[MULTIARCH-3164] add NBDE encryption for IBM Z

[SNiemann15]

Version(s): 4.13 +

Issue: https://issues.redhat.com/browse/MULTIARCH-3164

Link to docs preview:

• zVM
• KVM

QE review:

• QE has approved this change.

Additional information:

[techrustlings]

Done with the review.

[techrustlings]

kindly replace ignition.firstboot=true to only ignition.firstboot.

[techrustlings]

rhcos-<version>-live-initramfs.x86_64.img is not required. as we already providing the path to the initramfs in the next line 68.

[techrustlings]

rhcos--live-initramfs.x86_64.img need removal as we already providing the initramfs file location on line number 68.

[techrustlings]

spell error replace utane to butane and encryption:ecify

[ocpdocs-previewbot]

🤖 Updated build preview is available at:
https://58373--docspreview.netlify.app

Build log: https://circleci.com/gh/ocpdocs-previewbot/openshift-docs/16081

[bgilbert]

The threshold defaults to 1, so this could be omitted.

[bgilbert]

This one line isn't enough detail; we should give step-by-step instructions.

But, stepping back a bit: please don't ask users to manually modify Butane output. It's not how Butane is supposed to be used. Also, there's no guarantee that Butane's x86_64 template will meet the needs of s390x in the future, since s390x considerations are out of scope there. Instead, please use a Butane config that describes the necessary configuration in the storage section, avoiding boot_device altogether. See coreos/butane#453 for more info.

[bgilbert]

Omitting /dev/ is legacy syntax.

Suggested change

	coreos.inst.install_dev=dasda \ <1>
	coreos.inst.install_dev=/dev/dasda \ <1>

[bgilbert]

Suggested change

	ignition.firstboot=true ignition.platform.id=metal \
	ignition.firstboot ignition.platform.id=metal \

[techrustlings]

Updated the configuration as suggested by Benjamin.

[techrustlings]

The shortcut method works with s390x zfcp, but not works with dasd. So editing the ignition is not recommended. Define the storage configuration directly in the butane. Kindly remove the line from 41 to 52 and add the following config as example.

variant: openshift
version: 4.13.0
metadata:
  name: master-storage
  labels:
    machineconfiguration.openshift.io/role: master
storage:
  filesystems:
    - device: /dev/mapper/root
      format: xfs
      label: root
      wipe_filesystem: true
  luks:
    - clevis:
        tang:
          - thumbprint: QcPr_NHFJammnRCA3fFMVdNBwjs
            url: http://12.23.21.58:7500
      device: /dev/disk/by-partlabel/root
      label: luks-root
      name: root
      wipe_volume: true

[techrustlings]

Replace line 60 To encrypt DASD disks you must add device: /dev/disk/by-label/root to the Ignition file that is generated by Butane. <- To -> To encrypt DASD disks you must add device: /dev/disk/by-label/root to the butane file

[bgilbert]

It seems clearer to make this a footnote on the relevant Butane config line.

[techrustlings]

Kindly replace coreos.inst.install_dev=dasda to coreos.inst.install_dev=/dev/dasda

[techrustlings]

ignition.firstboot=true to ignition.firstboot

[bgilbert]

coreos.inst=yes is obsolete.

Suggested change

	--extra-args "rd.neednet=1 coreos.inst=yes coreos.inst.install_dev=/dev/vda coreos.live.rootfs_url={rhcos_liveos} ip={ip}::{default_gateway}:{subnet_mask_length}:{vn_name}:enc1:none:{MTU} nameserver={dns} coreos.inst.ignition_url={rhcos_ign}" \
	--extra-args "rd.neednet=1 coreos.inst.install_dev=/dev/vda coreos.live.rootfs_url={rhcos_liveos} ip={ip}::{default_gateway}:{subnet_mask_length}:{vn_name}:enc1:none:{MTU} nameserver={dns} coreos.inst.ignition_url={rhcos_ign}" \

[bgilbert]

The instructions don't say what to do with the Butane config once created. I assume we want to render it to a MachineConfig and add that to the install templates? We usually give explicit steps for that.

[SNiemann15]

We have a link to Creating machine configs with Butane in the additional resources.

[bgilbert]

Sure, but I think there's a risk that users will follow the steps verbatim and won't realize that additional actions are implied.

[madhu-pillai]

Just below the line no 71 a Note section will remind the user to follow the Adding day 1 kernel arguments. Like below .

Generate the MachineConfig object from master-storage.bu by using butane and place it in the Openshift installation directory as described in "Adding day-1 kernel arguments"

[SNiemann15]

Lets tackle this issue after 4.13 GA.

[bgilbert]

Are we requiring FIPS mode? If not, we should footnote that this is optional.

[SNiemann15]

Not required will remove the line.

[bgilbert]

Since this has been reinstated, would it make sense to footnote it?

[SNiemann15]

Yes it makes sense. I added the callout text we use in the sample install-config.yaml for FIPS

[bgilbert]

In the FIPS case, the luks entry should also include:

options:
  - --cipher
  - aes-cbc-essiv:sha256

We need this to ensure that we're using a FIPS 140-2 compatible cipher mode. The default cipher mode is too new for 140-2 (but is supported in 140-3). Normally Butane handles this if it sees boot_device.luks and also openshift.fips: true, but since we're not using boot_device we need to do this ourselves.

I'd be inclined to footnote it and say that it's only needed in FIPS mode.

[SNiemann15]

Not needed because I removed FIPS entry.

[holgwolf]

@SNiemann15 the comment from @bgilbert catched my eyes.
in case a customer want to have fips mode & a change for LUKS is required to adjust the cipher, we might want to document that. Because encryption is kind of base for compliance rules which also includes FIPS.

[bgilbert]

--dest-device does the same thing as coreos.inst.install_dev in the next step. I think it's better to only use --dest-device, and footnote the different values that should be used for virt/ECKD/FCP.

[madhu-pillai]

We do not require --dest-device in initramfs file for Dasda configuration. It has been mentioned in the call out section just below the example.

[bgilbert]

I'm suggesting that the instructions either consistently use only --dest-device or consistently use only coreos.inst.install_dev, rather than sometimes using both and having the latter override the former.

[madhu-pillai]

We used --dest-device in coreos-installer command, and the coreos.inst.install_dev we used in the kernel param file which we punch during the installation. Are you suggesting we use --dest-device in kernel param file too?

[bgilbert]

No, I'm suggesting that we either use --dest-device in the coreos-installer pxe customize command or coreos.inst.install_dev in the kernel param file. It's unnecessary and confusing to use both.

[bgilbert]

Might be clearer to use e.g. http://clevis.example.com/ to show that this shouldn't be used as-is.

[madhu-pillai]

Replace with http://clevis.example.com:7500

[bgilbert]

Nit: Butane doesn't care either way, but I'd be inclined to put this section after the luks section to make the execution order clearer.

[madhu-pillai]

variant: openshift
version: 4.13.0
metadata:
name: master-storage
labels:
machineconfiguration.openshift.io/role: master
storage:
luks:
- clevis:
tang:
- thumbprint: QcPr_NHFJammnRCA3fFMVdNBwjs
url: http://clevis.example.com:7500
device: /dev/disk/by-partlabel/root
label: luks-root
name: root
wipe_volume: true
filesystems:
- device: /dev/mapper/root
format: xfs
label: root
wipe_filesystem: true

[bgilbert]

Using /dev/disk/by-label/root rather than e.g. /dev/dasda3 (where the user has to fill in the correct disk instead of /dev/dasda) is a bit of a hack, but it does simplify the docs, and I think I'm okay with it. If we're using this approach, maybe it's worth simplifying by using /dev/disk/by-label/root for the virt case too.

[bgilbert]

Any thoughts on doing this?

[madhu-pillai]

Hi @bgilbert , /dev/disk/by-partlabel/root works with KVM too. During the testing on KVM and zVM the configuration are similar. I did not done explicit test using /dev/disk/by-label/root in virtual (kvm) and zVM case because on the first shot it worked.

[bgilbert]

I'm suggesting that, if we're going to use the /dev/disk/by-label/root hack, we might as well use it in all cases to avoid the footnote and additional explanation. It should work equally well everywhere.

[bgilbert]

To be clear, this is a cleanup, not a blocker.

[bgilbert]

Hmm, this note confuses me. Why is it only shown in the non-KVM case, and what does it add that the rest of the doc hasn't already said?

[madhu-pillai]

We need it KVM case as well.

[bgilbert]

We don't explicitly say that the customized initramfs should be used instead of the default initramfs when booting the machine. Should we?

[madhu-pillai]

We do not need to call that out explicitly.

[bgilbert]

I think that leaves users to fill in the gaps, and there's little harm in calling it out explicitly.

[madhu-pillai]

Ok, I think we are already providing the Note just below the command. So explicitly calling "customised" may not be relevant.

[bgilbert]

Hmm, the angle brackets read as slightly confusing to me.

[madhu-pillai]

We need to remove angle bracket..

[SNiemann15]

Ok will remove. Usually variables that get replaced have those brackets. But I also thought looks strange in this case.

[bgilbert]

Any thoughts on doing this?

[bgilbert]

I think that leaves users to fill in the gaps, and there's little harm in calling it out explicitly.

[SNiemann15]

/label peer-review-needed

QE review is still in progress.

[openshift-ci]

@ocpdocs-previewbot: user ocpdocs-previewbot is not trusted for pull request #58373

[madhu-pillai]

Looks good to me.

[snarayan-redhat]

Overall looks good! Few suggestions and nits.

[snarayan-redhat]

Suggested change

* You set up the External Tang Server. See link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#network-bound-disk-encryption_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption[Network-bound disk encryption] for instructions.

* You have set up the External Tang Server. See link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#network-bound-disk-encryption_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption[Network-bound disk encryption] for instructions.

[snarayan-redhat]

Suggested change

	The following example Butane configuration for a control plane node creates a file named `master-storage.bu` for disk encryption:
	The following example of Butane configuration for a control plane node creates a file named `master-storage.bu` for disk encryption:

[snarayan-redhat]

Suggested change

	. Create Butane config files for the control plane and compute nodes.
	. Create Butane configuration files for the control plane and compute nodes.

[snarayan-redhat]

Suggested change

	Before first boot, you must customize the initramfs for each node in the cluster and add PXE kernel parameters.
	Before first boot, you must customize the initramfs for each node in the cluster, and add PXE kernel parameters.

[snarayan-redhat]

Just mentioning that this block doesn't have callouts unlike the previous ifndef::ibm-z-kvm[] block, in case you think it's a miss. If it is intentional, then great.

[SNiemann15]

Intentional :-)

[snarayan-redhat]

Suggested change

	Example kernel parameter file for the control plane machine:
	.Example kernel parameter file for the control plane machine:

[snarayan-redhat]

Suggested change

	Example kernel parameter file for the control plane machine:
	.Example kernel parameter file for the control plane machine:

[snarayan-redhat]

This can be a note or added to the step above. I would prefer a note consideirng the structure and reowrding it to be something like:
Ensure that all options in the parameter file are in a single line, and have no newline characters.

[SNiemann15]

I would like to keep this active voice. But having it as a note is a good suggestion.

[SNiemann15]

/label merge-review-needed

[adellape]

@SNiemann15 Please squash to 1 commit and re-queue for merge review. Also, I couldn't tell per the earlier comment whether QE review was completed or not at this point?

Thank you!

[SNiemann15]

@SNiemann15 Please squash to 1 commit and re-queue for merge review. Also, I couldn't tell per the earlier comment whether QE review was completed or not at this point?

Thank you!

@adellape Really strange I squashed yesterday I assume the squash got stuck in the github issues.
Yes QE review is completed in the meantime. Both Holger and Benjamin ack'd.

[SNiemann15]

/label merge-review-needed

[bscott-rh]

I am not going to hold up the PR for this, but I would strongly recommend coming back later and adding annotations/callouts to describe the user-replaced values in this block.

[SNiemann15]

I'll pick that up in the follow-up PR we are planning post GA.

[bscott-rh]

Suggested change

	* xref:../../installing/install_config/installing-customizing.adoc#installing-customizing[Creating machine configs with Butane].
	* xref:../../installing/install_config/installing-customizing.adoc#installation-special-config-butane_installing-customizing[Creating machine configs with Butane]

Please remove the period from end of the additional resources xrefs in these 4 assemblies as they are not complete sentences. I also updated the xref anchor to go directly to the "Creating machine configs with Butane" section which could be updated in all 4 assemblies. Thank you!

[bscott-rh]

/cherrypick enterprise-4.13

[openshift-cherrypick-robot]

@bscott-rh: new pull request created: #60007

In response to this:

/cherrypick enterprise-4.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[bscott-rh]

Merged and cherrypicked to enterprise-4.13.