Extra functionality has been removed from previous commit and accomod…

…ate the layout feature to existing encrypted root partition function. Updated the Documentation updated email address
madhu-pillai · Aug 4, 2023 · a054be9 · a054be9
1 parent 7065052
commit a054be9
Show file tree

Hide file tree

Showing 15 changed files with 65 additions and 55 deletions.
diff --git a/config/fcos/v1_6_exp/schema.go b/config/fcos/v1_6_exp/schema.go
@@ -32,7 +32,7 @@ type BootDevice struct {
 
 type BootDeviceLuks struct {
 	Discard   *bool       `yaml:"discard"`
-	Device    string     `yaml:"device"`
+	Device    string      `yaml:"device"`
 	Tang      []base.Tang `yaml:"tang"`
 	Threshold *int        `yaml:"threshold"`
 	Tpm2      *bool       `yaml:"tpm2"`

diff --git a/config/fcos/v1_6_exp/translate.go b/config/fcos/v1_6_exp/translate.go
@@ -117,17 +117,12 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 
 	// check for high-level features
 	wantLuks := util.IsTrue(c.BootDevice.Luks.Tpm2) || len(c.BootDevice.Luks.Tang) > 0 
-	wantLuksDevice := len(c.BootDevice.Luks.Device) > 0 
 	wantMirror := len(c.BootDevice.Mirror.Devices) > 0
 
 	if !wantLuks && !wantMirror {
 		return r
 	}
 
-	if wantLuksDevice && wantLuks {
-		panic("can't happen")	
-	}
-
 	// compute layout rendering options
 	var wantBIOSPart bool
 	var wantEFIPart bool
@@ -143,11 +138,11 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 		wantEFIPart = true
 	case *layout == "ppc64le":
 		wantPRePPart = true
-	case *layout == "s390x-zfcp" && wantLuksDevice:
+	case *layout == "s390x-zfcp" && !wantMirror:
 		wantMBR = true
-	case *layout == "s390x-eckd" && wantLuksDevice:
+	case *layout == "s390x-eckd" && !wantMirror:
 		wantDasd = true
-	case *layout == "s390x-virt" && !wantLuksDevice:
+	case *layout == "s390x-virt":
 		wantBIOSPart = true
 		wantEFIPart = true
 	default:
@@ -254,35 +249,8 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 		rendered.Storage.Filesystems = append(rendered.Storage.Filesystems, bootFilesystem)
 	}
 
-	// encrypted root partition
+	//encrypted root partition
 	if wantLuks {
-		luksDevice := "/dev/disk/by-partlabel/root"
-		if wantMirror {
-			luksDevice = "/dev/md/md-root"
-		}
-		clevis, ts2, r2 := translateBootDeviceLuks(c.BootDevice.Luks, options)
-		rendered.Storage.Luks = []types.Luks{{
-			Clevis:     clevis,
-			Device:     &luksDevice,
-			Discard:    c.BootDevice.Luks.Discard,
-			Label:      util.StrToPtr("luks-root"),
-			Name:       "root",
-			WipeVolume: util.BoolToPtr(true),
-		}}
-		lpath := path.New("yaml", "boot_device", "luks")
-		rpath := path.New("json", "storage", "luks", 0)
-		renderedTranslations.Merge(ts2.PrefixPaths(lpath, rpath.Append("clevis")))
-		renderedTranslations.AddTranslation(lpath.Append("discard"), rpath.Append("discard"))
-		for _, f := range []string{"device", "label", "name", "wipeVolume"} {
-			renderedTranslations.AddTranslation(lpath, rpath.Append(f))
-		}
-		renderedTranslations.AddTranslation(lpath, rpath)
-		renderedTranslations.AddTranslation(lpath, path.New("json", "storage", "luks"))
-		r.Merge(r2)
-	}
-
-	//encrypted root partition for s390x
-	if wantMBR || wantDasd {
 		var luksDevice string
 		dasd := dasdRe.FindString(c.BootDevice.Luks.Device)
 		sd := sdRe.FindString(c.BootDevice.Luks.Device)
@@ -292,9 +260,15 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 			luksDevice = sd + strconv.Itoa(2)
 		case wantDasd && len(dasd) != 0:
 			luksDevice = dasd + strconv.Itoa(2)
+		case wantMirror:
+			luksDevice = "/dev/md/md-root"
 		default:
-			panic("Incorrect Device Parameter")
+			luksDevice = "/dev/disk/by-partlabel/root"
 		}
+		// luksDevice := "/dev/disk/by-partlabel/root"
+		// if wantMirror {
+		// 	luksDevice = "/dev/md/md-root"
+		// }
 		clevis, ts2, r2 := translateBootDeviceLuks(c.BootDevice.Luks, options)
 		rendered.Storage.Luks = []types.Luks{{
 			Clevis:     clevis,
@@ -314,9 +288,8 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 		renderedTranslations.AddTranslation(lpath, rpath)
 		renderedTranslations.AddTranslation(lpath, path.New("json", "storage", "luks"))
 		r.Merge(r2)
-
 	}
-
+    
 	// create root filesystem
 	var rootDevice string
 	switch {
@@ -326,9 +299,6 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 	case wantMirror:
 		// RAID without LUKS
 		rootDevice = "/dev/md/md-root"
-	case wantLuksDevice:
-		//Only Luks for s390x
-		rootDevice = "/dev/mapper/root"
 	default:
 		panic("can't happen")
 	}	

diff --git a/docs/config-fcos-v1_3.md b/docs/config-fcos-v1_3.md
@@ -198,7 +198,7 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
     * **_should_exist_** (boolean): whether or not the group with the specified `name` should exist. If omitted, it defaults to true. If false, then Ignition will delete the specified group.
     * **_system_** (boolean): whether or not the group should be a system group. This only has an effect if the group doesn't exist yet.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
-  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
   * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
     * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
       * **url** (string): url of the tang server.

diff --git a/docs/config-fcos-v1_4.md b/docs/config-fcos-v1_4.md
@@ -201,7 +201,7 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
   * **_should_exist_** (list of strings): the list of kernel arguments that should exist.
   * **_should_not_exist_** (list of strings): the list of kernel arguments that should not exist.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
-  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
   * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
     * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
       * **url** (string): url of the tang server.

diff --git a/docs/config-fcos-v1_5.md b/docs/config-fcos-v1_5.md
@@ -207,7 +207,7 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
   * **_should_exist_** (list of strings): the list of kernel arguments that should exist.
   * **_should_not_exist_** (list of strings): the list of kernel arguments that should not exist.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
-  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
   * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
     * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
       * **url** (string): url of the tang server.

diff --git a/docs/config-fcos-v1_6-exp.md b/docs/config-fcos-v1_6-exp.md
@@ -209,13 +209,14 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
   * **_should_exist_** (list of strings): the list of kernel arguments that should exist.
   * **_should_not_exist_** (list of strings): the list of kernel arguments that should not exist.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
-  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
   * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
     * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
       * **url** (string): url of the tang server.
       * **thumbprint** (string): thumbprint of a trusted signing key.
       * **_advertisement_** (string): the advertisement JSON. If not specified, the advertisement is fetched from the tang server during provisioning.
     * **_tpm2_** (boolean): whether or not to use a tpm2 device.
+    * **device** (string): Specifically for s390x `eckd` and `zfcp` disk without `mirror`.
     * **_threshold_** (integer): sets the minimum number of pieces required to decrypt the device. Default is 1.
     * **_discard_** (boolean): whether to issue discard commands to the underlying block device when blocks are freed. Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false.
   * **_mirror_** (object): describes mirroring of the boot disk for fault tolerance.

diff --git a/docs/config-openshift-v4_10.md b/docs/config-openshift-v4_10.md
@@ -149,7 +149,7 @@ The OpenShift configuration is a YAML document conforming to the following speci
     * **name** (string): the username for the account. Must be `core`.
     * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
-  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
   * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
     * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
       * **url** (string): url of the tang server.

diff --git a/docs/config-openshift-v4_11.md b/docs/config-openshift-v4_11.md
@@ -149,7 +149,7 @@ The OpenShift configuration is a YAML document conforming to the following speci
     * **name** (string): the username for the account. Must be `core`.
     * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
-  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
   * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
     * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
       * **url** (string): url of the tang server.

diff --git a/docs/config-openshift-v4_12.md b/docs/config-openshift-v4_12.md
@@ -149,7 +149,7 @@ The OpenShift configuration is a YAML document conforming to the following speci
     * **name** (string): the username for the account. Must be `core`.
     * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
-  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
   * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
     * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
       * **url** (string): url of the tang server.

diff --git a/docs/config-openshift-v4_13.md b/docs/config-openshift-v4_13.md
@@ -150,7 +150,7 @@ The OpenShift configuration is a YAML document conforming to the following speci
     * **_password_hash_** (string): the hashed password for the account.
     * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added as an SSH key fragment at `.ssh/authorized_keys.d/ignition` in the user's home directory. All SSH keys must be unique.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
-  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
   * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
     * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
       * **url** (string): url of the tang server.

diff --git a/docs/config-openshift-v4_14-exp.md b/docs/config-openshift-v4_14-exp.md
@@ -158,13 +158,14 @@ The OpenShift configuration is a YAML document conforming to the following speci
     * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added as an SSH key fragment at `.ssh/authorized_keys.d/ignition` in the user's home directory. All SSH keys must be unique.
     * **_ssh_authorized_keys_local_** (list of strings): a list of local paths to SSH key files, relative to the directory specified by the `--files-dir` command-line argument, to be added as SSH key fragments at `.ssh/authorized_keys.d/ignition` in the user's home directory. All SSH keys must be unique. Each file may contain multiple SSH keys, one per line.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
-  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
   * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
     * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
       * **url** (string): url of the tang server.
       * **thumbprint** (string): thumbprint of a trusted signing key.
       * **_advertisement_** (string): the advertisement JSON. If not specified, the advertisement is fetched from the tang server during provisioning.
     * **_tpm2_** (boolean): whether or not to use a tpm2 device.
+    * **device** (string): Specifically for s390x `eckd` and `zfcp` disk without `mirror`.
     * **_threshold_** (integer): sets the minimum number of pieces required to decrypt the device. Default is 1.
     * **_discard_** (boolean): whether to issue discard commands to the underlying block device when blocks are freed. Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false.
   * **_mirror_** (object): describes mirroring of the boot disk for fault tolerance.

diff --git a/docs/config-openshift-v4_8.md b/docs/config-openshift-v4_8.md
@@ -148,7 +148,7 @@ The OpenShift configuration is a YAML document conforming to the following speci
     * **name** (string): the username for the account. Must be `core`.
     * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
-  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
   * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
     * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
       * **url** (string): url of the tang server.

diff --git a/docs/config-openshift-v4_9.md b/docs/config-openshift-v4_9.md
@@ -148,7 +148,7 @@ The OpenShift configuration is a YAML document conforming to the following speci
     * **name** (string): the username for the account. Must be `core`.
     * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
-  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+  * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
   * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
     * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
       * **url** (string): url of the tang server.

diff --git a/docs/examples.md b/docs/examples.md
@@ -281,6 +281,42 @@ boot_device:
         thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
 ```
 
+This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem unlocked with a combination of a network Tang server in S390x.
+
+<!-- butane-config -->
+```yaml
+variant: fcos
+version: 1.3.0
+boot_device:
+  layout: s390x-eckd
+  luks:
+    device: /dev/dasda 
+    tang:
+      - url: https://tang.example.com
+        thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
+```
+```yaml
+variant: fcos
+version: 1.3.0
+boot_device:
+  layout: s390x-zfcp
+  luks:
+    device: /dev/sdb
+    tang:
+      - url: https://tang.example.com
+        thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
+```
+```yaml
+variant: fcos
+version: 1.3.0
+boot_device:
+  layout: s390x-virt
+  luks:
+    tang:
+      - url: https://tang.example.com
+        thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
+```
+
 This example combines `boot_device` with a manually-specified filesystem `format` to create an encrypted root filesystem formatted with `ext4` instead of the default `xfs`.
 
 <!-- butane-config -->

diff --git a/internal/doc/butane.yaml b/internal/doc/butane.yaml
@@ -395,14 +395,16 @@ root:
       desc: describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
       children:
         - name: layout
-          desc: the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+          desc: the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
         - name: luks
           desc: describes the clevis configuration for encrypting the root filesystem.
           children:
             - name: tang
               use: tang
             - name: tpm2
               desc: whether or not to use a tpm2 device.
+            - name: device
+              desc: Specifically for s390x `eckd` and `zfcp` disk without `mirror`.
             - name: threshold
               desc: sets the minimum number of pieces required to decrypt the device. Default is 1.
             - name: discard