Enable Hyperthreading in BIOS with Ansible on VMware hosts

Recently, I found a configuration issue on a VMware cluster running on DellEMC hardware. Initially, they were vulnerable to the L1 Terminal Fault CVE-2018-3646, to mitigate we disabled HT in the BIOS of the hosts. As time passed, VMware released software updates to mitigate these issues. We did install the patches, but the disabled HT stayed the same. When the problem came to light, I decided to put Ansible to work as I did not want to perform manual work on the entire cluster. So the adventure begins!

First, if you’re on an affected CPU architecture, Intel Skylake in our case, you need to verify that you’ve implemented the Side-Channel-Aware Scheduler in VMware. I’m not going to go into detail in this post, so please read more at https://kb.vmware.com/s/article/55806.

Secondly, you need Ansible installed and also the OpenManage Ansible Modules and the OpenManage Python SDK. I will not invent the wheel for this as jonamiki.com has got an excellent blog post about the entire procedure http://jonamiki.com/2020/02/18/ansible-with-dell-poweredge-servers/.

Let’s get down to it.

Some things to notice in the play, it’s executed in a rolling fashion and takes two hosts at a time, set the hosts into maintenance mode, applies the change, reboots and takes out of maintenance mode. Also, if no changes are made to the BIOS, the play will continue without rebooting the host. The reason for the reboot is that the BIOS changes are only applied upon reboot.

You need to bring your variables into the play, I will not post mine here, but if you are somewhat familiar with Ansible you will figure it out.

One word of caution, I did not find a pretty way of confirming the host was online in vCenter after the reboot, so I just decided to wait 20 minutes and assume the host was online again. As I monitored the entire process, for me, this was not an issue.

---
- hosts: vmware
  connection: local
  name: Enable HT
  gather_facts: False
  serial: 2

  tasks:
  - name: Enable HT in BIOS
    redfish_config:
        category: Systems
        command: SetBiosAttributes
        bios_attributes:
            LogicalProc: "Enabled"
        baseuri: "{{ idrac_ip }}"
        username: "{{ idrac_username }}"
        password: "{{ idrac_password }}"
    register: ht
    
  - name: Enter maintanence mode
    vmware_maintenancemode:
      hostname: "{{ vcenter_hostname }}"
      username: "{{ vcenter_username }}"
      password: "{{ vcenter_password }}"
      esxi_hostname: "{{ inventory_hostname }}"
      validate_certs: False
      state: present
    when: ht.changed

  - name: Create BIOS configuration job
    idrac_redfish_command:
        category: Systems
        command: CreateBiosConfigJob
        baseuri: "{{ idrac_ip }}"
        username: "{{ idrac_username }}"
        password: "{{ idrac_password }}"
    when: ht.changed

  - name: Reboot host
    vmware_host_powerstate:
        hostname: '{{ vcenter_hostname }}'
        username: '{{ vcenter_username }}'
        password: '{{ vcenter_password }}'
        validate_certs: no
        esxi_hostname: "{{ inventory_hostname }}"
        state: reboot-host
    register: reboot_host
    when: ht.changed

  - name: Wait
    wait_for:
        timeout: 1200
    when: reboot_host.changed


  - name: Exit maintanence mode
    vmware_maintenancemode:
      hostname: "{{ vcenter_hostname }}"
      username: "{{ vcenter_username }}"
      password: "{{ vcenter_password }}"
      esxi_hostname: "{{ inventory_hostname }}"
      validate_certs: False
      state: absent

  - name: Wait
    wait_for:
        timeout: 30