add NBDE encryption for IBM Z

openshift · May 10, 2023 · 6a26092 · 6a26092
1 parent 8ee2819
commit 6a26092
Show file tree

Hide file tree

Showing 7 changed files with 186 additions and 5 deletions.
diff --git a/installing/installing_ibm_z/installing-ibm-z-kvm.adoc b/installing/installing_ibm_z/installing-ibm-z-kvm.adoc
@@ -95,6 +95,14 @@ include::modules/ibm-z-secure-execution.adoc[leveloffset=+2]
 
 * link:https://www.ibm.com/docs/en/linux-on-systems?topic=ibmz-secure-execution[Linux as an IBM Secure Execution host or guest]
 
+include::modules/ibmz-configure-nbde-with-static-ip.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+[id="additional-resources_configure-nbde-ibm-z-kvm"]
+.Additional resources
+
+* xref:../../installing/install_config/installing-customizing.adoc#installing-customizing[Creating machine configs with Butane].
+
 include::modules/installation-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset=+2]
 
 include::modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset=+2]

diff --git a/installing/installing_ibm_z/installing-ibm-z.adoc b/installing/installing_ibm_z/installing-ibm-z.adoc
@@ -98,6 +98,14 @@ include::modules/nw-operator-cr.adoc[leveloffset=+1]
 
 include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[leveloffset=+1]
 
+include::modules/ibmz-configure-nbde-with-static-ip.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_configure-nbde-ibm-z"]
+.Additional resources
+
+* xref:../../installing/install_config/installing-customizing.adoc#installing-customizing[Creating machine configs with Butane].
+
 include::modules/installation-ibm-z-user-infra-machines-iso.adoc[leveloffset=+1]
 
 include::modules/installation-user-infra-machines-static-network.adoc[leveloffset=+2]

diff --git a/installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc b/installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
@@ -102,6 +102,14 @@ include::modules/ibm-z-secure-execution.adoc[leveloffset=+2]
 
 * link:https://www.ibm.com/docs/en/linux-on-systems?topic=ibmz-secure-execution[Linux as an IBM Secure Execution host or guest]
 
+include::modules/ibmz-configure-nbde-with-static-ip.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+[id="additional-resources_configure-nbde-ibm-z-kvm-restricted"]
+.Additional resources
+
+* xref:../../installing/install_config/installing-customizing.adoc#installing-customizing[Creating machine configs with Butane].
+
 include::modules/installation-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset=+2]
 
 include::modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset=+2]

diff --git a/installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc b/installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
@@ -104,6 +104,14 @@ include::modules/nw-operator-cr.adoc[leveloffset=+1]
 
 include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[leveloffset=+1]
 
+include::modules/ibmz-configure-nbde-with-static-ip.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_Configure-nbde-ibm-z-restricted"]
+.Additional resources
+
+* xref:../../installing/install_config/installing-customizing.adoc#installing-customizing[Creating machine configs with Butane].
+
 include::modules/installation-ibm-z-user-infra-machines-iso.adoc[leveloffset=+1]
 
 include::modules/installation-user-infra-machines-static-network.adoc[leveloffset=+2]

diff --git a/modules/ibmz-configure-nbde-with-static-ip.adoc b/modules/ibmz-configure-nbde-with-static-ip.adoc
@@ -0,0 +1,149 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_ibm_z/installing-ibm-z.adoc
+// * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
+// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
+// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
+
+ifeval::["{context}" == "installing-ibm-z"]
+:ibm-z:
+endif::[]
+ifeval::["{context}" == "installing-ibm-z-kvm"]
+:ibm-z-kvm:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
+:ibm-z:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-ibm-z-kvm"]
+:ibm-z-kvm:
+endif::[]
+
+:_content-type: PROCEDURE
+[id="configuring-nbde-static-ip-ibmz-linuxone-environment_{context}"]
+= Configuring NBDE with static IP in an {ibmzProductName} or {linuxoneProductName} environment
+
+Enabling NBDE disk encryption in an {ibmzProductName} or {linuxoneProductName} environment requires additional steps, which are described in detail in this section.
+
+.Prerequisites
+
+* You set up the External Tang Server. See link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#network-bound-disk-encryption_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption[Network-bound disk encryption] for instructions.
+* You have installed the `butane` utility.
+* You have reviewed the instructions for how to create machine configs with Butane.
+
+.Procedure
+
+. Create Butane config files for the control plane and compute nodes.
++
+The following example Butane configuration for a control plane node creates a file named `master-storage.bu` for disk encryption:
++
+[source,yaml]
+----
+variant: openshift
+version: 4.13.0
+metadata:
+ name: master-storage
+ labels:
+ machineconfiguration.openshift.io/role: master
+storage:
+ luks:
+ - clevis:
+ tang:
+ - thumbprint: QcPr_NHFJammnRCA3fFMVdNBwjs
+ url: http://clevis.example.com:7500
+ options: <1>
+ - --cipher
+ - aes-cbc-essiv:sha256
+ifndef::ibm-z-kvm[]
+ device: /dev/disk/by-partlabel/root <2>
+endif::ibm-z-kvm[]
+ifdef::ibm-z-kvm[]
+ device: /dev/disk/by-partlabel/root
+endif::ibm-z-kvm[]
+ label: luks-root
+ name: root
+ wipe_volume: true
+ filesystems:
+ - device: /dev/mapper/root
+ format: xfs
+ label: root
+ wipe_filesystem: true
+openshift:
+ fips: true
+----
+<1> The cipher option is only required if FIPS mode is enabled. Omit the entry if FIPS is disabled.
+ifndef::ibm-z-kvm[]
+<2> For installations on DASD-type disks, replace with `device: /dev/disk/by-label/root`.
+endif::ibm-z-kvm[]
+
+. Create a customized initramfs file to boot the machine, by running the following command:
++
+[source,terminal]
+----
+$ coreos-installer pxe customize \
+ /root/rhcos-bootfiles/rhcos-<release>-live-initramfs.s390x.img \
+ --dest-device /dev/sda --dest-karg-append \
+ ip=<ip-address>::<gateway-ip>:<subnet-mask>::<network-device>:none \
+ --dest-karg-append nameserver=<nameserver-ip> \
+ --dest-karg-append rd.neednet=1 -o \
+ /root/rhcos-bootfiles/<Node-name>-initramfs.s390x.img
+----
++
+[NOTE]
+====
+Before first boot, you must customize the initramfs for each node in the cluster and add PXE kernel parameters.
+====
+
+. Create a parameter file that includes `ignition.platform.id=metal` and `ignition.firstboot`.
++
+Example kernel parameter file for the control plane machine:
++
+ifndef::ibm-z-kvm[]
+[source,terminal]
+----
+rd.neednet=1 \
+console=ttysclp0 \
+coreos.inst.install_dev=/dev/dasda \ <1>
+ignition.firstboot ignition.platform.id=metal \
+coreos.live.rootfs_url=http://10.19.17.25/redhat/ocp/rhcos-413.86.202302201445-0/rhcos-413.86.202302201445-0-live-rootfs.s390x.img \
+coreos.inst.ignition_url=http://bastion.ocp-cluster1.example.com:8080/ignition/master.ign \
+ip=10.19.17.2::10.19.17.1:255.255.255.0::enbdd0:none nameserver=10.19.17.1 \
+zfcp.allow_lun_scan=0 \ <2>
+rd.znet=qeth,0.0.bdd0,0.0.bdd1,0.0.bdd2,layer2=1 \
+rd.zfcp=0.0.5677,0x600606680g7f0056,0x034F000000000000 \ <3>
+zfcp.allow_lun_scan=0 \
+rd.znet=qeth,0.0.bdd0,0.0.bdd1,0.0.bdd2,layer2=1 \
+rd.zfcp=0.0.5677,0x600606680g7f0056,0x034F000000000000
+----
+<1> For installations on DASD-type disks, add `coreos.inst.install_dev=/dev/dasda`. Omit this value for FCP-type disks.
+<2> For installations on FCP-type disks, add `zfcp.allow_lun_scan=0`. Omit this value for DASD-type disks.
+<3> For installations on DASD-type disks, replace with `rd.dasd=0.0.3490` to specify the DASD device.
+endif::ibm-z-kvm[]
+ifdef::ibm-z-kvm[]
+[source,terminal]
+----
+rd.neednet=1 \
+console=ttysclp0 \
+ignition.firstboot ignition.platform.id=metal \
+coreos.live.rootfs_url=http://10.19.17.25/redhat/ocp/rhcos-413.86.202302201445-0/rhcos-413.86.202302201445-0-live-rootfs.s390x.img \
+coreos.inst.ignition_url=http://bastion.ocp-cluster1.example.com:8080/ignition/master.ign \
+ip=10.19.17.2::10.19.17.1:255.255.255.0::enbdd0:none nameserver=10.19.17.1 \
+zfcp.allow_lun_scan=0 \
+rd.znet=qeth,0.0.bdd0,0.0.bdd1,0.0.bdd2,layer2=1 \
+rd.zfcp=0.0.5677,0x600606680g7f0056,0x034F000000000000
+----
+endif::ibm-z-kvm[]
++
+Write all options in the parameter file as a single line and make sure you have no newline characters.
+
+ifeval::["{context}" == "installing-ibm-z"]
+:!ibm-z:
+endif::[]
+ifeval::["{context}" == "installing-ibm-z-kvm"]
+:!ibm-z-kvm:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
+:!ibm-z:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-ibm-z-kvm"]
+:!ibm-z-kvm:
+endif::[]
diff --git a/modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc b/modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc
@@ -55,7 +55,7 @@ $ virt-install \
  --network network={virt_network_parm} \
  --boot hd \
  --location {media_location},kernel={rhcos_kernel},initrd={rhcos_initrd} \
- --extra-args "rd.neednet=1 coreos.inst=yes coreos.inst.install_dev=vda coreos.live.rootfs_url={rhcos_liveos} ip={ip}::{default_gateway}:{subnet_mask_length}:{vn_name}:enc1:none:{MTU} nameserver={dns} coreos.inst.ignition_url={rhcos_ign}" \
+ --extra-args "rd.neednet=1 coreos.inst.install_dev=/dev/vda coreos.live.rootfs_url={rhcos_liveos} ip={ip}::{default_gateway}:{subnet_mask_length}:{vn_name}:enc1:none:{MTU} nameserver={dns} coreos.inst.ignition_url={rhcos_ign}" \
  --noautoconsole \
  --wait
 ----
diff --git a/modules/installation-ibm-z-user-infra-machines-iso.adoc b/modules/installation-ibm-z-user-infra-machines-iso.adoc
@@ -51,7 +51,7 @@ The rootfs image is the same for FCP and DASD.
 ** For `coreos.live.rootfs_url=`, specify the matching rootfs artifact for the kernel and initramfs you are booting. Only HTTP and HTTPS protocols are supported.
 
 ** For installations on DASD-type disks, complete the following tasks:
-... For `coreos.inst.install_dev=`, specify `dasda`.
+... For `coreos.inst.install_dev=`, specify `/dev/dasda`.
 ... Use `rd.dasd=` to specify the DASD where {op-system} is to be installed.
 ... Leave all other parameters unchanged.
 +
@@ -61,7 +61,7 @@ Example parameter file, `bootstrap-0.parm`, for the bootstrap machine:
 ----
 rd.neednet=1 \
 console=ttysclp0 \
-coreos.inst.install_dev=dasda \
+coreos.inst.install_dev=/dev/dasda \
 coreos.live.rootfs_url=http://cl1.provide.example.com:8080/assets/rhcos-live-rootfs.s390x.img \
 coreos.inst.ignition_url=http://cl1.provide.example.com:8080/ignition/bootstrap.ign \
 ip=172.18.78.2::172.18.78.1:255.255.255.0:::none nameserver=172.18.78.1 \
@@ -79,7 +79,7 @@ Write all options in the parameter file as a single line and make sure you have
 ====
 When you install with multiple paths, you must enable multipathing directly after the installation, not at a later point in time, as this can cause problems.
 ====
-... Set the install device as: `coreos.inst.install_dev=sda`.
+... Set the install device as: `coreos.inst.install_dev=/dev/sda`.
 +
 [NOTE]
 ====
@@ -99,7 +99,7 @@ The following is an example parameter file `worker-1.parm` for a worker node wit
 ----
 rd.neednet=1 \
 console=ttysclp0 \
-coreos.inst.install_dev=sda \
+coreos.inst.install_dev=/dev/sda \
 coreos.live.rootfs_url=http://cl1.provide.example.com:8080/assets/rhcos-live-rootfs.s390x.img \
 coreos.inst.ignition_url=http://cl1.provide.example.com:8080/ignition/worker.ign \
 ip=172.18.78.2::172.18.78.1:255.255.255.0:::none nameserver=172.18.78.1 \