diff --git a/config/fcos/v1_6_exp/schema.go b/config/fcos/v1_6_exp/schema.go
index 31ecd38a..c2aa155b 100644
--- a/config/fcos/v1_6_exp/schema.go
+++ b/config/fcos/v1_6_exp/schema.go
@@ -32,7 +32,7 @@ type BootDevice struct {
 type BootDeviceLuks struct {
 	Discard *bool `yaml:"discard"`
-	Device string `yaml:"device"`
+	Device string `yaml:"device"`
 	Tang []base.Tang `yaml:"tang"`
 	Threshold *int `yaml:"threshold"`
 	Tpm2 *bool `yaml:"tpm2"`
diff --git a/config/fcos/v1_6_exp/translate.go b/config/fcos/v1_6_exp/translate.go
index e60b0b27..b74c384a 100644
--- a/config/fcos/v1_6_exp/translate.go
+++ b/config/fcos/v1_6_exp/translate.go
@@ -117,17 +117,12 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 	// check for high-level features
 	wantLuks := util.IsTrue(c.BootDevice.Luks.Tpm2) || len(c.BootDevice.Luks.Tang) > 0
-	wantLuksDevice := len(c.BootDevice.Luks.Device) > 0
 	wantMirror := len(c.BootDevice.Mirror.Devices) > 0
 	if !wantLuks && !wantMirror {
 		return r
 	}
-	if wantLuksDevice && wantLuks {
-		panic("can't happen")
-	}
 	// compute layout rendering options
 	var wantBIOSPart bool
 	var wantEFIPart bool
@@ -143,11 +138,11 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 		wantEFIPart = true
 	case *layout == "ppc64le":
 		wantPRePPart = true
-	case *layout == "s390x-zfcp" && wantLuksDevice:
+	case *layout == "s390x-zfcp" && !wantMirror:
 		wantMBR = true
-	case *layout == "s390x-eckd" && wantLuksDevice:
+	case *layout == "s390x-eckd" && !wantMirror:
 		wantDasd = true
-	case *layout == "s390x-virt" && !wantLuksDevice:
+	case *layout == "s390x-virt":
 		wantBIOSPart = true
 		wantEFIPart = true
 	default:
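Review bot: With `wantLuksDevice` removed in the first translate.go hunk, nothing left in this function checks `c.BootDevice.Luks.Device` against the chosen layout, so a `luks.device` given for `x86_64`, `aarch64`, `ppc64le` or `s390x-virt` is silently ignored rather than rejected, and the related layout switch in the second hunk sends `s390x-zfcp` or `s390x-eckd` combined with `mirror` to `default:`, whose body is outside the hunk; if that branch panics on an unexpected layout, a user-supplied config now crashes the translator instead of producing a validation error. Both combinations (`device` on a layout that does not use it, `mirror` on the zfcp/eckd layouts) are config-shape questions that belong in the package's validation of `boot_device` with an error on the offending path, so translation can keep its `panic("can't happen")` for genuinely impossible states. Until then, an explicit `case (*layout == "s390x-zfcp" || *layout == "s390x-eckd") && wantMirror:` with a clear failure would at least make the unsupported combination visible in the code. processBootDevice starts and ends outside these hunks.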
@@ -254,35 +249,8 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 		rendered.Storage.Filesystems = append(rendered.Storage.Filesystems, bootFilesystem)
 	}
-	// encrypted root partition
+	//encrypted root partition
 	if wantLuks {
-		luksDevice := "/dev/disk/by-partlabel/root"
-		if wantMirror {
-			luksDevice = "/dev/md/md-root"
-		}
-		clevis, ts2, r2 := translateBootDeviceLuks(c.BootDevice.Luks, options)
-		rendered.Storage.Luks = []types.Luks{{
-			Clevis: clevis,
-			Device: &luksDevice,
-			Discard: c.BootDevice.Luks.Discard,
-			Label: util.StrToPtr("luks-root"),
-			Name: "root",
-			WipeVolume: util.BoolToPtr(true),
-		}}
-		lpath := path.New("yaml", "boot_device", "luks")
-		rpath := path.New("json", "storage", "luks", 0)
-		renderedTranslations.Merge(ts2.PrefixPaths(lpath, rpath.Append("clevis")))
-		renderedTranslations.AddTranslation(lpath.Append("discard"), rpath.Append("discard"))
-		for _, f := range []string{"device", "label", "name", "wipeVolume"} {
-			renderedTranslations.AddTranslation(lpath, rpath.Append(f))
-		}
-		renderedTranslations.AddTranslation(lpath, rpath)
-		renderedTranslations.AddTranslation(lpath, path.New("json", "storage", "luks"))
-		r.Merge(r2)
-	}
-
-	//encrypted root partition for s390x
-	if wantMBR || wantDasd {
 		var luksDevice string
 		dasd := dasdRe.FindString(c.BootDevice.Luks.Device)
 		sd := sdRe.FindString(c.BootDevice.Luks.Device)
@@ -292,9 +260,15 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 			luksDevice = sd + strconv.Itoa(2)
 		case wantDasd && len(dasd) != 0:
 			luksDevice = dasd + strconv.Itoa(2)
+		case wantMirror:
+			luksDevice = "/dev/md/md-root"
 		default:
-			panic("Incorrect Device Parameter")
+			luksDevice = "/dev/disk/by-partlabel/root"
 		}
+		// luksDevice := "/dev/disk/by-partlabel/root"
+		// if wantMirror {
+		// luksDevice = "/dev/md/md-root"
+		// }
 		clevis, ts2, r2 := translateBootDeviceLuks(c.BootDevice.Luks, options)
 		rendered.Storage.Luks = []types.Luks{{
 			Clevis: clevis,
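Review bot: The replacement comment `//encrypted root partition` drops the space after `//` that the removed line had; Go convention is `// encrypted root partition`. Since this single block now also covers the s390x zfcp/eckd case that used to live under `if wantMBR || wantDasd`, a comment saying so would help the next reader, e.g. `// encrypted root partition (plain, mirrored, or s390x zfcp/eckd device)`. processBootDevice starts and ends outside the hunk.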
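Review bot: The new `default:` branch of the luksDevice switch assigns `/dev/disk/by-partlabel/root` even when `wantMBR` or `wantDasd` is set and the user's `luks.device` matched neither `sdRe` nor `dasdRe`, which is exactly the case the removed `panic("Incorrect Device Parameter")` caught; an s390x zfcp/eckd config with a missing or malformed `device` now translates without complaint into an Ignition config whose LUKS device is a by-partlabel path that the MBR/DASD layouts presumably cannot satisfy, and the failure only surfaces at provisioning time. Keep the catch-all narrow, `case !wantMBR && !wantDasd: luksDevice = "/dev/disk/by-partlabel/root"`, and have `default:` record an error for the `boot_device.luks.device` path in the returned report, or better, reject the bad value in the config's validation so translation never sees it. The four commented-out `// luksDevice := …` lines after the switch are dead code and should be deleted rather than kept as a reminder. The first case of this switch and the rest of processBootDevice are outside the hunk.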
@@ -314,9 +288,8 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 		renderedTranslations.AddTranslation(lpath, rpath)
 		renderedTranslations.AddTranslation(lpath, path.New("json", "storage", "luks"))
 		r.Merge(r2)
-	}
- + // create root filesystem
 	var rootDevice string
 	switch {
@@ -326,9 +299,6 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 	case wantMirror:
 		// RAID without LUKS
 		rootDevice = "/dev/md/md-root"
-	case wantLuksDevice: //Only Luks for s390x
-		rootDevice = "/dev/mapper/root"
 	default:
 		panic("can't happen")
 	}
diff --git a/docs/config-fcos-v1_3.md b/docs/config-fcos-v1_3.md
index adcebd78..af961f74 100644
--- a/docs/config-fcos-v1_3.md
+++ b/docs/config-fcos-v1_3.md
@@ -198,7 +198,7 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
 * **_should_exist_** (boolean): whether or not the group with the specified `name` should exist. If omitted, it defaults to true. If false, then Ignition will delete the specified group.
 * **_system_** (boolean): whether or not the group should be a system group. This only has an effect if the group doesn't exist yet.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
- * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+ * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
diff --git a/docs/config-fcos-v1_4.md b/docs/config-fcos-v1_4.md
index 3ff2f840..78326511 100644
--- a/docs/config-fcos-v1_4.md
+++ b/docs/config-fcos-v1_4.md
@@ -201,7 +201,7 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
 * **_should_exist_** (list of strings): the list of kernel arguments that should exist.
 * **_should_not_exist_** (list of strings): the list of kernel arguments that should not exist.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
- * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+ * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
diff --git a/docs/config-fcos-v1_5.md b/docs/config-fcos-v1_5.md
index 5148a48e..641196ef 100644
--- a/docs/config-fcos-v1_5.md
+++ b/docs/config-fcos-v1_5.md
@@ -207,7 +207,7 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
 * **_should_exist_** (list of strings): the list of kernel arguments that should exist.
 * **_should_not_exist_** (list of strings): the list of kernel arguments that should not exist.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
- * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+ * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
diff --git a/docs/config-fcos-v1_6-exp.md b/docs/config-fcos-v1_6-exp.md
index 3374ee72..29d2c782 100644
--- a/docs/config-fcos-v1_6-exp.md
+++ b/docs/config-fcos-v1_6-exp.md
@@ -209,13 +209,14 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
 * **_should_exist_** (list of strings): the list of kernel arguments that should exist.
 * **_should_not_exist_** (list of strings): the list of kernel arguments that should not exist.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
- * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+ * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
 * **thumbprint** (string): thumbprint of a trusted signing key.
 * **_advertisement_** (string): the advertisement JSON. If not specified, the advertisement is fetched from the tang server during provisioning.
 * **_tpm2_** (boolean): whether or not to use a tpm2 device.
+ * **device** (string): Specifically for s390x `eckd` and `zfcp` disk without `mirror`.
 * **_threshold_** (integer): sets the minimum number of pieces required to decrypt the device. Default is 1.
 * **_discard_** (boolean): whether to issue discard commands to the underlying block device when blocks are freed. Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false.
 * **_mirror_** (object): describes mirroring of the boot disk for fault tolerance.
diff --git a/docs/config-openshift-v4_10.md b/docs/config-openshift-v4_10.md
index 1324c583..9a38f6ef 100644
--- a/docs/config-openshift-v4_10.md
+++ b/docs/config-openshift-v4_10.md
@@ -149,7 +149,7 @@ The OpenShift configuration is a YAML document conforming to the following speci
 * **name** (string): the username for the account. Must be `core`.
 * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
- * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+ * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
diff --git a/docs/config-openshift-v4_11.md b/docs/config-openshift-v4_11.md
index 6c190d89..62dd5cba 100644
--- a/docs/config-openshift-v4_11.md
+++ b/docs/config-openshift-v4_11.md
@@ -149,7 +149,7 @@ The OpenShift configuration is a YAML document conforming to the following speci
 * **name** (string): the username for the account. Must be `core`.
 * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
- * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+ * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
diff --git a/docs/config-openshift-v4_12.md b/docs/config-openshift-v4_12.md
index a7e324a1..8c923d14 100644
--- a/docs/config-openshift-v4_12.md
+++ b/docs/config-openshift-v4_12.md
@@ -149,7 +149,7 @@ The OpenShift configuration is a YAML document conforming to the following speci
 * **name** (string): the username for the account. Must be `core`.
 * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
- * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+ * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
diff --git a/docs/config-openshift-v4_13.md b/docs/config-openshift-v4_13.md
index 3a0bb133..34c755dd 100644
--- a/docs/config-openshift-v4_13.md
+++ b/docs/config-openshift-v4_13.md
@@ -150,7 +150,7 @@ The OpenShift configuration is a YAML document conforming to the following speci
 * **_password_hash_** (string): the hashed password for the account.
 * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added as an SSH key fragment at `.ssh/authorized_keys.d/ignition` in the user's home directory. All SSH keys must be unique.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
- * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+ * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
diff --git a/docs/config-openshift-v4_14-exp.md b/docs/config-openshift-v4_14-exp.md
index d0309ccc..a00968e1 100644
--- a/docs/config-openshift-v4_14-exp.md
+++ b/docs/config-openshift-v4_14-exp.md
@@ -158,13 +158,14 @@ The OpenShift configuration is a YAML document conforming to the following speci
 * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added as an SSH key fragment at `.ssh/authorized_keys.d/ignition` in the user's home directory. All SSH keys must be unique.
 * **_ssh_authorized_keys_local_** (list of strings): a list of local paths to SSH key files, relative to the directory specified by the `--files-dir` command-line argument, to be added as SSH key fragments at `.ssh/authorized_keys.d/ignition` in the user's home directory. All SSH keys must be unique. Each file may contain multiple SSH keys, one per line.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
- * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+ * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
 * **thumbprint** (string): thumbprint of a trusted signing key.
 * **_advertisement_** (string): the advertisement JSON. If not specified, the advertisement is fetched from the tang server during provisioning.
 * **_tpm2_** (boolean): whether or not to use a tpm2 device.
+ * **device** (string): Specifically for s390x `eckd` and `zfcp` disk without `mirror`.
 * **_threshold_** (integer): sets the minimum number of pieces required to decrypt the device. Default is 1.
 * **_discard_** (boolean): whether to issue discard commands to the underlying block device when blocks are freed. Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false.
 * **_mirror_** (object): describes mirroring of the boot disk for fault tolerance.
diff --git a/docs/config-openshift-v4_8.md b/docs/config-openshift-v4_8.md
index 40599839..416618e5 100644
--- a/docs/config-openshift-v4_8.md
+++ b/docs/config-openshift-v4_8.md
@@ -148,7 +148,7 @@ The OpenShift configuration is a YAML document conforming to the following speci
 * **name** (string): the username for the account. Must be `core`.
 * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
- * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+ * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
diff --git a/docs/config-openshift-v4_9.md b/docs/config-openshift-v4_9.md
index 6655b500..b5714c9e 100644
--- a/docs/config-openshift-v4_9.md
+++ b/docs/config-openshift-v4_9.md
@@ -148,7 +148,7 @@ The OpenShift configuration is a YAML document conforming to the following speci
 * **name** (string): the username for the account. Must be `core`.
 * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added to `.ssh/authorized_keys` (OpenShift < 4.13) or `.ssh/authorized_keys.d/ignition` (OpenShift ≥ 4.13) in the user's home directory. All SSH keys must be unique.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
- * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+ * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
diff --git a/docs/examples.md b/docs/examples.md
index 6fb1c3e4..b03d47b9 100644
--- a/docs/examples.md
+++ b/docs/examples.md
@@ -281,6 +281,42 @@ boot_device:
         thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
 ```
+This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem unlocked with a combination of a network Tang server in S390x.
+
+
+```yaml
+variant: fcos
+version: 1.3.0
+boot_device:
+  layout: s390x-eckd
+  luks:
+    device: /dev/dasda
+    tang:
+      - url: https://tang.example.com
+        thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
+```
+```yaml
+variant: fcos
+version: 1.3.0
+boot_device:
+  layout: s390x-zfcp
+  luks:
+    device: /dev/sdb
+    tang:
+      - url: https://tang.example.com
+        thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
+```
+```yaml
+variant: fcos
+version: 1.3.0
+boot_device:
+  layout: s390x-virt
+  luks:
+    tang:
+      - url: https://tang.example.com
+        thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
+```
+
 This example combines `boot_device` with a manually-specified filesystem `format` to create an encrypted root filesystem formatted with `ext4` instead of the default `xfs`.
diff --git a/internal/doc/butane.yaml b/internal/doc/butane.yaml
index 38422a0b..ad643984 100644
--- a/internal/doc/butane.yaml
+++ b/internal/doc/butane.yaml
@@ -395,7 +395,7 @@ root:
   desc: describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
   children:
   - name: layout
-    desc: the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+    desc: the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-zfcp`, `s390x-eckd`, `s390x-virt` and `x86_64`. Defaults to `x86_64`.
   - name: luks
     desc: describes the clevis configuration for encrypting the root filesystem.
     children:
@@ -403,6 +403,8 @@ root:
       use: tang
     - name: tpm2
       desc: whether or not to use a tpm2 device.
+    - name: device
+      desc: Specifically for s390x `eckd` and `zfcp` disk without `mirror`.
     - name: threshold
       desc: sets the minimum number of pieces required to decrypt the device. Default is 1.
     - name: discard