OS Standardization: Kernel, Power, and Update Policies (#635)

* Pin kernel version and disable unattended-upgrades * Set CPU frequency governor to performance * Use tuneD instead of cpupower for CPU governor * Refresh ansible fact before pinning the kernel
rackerlabs · Jan 6, 2025 · 68c558e · 68c558e
1 parent de1b7f0
commit 68c558e
Show file tree

Hide file tree

Showing 5 changed files with 130 additions and 1 deletion.
diff --git a/ansible/roles/host_setup/tasks/CPU_frequency.yml b/ansible/roles/host_setup/tasks/CPU_frequency.yml
@@ -0,0 +1,39 @@
+---
+# Copyright 2024, Rackspace Technology, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure TuneD is installed
+  ansible.builtin.apt:
+    name: tuned
+    state: present
+
+- name: Ensure TuneD service is enabled and started
+  ansible.builtin.systemd:
+    name: tuned
+    enabled: true
+    state: started
+
+- name: Apply throughput-performance profile using tuned-adm
+  ansible.builtin.command:
+    cmd: "/usr/sbin/tuned-adm profile throughput-performance"
+  changed_when: true
+
+- name: Verify active TuneD profile
+  ansible.builtin.command:
+    cmd: "/usr/sbin/tuned-adm active"
+  register: tuned_active
+
+- name: Show active TuneD profile
+  ansible.builtin.debug:
+    msg: "{{ tuned_active.stdout }}"
diff --git a/ansible/roles/host_setup/tasks/main.yml b/ansible/roles/host_setup/tasks/main.yml
@@ -82,12 +82,22 @@
   tags:
     - always
 
+- name: Pin kernel version and disable unattended-upgrades
+  include_tasks: pin_kernel.yml
+  when: ansible_facts['os_family'] | lower == 'debian'
+  tags:
+    - always
+
 - name: Update package cache
   apt:
     update_cache: true
     cache_valid_time: 600
   when: ansible_facts['os_family'] | lower == 'debian'
 
+- name: Set CPU frequency governor to performance
+  include_tasks: CPU_frequency.yml
+  when: ansible_facts['os_family'] | lower == 'debian'
+
 - name: Install distro packages
   package:
     name: "{{ host_distro_packages }}"
@@ -109,4 +119,3 @@
   until: install_packages is success
   retries: 5
   delay: 2
-
diff --git a/ansible/roles/host_setup/tasks/pin_kernel.yml b/ansible/roles/host_setup/tasks/pin_kernel.yml
@@ -0,0 +1,77 @@
+---
+# Copyright 2024, Rackspace Technology, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Refresh specific kernel facts
+  ansible.builtin.setup:
+    filter: "ansible_kernel"
+
+- name: Check Kernel Version
+  fail:
+    msg: >
+      Wrong kernel Version found
+      [ {{ ansible_facts['kernel'] }} < {{ host_required_kernel }} ]
+      Resolve this issue before continuing.
+  when:
+    - ansible_facts['kernel'] is version(host_required_kernel, '<')
+
+- name: Pin kernel packages version
+  copy:
+    dest: "{{ apt_preferences }}/pin-kernel"
+    content: |
+      Package: linux-image-{{ ansible_facts['kernel'] }}
+      Pin: release *
+      Pin-Priority: 1001
+
+      Package: linux-headers-{{ ansible_facts['kernel'] }}
+      Pin: release *
+      Pin-Priority: 1001
+
+      Package: linux-modules-{{ ansible_facts['kernel'] }}
+      Pin: release *
+      Pin-Priority: 1001
+
+      Package: linux-image-*
+      Pin: release *
+      Pin-Priority: -1
+
+      Package: linux-headers-*
+      Pin: release *
+      Pin-Priority: -1
+
+      Package: linux-modules-*
+      Pin: release *
+      Pin-Priority: -1
+    mode: '0644'
+  when:
+    - ansible_facts['kernel'] is version(host_required_kernel, '<')
+
+- name: Disable unattended-upgrades
+  ansible.builtin.lineinfile:
+    path: "{{ apt_config_dir }}/20auto-upgrades"
+    regexp: "^APT::Periodic::{{ item.key }}"
+    line: "APT::Periodic::{{ item.key }} \"{{ item.value }}\";"
+    create: true
+    mode: '0644'
+  loop:
+    - { key: "Update-Package-Lists", value: "0" }
+    - { key: "Download-Upgradeable-Packages", value: "0" }
+    - { key: "AutocleanInterval", value: "0" }
+    - { key: "Unattended-Upgrade", value: "0" }
+
+
+- name: Ensure unattended-upgrades package is removed
+  ansible.builtin.apt:
+    name: unattended-upgrades
+    state: absent
diff --git a/ansible/roles/host_setup/vars/debian.yml b/ansible/roles/host_setup/vars/debian.yml
@@ -6,6 +6,8 @@ host_sysstat_file: /etc/default/sysstat
 host_sysstat_cron_file: /etc/cron.d/sysstat
 host_cron_template: sysstat.cron.debian.j2
 host_module_file: /etc/modules
+apt_preferences: /etc/apt/preferences.d
+apt_config_dir: /etc/apt/apt.conf.d
 
 ## Kernel modules loaded on hosts
 host_kernel_modules:

diff --git a/ansible/roles/host_setup/vars/ubuntu.yml b/ansible/roles/host_setup/vars/ubuntu.yml
@@ -6,6 +6,8 @@ host_sysstat_file: /etc/default/sysstat
 host_sysstat_cron_file: /etc/cron.d/sysstat
 host_cron_template: sysstat.cron.debian.j2
 host_module_file: /etc/modules
+apt_preferences: /etc/apt/preferences.d
+apt_config_dir: /etc/apt/apt.conf.d
 
 ## Kernel modules loaded on hosts
 host_kernel_modules: