Managing CPU vulnerability patches

Enabling and disabling node CPU vulnerability patches

Procedure

Run the following command on the node to enable or disable CPU vulnerability patches:

zbs-node grub cpu_vulnerabilities_patches

Parameter	Description
`--disable`	Disables CPU vulnerability patches.
`--enable`	Enables CPU vulnerability patches.

Note:

To apply the configuration, restart the host through AOC.

Output example

$ zbs-node  grub cpu_vulnerabilities_patches --disable
2024-07-08 14:59:41,005 node.py 1577 [90899] [INFO] disable cpu vulnerabilities patches
2024-07-08 14:59:41,008 grub2_manager.py 185 [90899] [INFO] Will add ['noibrs', 'noibpb', 'nopti', 'nospectre_v2', 'nospectre_v1', 'l1tf=off', 'nosp
ec_store_bypass_disable', 'no_stf_barrier', 'mds=off', 'tsx_async_abort=off', 'mitigations=off', 'tsx=on'] to grub cmdline
2024-07-08 14:59:41,008 grub2_manager.py 86 [90899] [INFO] Start update grub file /etc/default/grub
2024-07-08 14:59:41,009 grub2_manager.py 93 [90899] [INFO] Old config:
GRUB_CMDLINE_LINUX="intel_idle.max_cstate=0 processor.max_cstate=1 intel_pstate=disable transparent_hugepage=never slab_nomerge console=ttyS0,115200
n8 console=tty0 precise_iostat=0 tsx=on megaraid_sas.scmd_timeout=20 nvme_core.multipath=0 crashkernel=512M spectre_v2=retpoline rd.md.uuid=92204985
:309b4907:5e172ae5:3ce75de7   nf_conntrack.hashsize=262144"

2024-07-08 14:59:41,009 grub2_manager.py 97 [90899] [INFO] New config:
GRUB_CMDLINE_LINUX="intel_idle.max_cstate=0 processor.max_cstate=1 intel_pstate=disable transparent_hugepage=never slab_nomerge console=ttyS0,115200
n8 console=tty0 precise_iostat=0 tsx=on megaraid_sas.scmd_timeout=20 nvme_core.multipath=0 crashkernel=512M spectre_v2=retpoline rd.md.uuid=92204985
:309b4907:5e172ae5:3ce75de7 nf_conntrack.hashsize=262144 noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_b
arrier mds=off tsx_async_abort=off mitigations=off"
2024-07-08 14:59:41,010 grub2_manager.py 99 [90899] [INFO] Replace /etc/default/grub with new generated config file
2024-07-08 14:59:41,010 grub2_manager.py 102 [90899] [INFO] Finish update grub file /etc/default/grub
2024-07-08 14:59:41,011 grub2_manager.py 68 [90899] [INFO] Start generate boot config /boot/grub2/grub.cfg
2024-07-08 14:59:41,011 cmdline.py 119 [90899] [INFO] run cmd: grub2-mkconfig -o /boot/grub2/grub.cfg.bak
2024-07-08 14:59:41,665 grub2_manager.py 78 [90899] [INFO] Replace /boot/grub2/grub.cfg with new generated config file
2024-07-08 14:59:41,666 grub2_manager.py 81 [90899] [INFO] Finish generate boot config /boot/grub2/grub.cfg
2024-07-08 14:59:41,666 node.py 1582 [90899] [INFO] Done

Output note

The configuration process and results are displayed.

Enabling and disabling CPU vulnerability patches on all nodes

Procedure

Run the following command on existing nodes to enable or disable CPU vulnerability patches on all nodes:

zbs-cluster grub cpu_vulnerabilities_patches

Parameter	Description
`--disable`	Disables CPU vulnerability patches.
`--enable`	Enables CPU vulnerability patches.

Note:

To apply the configuration, restart all cluster node hosts. You can restart the cluster hosts one by one through AOC.

Output example

$ zbs-cluster grub cpu_vulnerabilities_patches --disable
2024-07-08 15:23:20,452 ansible_manager.py 160 [78574] [INFO] Exec cmd with ansible: ansible -i /etc/zbs/inventory cluster -m raw -a 'zbs-node grub cpu_vulnerabilities_patches --disable' --ssh-common-args='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
2024-07-08 15:23:25,770 cmdline.py 188 [78574] [INFO] 10.234.103.12 | CHANGED | rc=0 >>
2024-07-08 15:23:25,771 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,014 node.py 1577 [85073] [INFO] disable cpu vulnerabilities patches
2024-07-08 15:23:25,771 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,016 grub2_manager.py 185 [85073] [INFO] Will add ['noibrs', 'noibpb', 'nopti', 'nospectre_v2', 'nospectre_v1', 'l1tf=off', 'nospec_store_bypass_disable', 'no_stf_barrier', 'mds=off', 'tsx_async_abort=off', 'mitigations=off', 'tsx=on'] to grub cmdline
2024-07-08 15:23:25,771 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,017 grub2_manager.py 86 [85073] [INFO] Start update grub file /etc/default/grub
2024-07-08 15:23:25,771 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,017 grub2_manager.py 93 [85073] [INFO] Old config:
2024-07-08 15:23:25,771 cmdline.py 188 [78574] [INFO] GRUB_CMDLINE_LINUX="intel_idle.max_cstate=0 processor.max_cstate=1 intel_pstate=disable transparent_hugepage=never slab_nomerge console=ttyS0,115200n8 console=tty0 precise_iostat=0 tsx=on megaraid_sas.scmd_timeout=20 nvme_core.multipath=0 no5lvl rd.md.uuid=667caa2d:a65fcb77:3aca94a4:cfc30103 selinux=0 crashk
ernel=512M nf_conntrack.hashsize=262144"
2024-07-08 15:23:25,771 cmdline.py 188 [78574] [INFO]
2024-07-08 15:23:25,772 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,018 grub2_manager.py 97 [85073] [INFO] New config:
2024-07-08 15:23:25,772 cmdline.py 188 [78574] [INFO] GRUB_CMDLINE_LINUX="intel_idle.max_cstate=0 processor.max_cstate=1 intel_pstate=disable transparent_hugepage=never slab_nomerge console=ttyS0,115200n8 console=tty0 precise_iostat=0 tsx=on megaraid_sas.scmd_timeout=20 nvme_core.multipath=0 no5lvl rd.md.uuid=667caa2d:a65fcb77:3aca94a4:cfc30103 selinux=0 crashk
ernel=512M nf_conntrack.hashsize=262144 noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx_async_abort=off mitigations=off"
2024-07-08 15:23:25,772 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,018 grub2_manager.py 99 [85073] [INFO] Replace /etc/default/grub with new generated config file
2024-07-08 15:23:25,772 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,018 grub2_manager.py 102 [85073] [INFO] Finish update grub file /etc/default/grub
2024-07-08 15:23:25,772 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,018 grub2_manager.py 68 [85073] [INFO] Start generate boot config /boot/grub2/grub.cfg
2024-07-08 15:23:25,772 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,018 cmdline.py 119 [85073] [INFO] run cmd: grub2-mkconfig -o /boot/grub2/grub.cfg.bak
2024-07-08 15:23:25,773 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:25,435 grub2_manager.py 78 [85073] [INFO] Replace /boot/grub2/grub.cfg with new generated config file
2024-07-08 15:23:25,773 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:25,435 grub2_manager.py 81 [85073] [INFO] Finish generate boot config /boot/grub2/grub.cfg
2024-07-08 15:23:25,773 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:25,435 node.py 1582 [85073] [INFO] Done
2024-07-08 15:23:25,773 cmdline.py 188 [78574] [INFO] Warning: Permanently added '10.234.103.12' (ED25519) to the list of known hosts.
2024-07-08 15:23:25,773 cmdline.py 188 [78574] [INFO] Connection to 10.234.103.12 closed.
2024-07-08 15:23:25,773 cmdline.py 188 [78574] [INFO]
2024-07-08 15:23:25,773 cmdline.py 188 [78574] [INFO] 10.234.103.13 | CHANGED | rc=0 >>
2024-07-08 15:23:25,774 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,076 node.py 1577 [77908] [INFO] disable cpu vulnerabilities patches
2024-07-08 15:23:25,774 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,079 grub2_manager.py 185 [77908] [INFO] Will add ['noibrs', 'noibpb', 'nopti', 'nospectre_v2', 'nospectre_v1', 'l1tf=off', 'nospec_store_bypass_disable', 'no_stf_barrier', 'mds=off', 'tsx_async_abort=off', 'mitigations=off', 'tsx=on'] to grub cmdline
2024-07-08 15:23:25,774 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,079 grub2_manager.py 86 [77908] [INFO] Start update grub file /etc/default/grub
2024-07-08 15:23:25,774 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,080 grub2_manager.py 93 [77908] [INFO] Old config:
2024-07-08 15:23:25,774 cmdline.py 188 [78574] [INFO] GRUB_CMDLINE_LINUX="intel_idle.max_cstate=0 processor.max_cstate=1 intel_pstate=disable transparent_hugepage=never slab_nomerge console=ttyS0,115200n8 console=tty0 precise_iostat=0 tsx=on megaraid_sas.scmd_timeout=20 nvme_core.multipath=0 no5lvl rd.md.uuid=667caa2d:a65fcb77:3aca94a4:cfc30103 selinux=0 crashk
ernel=512M nf_conntrack.hashsize=262144"
2024-07-08 15:23:25,775 cmdline.py 188 [78574] [INFO]
2024-07-08 15:23:25,775 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,080 grub2_manager.py 97 [77908] [INFO] New config:
2024-07-08 15:23:25,775 cmdline.py 188 [78574] [INFO] GRUB_CMDLINE_LINUX="intel_idle.max_cstate=0 processor.max_cstate=1 intel_pstate=disable transparent_hugepage=never slab_nomerge console=ttyS0,115200n8 console=tty0 precise_iostat=0 tsx=on megaraid_sas.scmd_timeout=20 nvme_core.multipath=0 no5lvl rd.md.uuid=667caa2d:a65fcb77:3aca94a4:cfc30103 selinux=0 crashk
ernel=512M nf_conntrack.hashsize=262144 noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx_async_abort=off mitigations=off"
2024-07-08 15:23:25,775 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,080 grub2_manager.py 99 [77908] [INFO] Replace /etc/default/grub with new generated config file
2024-07-08 15:23:25,775 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,081 grub2_manager.py 102 [77908] [INFO] Finish update grub file /etc/default/grub
2024-07-08 15:23:25,775 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,081 grub2_manager.py 68 [77908] [INFO] Start generate boot config /boot/grub2/grub.cfg
2024-07-08 15:23:25,776 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:24,081 cmdline.py 119 [77908] [INFO] run cmd: grub2-mkconfig -o /boot/grub2/grub.cfg.bak
2024-07-08 15:23:25,776 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:25,603 grub2_manager.py 78 [77908] [INFO] Replace /boot/grub2/grub.cfg with new generated config file
2024-07-08 15:23:25,776 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:25,603 grub2_manager.py 81 [77908] [INFO] Finish generate boot config /boot/grub2/grub.cfg
2024-07-08 15:23:25,776 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:25,603 node.py 1582 [77908] [INFO] Done
2024-07-08 15:23:25,776 cmdline.py 188 [78574] [INFO] Warning: Permanently added '10.234.103.13' (ED25519) to the list of known hosts.
2024-07-08 15:23:25,776 cmdline.py 188 [78574] [INFO] Connection to 10.234.103.13 closed.
2024-07-08 15:23:25,777 cmdline.py 188 [78574] [INFO]
2024-07-08 15:23:25,777 cmdline.py 188 [78574] [INFO] 10.234.103.11 | CHANGED | rc=0 >>
2024-07-08 15:23:25,777 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:23,931 node.py 1577 [78764] [INFO] disable cpu vulnerabilities patches
2024-07-08 15:23:25,777 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:23,933 grub2_manager.py 185 [78764] [INFO] Will add ['noibrs', 'noibpb', 'nopti', 'nospectre_v2', 'nospectre_v1', 'l1tf=off', 'nospec_store_bypass_disable', 'no_stf_barrier', 'mds=off', 'tsx_async_abort=off', 'mitigations=off', 'tsx=on'] to grub cmdline
2024-07-08 15:23:25,777 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:23,934 grub2_manager.py 86 [78764] [INFO] Start update grub file /etc/default/grub
2024-07-08 15:23:25,777 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:23,935 grub2_manager.py 93 [78764] [INFO] Old config:
2024-07-08 15:23:25,777 cmdline.py 188 [78574] [INFO] GRUB_CMDLINE_LINUX="intel_idle.max_cstate=0 processor.max_cstate=1 intel_pstate=disable transparent_hugepage=never slab_nomerge console=ttyS0,115200n8 console=tty0 precise_iostat=0 tsx=on megaraid_sas.scmd_timeout=20 nvme_core.multipath=0 no5lvl rd.md.uuid=667caa2d:a65fcb77:3aca94a4:cfc30103 selinux=0 crashk
ernel=512M nf_conntrack.hashsize=262144"
2024-07-08 15:23:25,778 cmdline.py 188 [78574] [INFO]
2024-07-08 15:23:25,778 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:23,935 grub2_manager.py 97 [78764] [INFO] New config:
2024-07-08 15:23:25,778 cmdline.py 188 [78574] [INFO] GRUB_CMDLINE_LINUX="intel_idle.max_cstate=0 processor.max_cstate=1 intel_pstate=disable transparent_hugepage=never slab_nomerge console=ttyS0,115200n8 console=tty0 precise_iostat=0 tsx=on megaraid_sas.scmd_timeout=20 nvme_core.multipath=0 no5lvl rd.md.uuid=667caa2d:a65fcb77:3aca94a4:cfc30103 selinux=0 crashk
ernel=512M nf_conntrack.hashsize=262144 noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx_async_abort=off mitigations=off"
2024-07-08 15:23:25,778 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:23,935 grub2_manager.py 99 [78764] [INFO] Replace /etc/default/grub with new generated config file
2024-07-08 15:23:25,778 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:23,936 grub2_manager.py 102 [78764] [INFO] Finish update grub file /etc/default/grub
2024-07-08 15:23:25,778 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:23,936 grub2_manager.py 68 [78764] [INFO] Start generate boot config /boot/grub2/grub.cfg
2024-07-08 15:23:25,779 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:23,937 cmdline.py 119 [78764] [INFO] run cmd: grub2-mkconfig -o /boot/grub2/grub.cfg.bak
2024-07-08 15:23:25,779 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:25,630 grub2_manager.py 78 [78764] [INFO] Replace /boot/grub2/grub.cfg with new generated config file
2024-07-08 15:23:25,779 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:25,631 grub2_manager.py 81 [78764] [INFO] Finish generate boot config /boot/grub2/grub.cfg
2024-07-08 15:23:25,779 cmdline.py 188 [78574] [INFO] 2024-07-08 15:23:25,631 node.py 1582 [78764] [INFO] Done
2024-07-08 15:23:25,779 cmdline.py 188 [78574] [INFO] Warning: Permanently added '10.234.103.11' (ED25519) to the list of known hosts.
2024-07-08 15:23:25,780 cmdline.py 188 [78574] [INFO] Connection to 10.234.103.11 closed.
2024-07-08 15:23:25,780 cmdline.py 188 [78574] [INFO]
2024-07-08 15:23:26,981 cluster.py 771 [78574] [INFO] disable cpu vulnerabilities patches successfully

Output note

The configuration process and results are displayed.

In this article

Enabling and disabling node CPU vulnerability patches
Enabling and disabling CPU vulnerability patches on all nodes