diff --git a/config/common/errors.go b/config/common/errors.go index 1c6e1a91..fca02358 100644 --- a/config/common/errors.go +++ b/config/common/errors.go @@ -53,8 +53,10 @@ var ( ErrMountUnitNoFormat = errors.New("format is required if with_mount_unit is true") // boot device - ErrUnknownBootDeviceLayout = errors.New("layout must be one of: aarch64, ppc64le, x86_64") + ErrUnknownBootDeviceLayout = errors.New("layout must be one of: aarch64, ppc64le, x86_64, s390x-zfcp, s390x-eckd, s390x-virt") ErrTooFewMirrorDevices = errors.New("mirroring requires at least two devices") + //ErrNoLuksBootDevice = errors.New("device field support layout: s390x-eckd /dev/dasd[a-z] or s390x-zfcp /dev/sd[a-z]") + ErrMirrorNotSupport = errors.New("mirror is not support with luks.device for layout: s390x-zfcp, s390x-eckd") // partition ErrWrongPartitionNumber = errors.New("incorrect partition number; a new partition will be created using reserved label") diff --git a/config/fcos/v1_6_exp/schema.go b/config/fcos/v1_6_exp/schema.go index 140cd31a..c2aa155b 100644 --- a/config/fcos/v1_6_exp/schema.go +++ b/config/fcos/v1_6_exp/schema.go @@ -32,6 +32,7 @@ type BootDevice struct { type BootDeviceLuks struct { Discard *bool `yaml:"discard"` + Device string `yaml:"device"` Tang []base.Tang `yaml:"tang"` Threshold *int `yaml:"threshold"` Tpm2 *bool `yaml:"tpm2"` diff --git a/config/fcos/v1_6_exp/translate.go b/config/fcos/v1_6_exp/translate.go index 5a5d02ca..d6c04166 100644 --- a/config/fcos/v1_6_exp/translate.go +++ b/config/fcos/v1_6_exp/translate.go @@ -17,6 +17,8 @@ package v1_6_exp import ( "fmt" "strings" + "regexp" + "strconv" baseutil "github.com/coreos/butane/base/util" "github.com/coreos/butane/config/common" 
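Review bot: The new sentinel's message reads `mirror is not support with luks.device ...`, and a commented-out `//ErrNoLuksBootDevice` declaration is committed alongside it in the boot device group of errors.go. I would delete the dead line (or make it a real sentinel and use it from validation) and fix the wording to `errors.New("mirror is not supported with luks.device for layout: s390x-zfcp, s390x-eckd")`. If the identifier is also renamed to `ErrMirrorNotSupported`, the use in validate.go has to follow. The `var (` block begins and ends outside the hunk.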
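Review bot: `Device` in `BootDeviceLuks` (schema.go) is a plain `string`, while the optional fields next to it are pointers (`Discard *bool`, `Threshold *int`, `Tpm2 *bool`), so an omitted `device` and an explicit empty one cannot be told apart. If the field is meant to be optional like its neighbours, `Device *string` with the same yaml tag would match them, and translate.go and validate.go would then test for nil instead of `len(...)`. The field names a block device that ends up as the LUKS target, so a one-line comment stating which layouts honour it would help the next reader. The struct continues outside the hunk.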
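Review bot: In the translate.go import hunk, `regexp` and `strconv` are appended after `strings`, which gofmt would reorder to `fmt`, `regexp`, `strconv`, `strings`. `strconv` appears to be needed only for the `strconv.Itoa(2)` calls in the LUKS hunk of this file, where the literal `"2"` does the same job, so the import can probably be dropped. The import block continues outside the hunk.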
@@ -29,6 +31,11 @@ import ( "github.com/coreos/vcontext/report" ) + var ( + dasdRe = regexp.MustCompile("(/dev/dasd[a-z]$)") + sdRe = regexp.MustCompile("(/dev/sd[a-z]$)") + ) + const ( reservedTypeGuid = "8DA63339-0007-60C0-C436-083AC8230908" biosTypeGuid = "21686148-6449-6E6F-744E-656564454649" @@ -109,8 +116,9 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio var r report.Report // check for high-level features - wantLuks := util.IsTrue(c.BootDevice.Luks.Tpm2) || len(c.BootDevice.Luks.Tang) > 0 + wantLuks := util.IsTrue(c.BootDevice.Luks.Tpm2) || len(c.BootDevice.Luks.Tang) > 0 wantMirror := len(c.BootDevice.Mirror.Devices) > 0 + if !wantLuks && !wantMirror { return r } @@ -119,6 +127,8 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio var wantBIOSPart bool var wantEFIPart bool var wantPRePPart bool + var wantMBR bool + var wantDasd bool layout := c.BootDevice.Layout switch { case layout == nil || *layout == "x86_64": @@ -128,6 +138,13 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio wantEFIPart = true case *layout == "ppc64le": wantPRePPart = true + case *layout == "s390x-zfcp": + wantMBR = true + case *layout == "s390x-eckd": + wantDasd = true + case *layout == "s390x-virt": + wantBIOSPart = true + wantEFIPart = true default: // should have failed validation panic("unknown layout") 
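Review bot: Both patterns in the new `var` block are anchored only at the end, so `FindString` returns the trailing `/dev/sdX` or `/dev/dasdX` of any longer value and silently discards the prefix the user wrote; a constructed example is `/mnt/dev/sda`, which would be translated as `/dev/sda`. Anchoring the start makes the match all-or-nothing: `dasdRe = regexp.MustCompile("^/dev/dasd[a-z]$")` and `sdRe = regexp.MustCompile("^/dev/sd[a-z]$")`, after which the capture group is unnecessary. The single-letter class also excludes names such as `/dev/sdaa`; if that restriction is intended, it deserves a comment. The `var (` line seems to carry a stray leading space that gofmt would remove.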
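Review bot: The `s390x-virt` case in the layout switch sets both `wantBIOSPart` and `wantEFIPart`, which looks carried over from another architecture; please confirm that the s390x-virt image really has a BIOS-boot and an EFI system partition, since these flags presumably decide which partitions are created on mirrored disks. As far as this diff shows, `wantMBR` and `wantDasd` are read only when picking the LUKS device, so a mirror-only config with `s390x-zfcp` or `s390x-eckd` would get none of the architecture boot partitions, and validation rejects mirroring only when `luks.device` is set. A short comment on each new case, such as `// zfcp images use an MBR; root is addressed via luks.device`, would record the intent. The switch starts in the previous hunk and continues outside this one.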
@@ -232,12 +249,25 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio rendered.Storage.Filesystems = append(rendered.Storage.Filesystems, bootFilesystem) } - // encrypted root partition + //encrypted root partition if wantLuks { - luksDevice := "/dev/disk/by-partlabel/root" - if wantMirror { + var luksDevice string + dasd := dasdRe.FindString(c.BootDevice.Luks.Device) + sd := sdRe.FindString(c.BootDevice.Luks.Device) + switch { + case wantMBR && len(sd) > 0: + luksDevice = sd + strconv.Itoa(2) + case wantDasd && len(dasd) > 0: + luksDevice = dasd + strconv.Itoa(2) + case wantMirror: luksDevice = "/dev/md/md-root" + default: + luksDevice = "/dev/disk/by-partlabel/root" } + // luksDevice := "/dev/disk/by-partlabel/root" + // if wantMirror { + // luksDevice = "/dev/md/md-root" + // } clevis, ts2, r2 := translateBootDeviceLuks(c.BootDevice.Luks, options) rendered.Storage.Luks = []types.Luks{{ Clevis: clevis, @@ -258,7 +288,6 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio renderedTranslations.AddTranslation(lpath, path.New("json", "storage", "luks")) r.Merge(r2) } - // create root filesystem var rootDevice string switch { @@ -271,6 +300,7 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio default: panic("can't happen") } + rootFilesystem := types.Filesystem{ Device: rootDevice, Format: util.StrToPtr("xfs"), diff --git a/config/fcos/v1_6_exp/translate_test.go b/config/fcos/v1_6_exp/translate_test.go index 625422e5..1434168c 100644 --- a/config/fcos/v1_6_exp/translate_test.go +++ b/config/fcos/v1_6_exp/translate_test.go 
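Review bot: When `luks.device` is set but does not match the pattern for the chosen layout (a by-id path, a typo, or a `dasd` name under `s390x-zfcp`), the new switch falls through to `/dev/md/md-root` or `/dev/disk/by-partlabel/root` without adding anything to the report. The LUKS volume, which the test's expected output shows with `WipeVolume` true, is then created on a device the user did not name. That case should be a validation error rather than a silent default; the commented-out `ErrNoLuksBootDevice` in errors.go and `BootDeviceLuks.Validate` in validate.go look like the abandoned start of such a check. The partition number is hard-coded through `strconv.Itoa(2)`; `luksDevice = sd + "2" // root is partition 2 on this layout — confirm` states the assumption directly. The commented-out previous implementation left below the switch should be deleted, and `processBootDevice` extends outside the hunk.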
@@ -1481,6 +1481,75 @@ func TestTranslateBootDevice(t *testing.T) { }, report.Report{}, }, + // boot_device s390x + { + Config{ + BootDevice: BootDevice{ + Layout: util.StrToPtr("s390x-zfcp"), + Luks: BootDeviceLuks{ + Device: "/dev/sda", + Tang: []base.Tang{{ + URL: "https://example.com/", + Thumbprint: util.StrToPtr("z"), + Advertisement: util.StrToPtr("{\"payload\": \"xyzzy\"}"), + }}, + }, + }, + }, + types.Config{ + Ignition: types.Ignition{ + Version: "3.5.0-experimental", + }, + Storage: types.Storage{ + Luks: []types.Luks{ + { + Clevis: types.Clevis{ + Tang: []types.Tang{{ + URL: "https://example.com/", + Thumbprint: util.StrToPtr("z"), + Advertisement: util.StrToPtr("{\"payload\": \"xyzzy\"}"), + }}, + }, + Device: util.StrToPtr("/dev/sda2"), + Label: util.StrToPtr("luks-root"), + Name: "root", + WipeVolume: util.BoolToPtr(true), + }, + }, + Filesystems: []types.Filesystem{ + { + Device: "/dev/mapper/root", + Format: util.StrToPtr("xfs"), + Label: util.StrToPtr("root"), + WipeFilesystem: util.BoolToPtr(true), + }, + }, + }, + }, + []translate.Translation{ + {From: path.New("yaml", "version"), To: path.New("json", "ignition", "version")}, + {From: path.New("yaml", "boot_device", "luks", "tang", 0, "url"), To: path.New("json", "storage", "luks", 0, "clevis", "tang", 0, "url")}, + {From: path.New("yaml", "boot_device", "luks", "tang", 0, "thumbprint"), To: path.New("json", "storage", "luks", 0, "clevis", "tang", 0, "thumbprint")}, + {From: path.New("yaml", "boot_device", "luks", "tang", 0, "advertisement"), To: path.New("json", "storage", "luks", 0, "clevis", "tang", 0, "advertisement")}, + {From: path.New("yaml", "boot_device", "luks", "tang", 0), To: path.New("json", "storage", "luks", 0, "clevis", "tang", 0)}, + {From: path.New("yaml", "boot_device", "luks", "tang"), To: path.New("json", "storage", "luks", 0, "clevis", "tang")}, + {From: path.New("yaml", "boot_device", "luks"), To: path.New("json", "storage", "luks", 0, "clevis")}, + {From: 
path.New("yaml", "boot_device", "luks"), To: path.New("json", "storage", "luks", 0, "device")}, + {From: path.New("yaml", "boot_device", "luks"), To: path.New("json", "storage", "luks", 0, "label")}, + {From: path.New("yaml", "boot_device", "luks"), To: path.New("json", "storage", "luks", 0, "name")}, + {From: path.New("yaml", "boot_device", "luks"), To: path.New("json", "storage", "luks", 0, "wipeVolume")}, + {From: path.New("yaml", "boot_device", "luks"), To: path.New("json", "storage", "luks", 0)}, + {From: path.New("yaml", "boot_device", "luks"), To: path.New("json", "storage", "luks")}, + {From: path.New("yaml", "boot_device"), To: path.New("json", "storage", "filesystems", 0, "device")}, + {From: path.New("yaml", "boot_device"), To: path.New("json", "storage", "filesystems", 0, "format")}, + {From: path.New("yaml", "boot_device"), To: path.New("json", "storage", "filesystems", 0, "label")}, + {From: path.New("yaml", "boot_device"), To: path.New("json", "storage", "filesystems", 0, "wipeFilesystem")}, + {From: path.New("yaml", "boot_device"), To: path.New("json", "storage", "filesystems", 0)}, + {From: path.New("yaml", "boot_device"), To: path.New("json", "storage", "filesystems")}, + {From: path.New("yaml", "boot_device"), To: path.New("json", "storage")}, + }, + report.Report{}, + }, } // The partition sizes of existing layouts must never change, but diff --git a/config/fcos/v1_6_exp/validate.go b/config/fcos/v1_6_exp/validate.go index b37585c4..dc7bd0e5 100644 --- a/config/fcos/v1_6_exp/validate.go +++ b/config/fcos/v1_6_exp/validate.go 
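Review bot: The only table entry added to `TestTranslateBootDevice` covers `s390x-zfcp` with a well-formed `/dev/sda`. Nothing exercises `s390x-eckd`, `s390x-virt`, a `device` value that does not match the pattern, or the new mirror-plus-device validation error. Because a non-matching `device` currently falls back to a default LUKS target without a report entry, a case pinning that path (or the validation error that should replace it) is the one I would add first, followed by an `s390x-eckd` case expecting `/dev/dasda2`. The test table starts outside the hunk.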
@@ -25,15 +25,25 @@ import ( func (d BootDevice) Validate(c path.ContextPath) (r report.Report) { if d.Layout != nil { switch *d.Layout { - case "aarch64", "ppc64le", "x86_64": + case "aarch64", "ppc64le", "x86_64", "s390x-virt", "s390x-zfcp", "s390x-eckd": default: r.AddOnError(c.Append("layout"), common.ErrUnknownBootDeviceLayout) } } + if len(d.Luks.Device) != 0 && len(d.Mirror.Devices) != 0 { + r.AddOnError(c.Append("mirror"), common.ErrMirrorNotSupport) + } r.Merge(d.Mirror.Validate(c.Append("mirror"))) return } +// func (l BootDeviceLuks) Validate(c path.ContextPath) (r report.Report) { +// if len(l.Device) == 0 { +// r.AddOnWarn(c.Append("device"), common.ErrNoLuksBootDevice) +// } +// return +// } + func (m BootDeviceMirror) Validate(c path.ContextPath) (r report.Report) { if len(m.Devices) == 1 { r.AddOnError(c.Append("devices"), common.ErrTooFewMirrorDevices) diff --git a/docs/config-fcos-v1_3.md b/docs/config-fcos-v1_3.md index adcebd78..af961f74 100644 --- a/docs/config-fcos-v1_3.md +++ b/docs/config-fcos-v1_3.md 
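Review bot: The new conflict check in `BootDevice.Validate` fires for every layout, although `ErrMirrorNotSupport` names only s390x-zfcp and s390x-eckd, and nothing here ties `Luks.Device` to the layout at all. A `device` given with `x86_64`, or given without `tang`/`tpm2` (translate.go's `wantLuks` looks only at those two), passes validation and is then ignored. I would gate the check on the two s390x disk layouts and add a report entry on `c.Append("luks", "device")` when the field is set for any other layout or does not have the expected `/dev/sdX` or `/dev/dasdX` form. The commented-out `BootDeviceLuks.Validate` block should either become that check or be removed.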
@@ -198,7 +198,7 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s * **_should_exist_** (boolean): whether or not the group with the specified `name` should exist. If omitted, it defaults to true. If false, then Ignition will delete the specified group. * **_system_** (boolean): whether or not the group should be a system group. This only has an effect if the group doesn't exist yet. * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified. - * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`. + * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`. * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem. * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`. * **url** (string): url of the tang server. diff --git a/docs/config-fcos-v1_4.md b/docs/config-fcos-v1_4.md index 3ff2f840..78326511 100644 --- a/docs/config-fcos-v1_4.md +++ b/docs/config-fcos-v1_4.md 
@@ -201,7 +201,7 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s * **_should_exist_** (list of strings): the list of kernel arguments that should exist. * **_should_not_exist_** (list of strings): the list of kernel arguments that should not exist. * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified. - * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`. + * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`. * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem. * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`. * **url** (string): url of the tang server. diff --git a/docs/config-fcos-v1_5.md b/docs/config-fcos-v1_5.md index 5148a48e..641196ef 100644 --- a/docs/config-fcos-v1_5.md +++ b/docs/config-fcos-v1_5.md 
@@ -207,7 +207,7 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s * **_should_exist_** (list of strings): the list of kernel arguments that should exist. * **_should_not_exist_** (list of strings): the list of kernel arguments that should not exist. * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified. - * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`. + * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`. * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem. * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`. * **url** (string): url of the tang server. diff --git a/docs/config-fcos-v1_6-exp.md b/docs/config-fcos-v1_6-exp.md index 3374ee72..29d2c782 100644 --- a/docs/config-fcos-v1_6-exp.md +++ b/docs/config-fcos-v1_6-exp.md 
@@ -209,13 +209,14 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s * **_should_exist_** (list of strings): the list of kernel arguments that should exist. * **_should_not_exist_** (list of strings): the list of kernel arguments that should not exist. * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified. - * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`. + * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`. * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem. * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`. * **url** (string): url of the tang server. * **thumbprint** (string): thumbprint of a trusted signing key. * **_advertisement_** (string): the advertisement JSON. If not specified, the advertisement is fetched from the tang server during provisioning. * **_tpm2_** (boolean): whether or not to use a tpm2 device. + * **device** (string): Specifically for s390x `eckd` and `zfcp` disk without `mirror`. * **_threshold_** (integer): sets the minimum number of pieces required to decrypt the device. Default is 1. * **_discard_** (boolean): whether to issue discard commands to the underlying block device when blocks are freed. Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false. * **_mirror_** (object): describes mirroring of the boot disk for fault tolerance. diff --git a/docs/config-openshift-v4_10.md b/docs/config-openshift-v4_10.md index 1324c583..9a38f6ef 100644 
--- a/docs/config-openshift-v4_10.md +++ b/docs/config-openshift-v4_10.md @@ -149,7 +149,7 @@ The OpenShift configuration is a YAML document conforming to the following speci * **name** (string): the username for the account. Must be `core`. * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique. * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified. - * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`. + * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`. * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem. * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`. * **url** (string): url of the tang server. diff --git a/docs/config-openshift-v4_11.md b/docs/config-openshift-v4_11.md index 6c190d89..62dd5cba 100644 --- a/docs/config-openshift-v4_11.md +++ b/docs/config-openshift-v4_11.md 
@@ -149,7 +149,7 @@ The OpenShift configuration is a YAML document conforming to the following speci * **name** (string): the username for the account. Must be `core`. * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique. * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified. - * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`. + * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`. * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem. * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`. * **url** (string): url of the tang server. diff --git a/docs/config-openshift-v4_12.md b/docs/config-openshift-v4_12.md index a7e324a1..8c923d14 100644 --- a/docs/config-openshift-v4_12.md +++ b/docs/config-openshift-v4_12.md 
@@ -149,7 +149,7 @@ The OpenShift configuration is a YAML document conforming to the following speci * **name** (string): the username for the account. Must be `core`. * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique. * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified. - * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`. + * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`. * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem. * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`. * **url** (string): url of the tang server. diff --git a/docs/config-openshift-v4_13.md b/docs/config-openshift-v4_13.md index 3a0bb133..34c755dd 100644 --- a/docs/config-openshift-v4_13.md +++ b/docs/config-openshift-v4_13.md 
@@ -150,7 +150,7 @@ The OpenShift configuration is a YAML document conforming to the following speci * **_password_hash_** (string): the hashed password for the account. * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added as an SSH key fragment at `.ssh/authorized_keys.d/ignition` in the user's home directory. All SSH keys must be unique. * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified. - * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`. + * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`. * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem. * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`. * **url** (string): url of the tang server. diff --git a/docs/config-openshift-v4_14-exp.md b/docs/config-openshift-v4_14-exp.md index d0309ccc..a00968e1 100644 --- a/docs/config-openshift-v4_14-exp.md +++ b/docs/config-openshift-v4_14-exp.md 
@@ -158,13 +158,14 @@ The OpenShift configuration is a YAML document conforming to the following speci * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added as an SSH key fragment at `.ssh/authorized_keys.d/ignition` in the user's home directory. All SSH keys must be unique. * **_ssh_authorized_keys_local_** (list of strings): a list of local paths to SSH key files, relative to the directory specified by the `--files-dir` command-line argument, to be added as SSH key fragments at `.ssh/authorized_keys.d/ignition` in the user's home directory. All SSH keys must be unique. Each file may contain multiple SSH keys, one per line. * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified. - * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`. + * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`. * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem. * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`. * **url** (string): url of the tang server. * **thumbprint** (string): thumbprint of a trusted signing key. * **_advertisement_** (string): the advertisement JSON. If not specified, the advertisement is fetched from the tang server during provisioning. * **_tpm2_** (boolean): whether or not to use a tpm2 device. + * **device** (string): Specifically for s390x `eckd` and `zfcp` disk without `mirror`. * **_threshold_** (integer): sets the minimum number of pieces required to decrypt the device. Default is 1. * **_discard_** (boolean): whether to issue discard commands to the underlying block device when blocks are freed. 
Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false. * **_mirror_** (object): describes mirroring of the boot disk for fault tolerance. diff --git a/docs/config-openshift-v4_8.md b/docs/config-openshift-v4_8.md index 40599839..416618e5 100644 --- a/docs/config-openshift-v4_8.md +++ b/docs/config-openshift-v4_8.md @@ -148,7 +148,7 @@ The OpenShift configuration is a YAML document conforming to the following speci * **name** (string): the username for the account. Must be `core`. * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique. * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified. - * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`. + * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`. * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem. * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`. * **url** (string): url of the tang server. diff --git a/docs/config-openshift-v4_9.md b/docs/config-openshift-v4_9.md index 6655b500..b5714c9e 100644 --- a/docs/config-openshift-v4_9.md +++ b/docs/config-openshift-v4_9.md 
@@ -148,7 +148,7 @@ The OpenShift configuration is a YAML document conforming to the following speci * **name** (string): the username for the account. Must be `core`. * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique. * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified. - * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`. + * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`. * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem. * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`. * **url** (string): url of the tang server. diff --git a/docs/examples.md b/docs/examples.md index 6fb1c3e4..b03d47b9 100644 --- a/docs/examples.md +++ b/docs/examples.md 
@@ -281,6 +281,42 @@ boot_device: thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT ``` +This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem unlocked with a combination of a network Tang server in S390x. + + +```yaml +variant: fcos +version: 1.3.0 +boot_device: + layout: s390x-eckd + luks: + device: /dev/dasda + tang: + - url: https://tang.example.com + thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT +``` +```yaml +variant: fcos +version: 1.3.0 +boot_device: + layout: s390x-zfcp + luks: + device: /dev/sdb + tang: + - url: https://tang.example.com + thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT +``` +```yaml +variant: fcos +version: 1.3.0 +boot_device: + layout: s390x-virt + luks: + tang: + - url: https://tang.example.com + thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT +``` + This example combines `boot_device` with a manually-specified filesystem `format` to create an encrypted root filesystem formatted with `ext4` instead of the default `xfs`. diff --git a/internal/doc/butane.yaml b/internal/doc/butane.yaml index 38422a0b..ad643984 100644 --- a/internal/doc/butane.yaml +++ b/internal/doc/butane.yaml @@ -395,7 +395,7 @@ root: desc: describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified. children: - name: layout - desc: the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`. + desc: the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`. - name: luks desc: describes the clevis configuration for encrypting the root filesystem. children: 
@@ -403,6 +403,8 @@ root: use: tang - name: tpm2 desc: whether or not to use a tpm2 device. + - name: device + desc: Specifically for s390x `eckd` and `zfcp` disk without `mirror`. - name: threshold desc: sets the minimum number of pieces required to decrypt the device. Default is 1. - name: discard