Ansible playbook for Meltdown mitigation (KPI for CentOS/RHEL 7)

mitigate-meltdown.yml

---
- hosts: all
  gather_facts: false
  pre_tasks:
    - name: ensure ipmi tools are installed
      yum:
        name: ipmitool
    - name: retrieve ipmitool address
      shell: >
        ipmitool lan print | grep '^IP Addr' | grep -v Source | cut -d':' -f2 | xargs
      register: ipmitool_lan_print
      changed_when: false
      failed_when: ipmitool_lan_print.stdout == ""
    - name: print ipmi address
      debug:
        msg: "{{ ipmitool_lan_print.stdout }}"
    - name: ensure ipmi is accessible
      delegate_to: localhost
      wait_for:
        host: "{{ ipmitool_lan_print.stdout }}"
        port: 80
        timeout: 5
  tasks:
    - name: install updated kernel
      yum:
        name:
          - kernel-3.10.0-693.11.6.el7
          - microcode_ctl-2.1-22.2.el7
        state: installed
  post_tasks:
    - name: check if system contains fix
      shell:
        cat /boot/config-$(uname -r)
      register: kernel_config
      changed_when: false
    - name: prepare kexec
      when: '"CONFIG_KAISER=y" not in kernel_config.stdout'
      block:
        - name: unload current target
          shell: kexec -u
        - name: load kexec target
          shell: >
            kexec -l /boot/vmlinuz-3.10.0-693.11.6.el7.x86_64 \
                  --initrd=/boot/initramfs-3.10.0-693.11.6.el7.x86_64.img \
                  --reuse-cmdline
        - debug:
            msg: Machine requires reboot and ready for `systemctl kexec`

Added an update that automatically configures kexec for much faster reboots. This is extremely useful for machines with big memory or long POST times (think compute nodes). All you have to do is run systemctl kexec once everything is done.

btw you can tell if kpti is loaded and active with cat /sys/kernel/debug/x86/pti_enabled