foreman_wreckingball 3.0.0 → 3.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 91f8e9b4e8ec69fe49517364365ff0ea5e46435998461cd967718539c9e69546
-  data.tar.gz: 444176c10728b0457d50ab41adf8a923d66d30f383bb0564e9b172973bace129
+  metadata.gz: d61b28b92f7f4ed29367841c4bec7b80ea38cc4610daf6e4ec78f1181ac8b5c9
+  data.tar.gz: 89f264e68c658e9135a07f761584f23e51b543ba8264bb4a0ead2aef132449b5
 SHA512:
-  metadata.gz: 21d17ab1949782bf8a6b0f2c0f2e5d7d4fa43d8c25d93112b3ac3e1412f16b5418357b82c05643248fff7c57671bbbe31bdfc04c11559b34db5d7351f90e6514
-  data.tar.gz: 489a9097ef263bc2e1eb4cff7d0ae695e1e53fd7462066ad8f06be48efc7aedadc5b013287198a4350f9c22908c1d99f9abe78ba46dd11bd254b8d3b9b545bd0
+  metadata.gz: 0e24c4e6c7ad4cd4eb6bb6f6e66a18712bc090fb41f60d0b639448b9763aad0655aa49a4f80206b036b25fc70d9acae8319a5d027becb8f43d6a26263152232a
+  data.tar.gz: 76271354a6bd79fd6263bca07ffdc8cba779b1be3ad9744f0675bc5b80c4498c214c473d2b7825af3af5f73d0f20def793bceeffcecfd784f8e0d78f2e6c8a20

data/app/controllers/foreman_wreckingball/hosts_controller.rb

@@ -10,7 +10,8 @@ module ForemanWreckingball
       statuses = [
         ToolsStatus,
         OperatingsystemStatus,
-        CpuHotAddStatus
+        CpuHotAddStatus,
+        SpectreV2Status
       ]
 
       @newest_data = Host.authorized(:view_hosts, Host).joins(:vmware_facet).maximum('vmware_facets.updated_at')

data/app/helpers/foreman_wreckingball/hypervisors_helper.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module ForemanWreckingball
+  module HypervisorsHelper
+    def wreckingball_spectre_v2_status(vmware_hypervisor_facet)
+      if vmware_hypervisor_facet.feature_capabilities.blank?
+        icon_text('unknown', '', kind: 'pficon', title: _('N/A'))
+      elsif vmware_hypervisor_facet.provides_spectre_features?
+        icon_text('ok', '', kind: 'pficon', title: _('CPU-Features are present on this host.'))
+      else
+        icon_text('error-circle-o', '', kind: 'pficon', title: _('Required CPU features are missing. This host is most likely vulnerable.'))
+      end
+    end
+  end
+end

data/app/lib/fog_extensions/foreman_wreckingball/vsphere/host.rb

@@ -4,33 +4,8 @@ module FogExtensions
       module Host
         extend ActiveSupport::Concern
 
-        module Overrides
-          def vm_ids
-            attributes[:vm_ids] = attributes[:vm_ids].call if attributes[:vm_ids].is_a?(Proc)
-            attributes[:vm_ids]
-          end
-        end
-
         included do
-          prepend Overrides
-
-          attribute :cpu_cores
-          attribute :cpu_sockets
-          attribute :cpu_threads
-          attribute :memory
-          attribute :uuid
-          attribute :model
-          attribute :vendor
-          attribute :ipaddress
-          attribute :ipaddress6
-          attribute :product_name
-          attribute :product_version
-          attribute :hostname
-          attribute :domainname
-        end
-
-        def memory_mb
-          memory / 1024 / 1024
+          attribute :feature_capabilities
         end
       end
     end

data/app/lib/fog_extensions/foreman_wreckingball/vsphere/real.rb

@@ -5,80 +5,20 @@ module FogExtensions
         extend ActiveSupport::Concern
 
         module Overrides
-          def list_hosts(filters = {})
-            cluster = get_raw_cluster(filters[:cluster], filters[:datacenter])
-
-            results = property_collector_results(host_system_filter_spec(cluster))
+          def host_system_attribute_mapping
+            super.merge(
+              feature_capabilities: 'config.featureCapability'
+            )
+          end
 
-            results.map do |host|
-              hsh = map_attrs_to_hash(host, host_system_attribute_mapping)
-              hsh.merge(
-                datacenter: filters[:datacenter],
-                cluster: filters[:cluster],
-                ipaddress: (host['config.network.vnic'].first.spec.ip.ipAddress rescue nil),
-                ipaddress6: (host['config.network.vnic'].first.spec.ip.ipV6Config.ipV6Address.first.ipAddress rescue nil),
-                vm_ids: Proc.new { host['vm'].map {|vm| vm.config.instanceUuid rescue nil} }
-              )
-            end
+          def list_hosts(filters = {})
+            super.map { |h| h[:feature_capabilities] = h[:feature_capabilities].map(&:key); h }
           end
         end
 
         included do
           prepend Overrides
         end
-
-        protected
-
-        def map_attrs_to_hash(obj, attribute_mapping)
-          attribute_mapping.each_with_object({}) do |(k, v), hsh|
-            hsh[k] = obj[v]
-          end
-        end
-
-        def property_collector_results(filter_spec)
-          property_collector = connection.serviceContent.propertyCollector
-          property_collector.RetrieveProperties(:specSet => [filter_spec])
-        end
-
-        def compute_resource_host_traversal_spec
-          RbVmomi::VIM.TraversalSpec(
-            :name => 'computeResourceHostTraversalSpec',
-            :type => 'ComputeResource',
-            :path => 'host',
-            :skip => false
-          )
-        end
-
-        def host_system_filter_spec(obj)
-          RbVmomi::VIM.PropertyFilterSpec(
-            :objectSet => [
-              :obj => obj,
-              :selectSet => [
-                compute_resource_host_traversal_spec
-              ]
-            ],
-            :propSet => [
-              { :type => 'HostSystem', :pathSet => host_system_attribute_mapping.values + ['config.network.vnic', 'vm'] }
-            ]
-          )
-        end
-
-        def host_system_attribute_mapping
-          {
-            name:            'name',
-            cpu_cores:       'hardware.cpuInfo.numCpuCores',
-            cpu_sockets:     'hardware.cpuInfo.numCpuPackages',
-            cpu_threads:     'hardware.cpuInfo.numCpuThreads',
-            memory:          'hardware.memorySize',
-            uuid:            'hardware.systemInfo.uuid',
-            model:           'hardware.systemInfo.model',
-            vendor:          'hardware.systemInfo.vendor',
-            product_name:    'summary.config.product.name',
-            product_version: 'summary.config.product.version',
-            hostname:        'config.network.dnsConfig.hostName',
-            domainname:      'config.network.dnsConfig.domainName'
-          }
-        end
       end
     end
   end

data/app/models/concerns/foreman_wreckingball/compute_resource_extensions.rb

@@ -8,6 +8,11 @@ module ForemanWreckingball
     included do
       has_many :vmware_clusters, :class_name => 'ForemanWreckingball::VmwareCluster',
                                  :inverse_of => :compute_resource, :dependent => :destroy
+
+      has_many :vmware_hypervisor_facets, :class_name => '::ForemanWreckingball::VmwareHypervisorFacet', :through => :vmware_clusters,
+                                          :inverse_of => :compute_resource
+
+      has_many :hypervisor_hosts, :class_name => 'Host::Managed', :through => :vmware_hypervisor_facets, :source => :host, :inverse_of => :compute_resource
     end
 
     def action_input_key

data/app/models/concerns/foreman_wreckingball/host_extensions.rb

@@ -21,6 +21,11 @@ module ForemanWreckingball
               :foreign_key => 'host_id',
               :inverse_of => :host,
               :dependent => :destroy
+      has_one :vmware_spectre_v2_status_object,
+              :class_name => 'ForemanWreckingball::SpectreV2Status',
+              :foreign_key => 'host_id',
+              :inverse_of => :host,
+              :dependent => :destroy
     end
 
     def action_input_key

data/app/models/foreman_wreckingball/spectre_v2_status.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module ForemanWreckingball
+  class SpectreV2Status < ::HostStatus::Status
+    ENABLED = 0
+    MISSING = 1
+
+    def self.status_name
+      N_('Spectre v2 Guest Mitigation Enabled')
+    end
+
+    def self.host_association
+      :vmware_spectre_v2_status_object
+    end
+
+    def self.description
+      N_('In order to use hardware based branch target injection mitigation within virtual machines, Hypervisor-Assisted Guest Mitigation must be enabled.')
+    end
+
+    def self.supports_remediate?
+      false
+    end
+
+    def to_status(_options = {})
+      guest_mitigation_enabled? ? ENABLED : MISSING
+    end
+
+    def to_global(_options = {})
+      case status
+      when MISSING
+        HostStatus::Global::ERROR
+      else
+        HostStatus::Global::OK
+      end
+    end
+
+    def to_label(_options = {})
+      case status
+      when MISSING
+        N_('Guest Mitigation Missing')
+      else
+        N_('Guest Mitigation Enabled')
+      end
+    end
+
+    def relevant?(_options = {})
+      host && host&.vmware_facet && host.vmware_facet.cpu_features.any?
+    end
+
+    def guest_mitigation_enabled?
+      recent_hw_version? && required_cpu_features_present?
+    end
+
+    def recent_hw_version?
+      host.vmware_facet.hardware_version.gsub(/^vmx-/, '').to_i >= 9
+    end
+
+    def required_cpu_features_present?
+      !(host.vmware_facet.cpu_features & ['cpuid.IBRS', 'cpuid.IBPB', 'cpuid.STIBP']).empty?
+    end
+  end
+end

data/app/models/foreman_wreckingball/vmware_facet.rb

@@ -19,6 +19,8 @@ module ForemanWreckingball
 
     validates :host, :presence => true, :allow_blank => false
 
+    serialize :cpu_features, JSON
+
     def tools_state_label
       case tools_state.to_sym
       when :toolsNotInstalled
@@ -35,22 +37,35 @@ module ForemanWreckingball
     def refresh!
       vm = host.compute_object
       return unless vm
-      update(
-        :vmware_cluster => ::ForemanWreckingball::VmwareCluster.find_by(:name => vm.cluster, :compute_resource => host.compute_resource),
-        :cpus => vm.cpus,
-        :corespersocket => vm.corespersocket,
-        :memory_mb => vm.memory_mb,
-        :tools_state => vm.tools_state,
-        :guest_id => vm.guest_id,
-        :cpu_hot_add => vm.cpuHotAddEnabled
-      )
+      data_for_update = {
+        vmware_cluster: ::ForemanWreckingball::VmwareCluster.find_by(name: vm.cluster, compute_resource: host.compute_resource),
+        cpus: vm.cpus,
+        corespersocket: vm.corespersocket,
+        memory_mb: vm.memory_mb,
+        tools_state: vm.tools_state,
+        guest_id: vm.guest_id,
+        cpu_hot_add: vm.cpuHotAddEnabled,
+        hardware_version: vm.hardware_version,
+        cpu_features: []
+      }
+      data_for_update[:cpu_features] = raw_vm_object.runtime.featureRequirement.map(&:key) if vm.ready?
+      update(data_for_update)
     end
 
     def refresh_statuses
       host.get_status(::ForemanWreckingball::ToolsStatus).refresh!
       host.get_status(::ForemanWreckingball::CpuHotAddStatus).refresh!
       host.get_status(::ForemanWreckingball::OperatingsystemStatus).refresh!
+      host.get_status(::ForemanWreckingball::SpectreV2Status).refresh!
       host.refresh_global_status!
     end
+
+    private
+
+    def raw_vm_object
+      instance_uuid = host.compute_object.try(:instance_uuid)
+      return unless instance_uuid
+      host.compute_resource.send(:client).send(:get_vm_ref, instance_uuid)
+    end
   end
 end

data/app/models/foreman_wreckingball/vmware_hypervisor_facet.rb

@@ -10,11 +10,19 @@ module ForemanWreckingball
 
     belongs_to :vmware_cluster, :inverse_of => :vmware_hypervisor_facets, :class_name => 'ForemanWreckingball::VmwareCluster'
 
+    has_one :compute_resource, :inverse_of => :vmware_hypervisor_facets, :through => :vmware_cluster
+
     has_many :vmware_facets, :class_name => '::ForemanWreckingball::VmwareFacet', :through => :vmware_clusters,
                              :inverse_of => :vmware_hypervisor_facets
 
+    serialize :feature_capabilities, JSON
+
     def self.sanitize_name(name)
       name.tr('_', '-').chomp('.').downcase
     end
+
+    def provides_spectre_features?
+      !((feature_capabilities || []) & ['cpuid.IBRS', 'cpuid.IBPB', 'cpuid.STIBP']).empty?
+    end
   end
 end

data/app/services/foreman_wreckingball/debris_collector.rb

@@ -0,0 +1,249 @@
+require 'rbvmomi'
+
+module ForemanWreckingball
+  class DebrisCollector
+
+    PROPERTY_MAPPING = {
+      :VirtualMachine => {
+        mapped: {
+          cpus: 'config.hardware.numCPU',
+          corespersocket: 'config.hardware.numCoresPerSocket',
+          memory_mb: 'config.hardware.memoryMB',
+          tools_state: 'guest.toolsStatus',
+          guest_id: 'config.guestId',
+          cpu_hot_add: 'config.cpuHotAddEnabled',
+          hardware_version: 'config.version',
+          #cpu_features: ''
+        },
+        additional: [
+          'name',
+          'config.instanceUuid'
+        ]
+      },
+      :Folder => {
+        mapped: {
+          name: 'name'
+        },
+        additional: [
+          'childEntity'
+        ]
+      },
+    }.freeze
+
+    attr_reader :compute_resource
+    attr_accessor :version, :stop_requested
+
+    delegate :logger, to: ::Rails
+
+    def initialize(compute_resource:)
+      logger.debug "Wreckingball Debris Collector: Initializing."
+      @compute_resource = compute_resource
+      self.version = ''
+      self.stop_requested = false
+    end
+
+
+    def run
+      logger.debug "Wreckingball Debris Collector: Started."
+
+      property_filter
+
+      logger.debug "Wreckingball Debris Collector: Starting initial import."
+      initial_refresh
+      logger.debug "Wreckingball Debris Collector: Finished initial import."
+
+      logger.debug "Wreckingball Debris Collector: Finished."
+    ensure
+      destroy_property_filter
+    end
+
+    def stop
+      logger.debug "Wreckingball Debris Collector: Stop requested."
+      self.stop_requested = true
+    end
+
+    private
+
+    def initial_refresh
+      monitor_updates
+    end
+
+    def monitor_updates
+      begin
+        update_set = wait_for_updates
+        return version if update_set.nil?
+
+        self.version = update_set.version
+        process_update_set(update_set)
+      end while update_set.truncated
+    end
+
+    def process_update_set(update_set)
+      property_filter_update = update_set.filterSet.to_a.detect do |update|
+        update.filter == property_filter
+      end
+      return if property_filter_update.nil?
+
+      object_update_set = property_filter_update.objectSet
+      return if object_update_set.blank?
+
+      logger.debug "Wreckingball Debris Collector: Processing #{object_update_set.count} updates..."
+
+      process_object_update_set(object_update_set)
+
+      logger.debug "Wreckingball Debris Collector: Processing #{object_update_set.count} updates... completed."
+    end
+
+    def process_object_update_set(object_update_set)
+      object_update_set.each do |object_update|
+        process_object_update(object_update)
+      end
+    end
+
+    def process_object_update(object_update)
+      managed_object = object_update.obj
+
+      logger.debug "#{object_update.kind} #{object_update.obj.class.wsdl_name}:#{object_update.obj._ref}"
+
+      case object_update.obj.class.wsdl_name
+      when 'VirtualMachine'
+        process_virtual_machine_update(object_update)
+      else
+        # Ignore this for now
+      end
+    end
+
+    def process_virtual_machine_update(object_update)
+      managed_object = object_update.obj
+      # TODO: Cache this
+      uuid = managed_object.config.instanceUuid
+
+      logger.error "Processing for uuid #{uuid}"
+
+      host = Host::Managed.find_by(compute_resource: compute_resource, uuid: uuid)
+
+      return unless host
+
+      facet = host.vmware_facet || host.build_vmware_facet
+
+      # TODO: Cluster
+      facet.update(
+        map_update_to_properties(:VirtualMachine, object_update.changeSet)
+      )
+    end
+
+    def map_update_to_properties(type, change_set)
+      mapping = PROPERTY_MAPPING[type][:mapped]
+
+      change_set.each_with_object({}) do |property_change, hsh|
+        hsh[mapping.key(property_change.name)] = property_change.val if mapping.key(property_change.name)
+      end
+    end
+
+    def wait_for_updates
+      connection.propertyCollector.WaitForUpdatesEx(
+        :version => version,
+        :options => wait_for_updates_options
+      )
+    end
+
+    def wait_for_updates_options
+      RbVmomi::VIM.WaitOptions(
+        :maxWaitSeconds => 10
+      )
+    end
+
+    def property_filter
+      @property_filter ||= create_property_filter
+    end
+
+    def property_set
+      PROPERTY_MAPPING.map do |type, properties|
+        RbVmomi::VIM::PropertySpec(
+          type: type,
+          pathSet: properties[:mapped].values + (properties[:additional] || [])
+        )
+      end
+    end
+
+    def traversal_spec_folder_to_child_entity
+      RbVmomi::VIM.TraversalSpec(
+        :name => 'FolderTraversalSpec',
+        :type => 'Folder',
+        :path => 'childEntity',
+        :skip => false,
+        :selectSet => [
+          RbVmomi::VIM.SelectionSpec(:name => 'FolderTraversalSpec'),
+          #RbVmomi::VIM.SelectionSpec(:name => 'tsDcToDsFolder'),
+          #RbVmomi::VIM.SelectionSpec(:name => 'tsDcToHostFolder'),
+          #RbVmomi::VIM.SelectionSpec(:name => 'tsDcToNetworkFolder'),
+          RbVmomi::VIM.SelectionSpec(:name => 'DatacenterToVmFolderTraversalSpec'),
+          #RbVmomi::VIM.SelectionSpec(:name => 'tsCrToHost'),
+          #RbVmomi::VIM.SelectionSpec(:name => 'tsCrToRp'),
+          #RbVmomi::VIM.SelectionSpec(:name => 'tsRpToRp'),
+          #RbVmomi::VIM.SelectionSpec(:name => 'tsRpToVm')
+        ]
+      )
+    end
+
+    def traversal_spec_datacenter_to_vm_folder
+      RbVmomi::VIM.TraversalSpec(
+        :name => 'DatacenterToVmFolderTraversalSpec',
+        :type => 'Datacenter',
+        :path => 'vmFolder',
+        :skip => false,
+        :selectSet => [
+          RbVmomi::VIM.SelectionSpec(:name => 'FolderTraversalSpec')
+        ]
+      )
+    end
+
+    def object_set(root)
+      traversal_spec = [
+        traversal_spec_folder_to_child_entity,
+        #datacenter_to_datastore_folder,
+        #datacenter_to_host_folder,
+        #datacenter_to_network_folder,
+        traversal_spec_datacenter_to_vm_folder
+        #compute_resource_to_host,
+        #compute_resource_to_resource_pool,
+        #resource_pool_to_resource_pool,
+        #resource_pool_to_vm,
+      ]
+
+      RbVmomi::VIM.ObjectSpec(
+        :obj => root,
+        :selectSet => traversal_spec
+      )
+    end
+
+    def create_property_filter
+      property_filter_spec = RbVmomi::VIM.PropertyFilterSpec(
+        :objectSet => [
+          object_set(
+            root_folder
+          )
+        ],
+        :propSet => property_set
+      )
+
+      connection.propertyCollector.CreateFilter(
+        :spec => property_filter_spec,
+        :partialUpdates => true
+      )
+    end
+
+    def destroy_property_filter
+      return unless @property_filter
+      @property_filter.DestroyPropertyFilter
+    end
+
+    def root_folder
+      connection.serviceContent.rootFolder
+    end
+
+    def connection
+      compute_resource.send(:client).send(:connection)
+    end
+  end
+end

data/app/services/foreman_wreckingball/vmware_hypervisor_importer.rb

@@ -63,7 +63,8 @@ module ForemanWreckingball
           :cpu_sockets => hypervisor.cpu_sockets,
           :cpu_threads => hypervisor.cpu_threads,
           :memory => hypervisor.memory,
-          :uuid => hypervisor.uuid
+          :uuid => hypervisor.uuid,
+          :feature_capabilities => hypervisor.feature_capabilities
         }
       )
       if result

data/app/views/compute_resources/_hypervisors_tab.html.erb

@@ -0,0 +1,22 @@
+<table class="<%= table_css_classes 'table-fixed' %>">
+  <thead>
+    <tr>
+      <th><%= _('Name') %></th>
+      <th class="col-md-3"><%= _('Cluster') %></th>
+      <th class="col-md-1"><%= _('Cores') %></th>
+      <th class="col-md-1"><%= _('Sockets') %></th>
+      <th class="col-md-1"><%= _('Spectre v2') %></th>
+    </tr>
+  </thead>
+  <tbody>
+    <% @compute_resource.hypervisor_hosts.includes(:vmware_hypervisor_facet, :vmware_cluster).each do |host| %>
+      <tr>
+        <td class="ellipsis"><%= link_to_if_authorized(host.name, hash_for_host_path(:id => host)) %></td>
+        <td><%= host.vmware_cluster.name %></td>
+        <td><%= host.vmware_hypervisor_facet.cpu_cores %></td>
+        <td><%= host.vmware_hypervisor_facet.cpu_sockets %></td>
+        <td><%= wreckingball_spectre_v2_status(host.vmware_hypervisor_facet) %></td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>

data/db/migrate/20180504135345_add_cpu_features_to_vmware_facets.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddCpuFeaturesToVmwareFacets < ActiveRecord::Migration[5.1]
+  def change
+    add_column :vmware_facets, :cpu_features, :text
+  end
+end

data/db/migrate/20180504135515_add_hardware_version_to_vmware_facets.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddHardwareVersionToVmwareFacets < ActiveRecord::Migration[5.1]
+  def change
+    add_column :vmware_facets, :hardware_version, :string
+  end
+end

data/db/migrate/20180614105545_add_feature_capabilities_to_vmware_hypervisor_facets.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddFeatureCapabilitiesToVmwareHypervisorFacets < ActiveRecord::Migration[5.1]
+  def change
+    add_column :vmware_hypervisor_facets, :feature_capabilities, :text
+  end
+end

data/lib/foreman_wreckingball/engine.rb

@@ -55,6 +55,14 @@ module ForemanWreckingball
         register_facet(ForemanWreckingball::VmwareHypervisorFacet, :vmware_hypervisor_facet)
 
         add_controller_action_scope(HostsController, :index) { |base_scope| base_scope.includes(:vmware_facet) }
+
+        # extend host show page
+        extend_page('compute_resources/show') do |context|
+          context.add_pagelet :main_tabs,
+                              :name => N_('Hypervisors'),
+                              :partial => 'compute_resources/hypervisors_tab',
+                              :onlyif => proc { |cr| cr.provider_friendly_name == 'VMware' && cr.vmware_hypervisor_facets.any? }
+        end
       end
     end
 
@@ -95,7 +103,7 @@ module ForemanWreckingball
     require 'fog/vsphere'
     require 'fog/vsphere/compute'
     require 'fog/vsphere/models/compute/host'
-    !::Fog::Compute::Vsphere::Host.instance_methods.include?(:uuid)
+    !::Fog::Compute::Vsphere::Host.instance_methods.include?(:feature_capabilities)
   rescue LoadError
     false
   end

data/lib/foreman_wreckingball/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ForemanWreckingball
-  VERSION = '3.0.0'
+  VERSION = '3.0.1'
 end

data/test/actions/foreman_wreckingball/host/refresh_vmware_facet_test.rb

@@ -7,8 +7,15 @@ module Actions
     module Vmware
       class RefreshVmwareFacetTest < ActiveSupport::TestCase
         include ::Dynflow::Testing
+
+        let(:uuid) { '5032c8a5-9c5e-ba7a-3804-832a03e16381' }
+        let(:vm) { compute_resource.find_vm_by_uuid(uuid) }
+
         setup do
           ::Fog.mock!
+          ::Fog::Compute::Vsphere::Mock.any_instance.stubs(:get_vm_ref).returns(vm)
+          ::Fog::Compute::Vsphere::Server.any_instance.stubs(:ready?).returns(false)
+          ::ForemanWreckingball::SpectreV2Status.any_instance.stubs(:recent_hw_version?).returns(true)
           # this is not stubbed correctly in fog-vsphere
           Fog::Compute::Vsphere::Server.any_instance.stubs(:cpuHotAddEnabled).returns(false)
         end
@@ -18,8 +25,6 @@ module Actions
           cr = FactoryBot.create(:compute_resource, :vmware, :uuid => 'Solutions')
           ComputeResource.find(cr.id)
         end
-        let(:uuid) { '5032c8a5-9c5e-ba7a-3804-832a03e16381' }
-        let(:vm) { compute_resource.find_vm_by_uuid(uuid) }
 
         let(:host) do
           FactoryBot.create(

data/test/actions/foreman_wreckingball/host/remediate_vmware_operatingsystem_test.rb

@@ -11,6 +11,7 @@ module Actions
           ::Fog.mock!
           # this is not stubbed correctly in fog-vsphere
           Fog::Compute::Vsphere::Server.any_instance.stubs(:cpuHotAddEnabled).returns(false)
+          ::ForemanWreckingball::SpectreV2Status.any_instance.stubs(:recent_hw_version?).returns(true)
         end
         teardown { ::Fog.unmock! }
 

data/test/controllers/compute_resources_controller_test.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+class ComputeResourcesControllerTest < ActionController::TestCase
+  describe '#show' do
+    let(:compute_resource) { FactoryBot.create(:compute_resource, :vmware) }
+    let(:vmware_cluster) { FactoryBot.create(:vmware_cluster, compute_resource: compute_resource) }
+
+    test 'shows a compute resource with hypervisors' do
+      skip if Gem::Version.new(Foreman::Version.new.to_s) < Gem::Version.new('1.19.0')
+      FactoryBot.create_list(:vmware_hypervisor_facet, 5, vmware_cluster: vmware_cluster)
+
+      get :show, params: { :id => compute_resource.to_param }, session: set_session_user
+      assert_response :success
+      assert @response.body.match(/Hypervisors/)
+    end
+  end
+end

data/test/factories/foreman_wreckingball_factories.rb

@@ -9,6 +9,29 @@ FactoryBot.define do
     memory_mb 8192
     guest_id 'rhel6_64Guest'
     cpu_hot_add false
+    hardware_version 'vmx-10'
+    cpu_features [
+      'cpuid.SSE3',
+      'cpuid.PCLMULQDQ',
+      'cpuid.SSSE3',
+      'cpuid.CMPXCHG16B',
+      'cpuid.PCID',
+      'cpuid.SSE41',
+      'cpuid.SSE42',
+      'cpuid.POPCNT',
+      'cpuid.AES',
+      'cpuid.XSAVE',
+      'cpuid.AVX',
+      'cpuid.DS',
+      'cpuid.SS',
+      'cpuid.XCR0_MASTER_SSE',
+      'cpuid.XCR0_MASTER_YMM_H',
+      'cpuid.LAHF64',
+      'cpuid.NX',
+      'cpuid.RDTSCP',
+      'cpuid.LM',
+      'cpuid.Intel'
+    ]
     host
   end
 
@@ -20,6 +43,88 @@ FactoryBot.define do
     cpu_threads 36
     memory 412_046_372_864
     uuid { SecureRandom.uuid }
+    feature_capabilities [
+      'cpuid.3DNOW',
+      'cpuid.3DNOWPLUS',
+      'cpuid.3DNPREFETCH',
+      'cpuid.ABM',
+      'cpuid.ADX',
+      'cpuid.AES',
+      'cpuid.AMD',
+      'cpuid.AVX',
+      'cpuid.AVX2',
+      'cpuid.BMI1',
+      'cpuid.BMI2',
+      'cpuid.CMPXCHG16B',
+      'cpuid.CR8AVAIL',
+      'cpuid.Cyrix',
+      'cpuid.DS',
+      'cpuid.ENFSTRG',
+      'cpuid.EXTAPICSPC',
+      'cpuid.F16C',
+      'cpuid.FFXSR',
+      'cpuid.FMA',
+      'cpuid.FMA4',
+      'cpuid.FSGSBASE',
+      'cpuid.HLE',
+      'cpuid.IBPB',
+      'cpuid.IBRS',
+      'cpuid.INVPCID',
+      'cpuid.Intel',
+      'cpuid.LAHF64',
+      'cpuid.LM',
+      'cpuid.MISALIGNED_SSE',
+      'cpuid.MMXEXT',
+      'cpuid.MOVBE',
+      'cpuid.MWAIT',
+      'cpuid.NX',
+      'cpuid.PCID',
+      'cpuid.PCLMULQDQ',
+      'cpuid.PDPE1GB',
+      'cpuid.POPCNT',
+      'cpuid.PSN',
+      'cpuid.RDRAND',
+      'cpuid.RDSEED',
+      'cpuid.RDTSCP',
+      'cpuid.RTM',
+      'cpuid.SMAP',
+      'cpuid.SMEP',
+      'cpuid.SS',
+      'cpuid.SSE3',
+      'cpuid.SSE41',
+      'cpuid.SSE42',
+      'cpuid.SSE4A',
+      'cpuid.SSSE3',
+      'cpuid.STIBP',
+      'cpuid.SVM',
+      'cpuid.SVM_DECODE_ASSISTS',
+      'cpuid.SVM_FLUSH_BY_ASID',
+      'cpuid.SVM_NPT',
+      'cpuid.SVM_NRIP',
+      'cpuid.SVM_VMCB_CLEAN',
+      'cpuid.TBM',
+      'cpuid.VIA',
+      'cpuid.VMX',
+      'cpuid.XCR0_MASTER_SSE',
+      'cpuid.XCR0_MASTER_YMM_H',
+      'cpuid.XOP',
+      'cpuid.XSAVE',
+      'cpuid.XSAVEOPT',
+      'hv.capable',
+      'misc.cpuidFaulting',
+      'vpmc.fixctr.0',
+      'vpmc.fixedWidth',
+      'vpmc.genWidth',
+      'vpmc.genctr.0',
+      'vpmc.genctr.1',
+      'vpmc.genctr.2',
+      'vpmc.genctr.3',
+      'vpmc.microarchitecture.ivybridge',
+      'vpmc.numFixedCtrs',
+      'vpmc.numGenCtrs',
+      'vpmc.version',
+      'vt.realmode'
+    ]
   end
 
   factory :vmware_cluster, class: 'ForemanWreckingball::VmwareCluster' do

data/test/models/compute_resource_test.rb

@@ -4,4 +4,6 @@ require 'test_plugin_helper'
 
 class ComputeResourceTest < ActiveSupport::TestCase
   should have_many(:vmware_clusters)
+  should have_many(:vmware_hypervisor_facets)
+  should have_many(:hypervisor_hosts)
 end

data/test/models/foreman_wreckingball/spectre_v2_status_test.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+module ForemanWreckingball
+  class SpectreV2StatusTest < ActiveSupport::TestCase
+    setup do
+      User.current = users(:admin)
+    end
+
+    should belong_to(:host)
+
+    let(:host) do
+      FactoryBot.create(
+        :host,
+        :managed,
+        :with_vmware_facet
+      )
+    end
+    let(:status) { ForemanWreckingball::SpectreV2Status.new(host: host) }
+
+    test 'has a host association' do
+      status.save!
+      assert_equal status, host.public_send(status.class.host_association)
+    end
+
+    test '#relevant is only for hosts with a vmware facet' do
+      h = FactoryBot.build(:host, :managed)
+      refute ForemanWreckingball::ToolsStatus.new(host: h).relevant?
+      assert status.relevant?
+    end
+
+    test '#relevant is for hosts with cpu features' do
+      assert status.relevant?
+      host.vmware_facet.cpu_features = []
+      refute status.relevant?
+    end
+
+    describe 'status calculation' do
+      test 'is missing when mitigations are missing' do
+        status.stubs(:guest_mitigation_enabled?).returns(false)
+        assert_equal SpectreV2Status::MISSING, status.to_status
+      end
+
+      test 'is enabled when mitigations are present' do
+        status.stubs(:guest_mitigation_enabled?).returns(true)
+        assert_equal SpectreV2Status::ENABLED, status.to_status
+      end
+
+      test 'is missing when hardware version is ancient' do
+        status.stubs(:recent_hw_version?).returns(false)
+        assert_equal SpectreV2Status::MISSING, status.to_status
+      end
+    end
+
+    describe 'status labels' do
+      test 'when mitigations are missing' do
+        status.status = SpectreV2Status::MISSING
+        assert_equal 'Guest Mitigation Missing', status.to_label
+      end
+
+      test 'when mitigations are present' do
+        status.status = SpectreV2Status::ENABLED
+        assert_equal 'Guest Mitigation Enabled', status.to_label
+      end
+    end
+
+    describe 'global status' do
+      test 'is error when mitigations are missing' do
+        status.status = SpectreV2Status::MISSING
+        assert_equal HostStatus::Global::ERROR, status.to_global
+      end
+
+      test 'is ok when mitigations are present' do
+        status.status = SpectreV2Status::ENABLED
+        assert_equal HostStatus::Global::OK, status.to_global
+      end
+    end
+
+    describe '#recent_hw_version?' do
+      test 'is true when hw version is quite new' do
+        assert status.recent_hw_version?
+      end
+
+      test 'is false when hw version is ancient' do
+        host.vmware_facet.hardware_version = 'vmx-3'
+        refute status.recent_hw_version?
+      end
+    end
+
+    describe '#required_cpu_features_present?' do
+      test 'is false when neither cpuid.IBRS, cpuid.IBPB nor cpuid.STIBP is present' do
+        host.vmware_facet.cpu_features = ['cpuid.SSE42']
+        refute status.required_cpu_features_present?
+      end
+
+      test 'is true when cpuid.IBRS is present' do
+        host.vmware_facet.cpu_features = ['cpuid.IBRS']
+        assert status.required_cpu_features_present?
+      end
+
+      test 'is true when cpuid.IBPB is present' do
+        host.vmware_facet.cpu_features = ['cpuid.IBPB']
+        assert status.required_cpu_features_present?
+      end
+
+      test 'is true when cpuid.STIBP is present' do
+        host.vmware_facet.cpu_features = ['cpuid.STIBP']
+        assert status.required_cpu_features_present?
+      end
+    end
+  end
+end

data/test/models/foreman_wreckingball/vmware_facet_test.rb

@@ -7,5 +7,61 @@ module ForemanWreckingball
     should validate_presence_of(:host)
     should belong_to(:vmware_cluster)
     should have_many(:vmware_hypervisor_facets)
+
+    describe '#refresh!' do
+      let(:uuid) { '5032c8a5-9c5e-ba7a-3804-832a03e16381' }
+      let(:vm) do
+        OpenStruct.new(
+          runtime: OpenStruct.new(
+            featureRequirement: [
+              'cpuid.SSE3',
+              'cpuid.AES',
+              'cpuid.Intel'
+            ].map do |cpu_feature|
+              OpenStruct.new(key: cpu_feature)
+            end
+          )
+        )
+      end
+
+      let(:compute_resource) do
+        cr = FactoryBot.create(:compute_resource, :vmware, :uuid => 'Solutions')
+        ComputeResource.find(cr.id)
+      end
+
+      let(:host) do
+        FactoryBot.create(
+          :host,
+          :managed,
+          :with_vmware_facet,
+          compute_resource: compute_resource,
+          uuid: uuid
+        )
+      end
+      let(:vmware_facet) { host.vmware_facet }
+
+      setup do
+        ::Fog.mock!
+        ::Fog::Compute::Vsphere::Mock.any_instance.stubs(:get_vm_ref).returns(vm)
+        # this is not stubbed correctly in fog-vsphere
+        ::Fog::Compute::Vsphere::Server.any_instance.stubs(:cpuHotAddEnabled).returns(false)
+        ::Fog::Compute::Vsphere::Server.any_instance.stubs(:hardware_version).returns('vmx-9')
+        ::Fog::Compute::Vsphere::Server.any_instance.stubs(:corespersocket).returns(1)
+        ::Fog::Compute::Vsphere::Server.any_instance.stubs(:ready?).returns(true)
+      end
+      teardown { ::Fog.unmock! }
+
+      test 'refreshes facet data from vm data' do
+        vmware_facet.refresh!
+        assert_equal 1, vmware_facet.cpus
+        assert_equal 1, vmware_facet.corespersocket
+        assert_equal 2196, vmware_facet.memory_mb
+        assert_equal 'rhel6_64Guest', vmware_facet.guest_id
+        assert_equal 'toolsOk', vmware_facet.tools_state
+        assert_equal false, vmware_facet.cpu_hot_add
+        assert_equal ['cpuid.SSE3', 'cpuid.AES', 'cpuid.Intel'], vmware_facet.cpu_features
+        assert_equal 'vmx-9', vmware_facet.hardware_version
+      end
+    end
   end
 end

data/test/models/foreman_wreckingball/vmware_hypervisor_facet_test.rb

@@ -7,9 +7,36 @@ module ForemanWreckingball
     should validate_presence_of(:host)
     should belong_to(:vmware_cluster)
     should have_many(:vmware_facets)
+    should have_one(:compute_resource)
 
     test 'should sanitize name' do
       assert_equal 'abc-server.example.com', ForemanWreckingball::VmwareHypervisorFacet.sanitize_name('abc_server.example.com.')
     end
+
+    describe '#provides_spectre_features?' do
+      let(:facet) do
+        FactoryBot.build(:vmware_hypervisor_facet)
+      end
+
+      test 'should be true when IBRS is available' do
+        facet.feature_capabilities = ['cpuid.IBRS']
+        assert_equal true, facet.provides_spectre_features?
+      end
+
+      test 'should be true when IBPB is available' do
+        facet.feature_capabilities = ['cpuid.IBPB']
+        assert_equal true, facet.provides_spectre_features?
+      end
+
+      test 'should be true when STIBP is available' do
+        facet.feature_capabilities = ['cpuid.STIBP']
+        assert_equal true, facet.provides_spectre_features?
+      end
+
+      test 'should be false when neither IBRS, IBPB nor STIBP is available' do
+        facet.feature_capabilities = ['cpuid.WHATEVER']
+        assert_equal false, facet.provides_spectre_features?
+      end
+    end
   end
 end

data/test/models/host_test.rb

@@ -9,4 +9,5 @@ class Host::ManagedTest < ActiveSupport::TestCase
   should have_one(:vmware_tools_status_object)
   should have_one(:vmware_operatingsystem_status_object)
   should have_one(:vmware_cpu_hot_add_status_object)
+  should have_one(:vmware_spectre_v2_status_object)
 end

metadata

@@ -1,27 +1,27 @@
 --- !ruby/object:Gem::Specification
 name: foreman_wreckingball
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.0.1
 platform: ruby
 authors:
 - Timo Goebel
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-11 00:00:00.000000000 Z
+date: 2018-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: foreman-tasks
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.13.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.13.1
 - !ruby/object:Gem::Dependency
@@ -65,6 +65,7 @@ files:
 - app/assets/javascripts/foreman_wreckingball/modal.js
 - app/controllers/foreman_wreckingball/hosts_controller.rb
 - app/helpers/concerns/foreman_wreckingball/hosts_helper_extensions.rb
+- app/helpers/foreman_wreckingball/hypervisors_helper.rb
 - app/jobs/update_hosts_vmware_facets.rb
 - app/lib/actions/foreman_wreckingball/host/refresh_vmware_facet.rb
 - app/lib/actions/foreman_wreckingball/host/remediate_vmware_operatingsystem.rb
@@ -82,12 +83,15 @@ files:
 - app/models/concerns/foreman_wreckingball/vmware_hypervisor_facet_host_extensions.rb
 - app/models/foreman_wreckingball/cpu_hot_add_status.rb
 - app/models/foreman_wreckingball/operatingsystem_status.rb
+- app/models/foreman_wreckingball/spectre_v2_status.rb
 - app/models/foreman_wreckingball/tools_status.rb
 - app/models/foreman_wreckingball/vmware_cluster.rb
 - app/models/foreman_wreckingball/vmware_facet.rb
 - app/models/foreman_wreckingball/vmware_hypervisor_facet.rb
+- app/services/foreman_wreckingball/debris_collector.rb
 - app/services/foreman_wreckingball/vmware_cluster_importer.rb
 - app/services/foreman_wreckingball/vmware_hypervisor_importer.rb
+- app/views/compute_resources/_hypervisors_tab.html.erb
 - app/views/foreman_wreckingball/hosts/_status_dashboard_content.erb
 - app/views/foreman_wreckingball/hosts/_status_dashboard_empty.erb
 - app/views/foreman_wreckingball/hosts/_status_row.html.erb
@@ -95,6 +99,9 @@ files:
 - app/views/foreman_wreckingball/hosts/status_dashboard.html.erb
 - config/routes.rb
 - db/migrate/20171106155000_create_vmware_facets.rb
+- db/migrate/20180504135345_add_cpu_features_to_vmware_facets.rb
+- db/migrate/20180504135515_add_hardware_version_to_vmware_facets.rb
+- db/migrate/20180614105545_add_feature_capabilities_to_vmware_hypervisor_facets.rb
 - lib/foreman_wreckingball.rb
 - lib/foreman_wreckingball/engine.rb
 - lib/foreman_wreckingball/scheduled_jobs.rb
@@ -108,6 +115,7 @@ files:
 - test/actions/foreman_wreckingball/host/remediate_vmware_operatingsystem_test.rb
 - test/actions/foreman_wreckingball/vmware/schedule_vmware_sync_test.rb
 - test/actions/foreman_wreckingball/vmware/sync_compute_resource_test.rb
+- test/controllers/compute_resources_controller_test.rb
 - test/controllers/foreman_wreckingball/hosts_controller_test.rb
 - test/factories/compute_resource.rb
 - test/factories/foreman_wreckingball_factories.rb
@@ -116,6 +124,7 @@ files:
 - test/models/compute_resources/vmware_test.rb
 - test/models/foreman_wreckingball/cpu_hot_add_status_test.rb
 - test/models/foreman_wreckingball/operatingsystem_status_test.rb
+- test/models/foreman_wreckingball/spectre_v2_status_test.rb
 - test/models/foreman_wreckingball/tools_status_test.rb
 - test/models/foreman_wreckingball/vmware_cluster_test.rb
 - test/models/foreman_wreckingball/vmware_facet_test.rb
@@ -154,6 +163,7 @@ test_files:
 - test/models/compute_resource_test.rb
 - test/models/host_test.rb
 - test/models/foreman_wreckingball/operatingsystem_status_test.rb
+- test/models/foreman_wreckingball/spectre_v2_status_test.rb
 - test/models/foreman_wreckingball/vmware_hypervisor_facet_test.rb
 - test/models/foreman_wreckingball/cpu_hot_add_status_test.rb
 - test/models/foreman_wreckingball/vmware_cluster_test.rb
@@ -168,4 +178,5 @@ test_files:
 - test/actions/foreman_wreckingball/vmware/sync_compute_resource_test.rb
 - test/actions/foreman_wreckingball/vmware/schedule_vmware_sync_test.rb
 - test/test_plugin_helper.rb
+- test/controllers/compute_resources_controller_test.rb
 - test/controllers/foreman_wreckingball/hosts_controller_test.rb