From b85c6abfbbe5531818df5559c7c82d302de65a32 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Thu, 5 Jun 2025 16:34:42 +0200
Subject: [PATCH] Allow to blacklist kernel modules

This patch implements new functionality which allows operators not only load or configure kernel modules, but also explicitly blacklist them. We don't use community.general.kernel_blacklist for this, as using copy with content seems more trivial in terms of adding/removing modules to the list and does not require it to be list of mappings.

Change-Id: I3b7e54e5064ed5bf528ac7fb3d7769777bb5ddf8
Signed-off-by: Dmitriy Rabotyagov
---
 defaults/main.yml | 6 ++++++
 handlers/main.yml | 3 +++
 ...blacklist_kernel_modules-07cdf91f3473c0eb.yaml | 5 +++++
 tasks/configure_metal_hosts.yml | 15 +++++++++++++++
 vars/debian.yml | 1 +
 vars/redhat-10.yml | 1 +
 vars/redhat-9.yml | 1 +
 vars/ubuntu.yml | 1 +
 8 files changed, 33 insertions(+)
 create mode 100644 releasenotes/notes/blacklist_kernel_modules-07cdf91f3473c0eb.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 21cc4a6f..6a22f455 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -60,6 +60,12 @@ openstack_host_specific_kernel_modules: []
 ## :param pattern: pattern to grep for in /boot/config-$kernel_version to check how module is configured inside kernel
 ## Our default overrides will be combined with your overrides.

+## A simple list of kernel modules to blacklist
+openstack_host_blacklist_kernel_modules: []
+
+# Command to update initramfs
+openstack_host_initramfs_command: "{{ _openstack_host_initramfs_command | default('true') }}"
+
 # Overridable package list is composed of the old override
 # named user_package_list and the standard defaults _openstack_hosts_package_list
 openstack_hosts_package_list: "{{ _openstack_hosts_package_list + (user_package_list | default([])) }}"
diff --git a/handlers/main.yml b/handlers/main.yml
index f5a9dd3a..eb3561fc 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,6 +13,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+- name: Update initramfs # noqa: no-changed-when
+ ansible.builtin.command: "{{ openstack_host_initramfs_command }}"
+
 - name: Restart sysstat
 ansible.builtin.service:
 name: "sysstat"
diff --git a/releasenotes/notes/blacklist_kernel_modules-07cdf91f3473c0eb.yaml b/releasenotes/notes/blacklist_kernel_modules-07cdf91f3473c0eb.yaml
new file mode 100644
index 00000000..c34a8b28
--- /dev/null
+++ b/releasenotes/notes/blacklist_kernel_modules-07cdf91f3473c0eb.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Added variable ``openstack_host_blacklist_kernel_modules`` which allows to
+ blacklist required kernel modules.
diff --git a/tasks/configure_metal_hosts.yml b/tasks/configure_metal_hosts.yml
index f204a8fb..9a10272d 100644
--- a/tasks/configure_metal_hosts.yml
+++ b/tasks/configure_metal_hosts.yml
@@ -69,6 +69,21 @@
 when:
 - item.name | length > 0
 - item.pattern is undefined or (item.pattern is defined and (modules.content | b64decode).find(item.pattern + '=m') != -1)
+ notify:
+ - Update initramfs
+
+- name: Blacklist kernel modules
+ ansible.builtin.copy:
+ content: |-
+ {% for module in openstack_host_blacklist_kernel_modules %}
+ blacklist {{ module }}
+ {% endfor %}
+ dest: /etc/modprobe.d/blacklist-openstack-ansible.conf
+ mode: "0644"
+ owner: root
+ group: root
+ notify:
+ - Update initramfs

 # TODO: Remove after 2026.1 release
 - name: Clean-up ex-default modules location
diff --git a/vars/debian.yml b/vars/debian.yml
index 27be8c64..60b4ae9d 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -18,6 +18,7 @@ openstack_host_required_kernel: 4.9.0-0-amd64
 openstack_host_sysstat_file: /etc/default/sysstat
 openstack_host_sysstat_cron_file: /etc/cron.d/sysstat
 openstack_host_cron_template: sysstat.cron.debian.j2
+_openstack_host_initramfs_command: /usr/sbin/update-initramfs -u

 ## Kernel modules loaded on hosts
 openstack_host_kernel_modules:
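Review bot: The `Update initramfs` handler added in handlers/main.yml runs whatever `openstack_host_initramfs_command` resolves to, and defaults/main.yml falls back to `true` when the platform vars define no `_openstack_host_initramfs_command`, so on such a host the handler succeeds without regenerating anything. The blacklist file would then be absent from the initramfs, and the play output gives no hint of that. I would say so next to the variable, for example `# No-op ('true') when the distribution vars define no initramfs command`. Whether any supported platform actually lacks the variable is not visible in this patch.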
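Review bot: The `blacklist {{ module }}` line written by the `Blacklist kernel modules` task in tasks/configure_metal_hosts.yml only makes modprobe ignore the module's aliases; an explicit `modprobe` of the name or a dependency pull-in still loads it, and a module that is already loaded stays loaded until it is removed or the host reboots. If the variable is meant as a hardening control, consider also emitting `install {{ module }} /bin/false` per entry, or state the limitation in the defaults/main.yml comment and the release note. The entries are also written unvalidated into a root-owned modprobe.d file, so a value containing a newline would add arbitrary directives; a preceding assert that each entry matches `^[A-Za-z0-9_-]+$` would keep it to one module name per line.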
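Review bot: `_openstack_host_initramfs_command: /usr/sbin/update-initramfs -u` in vars/debian.yml rebuilds the image for the newest installed kernel only, and `/bin/dracut -f` in the vars/redhat-10.yml and vars/redhat-9.yml hunks rebuilds it for the running kernel only; the vars/ubuntu.yml hunk repeats the Debian command. A host that later boots another installed kernel would start from an initramfs that does not contain the new blacklist file. If every installed kernel should carry it, `update-initramfs -u -k all` and `dracut -f --regenerate-all` cover them, at the cost of a longer handler run.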
diff --git a/vars/redhat-10.yml b/vars/redhat-10.yml
index f7fa9f61..06fa9ce6 100644
--- a/vars/redhat-10.yml
+++ b/vars/redhat-10.yml
@@ -18,6 +18,7 @@ openstack_host_required_kernel: 6.12.0
 openstack_host_sysstat_file: /etc/sysconfig/sysstat
 openstack_host_sysstat_cron_file: /etc/cron.d/sysstat
 openstack_host_cron_template: sysstat.cron.redhat.j2
+_openstack_host_initramfs_command: /bin/dracut -f
 openstack_host_sysstat_cron_mode: "0600"
diff --git a/vars/redhat-9.yml b/vars/redhat-9.yml
index 3baad130..73964f01 100644
--- a/vars/redhat-9.yml
+++ b/vars/redhat-9.yml
@@ -18,6 +18,7 @@ openstack_host_required_kernel: 4.18.0
 openstack_host_sysstat_file: /etc/sysconfig/sysstat
 openstack_host_sysstat_cron_file: /etc/cron.d/sysstat
 openstack_host_cron_template: sysstat.cron.redhat.j2
+_openstack_host_initramfs_command: /bin/dracut -f
 openstack_host_sysstat_cron_mode: "0600"
diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml
index 52a3dc18..e2ef28cd 100644
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@@ -18,6 +18,7 @@ openstack_host_required_kernel: 5.4.0-0-generic
 openstack_host_sysstat_file: /etc/default/sysstat
 openstack_host_sysstat_cron_file: /etc/cron.d/sysstat
 openstack_host_cron_template: sysstat.cron.debian.j2
+_openstack_host_initramfs_command: /usr/sbin/update-initramfs -u

 ## Kernel modules loaded on hosts
 openstack_host_kernel_modules: