s390x layout feature
madhu-pillai committed Oct 3, 2023
1 parent 790ccc3 commit 4ac37f1
Showing 7 changed files with 91 additions and 5 deletions.
2 changes: 2 additions & 0 deletions config/common/errors.go
Expand Up @@ -56,6 +56,8 @@ var (
// boot device
ErrUnknownBootDeviceLayout = errors.New("layout must be one of: aarch64, ppc64le, x86_64")
ErrTooFewMirrorDevices = errors.New("mirroring requires at least two devices")
ErrNoLuksBootDevice = errors.New("s390x-device is required if layout: s390x-eckd && s390x-device: /dev/dasd[a-z] or s390x-zfcp && s390x-device: /dev/sd[a-z]")
ErrMirrorNotSupport = errors.New("layout: s390x-zfcp or s390x-eckd does not support mirror")

// partition
ErrReuseByLabel = errors.New("partitions cannot be reused by label; number must be specified except on boot disk (/dev/disk/by-id/coreos-boot-disk) or when wipe_table is true")
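Review bot: `ErrUnknownBootDeviceLayout` (the unchanged context line just above the two added errors) still lists only `aarch64, ppc64le, x86_64`, while this commit makes `s390x-eckd`, `s390x-virt` and `s390x-zfcp` valid layouts in validate.go, so a user who mistypes an s390x layout is told those values do not exist. I would update it to `ErrUnknownBootDeviceLayout = errors.New("layout must be one of: aarch64, ppc64le, s390x-eckd, s390x-virt, s390x-zfcp, x86_64")`. `ErrNoLuksBootDevice` is returned by validate.go both when `s390x-device` is missing and when it does not match the expected pattern, so its message would be easier to act on if it stated the two rules plainly, e.g. `"s390x-device is required: /dev/dasd[a-z] for layout s390x-eckd, /dev/sd[a-z] for layout s390x-zfcp"`. The `var (` block starts and ends outside the hunk.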
1 change: 1 addition & 0 deletions config/fcos/v1_6_exp/schema.go
Expand Up @@ -32,6 +32,7 @@ type BootDevice struct {

type BootDeviceLuks struct {
Discard *bool `yaml:"discard"`
Device *string `yaml:"s390x-device"`
Tang []base.Tang `yaml:"tang"`
Threshold *int `yaml:"threshold"`
Tpm2 *bool `yaml:"tpm2"`
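Review bot: The new key `s390x-device` is spelled with a hyphen, while the other multi-word keys visible in this commit's docs use underscores (`boot_device`, `ssh_authorized_keys`, `should_not_exist`), so it is inconsistent with the rest of the schema; `yaml:"s390x_device"` would match, with the docs, examples and error text updated accordingly. The Go field name `Device` also gives no hint that it applies only to the s390x layouts, so I would add a field comment such as `// Device is the s390x boot disk; required for the s390x-eckd and s390x-zfcp layouts.`. The struct continues outside the hunk.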
20 changes: 18 additions & 2 deletions config/fcos/v1_6_exp/translate.go
Expand Up @@ -124,6 +124,7 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
var wantBIOSPart bool
var wantEFIPart bool
var wantPRePPart bool
var wantS390x bool
layout := c.BootDevice.Layout
switch {
case layout == nil || *layout == "x86_64":
Expand All @@ -133,6 +134,13 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
wantEFIPart = true
case *layout == "ppc64le":
wantPRePPart = true
case *layout == "s390x-eckd":
wantS390x = true
case *layout == "s390x-zfcp":
wantS390x = true
case *layout == "s390x-virt":
wantBIOSPart = true
wantEFIPart = true
default:
// should have failed validation
panic("unknown layout")
Expand Down Expand Up @@ -239,9 +247,17 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio

// encrypted root partition
if wantLuks {
luksDevice := "/dev/disk/by-partlabel/root"
if wantMirror {
var luksDevice string
var device_s390x string
switch {
case wantS390x:
//Luks Device for dasd and zFCP-scsi
device_s390x = *c.BootDevice.Luks.Device
luksDevice = device_s390x + "2"
case wantMirror:
luksDevice = "/dev/md/md-root"
default:
luksDevice = "/dev/disk/by-partlabel/root"
}
clevis, ts2, r2 := translateBootDeviceLuks(c.BootDevice.Luks, options)
rendered.Storage.Luks = []types.Luks{{
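Review bot: In the `case wantS390x:` branch of the last hunk, `*c.BootDevice.Luks.Device` is dereferenced with no nil check, so this code panics unless validation has already rejected a missing `s390x-device`; nothing visible in the hunk guarantees that ordering, so either guard the pointer here or add a comment stating that Validate guarantees it is set. The `+ "2"` suffix hard-codes that the partition to encrypt is partition 2 of the user-supplied disk, and a wrong value would point LUKS at a different partition, so it deserves a why-comment naming the image layout it relies on (presumably root is partition 2 on DASD and zFCP SCSI images; confirm before writing it down). The intermediate `device_s390x` breaks Go's MixedCaps naming and can be dropped in favour of `luksDevice = *c.BootDevice.Luks.Device + "2"`. processBootDevice starts and ends outside the hunks.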
24 changes: 23 additions & 1 deletion config/fcos/v1_6_exp/validate.go
Expand Up @@ -27,6 +27,8 @@ import (
const rootDevice = "/dev/disk/by-id/coreos-boot-disk"

var allowedMountpoints = regexp.MustCompile(`^/(etc|var)(/|$)`)
var dasdRe = regexp.MustCompile("(/dev/dasd[a-z]$)")
var sdRe = regexp.MustCompile("(/dev/sd[a-z]$)")

// We can't define a Validate function directly on Disk because that's defined in base,
// so we use a Validate function on the top-level Config instead.
Expand All @@ -51,11 +53,31 @@ func (conf Config) Validate(c path.ContextPath) (r report.Report) {
func (d BootDevice) Validate(c path.ContextPath) (r report.Report) {
if d.Layout != nil {
switch *d.Layout {
case "aarch64", "ppc64le", "x86_64":
case "aarch64", "ppc64le", "x86_64", "s390x-eckd", "s390x-virt", "s390x-zfcp":
default:
r.AddOnError(c.Append("layout"), common.ErrUnknownBootDeviceLayout)
}
}
//Validate s390x layout device specific luks.s390x-device.
//s390x layout does not support Mirror.
//Validate the luks.s390x-device and matching the device
if d.Layout != nil {
switch *d.Layout {
case "s390x-eckd", "s390x-zfcp":
if util.NilOrEmpty(d.Luks.Device) {
r.AddOnError(c.Append(*d.Layout), common.ErrNoLuksBootDevice)
}
if len(d.Mirror.Devices) > 0 {
r.AddOnError(c.Append(*d.Layout), common.ErrMirrorNotSupport)
}
if *d.Layout == "s390x-zfcp" && util.NotEmpty(d.Luks.Device) && !sdRe.MatchString(*d.Luks.Device) {
r.AddOnError(c.Append(*d.Layout), common.ErrNoLuksBootDevice)
}
if *d.Layout == "s390x-eckd" && util.NotEmpty(d.Luks.Device) && !dasdRe.MatchString(*d.Luks.Device) {
r.AddOnError(c.Append(*d.Layout), common.ErrNoLuksBootDevice)
}
}
}
r.Merge(d.Mirror.Validate(c.Append("mirror")))
return
}
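Review bot: `dasdRe` and `sdRe` are anchored only at the end (`$`), so any string that merely ends in `/dev/dasda` or `/dev/sdb`, such as a relative path or one with extra leading components, passes validation and is then used by translate.go to build the LUKS device path. Anchor both ends and drop the unused capture group: `regexp.MustCompile("^/dev/dasd[a-z]$")` and `regexp.MustCompile("^/dev/sd[a-z]$")`. The new errors are also reported at `c.Append(*d.Layout)`, which appends the layout value (e.g. `s390x-eckd`) as a path element rather than the offending key; `c.Append("luks", "s390x-device")` for the device errors and `c.Append("mirror")` for the mirror error would point the user at the right field. The second `if d.Layout != nil` block could be folded into the first switch so the layout is inspected once.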
3 changes: 2 additions & 1 deletion docs/config-fcos-v1_6-exp.md
Expand Up @@ -209,8 +209,9 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
* **_should_exist_** (list of strings): the list of kernel arguments that should exist.
* **_should_not_exist_** (list of strings): the list of kernel arguments that should not exist.
* **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
* **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
* **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-eckd`, `s390x-virt`, `s390x-zfcp` and `x86_64`. Defaults to `x86_64`.
* **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
* **s390x-device** (string): describes device specific to s390x `dasd[a-z]` or `sd[a-z]`.
* **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
* **url** (string): url of the tang server.
* **thumbprint** (string): thumbprint of a trusted signing key.
3 changes: 2 additions & 1 deletion docs/config-openshift-v4_15-exp.md
Expand Up @@ -158,8 +158,9 @@ The OpenShift configuration is a YAML document conforming to the following speci
* **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added as an SSH key fragment at `.ssh/authorized_keys.d/ignition` in the user's home directory. All SSH keys must be unique.
* **_ssh_authorized_keys_local_** (list of strings): a list of local paths to SSH key files, relative to the directory specified by the `--files-dir` command-line argument, to be added as SSH key fragments at `.ssh/authorized_keys.d/ignition` in the user's home directory. All SSH keys must be unique. Each file may contain multiple SSH keys, one per line.
* **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
* **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
* **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-eckd`, `s390x-virt`, `s390x-zfcp` and `x86_64`. Defaults to `x86_64`.
* **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
* **s390x-device** (string): describes device specific to s390x `dasd[a-z]` or `sd[a-z]`.
* **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
* **url** (string): url of the tang server.
* **thumbprint** (string): thumbprint of a trusted signing key.
43 changes: 43 additions & 0 deletions docs/examples.md
Expand Up @@ -296,8 +296,51 @@ storage:
format: ext4
```

This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem in s390x by using device dasda unlocked with a network Tang server.

<!-- butane-config -->
```yaml
variant: fcos
version: 1.6.0
boot_device:
layout: s390x-eckd
luks:
s390x-device: /dev/dasda
tang:
- url: https://tang.example.com
thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
```

This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem in s390x by using device zfcp scsi unlocked with a network Tang server.

<!-- butane-config -->
```yaml
variant: fcos
version: 1.6.0
boot_device:
layout: s390x-zfcp
luks:
s390x-device: /dev/sdb
tang:
- url: https://tang.example.com
thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
```
### Mirrored boot disk

This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem in s390x KVM unlocked with a network Tang server.

<!-- butane-config -->
```yaml
variant: fcos
version: 1.6.0
boot_device:
layout: s390x-virt
luks:
tang:
- url: https://tang.example.com
thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
```

This example replicates all default partitions on the boot disk across multiple disks, allowing the system to survive disk failure.

<!-- butane-config -->
