From 8d75c03e830f572023bbb7172789794e030fb209 Mon Sep 17 00:00:00 2001 From: Vladimir Khlyunev Date: Thu, 2 May 2019 21:20:05 +0400 Subject: [PATCH] Disable spectre-class fixes for mos image We do not need this security level but we heavily need fast virtual jenkins slaves Change-Id: Iaadf073120611668c25c66d9940218a155126e96 --- maintenance-ci/common/data/jenkins-slave.yml | 9 ++++++++- maintenance-ci/common/data/mos-dev-slave.yml | 9 ++++++++- maintenance-ci/common/data/mos-slave.yml | 9 ++++++++- .../common/scripts/build_base_swarm_slave_image.sh | 2 +- .../common/scripts/build_mos_swarm_slave_image.sh | 2 +- .../common/scripts/prepare_build_upload_image.sh | 10 ++++++---- 6 files changed, 32 insertions(+), 9 deletions(-) diff --git a/maintenance-ci/common/data/jenkins-slave.yml b/maintenance-ci/common/data/jenkins-slave.yml index df56b02..bd310a2 100644 --- a/maintenance-ci/common/data/jenkins-slave.yml +++ b/maintenance-ci/common/data/jenkins-slave.yml @@ -116,8 +116,15 @@ resources: echo "FLAVOR LABELS" > /etc/jenkins-agent/labels echo "127.0.0.1 $(hostname)" >> /etc/hosts echo "FLOATING" > /etc/jenkins-agent/description - service jenkins-swarm-agent restart + systemctl enable jenkins-swarm-agent + #service jenkins-swarm-agent start + apt update + sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=\).*$/\1\"console=tty1 console=ttyS0 noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier\"/g' /etc/default/grub.d/50-cloudimg-settings.cfg + apt install -y linux-generic-hwe-16.04 linux-tools-generic-hwe-16.04 linux-cloud-tools-generic-hwe-16.04 linux-tools-common + update-grub + wc_notify --data-binary '{"status": "SUCCESS"}' + reboot params: FLAVOR: {get_param: flavor} LABELS: {get_param: jenkins_labels} diff --git a/maintenance-ci/common/data/mos-dev-slave.yml b/maintenance-ci/common/data/mos-dev-slave.yml index 3f044b8..ce0fb7d 100644 --- a/maintenance-ci/common/data/mos-dev-slave.yml 
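Review bot: The added `sed` line that rewrites `GRUB_CMDLINE_LINUX_DEFAULT` switches off the Spectre, Meltdown, L1TF and speculative-store-bypass mitigations on every agent booted from this template, and nothing in the template records why that is acceptable or which agents it is safe for. Jenkins agents execute job-supplied code, so the trade-off only holds if these agents carry no long-lived credentials and are not shared between jobs of different trust levels. I would add a comment above the `sed`, for example `# Speculative-execution mitigations are disabled for build speed; do not place credentials or mixed-trust jobs on these agents.`, and log the contents of `/sys/devices/system/cpu/vulnerabilities/` after the reboot so the effective state is auditable, since unrecognised kernel parameters are ignored silently. The same line is added in the mos-dev-slave.yml and mos-slave.yml hunks. This hunk also leaves a commented-out `#service jenkins-swarm-agent start` line that can be dropped.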
+++ b/maintenance-ci/common/data/mos-dev-slave.yml @@ -116,8 +116,15 @@ resources: echo "LABELS" > /etc/jenkins-agent/labels echo "127.0.0.1 $(hostname)" >> /etc/hosts echo "FLOATING" > /etc/jenkins-agent/description - service jenkins-swarm-agent restart + + apt update + sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=\).*$/\1\"console=tty1 console=ttyS0 noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier\"/g' /etc/default/grub.d/50-cloudimg-settings.cfg + apt install -y linux-generic-hwe-16.04 linux-tools-generic-hwe-16.04 linux-cloud-tools-generic-hwe-16.04 linux-tools-common + update-grub + + systemctl enable jenkins-swarm-agent wc_notify --data-binary '{"status": "SUCCESS"}' + reboot params: LABELS: {get_param: jenkins_labels} wc_notify: { get_attr: [wait_handle, curl_cli] } diff --git a/maintenance-ci/common/data/mos-slave.yml b/maintenance-ci/common/data/mos-slave.yml index d5884fa..91e6621 100644 --- a/maintenance-ci/common/data/mos-slave.yml +++ b/maintenance-ci/common/data/mos-slave.yml @@ -116,8 +116,15 @@ resources: echo "FLAVOR LABELS" > /etc/jenkins-agent/labels echo "127.0.0.1 $(hostname)" >> /etc/hosts echo "FLOATING" > /etc/jenkins-agent/description - service jenkins-swarm-agent restart + + apt update + sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=\).*$/\1\"console=tty1 console=ttyS0 noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier\"/g' /etc/default/grub.d/50-cloudimg-settings.cfg + apt install -y linux-generic-hwe-16.04 linux-tools-generic-hwe-16.04 linux-cloud-tools-generic-hwe-16.04 linux-tools-common + update-grub + + systemctl enable jenkins-swarm-agent wc_notify --data-binary '{"status": "SUCCESS"}' + reboot params: FLAVOR: {get_param: flavor} LABELS: {get_param: jenkins_labels} diff --git a/maintenance-ci/common/scripts/build_base_swarm_slave_image.sh b/maintenance-ci/common/scripts/build_base_swarm_slave_image.sh index 0429e79..915ec34 100644 
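Review bot: `wc_notify --data-binary '{"status": "SUCCESS"}'` is sent whether or not the new `apt install` and `update-grub` steps succeeded, unless the script enables `set -e` above the hunk, which is not visible here. A failed kernel install would leave the stack reported as complete while the agent reboots into the old kernel or into a half-updated boot configuration. Consider guarding the new steps, e.g. `apt install -y ... && update-grub || { wc_notify --data-binary '{"status": "FAILURE"}'; exit 1; }`. The jenkins-slave.yml and mos-slave.yml hunks contain the same sequence.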
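Review bot: The added `apt update` and `apt install -y ...` lines use the interactive `apt` front end, whose command-line interface is not guaranteed stable for scripts, and a kernel or grub package install can stall on a debconf prompt when no terminal is attached. Unless the frontend is already set above the hunk, I would write `apt-get update` and `DEBIAN_FRONTEND=noninteractive apt-get install -y linux-generic-hwe-16.04 ...` instead. The packages are also unpinned, so each agent runs whichever kernel was current when it was created; recording `uname -r` in the agent description or log would make that traceable. The same lines are added in the other two templates.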
--- a/maintenance-ci/common/scripts/build_base_swarm_slave_image.sh +++ b/maintenance-ci/common/scripts/build_base_swarm_slave_image.sh @@ -74,6 +74,7 @@ java -jar /home/jenkins/jenkins-swarm-client.jar -fsroot \${fsroot:-/home/jenkin EOF chmod +x /home/jenkins/launch_jenkins_agent.sh +# service jenkins-swarm-agent must be "enable"d in heat template cat > /etc/systemd/system/jenkins-swarm-agent.service << EOF [Unit] Description=jenkins-swarm-agent @@ -89,7 +90,6 @@ ExecStart=/home/jenkins/launch_jenkins_agent.sh [Install] WantedBy=cloud-init.target EOF -systemctl enable jenkins-swarm-agent shopt -s dotglob chown -R jenkins:jenkins /home/jenkins/ diff --git a/maintenance-ci/common/scripts/build_mos_swarm_slave_image.sh b/maintenance-ci/common/scripts/build_mos_swarm_slave_image.sh index 8123cc5..9d68247 100644 --- a/maintenance-ci/common/scripts/build_mos_swarm_slave_image.sh +++ b/maintenance-ci/common/scripts/build_mos_swarm_slave_image.sh @@ -118,6 +118,7 @@ java -jar /home/jenkins/jenkins-swarm-client.jar -fsroot \${fsroot:-/home/jenkin EOF chmod +x /home/jenkins/launch_jenkins_agent.sh +# service jenkins-swarm-agent must be "enable"d in heat template cat > /etc/systemd/system/jenkins-swarm-agent.service << EOF [Unit] Description=jenkins-swarm-agent @@ -133,7 +134,6 @@ ExecStart=/home/jenkins/launch_jenkins_agent.sh [Install] WantedBy=cloud-init.target EOF -systemctl enable jenkins-swarm-agent pg_version=$(dpkg-query --show --showformat='${version;3}' postgresql) pg_createcluster $pg_version main --start || true diff --git a/maintenance-ci/common/scripts/prepare_build_upload_image.sh b/maintenance-ci/common/scripts/prepare_build_upload_image.sh index 9187bd8..929d55a 100755 --- a/maintenance-ci/common/scripts/prepare_build_upload_image.sh +++ b/maintenance-ci/common/scripts/prepare_build_upload_image.sh 
@@ -15,11 +15,11 @@ if [[ ! -z ${CUSTOM_UPDATE_SCRIPT} ]] ; then fi echo "${UPDATE_SCRIPT?} will be used for image building" -if [[ ! -f /tmp/xenial-server-cloudimg-amd64-disk1.img ]] ; then - wget -q https://cloud-images.ubuntu.com/xenial/current/xenial-server-cloudimg-amd64-disk1.img -O /tmp/xenial-server-cloudimg-amd64-disk1.img - cp /tmp/xenial-server-cloudimg-amd64-disk1.img xenial-server-cloudimg-amd64-disk1.img +if [[ ! -f /home/jenkins/xenial-server-cloudimg-amd64-disk1.img.bpk ]] ; then + wget -q https://cloud-images.ubuntu.com/xenial/current/xenial-server-cloudimg-amd64-disk1.img -O /home/jenkins/xenial-server-cloudimg-amd64-disk1.img.bpk + cp /home/jenkins/xenial-server-cloudimg-amd64-disk1.img.bpk xenial-server-cloudimg-amd64-disk1.img else - cp /tmp/xenial-server-cloudimg-amd64-disk1.img xenial-server-cloudimg-amd64-disk1.img + cp /home/jenkins/xenial-server-cloudimg-amd64-disk1.img.bpk xenial-server-cloudimg-amd64-disk1.img fi # collect maintenance team ssh keys from reclass-system @@ -48,6 +48,7 @@ sudo mkdir -p /mnt/image sudo mount /dev/nbd0p1 /mnt/image sudo mount --bind /dev /mnt/image/dev sudo mount --bind /proc /mnt/image/proc +sudo mount --bind /sys /mnt/image/sys sudo mv /mnt/image/etc/resolv.conf /mnt/image/etc/resolv.conf.bak sudo cp -f /etc/resolv.conf /mnt/image/etc/resolv.conf @@ -64,6 +65,7 @@ sudo mv /mnt/image/etc/resolv.conf.bak /mnt/image/etc/resolv.conf sudo rm -rf /mtn/image/tmp/* sudo umount -l /mnt/image/dev/ sudo umount -l /mnt/image/proc/ +sudo umount -l /mnt/image/sys/ sudo umount -l /mnt/image sudo qemu-nbd -d /dev/nbd0 sudo rm -rf /mnt/image -- 2.45.2
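Review bot: The cached base image at `/home/jenkins/xenial-server-cloudimg-amd64-disk1.img.bpk` is trusted on the `-f` test alone: `wget -O` creates the target even when the download fails or is interrupted, so a truncated file would be reused by every later build, and the image is never compared with the `SHA256SUMS` file published next to it. Every agent image is built from this file, so I would download to a temporary name, verify the digest and only then move it into place; checking the signed `SHA256SUMS.gpg` as well would also cover a tampered mirror. Both branches end in the same `cp`, which can move below the `if`. Once cached, the `current` image is never refreshed, so the base will age unless something else expires the cache.

```shell
base_img=/home/jenkins/xenial-server-cloudimg-amd64-disk1.img.bpk
img_url=https://cloud-images.ubuntu.com/xenial/current
if [[ ! -f "${base_img}" ]] ; then
    wget -q "${img_url}/xenial-server-cloudimg-amd64-disk1.img" -O "${base_img}.part" || exit 1
    # Compare against the digest published alongside the image.
    expected=$(wget -q -O - "${img_url}/SHA256SUMS" \
        | awk '$2 ~ /^\*?xenial-server-cloudimg-amd64-disk1\.img$/ {print $1}')
    echo "${expected}  ${base_img}.part" | sha256sum -c - || exit 1
    mv "${base_img}.part" "${base_img}"
fi
cp "${base_img}" xenial-server-cloudimg-amd64-disk1.img
```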
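Review bot: The new `sudo mount --bind /sys /mnt/image/sys` is undone only by the matching `sudo umount -l /mnt/image/sys/` near the end of the script, so a failure in between leaves the host's /sys (like /dev and /proc) bind-mounted under /mnt/image; a `trap` that performs the unmounts on exit would cover that path. With host trees bound there, the later context line `sudo rm -rf /mnt/image` would be safer as `sudo rmdir /mnt/image`, which refuses to proceed if anything is still mounted or left behind. The context line `sudo rm -rf /mtn/image/tmp/*` also looks like a typo for `/mnt`, so the image's /tmp is probably never cleaned. These steps sit in a script body that starts and ends outside the hunks.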