modules/ibm-z-cex: Use Butane's boot_device layouts
Use Butane's boot_device layouts to set up the LUKS encryption with CEX
to properly account for all cases (zVM, LPAR, KVM and DASD or FCP disks).
Remove the NVMe case as it is currently not tested and we don't have
Butane sugar for it.
Do not use the sugar for the zFCP case as there is currently an issue
with multipath support with it.
Also comment AsciiDoc callouts in yaml.
See: https://coreos.github.io/butane/upgrading-openshift/#luks-cex-support
See: https://coreos.github.io/butane/upgrading-openshift/#boot_device-layouts-s390x-support
---
modules/ibm-z-nbde & ibm-z-cex: Do not set luks options
This is already set by Butane when translating the Butane config to a
Machine Config.
Also remove the `--pbkdf pbkdf2` as it is the default in RHEL and
cryptsetup will refuse to create a LUKS device with another PBKDF
function in FIPS mode.
See: coreos/rhel-coreos-config#10
Fixes: c8241d6 add NBDE encryption for IBM Z
modules/ibm-z-configure-hw-based-cex-encryption.adoc
78 additions & 56 deletions
@@ -39,9 +39,9 @@ Enabling hardware-based Linux Unified Key Setup (LUKS) encryption via {ibm-name}
39
39
40
40
.Procedure
41
41
42
-
. Create Butane configuration files for the control plane and compute nodes.
43
-
+
44
-
The following example of a Butane configuration for a control plane node creates a file named `main-storage.bu`for disk encryption:
42
+
ifdef::ibm-z-kvm[]
43
+
. Create Butane configuration files for the control plane and compute nodes:
44
+
** Create a file named `main-storage.bu` by using the following Butane configuration for a control plane node with disk encryption, for example:
45
45
+
46
46
[source,yaml,subs="attributes+"]
47
47
----
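Review bot: the KVM branch (added lines 43-44) turns a single step into a one-item `**` sub-list, which renders as a lone bullet nested under the numbered step; since the KVM case has only one configuration, keep the sentence as the plain step text (`. Create a file named ... for a control plane node with disk encryption, for example:`) and use `**` only where there are real alternatives. The removed line 44 also had a missing space in `` `main-storage.bu`for ``, which this rewrite fixes as a side effect.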
@@ -51,91 +51,113 @@ metadata:
51
51
name: main-storage
52
52
labels:
53
53
machineconfiguration.openshift.io/role: master
54
-
storage:
54
+
boot_device:
55
+
layout: s390x-virt
55
56
luks:
56
-
- cex:
57
-
enabled: true
58
-
options: <1>
59
-
- --pbkdf
60
-
- pbkdf2
61
-
ifndef::ibm-z-kvm[]
62
-
device: /dev/disk/by-partlabel/root <2>
63
-
endif::ibm-z-kvm[]
64
-
ifdef::ibm-z-kvm[]
65
-
device: /dev/disk/by-partlabel/root
57
+
cex:
58
+
enabled: true
59
+
openshift:
60
+
fips: true # <1>
61
+
kernel_arguments:
62
+
- rd.luks.key=/etc/luks/cex.key # <2>
63
+
----
64
+
<1> Specifies whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
65
+
<2> Specifies the location of the key that is required to decrypt the device. You can not change this value.
66
66
endif::ibm-z-kvm[]
67
-
label: luks-root
68
-
name: root
69
-
wipe_volume: true
67
+
ifndef::ibm-z-kvm[]
68
+
. Choose the appropriate method to create Butane configuration files for the control plane and compute nodes:
69
+
** For installations on DASD-type disks, create a file named `main-storage.bu` by using the following Butane configuration for a control plane node with disk encryption, for example:
70
+
+
71
+
[source,yaml,subs="attributes+"]
72
+
----
73
+
variant: openshift
74
+
version: {product-version}.0
75
+
metadata:
76
+
name: main-storage
77
+
labels:
78
+
machineconfiguration.openshift.io/role: master
79
+
boot_device:
80
+
layout: s390x-eckd
81
+
luks:
82
+
device: /dev/dasda
83
+
cex:
84
+
enabled: true
85
+
openshift:
86
+
fips: true # <1>
87
+
kernel_arguments:
88
+
- rd.luks.key=/etc/luks/cex.key # <2>
89
+
----
90
+
<1> Specifies whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
91
+
<2> Specifies the location of the key that is required to decrypt the device. You can not change this value.
92
+
+
93
+
** For installations on FCP-type disks, create a file named `main-storage.bu` by using the following Butane configuration for a control plane node with disk encryption, for example:
94
+
+
95
+
[source,yaml,subs="attributes+"]
96
+
----
97
+
variant: openshift
98
+
version: {product-version}.0
99
+
metadata:
100
+
name: main-storage
101
+
labels:
102
+
machineconfiguration.openshift.io/role: master
103
+
storage:
70
104
filesystems:
71
105
- device: /dev/mapper/root
72
106
format: xfs
73
107
label: root
74
108
wipe_filesystem: true
109
+
luks:
110
+
- device: /dev/disk/by-label/root
111
+
label: luks-root
112
+
name: root
113
+
wipe_volume: true
114
+
cex:
115
+
enabled: true
75
116
openshift:
76
-
ifndef::ibm-z-kvm[]
77
-
fips: true <3>
78
-
kernel_arguments: <4>
79
-
endif::ibm-z-kvm[]
80
-
ifdef::ibm-z-kvm[]
81
-
fips: true <2>
82
-
kernel_arguments: <3>
83
-
endif::ibm-z-kvm[]
84
-
- rd.luks.key=/etc/luks/cex.key
117
+
fips: true # <1>
118
+
kernel_arguments:
119
+
- rd.luks.key=/etc/luks/cex.key # <2>
85
120
----
86
-
<1> The `pbkdf` option is only required if FIPS mode is enabled. Omit the entry if FIPS is disabled.
87
-
ifndef::ibm-z-kvm[]
88
-
<2> For installations on DASD-type disks, replace with `device: /dev/disk/by-label/root`.
89
-
<3> Specifies whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
90
-
<4> Specifies the location of the pass key that is required to decrypt the device.
91
-
endif::ibm-z-kvm[]
92
-
ifdef::ibm-z-kvm[]
93
-
<2> Specifies whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
94
-
<3> Specifies the location of the pass key that is required to decrypt the device.
121
+
<1> Specifies whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
122
+
<2> Specifies the location of the key that is required to decrypt the device. You can not change this value.
95
123
endif::ibm-z-kvm[]
96
124
97
125
. Create a parameter file that includes `ignition.platform.id=metal` and `ignition.firstboot`.
98
126
+
99
127
.Example kernel parameter file for the control plane machine
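Review bot: the FCP example (added lines 109-110) changes the LUKS `device` from `/dev/disk/by-partlabel/root` to `/dev/disk/by-label/root`, the path that the removed callout <2> (old line 88) reserved for DASD installations, and nothing in the commit message explains the switch; please confirm this is the intended device for the FCP case. Related: the commit message says the `boot_device` sugar is deliberately skipped for zFCP because of a multipath issue, but the document gives readers no hint why the FCP example is written with explicit `storage.filesystems`/`storage.luks` while the DASD and KVM examples use `boot_device`; a one-line note before the FCP example would prevent readers from "fixing" it. Minor: in each copy of callout <2>, `You can not change this value` should read `You cannot change this value`, and since the <1>/<2> callout paragraphs are identical at added lines 64-65, 90-91 and 121-122, consider defining them once and reusing them.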
<1> Specifies a unique fully qualified path depending on disk type. This can be DASD-type or FCP-type disks.
116
-
endif::ibm-z[]
117
-
ifdef::ibm-z-lpar[]
118
-
<1> Specifies a unique fully qualified path depending on disk type. This can be DASD-type, FCP-type, or NVMe-type disks.
119
-
endif::ibm-z-lpar[]
120
-
<2> Specifies the location of the Ignition config file. Use `master.ign` or `worker.ign`. Only HTTP and HTTPS protocols are supported.
121
-
<3> Specifies the location of the `rootfs` artifact for the `kernel` and `initramfs` you are booting. Only HTTP and HTTPS protocols are supported.
122
-
<4> Specifies the root device. For installations on DASD-type disks, replace with `rd.dasd=0.0.xxxx` to specify the DASD device.
141
+
<1> Specifies the location of the Ignition configuration file. Use `master.ign` or `worker.ign`. You can only use the HTTP and HTTPS protocols.
142
+
<2> Specifies the location of the `rootfs` artifact for the `kernel` and `initramfs` that you want to boot. You can only use the HTTP and HTTPS protocols.
<1> Specifies the location of the Ignition config file. Use `master.ign` or `worker.ign`. Only HTTP and HTTPS protocols are supported.
137
-
<2> Specifies the location of the `rootfs` artifact for the `kernel` and `initramfs` you are booting. Only HTTP and HTTPS protocols are supported.
138
-
157
+
<1> Specifies a unique fully qualified path depending on disk type. This can be DASD-type or FCP-type disks.
158
+
<2> Specifies the location of the Ignition configuration file. Use `master.ign` or `worker.ign`. You can only use the HTTP and HTTPS protocols.
159
+
<3> Specifies the location of the `rootfs` artifact for the `kernel` and `initramfs` that you want to boot. You can only use the HTTP and HTTPS protocols.
160
+
<4> Specifies the root device. For installations on DASD-type disks, replace with `rd.dasd=0.0.xxxx` to specify the DASD device.
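Review bot: these hunks contain only callout lists, while the parameter-file examples they annotate lie outside the shown context; with the NVMe variant and its `ifdef::ibm-z-lpar[]` block removed (old lines 116-119) and the callouts renumbered (added lines 141-142 and 157-160), please double-check that every `<n>` marker in the corresponding example blocks still has a matching callout entry and that the two-callout list at 141-142 belongs to an example that really has only two markers. The rewording to `You can only use the HTTP and HTTPS protocols` is fine, but keep the sentence identical wherever it is repeated (141-142 and 158-159 currently match; the older wording survives nowhere else in this file only if the other examples were updated too).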
modules/ibm-z-configure-nbde-with-static-ip.adoc
6 additions & 11 deletions
@@ -58,11 +58,8 @@ storage:
58
58
tang:
59
59
- thumbprint: QcPr_NHFJammnRCA3fFMVdNBwjs
60
60
url: http://clevis.example.com:7500
61
-
options: <1>
62
-
- --cipher
63
-
- aes-cbc-essiv:sha256
64
61
ifndef::ibm-z-kvm[]
65
-
device: /dev/disk/by-partlabel/root <2>
62
+
device: /dev/disk/by-partlabel/root # <1>
66
63
endif::ibm-z-kvm[]
67
64
ifdef::ibm-z-kvm[]
68
65
device: /dev/disk/by-partlabel/root
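Review bot: dropping `options: --cipher aes-cbc-essiv:sha256` (old lines 61-63) is justified by the commit message (Butane sets the LUKS options when translating to a MachineConfig), but the document itself no longer tells the reader that this is handled automatically, so people upgrading from the previous text may keep adding the option by hand. Suggest one sentence near the example stating that no `options` entry is needed because Butane applies the FIPS-compatible cipher and PBKDF settings itself. The renumbered callout at added line 62 (`# <1>`) is consistent with the new callout list in the next hunk.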
@@ -77,20 +74,18 @@ endif::ibm-z-kvm[]
77
74
wipe_filesystem: true
78
75
openshift:
79
76
ifndef::ibm-z-kvm[]
80
-
fips: true <3>
77
+
fips: true # <2>
81
78
endif::ibm-z-kvm[]
82
79
ifdef::ibm-z-kvm[]
83
-
fips: true <2>
80
+
fips: true # <1>
84
81
endif::ibm-z-kvm[]
85
82
----
86
83
ifdef::ibm-z-kvm[]
87
-
<1> The cipher option is only required if FIPS mode is enabled. Omit the entry if FIPS is disabled.
88
-
<2> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
84
+
<1> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
89
85
endif::ibm-z-kvm[]
90
86
ifndef::ibm-z-kvm[]
91
-
<1> The cipher option is only required if FIPS mode is enabled. Omit the entry if FIPS is disabled.
92
-
<2> For installations on DASD-type disks, replace with `device: /dev/disk/by-label/root`.
93
-
<3> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
87
+
<1> For installations on DASD-type disks, replace with `device: /dev/disk/by-label/root`.
88
+
<2> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
94
89
endif::ibm-z-kvm[]
95
90
96
91
. Create a customized initramfs file to boot the machine, by running the following command:
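Review bot: the callout numbers line up with the markers in the example (non-KVM: `device ... # <1>`, `fips: true # <2>`; KVM: `fips: true # <1>`), but the FIPS explanation is now duplicated verbatim in both conditional branches (added lines 84 and 88) and phrased as `Whether to enable or disable FIPS mode`, whereas the cex module changed in the same commit uses `Specifies whether to enable or disable FIPS mode`; pick one wording for both modules. Since the only difference between the branches is the callout number, consider keeping the shared sentence outside the conditional and conditionalizing just the `<1>`/`<2>` prefix, or defining the text once as an attribute.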