => '196608',
        },
        priority => 10,
        before   => Sysctl::Parameters['ipfrag_high'],
    }

    sysctl::parameters { 'ipfrag_high':
        values   => {
            'net.ipv4.ipfrag_high_thresh'  => '262144',
            'net.ipv6.ip6frag_high_thresh' => '262144',
        },
        priority => 11,
    }

    # Read/execute only, root-owned: the plugin is executed by NRPE, never
    # edited on the host.
    file { '/usr/lib/nagios/plugins/check_microcode':
        source => 'puppet:///modules/base/check-microcode.py',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    # Checked once a day (1440 minutes); microcode status presumably only
    # changes on reboot or package update, so a faster interval buys little.
    nrpe::monitor_service { 'cpu_microcode_status':
        ensure         => 'present',
        description    => 'Check whether microcode mitigations for CPU vulnerabilities are applied',
        nrpe_command   => '/usr/lib/nagios/plugins/check_microcode',
        require        => File['/usr/lib/nagios/plugins/check_microcode'],
        contact_group  => 'admins',
        check_interval => 1440,
        retry_interval => 5,
        notes_url      => 'https://wikitech.wikimedia.org/wiki/Microcode',
    }
}